STANFORD UNIVERSITY

SECURE COMPUTING

Security Alerts

August 8, 2006

Microsoft Releases August 2006 Security Bulletin for Multiple Vulnerabilities

Summary

On August 8, 2006, Microsoft released its monthly security bulletin with the latest security updates for workstations and servers. Among these updates are important patches to correct remote code execution vulnerabilities in the Server Service, Windows kernel, DNS and Winsock, Internet Explorer, MMC, Windows Explorer, and parsing of the MHTML protocol (Outlook Express 6). In addition, there are updates to correct remote code execution vulnerabilities in the Microsoft Office products PowerPoint and Visual Basic.

Of particular urgency is the Server Service vulnerability (MS06-040), as an exploit can quickly proliferate from the Internet via TCP ports 139 and 445. Microsoft has notified Stanford University of the existence of such an exploit, and it is important that Windows computers be patched immediately for this vulnerability.

The Microsoft bulletin lists twelve (12) security vulnerabilities, with nine (9) listed as critical and three (3) listed as important. The affected operating system platforms are:

* Windows Server 2003
* Windows XP
* Windows 2000 SP4

It is imperative that patches with critical and important designations be applied, due to the serious nature of remote code execution vulnerabilities, which can allow complete compromise and control of systems by attacks originating from within campus and from the Internet. The Server Service patch (MS06-040) is to be applied immediately because an exploit already exists and can proliferate quickly via the Internet. Details are in the Technical Details section of this post.

What to Do

Windows users can manually use "Windows Update" to download and install the current operating system patches. Additionally, it is recommended that all Windows machines have an automated patch management solution installed and configured. Stanford provides BigFix to automatically patch Windows machines; it is available at http://patching.stanford.edu. A customized update will be delivered to workstations and servers via BigFix if you have subscribed to this service. The BigFix deliverable includes all of the patches in this bulletin except for the two (2) updates involving Microsoft Office and Visual Basic (MS06-047, MS06-048). Console Operators are to perform these Microsoft Office and Visual Basic updates manually. Individual updates can be downloaded by going to the Summary section of this Microsoft website. Please remember to reboot your machine after patching manually, or when prompted to do so by Windows Update or by your BigFix administrator. Most patches do not take effect until after a reboot.

Technical Details

It is important that all patches designated as critical or important be applied. The patches for the vulnerabilities are listed as follows; those marked with an asterisk (*) are delivered via BigFix:

Critical (9):

* Microsoft Security Bulletin MS06-040
Vulnerability in Server Service Could Allow Remote Code Execution (921883)

This update resolves two vulnerabilities in the Server service, the most serious of which could allow remote code execution. A potential exploit (or worm) can proliferate via TCP ports 139 and 445.

* Microsoft Security Bulletin MS06-041
Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683)

This update resolves several vulnerabilities in the DNS and Winsock layers that could allow remote code execution.

DNS Vulnerability:
Exploitable via an unchecked buffer in the DNS client layer.
An attacker who successfully exploited this vulnerability could take complete control of the affected system. An anonymous user could exploit the vulnerability by sending a specially crafted DNS communication to an affected client. For an attack to be successful the attacker would either have to be on a subnet between the host and the DNS server or force the target host to make a DNS request to receive a specially crafted record response from an attacking server. An attacker could try to exploit this vulnerability over the Internet. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet.

Winsock Vulnerability:
Exploitable via an unchecked buffer in the Winsock API.
An attacker who successfully exploited this vulnerability could take complete control of the affected system. This vulnerability could be exploited by an attacker who persuaded a user to open a specially crafted file or view a specially crafted website. There is no way for an attacker to force a user to open a specially crafted file, except potentially through previewing an e-mail message. Additionally, if an application uses the affected API it is possible that it could be exploited during regular usage scenarios that may not require user action. The update removes the vulnerability by modifying the way that the affected function validates the message before it passes the message to the allocated buffer.

* Microsoft Security Bulletin MS06-042
Cumulative Security Update for Internet Explorer (918899)

This update resolves several vulnerabilities in Internet Explorer that could allow remote code execution.

* Microsoft Security Bulletin MS06-043
Vulnerability in Microsoft Windows Could Allow Remote Code Execution (920214)

This update resolves a problem in Outlook Express involving a parsing vulnerability of the MHTML protocol that could allow remote code execution.

An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially lead to remote code execution if a user visited a specially crafted Web site or clicked a link in a specially crafted e-mail message. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights. In a Web-based attack scenario, an attacker could host a specially crafted Web site or HTML e-mail message that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site or HTML e-mail message. This can also include Web sites that accept user-provided content or advertisements, Web sites that host user-provided content or advertisements, and compromised Web sites. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

* Microsoft Security Bulletin MS06-044
Vulnerability in Microsoft Management Console (MMC) Could Allow Remote Code Execution (917008)

This update resolves a vulnerability in the Microsoft Management Console that could allow remote code execution.

* Microsoft Security Bulletin MS06-046
Vulnerability in HTML Help Could Allow Remote Code Execution (922616)

This update resolves several vulnerabilities in HTML Help that could allow remote code execution.

- Microsoft Security Bulletin MS06-047
Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (921645)

This update resolves a vulnerability in Visual Basic for Applications that could allow remote code execution.

- Microsoft Security Bulletin MS06-048
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922968)

This update resolves two vulnerabilities in PowerPoint that could allow remote code execution.

* Microsoft Security Bulletin MS06-051
Vulnerability in Windows Kernel Could Result in Remote Code Execution (917422)

This update resolves several vulnerabilities in the Windows kernel that could allow remote code execution.

This update focuses on two main vulnerabilities:
- CVE-2006-3443: The User Profile Elevation of Privilege - LOCAL
- CVE-2006-3648: The Unhandled Exception - REMOTE

If either of them is successfully exploited, the attacker can gain complete control of the affected system.

Important (3):

* Microsoft Security Bulletin MS06-045
Vulnerability in Windows Explorer Could Allow Remote Code Execution (921398)

This update resolves a vulnerability in Windows Explorer that could allow remote code execution.

* Microsoft Security Bulletin MS06-049
Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958)

This update resolves several vulnerabilities in the Windows kernel that could allow elevation of privilege.

* Microsoft Security Bulletin MS06-050
Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution (920670)

This update resolves two vulnerabilities in the hyperlink object library that could allow remote code execution. User interaction is required for an attacker to exploit these vulnerabilities.
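As an added example (not part of the original alert and not Stanford, BigFix or Microsoft tooling), the Python below checks a host's hotfix inventory text against the KB numbers in the bulletin list above, keeping MS06-040 first and separating out the two updates the alert says must be applied manually. It assumes the inventory is plain text containing `KB` identifiers and that the Office and Visual Basic updates are not recorded in the operating system's hotfix list; the sample inventory is constructed.

```python
import re

# (bulletin, KB, severity, delivered via BigFix) as listed in this alert; MS06-040 first.
BULLETINS = [
    ("MS06-040", "921883", "critical", True),
    ("MS06-041", "920683", "critical", True),
    ("MS06-042", "918899", "critical", True),
    ("MS06-043", "920214", "critical", True),
    ("MS06-044", "917008", "critical", True),
    ("MS06-046", "922616", "critical", True),
    ("MS06-047", "921645", "critical", False),  # manual: Visual Basic for Applications
    ("MS06-048", "922968", "critical", False),  # manual: Microsoft Office
    ("MS06-051", "917422", "critical", True),
    ("MS06-045", "921398", "important", True),
    ("MS06-049", "920958", "important", True),
    ("MS06-050", "920670", "important", True),
]
KB_RE = re.compile(r"\bKB(\d{6,7})\b", re.IGNORECASE)


def audit(inventory_text):
    """Split the alert's updates into installed / missing / verify_manually."""
    have = set(KB_RE.findall(inventory_text))
    report = {"installed": [], "missing": [], "verify_manually": []}
    for bulletin, kb, severity, via_bigfix in BULLETINS:
        if kb in have:
            report["installed"].append(bulletin)
        elif via_bigfix:
            # Absent from the inventory: unpatched, or not applicable to this platform.
            report["missing"].append((bulletin, "KB" + kb, severity))
        else:
            # Assumption: application updates do not appear in the OS hotfix list.
            report["verify_manually"].append((bulletin, "KB" + kb, severity))
    return report


# Constructed sample inventory (not from a real host).
SAMPLE = """HotFixID     Description
KB918899     Security Update
KB920683     Security Update
KB917422-v2  Security Update
kb920214     Security Update
"""

if __name__ == "__main__":
    for key, items in audit(SAMPLE).items():
        print(key, items)
```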

The following operating systems and applications are affected by this Microsoft security bulletin:

Windows Server 2003 Service Pack 1
Windows Server 2003
Windows Server 2003 with SP1 for Itanium-based Systems
Windows Server 2003 for Itanium-based Systems
Windows Server 2003 x64 Edition
Windows XP Service Pack 2
Windows XP Service Pack 1
Windows XP Professional x64 Edition
Windows 2000 Service Pack 4

Outlook Express 6 for Windows Server 2003 Service Pack 1
Outlook Express 6 for Windows Server 2003 with SP1 for Itanium-based Systems
Outlook Express 6 for Windows Server 2003 x64 Edition
Outlook Express 6 for Windows XP Service Pack 2
Outlook Express 6 for Windows XP Professional x64 Edition
Office 2003 Service Pack 2 and Office 2003 Service Pack 1
Office XP Service Pack 3
Project 2002 Service Pack 1
Visio 2002 Service Pack 2
Office 2000 Service Pack 3
Access 2000 Runtime Service Pack 3
Project 2000 Service Release 1
Works Suite 2006
Works Suite 2005
Works Suite 2004
Microsoft Visual Basic for Applications SDK 6.4
Microsoft Visual Basic for Applications SDK 6.3
Microsoft Visual Basic for Applications SDK 6.2
Microsoft Visual Basic for Applications SDK 6.0
Microsoft Office v. X for Mac
Microsoft Office 2004 for Mac

References

Detailed information about specific affected platforms and applications can be found at:
http://www.microsoft.com/technet/security/bulletin/ms06-aug.mspx


Last modified Monday, 08-Oct-2007 04:34:17 PM
