
Microsoft Patch Tuesday: December 2006

Created: 12 Dec 2006 08:00:00 GMT • Updated: 23 Jan 2014 18:54:33 GMT
Ben Greenbaum

All aboard! Welcome to another ride on the monthly Microsoft patch train. We’ve got quite a few stops this month and most are client-side vulnerabilities, meaning that an end user has to take specific actions (typically by obtaining and then opening hostile content). Unless otherwise stated, the privilege granted to the attacker for all of the below vulnerabilities is the privilege level of the victim user. Most were publicly disclosed for the first time today, but the exceptions are noted. They are listed below in the order of most to least critical for the fabled “typical” network.

Vulnerability in SNMP Could Allow Remote Code Execution MS06-074 / KB926247

This vulnerability seems almost old-fashioned in the modern security landscape – a common buffer overflow in a service. Thankfully, this is not in a default service, but SNMP is a fairly common protocol in corporate environments. However, if best practices are being followed, the SNMP service should not be reachable by anything but trusted networks.

Microsoft Windows SNMP Service Remote Code Execution Vulnerability CVE-2006-5583; BID 21537
Microsoft Rating: Important; Symantec Rating: 10/10

This remote code execution vulnerability is caused by an unchecked buffer in the SNMP service on Windows 2000, XP, and Server 2003. This service is not installed by default. Successful exploitation will result in the complete compromise of the target system, with the attacker’s supplied code running at the SYSTEM privilege level. A working exploit for this vulnerability was released shortly after the patch became available.

Cumulative Security Update for Internet Explorer MS06-072 / KB925454

This single patch fixes four issues, two of which are rated as severe by both Microsoft and Symantec Security Response. As such, it is an easy winner for the ignominious position at the top of the heap.

Microsoft Internet Explorer DHTML Script Function Remote Code Vulnerability
CVE-2006-5581; BID 21546
Microsoft Rating: Critical; Symantec Rating: 9/10

Non-existent elements in DHTML scripting can cause IE to execute remotely-supplied code. This can be leveraged against IE 6 and 6 SP1 on Windows XP and Server 2003 systems. An exploit for this issue is available publicly, which is why we rate this vulnerability higher than the other similar issues fixed by this cumulative patch.

Microsoft Internet Explorer Script Error Handling Remote Code Execution Vulnerability
CVE-2006-5579; BID 21552
Microsoft Rating: Critical; Symantec Rating: 7/10

A vulnerability in error handling could allow remote Web content to execute arbitrary code in the security context of the browser. Outlook and Outlook Express have default security settings that would make email-based attacks impossible, although those settings can be altered. This affects IE 5, 6, and 6 SP1 running on Windows 2000, XP, and Server 2003 systems. No exploit for this is currently available to the general public.

Microsoft Internet Explorer Drag and Drop TIF Folder Information Disclosure Vulnerability
CVE-2006-5578; BID 21494
Microsoft Rating: Important; Symantec Rating: 6/10

This is an information disclosure vulnerability only – drag and drop operations on a hostile Web page may reveal information to an attacker, including the system user name and the contents of the Temporary Internet Files folder. While this would not necessarily be a devastating attack on its own, it can be used in information gathering sessions prior to an all-out attack, and the information retrieved could certainly aid future attacks. This affects IE 5, 6, and 6 SP1 on Windows 2000, XP, and Server 2003.

Microsoft Internet Explorer Object Tag TIF Folder Information Disclosure Vulnerability
CVE-2006-5577; BID 21507
Microsoft Rating: Moderate; Symantec Rating: 6/10

This is very similar to the previous issue, but allows the attacker to actually retrieve contents from the TIF location. This also affects IE 5, 6, and 6 SP1 on Windows 2000, XP, and Server 2003.

Vulnerability in Windows Media Player Could Allow Remote Code Execution MS06-078 / KB923689

This patch addresses two vulnerabilities in Windows Media Player, one in ASF file handling, and the other in playlist file handling.

Windows Media Player ASX PlayList File Heap Overflow Vulnerability
CVE-2006-6134; BID 21247
Microsoft Rating: Critical; Symantec Rating: 9/10

This issue was originally reported on November 22, 2006, and an exploit has been available since that time. This heap overflow vulnerability is the result of improper handling of unexpected protocols specified in URLs referenced in playlist files (.asx format). Windows Media Player 7.1, 8, 9, and 10 are affected, as well as Windows Media Format 9.5.

Windows Media Player Remote ASF File Buffer Overflow Vulnerability
CVE-2006-4702; BID 21505
Microsoft Rating: Critical; Symantec Rating: 7/10

This is another client-side code execution vulnerability, caused by an unchecked buffer in the ASF (Advanced Streaming Format) file handling code of Windows Media Player (WMP). ASF files may have the ASF, WMA, or WMV file extensions. The delivery vector could be any method that allows the transfer of these files, such as email, Web, and P2P, because the vulnerability is in the player and associated libraries. Successful exploitation results in the attacker’s code running in the security context of the owner of the WMP process. Affected versions are: Windows Media Player 6.4, 7.1, 9, and 10. Note that Windows Media Format 11 Runtime is not affected by the vulnerability.

Exploits for this issue do not exist yet in the public realm, but given the interest of attackers in leveraging video files distributed over P2P networks, it is only a matter of time. Should patching be impossible, the relevant ActiveX kill bits can be set for IE to at least reduce the number of available vectors. See the Microsoft advisory for specific details.

Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution MS06-073 / KB925674

Microsoft Visual Studio 2005 WMI Object Broker Remote Code Execution Vulnerability
CVE-2006-4704; BID 20843
Microsoft Rating: Critical; Symantec Rating: 9/10

This vulnerability has been known to the public since Nov 1, 2006, and exploit code has been available since that time. Attacks against this vulnerability have been observed in the wild. All versions of Visual Studio 2005 are affected. The issue is caused by the WMI Object Broker ActiveX control. Therefore, the CLSID kill bit can be set to mitigate this vulnerability pending patch installation, if required. See the Microsoft advisory for more details.
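Both the Windows Media Player ASF issue above and this WMI Object Broker issue can be mitigated pending patching by setting an ActiveX kill bit, as the text notes. The following is an added example, not code from the original post or from Microsoft: it sets the kill bit (the 0x400 flag in the "Compatibility Flags" value under the ActiveX Compatibility registry key) for one CLSID and verifies it. The CLSID shown is a placeholder; the real CLSIDs are listed in the respective Microsoft advisories.

```powershell
# Added example: set and verify an IE ActiveX kill bit for a given CLSID.
# The kill bit is bit 0x400 of the REG_DWORD "Compatibility Flags" stored under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# On 64-bit Windows, 32-bit IE reads the same key under SOFTWARE\Wow6432Node.

# PLACEHOLDER CLSID: replace with the control's CLSID from the Microsoft advisory.
$Clsid   = '{00000000-0000-0000-0000-000000000000}'
$KillBit = 0x400
$KeyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Set-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Create the per-CLSID key if it does not exist yet.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    # Read any flags already present so we OR in the kill bit rather than overwrite them.
    $existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }

    $newFlags = $existing -bor $KillBit
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -PropertyType DWord `
                     -Value $newFlags -Force | Out-Null
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Path)

    # True only if the key exists and the 0x400 bit is set in Compatibility Flags.
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

# Run from an elevated prompt; HKLM writes require administrative rights.
Set-ActiveXKillBit -Path $KeyPath
if (Test-ActiveXKillBit -Path $KeyPath) {
    Write-Output "Kill bit is set for $Clsid"
} else {
    Write-Output "Kill bit is NOT set for $Clsid"
}
```

Test-ActiveXKillBit is also useful on its own for auditing whether a fleet of machines has the mitigation in place before the patch is rolled out.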

Vulnerability in Remote Installation Service Could Allow Remote Code Execution MS06-077 / KB926121

Microsoft Windows 2000 Remote Installation Service Remote Code Execution Vulnerability
CVE-2006-5584; BID 21495
Microsoft Rating: Important; Symantec Rating: 8/10

The Remote Installation Service (RIS) allows OS installations to occur over the network. Attackers can upload arbitrary files to a Windows 2000 RIS server via the TFTP service, effectively backdooring any installations performed from that server. RIS is not installed by default. This vulnerability should hopefully be mitigated by general best practices that would disallow connections to the RIS server from any but trusted networks. This is obviously not going to be a concern for the average home user, and the service is not that widely deployed, even in corporate environments.

Cumulative Security Update for Outlook Express MS06-076 / KB923694

This cumulative update only patches one new vulnerability, but also includes the patches released as MS06-016 and MS06-043.

Microsoft Outlook Express Windows Address Book Contact Record Remote Code Execution Vulnerability
CVE-2006-2386; BID 21501
Microsoft Rating: Important; Symantec Rating: 7/10

This is a client-side code execution vulnerability, caused by an unchecked buffer within the Windows Address Book file processing code in Outlook Express. Attackers must entice vulnerable users to open the malformed Windows Address Book file in Outlook Express; if successful, the attackers are then able to run their code on the target system at the privilege level of the victim user. Note that Outlook is not vulnerable to this issue. This affects Outlook Express 5.5, 6, and 6 SP1.

Vulnerability in Windows Could Allow Elevation of Privilege MS06-075 / KB926255

Microsoft Windows Manifest File Privilege Escalation Vulnerability
CVE-2006-5585; BID 21550
Microsoft Rating: Important; Symantec Rating: 7/10

Windows XP and Server 2003 are susceptible to a local privilege escalation attack. This is due to improper handling of file manifests (XML-based metafiles that describe executables in the same folder). SYSTEM-level privileges can be gained by any local user. Exploits for this issue have not been released to the public.

Well, this is your stop! Hopefully you are already well on your way to having these addressed. Happy patching, and see you in 2007.