Security Response

Microsoft Patch Tuesday: December 2006

Created: 12 Dec 2006 08:00:00 GMT • Updated: 23 Jan 2014 18:54:35 GMT
Ben Greenbaum

All aboard! Welcome to another ride on the monthly Microsoft patch train. We’ve got quite a few stops this month and most are client-side vulnerabilities, meaning that an end user has to take specific actions (typically by obtaining and then opening hostile content). Unless otherwise stated, the privilege granted to the attacker for all of the below vulnerabilities is the privilege level of the victim user. Most were publicly disclosed for the first time today, but the exceptions are noted. They are listed below in the order of most to least critical for the fabled “typical” network.

Vulnerability in SNMP Could Allow Remote Code Execution MS06-074 / KB926247

This vulnerability seems almost old-fashioned in the modern security landscape – a common buffer overflow in a service. Thankfully, this is not in a default service, but SNMP is a fairly common protocol in corporate environments. However, if best practices are being followed, the SNMP service should not be reachable by anything but trusted networks.

Microsoft Windows SNMP Service Remote Code Execution Vulnerability
CVE-2006-5583; BID 21537
Microsoft Rating: Important; Symantec Rating: 10/10

This remote code execution vulnerability is caused by an unchecked buffer in the SNMP service on Windows 2000, XP, and Server 2003. This service is not installed by default. Successful exploitation will result in the complete compromise of the target system, with the attacker’s supplied code running at the SYSTEM privilege level. A working exploit for this vulnerability was released shortly after the patch became available.

Cumulative Security Update for Internet Explorer MS06-072 / KB925454

This single patch fixes four issues, two of which are rated as severe by both Microsoft and Symantec Security Response. As such, it is an easy winner for the ignominious position at the top of the heap.

Microsoft Internet Explorer DHTML Script Function Remote Code Vulnerability
CVE-2006-5581; BID 21546
Microsoft Rating: Critical; Symantec Rating: 9/10

Non-existent elements in DHTML scripting can cause IE to execute remotely-supplied code. This can be leveraged against IE 6 and 6 SP1 on Windows XP and Server 2003 systems. An exploit for this issue is available publicly, which is why we rate this vulnerability higher than the other similar issues fixed by this cumulative patch.

Microsoft Internet Explorer Script Error Handling Remote Code Execution Vulnerability
CVE-2006-5579; BID 21552
Microsoft Rating: Critical; Symantec Rating: 7/10

A vulnerability in error handling could allow remote Web content to execute arbitrary code in the security context of the browser. Outlook and Outlook Express have default security settings that would make email-based attacks impossible, although those settings can be altered. This affects IE 5, 6, and 6 SP1 running on Windows 2000, XP, and Server 2003 systems. No exploit for this is currently available to the general public.

Microsoft Internet Explorer Drag and Drop TIF Folder Information Disclosure Vulnerability
CVE-2006-5578; BID 21494
Microsoft Rating: Important; Symantec Rating: 6/10

This is an information disclosure vulnerability only – drag and drop operations on a hostile Web page may reveal information to an attacker, including the system user name and the contents of the Temporary Internet Files folder. While this would not necessarily be a devastating attack on its own, it can be used in information gathering sessions prior to an all-out attack, and the information retrieved could certainly aid future attacks. This affects IE 5, 6, and 6 SP1 on Windows 2000, XP, and Server 2003.

Microsoft Internet Explorer Object Tag TIF Folder Information Disclosure Vulnerability
CVE-2006-5577; BID 21507
Microsoft Rating: Moderate; Symantec Rating: 6/10

This is very similar to the previous issue, but allows the attacker to actually retrieve contents from the TIF location. This also affects IE 5, 6, and 6 SP1 on Windows 2000, XP, and Server 2003.

Vulnerability in Windows Media Player Could Allow Remote Code Execution MS06-078 / KB923689

This patch addresses two vulnerabilities in Windows Media Player, one in ASF file handling, and the other in playlist file handling.

Windows Media Player ASX PlayList File Heap Overflow Vulnerability
CVE-2006-6134; BID 21247
Microsoft Rating: Critical; Symantec Rating: 9/10

This issue was originally reported on November 22, 2006, and an exploit has been available since that time. This heap overflow vulnerability is the result of improper handling of unexpected protocols specified in URLs referenced in playlist files (.asx format). Windows Media Player 7.1, 8, 9, and 10 are affected, as well as Windows Media Format 9.5.

Windows Media Player Remote ASF File Buffer Overflow Vulnerability
CVE-2006-4702; BID 21505
Microsoft Rating: Critical; Symantec Rating: 7/10

This is another client-side code execution vulnerability, caused by an unchecked buffer in the ASF (Advanced Streaming Format) file handling code of Windows Media Player (WMP). ASF files may have the ASF, WMA, or WMV file extensions. The delivery vector could be any method that allows the transfer of these files, such as email, Web, and P2P, because the vulnerability is in the player and associated libraries. Successful exploitation results in the attacker’s code running in the security context of the owner of the WMP process. Affected versions are: Windows Media Player 6.4, 7.1, 9, and 10. Note that Windows Media Format 11 Runtime is not affected by the vulnerability.

Exploits for this issue do not exist yet in the public realm, but given the interest of attackers in leveraging video files distributed over P2P networks, it is only a matter of time. Should patching be impossible, the relevant ActiveX kill bits can be set for IE to at least reduce the number of available vectors. See the Microsoft advisory for specific details.

Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution MS06-073 / KB925674

Microsoft Visual Studio 2005 WMI Object Broker Remote Code Execution Vulnerability

CVE-2006-4704; BID 20843
Microsoft Rating: Critical; Symantec Rating: 9/10

This vulnerability has been known to the public since Nov 1, 2006, and exploit code has been available since that time. Attacks against this vulnerability have been observed in the wild. All versions of Visual Studio 2005 are affected. The issue is caused by the WMI Object Broker ActiveX control. Therefore, the CLSID kill bit can be set to mitigate this vulnerability pending patch installation, if required. See the Microsoft advisory for more details.
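The kill-bit mitigation mentioned for both the Windows Media Player controls and the Visual Studio 2005 WMI Object Broker control works by setting bit 0x400 of the "Compatibility Flags" value under IE's ActiveX Compatibility registry key for the control's CLSID, after which IE refuses to instantiate that control. The following PowerShell is an added example, not code from the Symantec post or from Microsoft; the CLSID it uses is a placeholder, and the real CLSIDs must be taken from the Microsoft advisories the post refers to. It ORs the kill bit into any flags already present rather than overwriting them, and also writes the Wow6432Node view so 32-bit IE on 64-bit Windows is covered.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell.
# PLACEHOLDER CLSID: replace with the control's real CLSID from the Microsoft advisory.
$Clsid = '{00000000-0000-0000-0000-000000000000}'

$KillBit = 0x400   # Compatibility Flags bit that tells IE never to load the control

function Get-ActiveXCompatKeys {
    param([Parameter(Mandatory)][string]$Clsid)
    $Keys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    # 32-bit IE on 64-bit Windows reads the Wow6432Node view; cover it when it exists.
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $Keys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $Keys
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($Key in (Get-ActiveXCompatKeys -Clsid $Clsid)) {
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        # Preserve flags already set for this control: OR in the kill bit, do not overwrite.
        $Existing = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
        $NewFlags = ([int]$Existing) -bor $KillBit
        Set-ItemProperty -Path $Key -Name 'Compatibility Flags' -Value $NewFlags -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # True only if every applicable registry view carries the kill bit.
    foreach ($Key in (Get-ActiveXCompatKeys -Clsid $Clsid)) {
        $Flags = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' `
                     -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ((([int]$Flags) -band $KillBit) -eq 0) { return $false }
    }
    return $true
}

Set-ActiveXKillBit -Clsid $Clsid
if (Test-ActiveXKillBit -Clsid $Clsid) { "Kill bit set for $Clsid" }
else { "Kill bit NOT set for $Clsid (check permissions)" }
```

Test-ActiveXKillBit can be run on its own across a fleet to verify the interim mitigation is in place before the patch is deployed.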

Vulnerability in Remote Installation Service Could Allow Remote Code Execution MS06-077 / KB926121

Microsoft Windows 2000 Remote Installation Service Remote Code Execution Vulnerability
CVE-2006-5584; BID 21495
Microsoft Rating: Important; Symantec Rating: 8/10

The Remote Installation Service (RIS) allows OS installations to occur over the network. Attackers can upload arbitrary files to a Windows 2000 RIS server via the TFTP service, effectively backdooring any installations performed from that server. RIS is not installed by default. This vulnerability should hopefully be mitigated by general best practices that would disallow connections to the RIS server from any but trusted networks. This is obviously not going to be a concern for the average home user, and the service is not that widely deployed, even in corporate environments.

Cumulative Security Update for Outlook Express MS06-076 / KB923694

This cumulative update only patches one new vulnerability, but also includes the patches released as MS06-016 and MS06-043.

Microsoft Outlook Express Windows Address Book Contact Record Remote Code Execution Vulnerability
CVE-2006-2386; BID 21501
Microsoft Rating: Important; Symantec Rating: 7/10

This is a client-side code execution vulnerability, caused by an unchecked buffer within the Windows Address Book file processing code in Outlook Express. Attackers must entice vulnerable users to open the malformed Windows Address Book file in Outlook Express and, if successful, the attackers are then able to run their code on the target system at the privilege level of the victim user. Note that Outlook is not vulnerable to this issue. This affects Outlook Express 5.5, 6, and 6 SP1.

Vulnerability in Windows Could Allow Elevation of Privilege MS06-075 / KB926255

Microsoft Windows Manifest File Privilege Escalation Vulnerability
CVE-2006-5585; BID 21550
Microsoft Rating: Important; Symantec Rating: 7/10

Windows XP and Server 2003 are susceptible to a local privilege escalation attack. This is due to improper handling of file manifests (XML-based metafiles that describe executables in the same folder). SYSTEM-level privileges can be gained by any local user. Exploits for this issue have not been released to the public.

Well, this is your stop! Hopefully you are already well on your way to having these addressed. Happy patching, and see you in 2007.