Endpoint Protection

Microsoft released six security bulletins this morning, covering a total of 11 distinct security vulnerabilities. In rough order of most urgent to least, here we go:

Topping the list in raw urgency is MS06-066 (BID 21023 and BID 20984, CVE-2006-4688 and CVE-2006-4689). This affects everything from Win2K SP0 to XP SP2, provided that the systems have the Client Service for Netware enabled. This obviously reduces the population of vulnerable systems, but for those systems this is where you want to start. This addresses two vulnerabilities, the more severe of which is the Microsoft Windows Client Service For Netware Remote Code Execution Vulnerability. If your computers match that description, you are wide open to remote attackers, who have the opportunity to run code of their choice on your machines – until you apply the patch, of course. The vulnerable service is not installed by default, but if it has been installed and is not needed it can (and should) be removed. BID 21023 allows full compromise and working exploit code has been published, so if your network is affected this should be a priority for you.

Next up is MS06-067, a cumulative update that addresses three vulnerabilities in IE 5 and 6 (BID 19738/ CVE-2006-4446, BID 20047/CVE-2006-4777, and BID 21020 / CVE-2006-4687). The most urgent of these issues is the Microsoft Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability (BID 20047). This is a previously known issue disclosed in September, and allows malicious Web site operators or defacers to run code using the browser’s improper handling of malformed parameters to the KeyFrame method of the DirectAnimation.PathControl object. Limited exploitation of this issue has been seen in the wild. Exploits for two of the three resolved issue are known to exist. There are multiple workarounds described in the MS Bulletin that should be followed immediately if patching is not an option right away.

MS06-071 (BID 20915 / CVE-2006-5745), the Microsoft XML Core Service XMLHTTP ActiveX Control Remote Code Execution Vulnerability, addresses an issue in the XML core service of Windows 2000, 2003 and XP. Like the others, this can also allow attackers to run code of their choice on the affected system. This was first publicly mentioned earlier in November when exploitation of this issue was discovered in the wild by ISS xForce. Needless to say, multiple exploits for this vulnerability are now available for download. The vector of attack is the XMLHTTP ActiveX control. In the event that patching is not possible, the control can be disabled via the kill bit – see the bulletin for complete details.

MS06-070 (BID 20985 / CVE-2006-4691), the Microsoft Windows Workstation Service NetpManageIPCConnect Remote Code Execution Vulnerability, had the potential to be the most severe issue this month (initially). Longer-than-expected hostnames sent in RPC transactions to W2K and XP targets could result in the execution of attacker-supplied code at the SYSTEM privilege level, making this a prime candidate for automated and self-replicating exploitation. However, (thankfully) it can only be exploited by users already possessing Administrator rights on XP. Windows 2000 machines can be compromised by anonymous attackers however, so this is still a serious threat on that platform. Exploits are not known to exist publicly at this time.

MS06-068 (BID 21034 / CVE-2006-3445) was published to address a vulnerability in the Microsoft Agent ActiveX control. This vulnerability could allow arbitrary code to be run at the privilege level of the browser via a malicious ACF file. Exploits for this issue are not known to exist, and the usual ActiveX workarounds apply.

And finally, we have MS06-069 (BID 19980 / CVE-2006-3311, CVE-2006-3587, CVE-2006-3588, CVE-2006-4640; BID 18894 / CVE-2006-3587, CVE-2006-3588), which details several issues in the Adobe Flash Player included in Windows XP.