Microsoft Patch Tuesday: December 2006
All aboard! Welcome to another ride on the monthly Microsoft patch train. We’ve got quite a few stops this month and most are client-side vulnerabilities, meaning that an end user has to take specific actions (typically by obtaining and then opening hostile content). Unless otherwise stated, the privilege granted to the attacker for all of the below vulnerabilities is the privilege level of the victim user. Most were publicly disclosed for the first time today, but the exceptions are noted. They are listed below in the order of most to least critical for the fabled “typical” network.
This vulnerability seems almost old-fashioned in the modern security landscape – a common buffer overflow in a service. Thankfully, this is not in a default service, but SNMP is a fairly common protocol in corporate environments. However, if best practices are being followed, the SNMP service should not be reachable by anything but trusted networks.
This remote code execution vulnerability is caused by an unchecked buffer in the SNMP service on Windows 2000, XP, and Server 2003. This service is not installed by default. Successful exploitation will result in the complete compromise of the target system, with the attacker’s supplied code running at the SYSTEM privilege level. A working exploit for this vulnerability was released shortly after the patch became available.
This single patch fixes four issues, two of which are rated as severe by both Microsoft and Symantec Security Response. As such, it is an easy winner for the ignominious position at the top of the heap.
Non-existent elements in DHTML scripting can cause IE to execute remotely-supplied code. This can be leveraged against IE 6 and 6 SP1 on Windows XP and Server 2003 systems. An exploit for this issue is available publicly, which is why we rate this vulnerability higher than the other similar issues fixed by this cumulative patch.
A vulnerability in error handling could allow remote Web content to execute arbitrary code in the security context of the browser. Outlook and Outlook Express have default security settings that would make email-based attacks impossible, although those settings can be altered. This affects IE 5, 6, and 6 SP1 running on Windows 2000, XP, and Server 2003 systems. No exploit for this is currently available to the general public.
This is an information disclosure vulnerability only – drag and drop operations on a hostile Web page may reveal information to an attacker, including the system user name and the contents of the Temporary Internet Files folder. While this would not necessarily be a devastating attack on its own, it can be used in information gathering sessions prior to an all out attack, and the information retrieved could certainly aid future attacks. This affects IE 5, 6, and 6 SP1 on Windows 2000, XP, and Server 2003.
This is very similar to the previous issue, but allows the attacker to actually retrieve contents from the TIF location. This also affects IE 5, 6, and 6 SP1 on Windows 2000, XP, and Server 2003.
This patch addresses two vulnerabilities in Windows Media Player, one in ASF file handling, and the other in playlist file handling.
This issue was originally reported on November 22, 2006, and an exploit has been available since that time. This heap overflow vulnerability is the result of improper handling of unexpected protocols specified in URLs referenced in playlist files (.asx format). Windows Media Player 7.1, 8, 9, and 10 are affected as well as Windows Media Format 9.5
This is another client-side code execution vulnerability, caused by an unchecked buffer in the ASF (Advanced Streaming Format) file handling code of Windows Media Player (WMP). ASF files may have the ASF, WMA, or WMV file extensions. The delivery vector could be any method that allows the transfer of these files, such as email, Web, and P2P, because the vulnerability is in the player and associated libraries. Successful exploitation results in the attacker’s code running in the security context of the owner of the WMP process. Affected versions are: Windows Media Player 6.4, 7.1, 9, and 10. Note that Windows Media Format 11 Runtime is not affected by the vulnerability.
Exploits for this issue do not exist yet in the public realm, but given the interest of attackers in leveraging video files distributed over P2P networks, it is only a matter of time. Should patching be impossible, the relevant ActiveX kill bits can be set for IE to at least reduce the number of available vectors. See the Microsoft advisory for specific details.
This vulnerability has been known to the public since Nov 1, 2006, and exploit code has been available since that time. Attacks against this vulnerability have been observed in the wild. All versions of Visual Studio 2005 are affected. The issue is caused by the WMI Object Broker ActiveX control. Therefore, the CLSID kill bit can be set to mitigate this vulnerability pending patch installation, if required. See the Microsoft advisory for more details.
The Remote Installation Service (RIS) allows OS installations to occur over the network. Attackers can upload arbitrary files to a Windows 2000 RIS server via the TFTP service, effectively back dooring any installations performed from that server. RIS is not installed by default. This vulnerability should hopefully be mitigated by general best practices that would disallow connections to the RIS server from any but trusted networks. This is obviously not going to be a concern for the average home user, and the service is not that widely deployed, even in corporate environments.
This is a client-side code execution vulnerability, caused by an unchecked buffer within the Windows Address Book file processing code in Outlook Express. Attackers must entice vulnerable users to open the malformed Windows Address Book file in Outlook Express and if successful, the attackers are then able to run their code on the target system at the privilege level of the victim user. Note that Outlook is not vulnerable to this issue. This affects Outlook Express 5.5, 6, and 6 SP1.
Windows XP and Server 2003 are susceptible to a local privilege escalation attack. This is due to improper handling of file manifests (XML-based metafiles that describe executables in the same folder). SYSTEM-level privileges can be gained by any local user. Exploits for this issue have not been released to the public.
Well, this is your stop! Hopefully you are already well on your way to having these addressed. Happy patching, and see you in 2007.