All aboard! Welcome to another ride on the monthly Microsoft patch train. We’ve got quite a few stops this month and most are client-side vulnerabilities, meaning that an end user has to take specific actions (typically by obtaining and then opening hostile content). Unless otherwise stated, the privilege granted to the attacker for all of the below vulnerabilities is the privilege level of the victim user. Most were publicly disclosed for the first time today, but the exceptions are noted. They are listed below in the order of most to least critical for the fabled “typical” network.
This vulnerability seems almost old-fashioned in the modern security landscape – a common buffer overflow in a service. Thankfully, this is not in a default service, but SNMP is a fairly common protocol in corporate environments. However, if best practices are being followed, the SNMP service should not be reachable by anything but trusted networks.
This remote code execution vulnerability is caused by an unchecked buffer in the SNMP service on Windows 2000, XP, and Server 2003. This service is not installed by default. Successful exploitation will result in the complete compromise of the target system, with the attacker’s supplied code running at the SYSTEM privilege level. A working exploit for this vulnerability was released shortly after the patch became available.
This single patch fixes four issues, two of which are rated as severe by both Microsoft and Symantec Security Response. As such, it is an easy winner for the ignominious position at the top of the heap.
Non-existent elements in DHTML scripting can cause IE to execute remotely-supplied code. This can be leveraged against IE 6 and 6 SP1 on Windows XP and Server 2003 systems. An exploit for this issue is available publicly, which is why we rate this vulnerability higher than the other similar issues fixed by this cumulative patch.
A vulnerability in error handling could allow remote Web content to execute arbitrary code in the security context of the browser. Outlook and Outlook Express have default security settings that would make email-based attacks impossible, although those settings can be altered. This affects IE 5, 6, and 6 SP1 running on Windows 2000, XP, and Server 2003 systems. No exploit for this is currently available to the general public.
This is an information disclosure vulnerability only – drag and drop operations on a hostile Web page may reveal information to an attacker, including the system user name and the contents of the Temporary Internet Files folder. While this would not necessarily be a devastating attack on its own, it can be used in information gathering sessions prior to an all-out attack, and the information retrieved could certainly aid future attacks. This affects IE 5, 6, and 6 SP1 on Windows 2000, XP, and Server 2003.
This is very similar to the previous issue, but allows the attacker to actually retrieve contents from the TIF location. This also affects IE 5, 6, and 6 SP1 on Windows 2000, XP, and Server 2003.
This patch addresses two vulnerabilities in Windows Media Player, one in ASF file handling, and the other in playlist file handling.
This issue was originally reported on November 22, 2006, and an exploit has been available since that time. This heap overflow vulnerability is the result of improper handling of unexpected protocols specified in URLs referenced in playlist files (.asx format). Windows Media Player 7.1, 8, 9, and 10 are affected, as well as Windows Media Format 9.5.
This is another client-side code execution vulnerability, caused by an unchecked buffer in the ASF (Advanced Streaming Format) file handling code of Windows Media Player (WMP). ASF files may have the ASF, WMA, or WMV file extensions. The delivery vector could be any method that allows the transfer of these files, such as email, Web, and P2P, because the vulnerability is in the player and associated libraries. Successful exploitation results in the attacker’s code running in the security context of the owner of the WMP process. Affected versions are: Windows Media Player 6.4, 7.1, 9, and 10. Note that Windows Media Format 11 Runtime is not affected by the vulnerability.
Exploits for this issue do not exist yet in the public realm, but given the interest of attackers in leveraging video files distributed over P2P networks, it is only a matter of time. Should patching be impossible, the relevant ActiveX kill bits can be set for IE to at least reduce the number of available vectors. See the Microsoft advisory for specific details.
This vulnerability has been known to the public since Nov 1, 2006, and exploit code has been available since that time. Attacks against this vulnerability have been observed in the wild. All versions of Visual Studio 2005 are affected. The issue is caused by the WMI Object Broker ActiveX control. Therefore, the CLSID kill bit can be set to mitigate this vulnerability pending patch installation, if required. See the Microsoft advisory for more details.
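Both the Windows Media Player and the WMI Object Broker workarounds above come down to the same mechanism: an IE ActiveX kill bit. As an added example (not from the original post or from Microsoft's advisory), the following PowerShell sets and then verifies a kill bit; the CLSID is a placeholder, since the real value comes from the advisory, and it assumes an elevated shell on a host that has PowerShell (the 2006-era systems discussed here would typically get the same key written with reg.exe).

```powershell
# Added example: set and verify an Internet Explorer ActiveX kill bit.
# The CLSID below is a PLACEHOLDER, not a real control; substitute the CLSID
# named in the Microsoft advisory for the control you need to block.
$clsid   = '{00000000-0000-0000-0000-000000000000}'
$base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
# On 64-bit Windows the 32-bit IE reads the same key under SOFTWARE\Wow6432Node.
$key     = Join-Path $base $clsid
$KillBit = 0x400   # Compatibility Flags bit that tells IE never to load the control

# Create the per-CLSID key if it does not exist (needs an elevated shell).
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# Read any flags already present so the kill bit is OR-ed in, not overwritten.
$current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
            -ErrorAction SilentlyContinue).'Compatibility Flags'
if ($null -eq $current) { $current = 0 }

Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -Value ($current -bor $KillBit) -Type DWord

# Verify: the mitigation is only in effect if the bit really is set.
$after = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
if (($after -band $KillBit) -eq $KillBit) {
    'Kill bit set for {0} (Compatibility Flags = 0x{1:X})' -f $clsid, $after
} else {
    throw ('Kill bit NOT set for {0}' -f $clsid)
}
```

The kill bit only stops IE (and hosts that honour IE's compatibility flags) from instantiating the control; it is a stopgap until the patch is installed, not a replacement for it.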
The Remote Installation Service (RIS) allows OS installations to occur over the network. Attackers can upload arbitrary files to a Windows 2000 RIS server via the TFTP service, effectively backdooring any installations performed from that server. RIS is not installed by default. This vulnerability should hopefully be mitigated by general best practices that would disallow connections to the RIS server from any but trusted networks. This is obviously not going to be a concern for the average home user, and the service is not that widely deployed, even in corporate environments.
This is a client-side code execution vulnerability, caused by an unchecked buffer within the Windows Address Book file processing code in Outlook Express. Attackers must entice vulnerable users to open the malformed Windows Address Book file in Outlook Express and, if successful, the attackers are then able to run their code on the target system at the privilege level of the victim user. Note that Outlook is not vulnerable to this issue. This affects Outlook Express 5.5, 6, and 6 SP1.
Windows XP and Server 2003 are susceptible to a local privilege escalation attack. This is due to improper handling of file manifests (XML-based metafiles that describe executables in the same folder). SYSTEM-level privileges can be gained by any local user. Exploits for this issue have not been released to the public.
Well, this is your stop! Hopefully you are already well on your way to having these addressed. Happy patching, and see you in 2007.