Well, once again we find ourselves faced with the monthly ritual known as "Microsoft Patch Day”. This time around the ordeal is relatively minor, with only three new items in the bucket. Two of these items could potentially result in attacker-supplied code being run on a target system, but both are reliant on other limiting factors, which greatly reduce the global stress level associated with Patch Tuesday. All items, of course, are still worthy of close inspection by any admin to see if they apply to the machines and networks that they are responsible for.
The first issue we’ll address in this blog is the PGM overflow vulnerability (MS06-052, CVE-2006-3442, BID 19922). This is the most severe of the issues presented this month because it allows an attacker to execute arbitrary code remotely on the affected system. So then, what’s the good news? Well, the affected code is in MSMQ3.0, which is disabled (and not even installed) by default!
We’re always advising people to disable any unneeded services—vendors themselves are no exception. Please note that if you have enabled MSMQ3.0 in your environment, then this does in fact apply to you and you should patch as soon as possible to avoid targeted attacks. Because of the limited target base, we do not expect new malicious propagating code to be built around an exploit for this, but it is still feasible that an attack could be added to any number of modular bots in existence today.
Next on our agenda is the Publisher vulnerability (MS06-054, CVE 2006-001, BID 19951), whereby intentionally malformed .pub files can execute arbitrary code in the context of the Publisher process. To exploit this, an attacker has to get the victim to open the malicious file in a vulnerable version of Publisher (2000, 2002, or 2003—without the provided patch). Publisher is certainly less widespread than Word, but still popular enough that the installation base might make an attractive target to attackers looking to increase their bot size.
The last issue is the Indexing Service XSS bug (MS06-053, CVE-2006-0032, BID 19927). This vulnerability could allow an attacker to run attack script against an IIS server via an established browser session with the permissions of the current user, but only if a number of unlikely conditions are in place. First, the target system has to have been set up with both Indexing Services and IIS. Second, the Indexing service has to be configured to allow Web-based administration via IIS. Finally, the browsing user has to click on the malicious link while they have an active and open administration session to the vulnerable IIS server. Certainly this configuration happens in practice, but once again the target distribution is greatly diminished due to these requirements.
Exploitation of each of these vulnerabilities requires some set of non-default or at least slightly unusual conditions. However, before you write them off as irrelevant, you need to ask yourself some questions. Are you certain that nobody on your network has installed Publisher? Do you know the exact configuration of every Indexing Service/IIS installation on your network? Is it possible that somebody, somewhere, has installed MSMQ3.0? What might be a low-priority release on the hypothetically ‘typical network’ might, in fact, be of grave concern on a specific network. We all know how much users love IT and IS policies and how much work will sometimes go toward subverting them in the name of convenience. As always, make no assumptions of safety and patch as soon as possible, if required.