STANFORD UNIVERSITY

SECURE COMPUTING

Security Alerts

November 15, 2006

Microsoft Releases November 2006 Security Bulletin for Multiple Vulnerabilities

Summary

On November 14, 2006, Microsoft released its monthly security bulletin with the latest security updates for workstations and servers. Among these updates are important patches to correct remote code execution vulnerabilities in DirectAnimation ActiveX controls and HTML Rendering (Internet Explorer), Microsoft Agent, Macromedia Flash Player, Workstation Service, and Microsoft XML Core Services. In addition, there is one critical update to correct remote execution vulnerabilities in the Client Service for Netware. Of particular urgency is the Workstation Service vulnerability (MS06-070), as an exploit can quickly proliferate from the Internet via TCP ports 139 and 445. It is important that Windows computers be patched immediately for this vulnerability. The Microsoft bulletin lists six (6) security vulnerabilities, with five (5) listed as critical and one (1) listed as important. The affected operating system platforms are:

* Windows Server 2003
* Windows XP
* Windows 2000 SP4

It is imperative that patches with critical and important designations be applied, because remote execution vulnerabilities can allow complete compromise and control of systems by attackers on campus or on the Internet. The Workstation Service patch (MS06-070) is to be applied immediately because the potential exists for an exploit to proliferate quickly to campus computers via the Internet. Details are in the Technical Details section of this post.

What to Do

Windows users can manually use "Windows Update" to download and install the current operating system patches. Additionally, it is recommended that all Windows machines have an automated patch management solution installed and configured on their system. Stanford provides BigFix to automatically patch Windows machines; it is available at http://patching.stanford.edu. A customized update will be delivered to workstations and servers via BigFix if you subscribed to this service. The BigFix deliverable includes all of the patches of this bulletin and will include the Client for Netware Service patch to protect Netware clients that are still being used on campus. Individual updates can be downloaded by going to the Summary section of this Microsoft website. Please remember to reboot your machine after patching manually, or when prompted to do so by Windows Update or by your BigFix administrator. Most patches do not take effect until after a reboot.

Technical Details

It is important that all patches designated as critical or important be applied. The patches for the vulnerabilities are listed as follows, and will all be delivered via BigFix:

Critical (5):

* Microsoft Security Bulletin MS06-067
Cumulative Security Update for Internet Explorer (922760)

DirectAnimation ActiveX Controls Memory Corruption Vulnerabilities - CVE-2006-4446 and CVE-2006-4777:
Remote code execution vulnerabilities exist in DirectAnimation ActiveX controls that could be exploited if the ActiveX controls are passed unexpected data. An attacker could exploit these vulnerabilities by constructing a specially crafted Web page that could potentially allow remote code execution if a user visited the specially crafted Web page. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system.

HTML Rendering Memory Corruption Vulnerability - CVE-2006-4687:
A remote code execution vulnerability exists in the way Internet Explorer interprets HTML with certain layout combinations. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

* Microsoft Security Bulletin MS06-068
Vulnerability in Microsoft Agent Could Allow Remote Code Execution (920213)

Microsoft Agent Memory Corruption Vulnerability - CVE-2006-3445:
There is a remote code execution vulnerability in the way that Microsoft Agent handles specially crafted .ACF files. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

* Microsoft Security Bulletin MS06-069
Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (923789)

Macromedia Flash Player Vulnerabilities - CVE-2006-3311, CVE-2006-3014, CVE-2006-3587, CVE-2006-3588, CVE-2006-4640:
Several remote code execution vulnerabilities exist in Macromedia Flash Player from Adobe because of the way that it handles Flash Animation (SWF) files. An attacker could exploit these vulnerabilities by constructing a specially crafted Flash Animation (SWF) file that could potentially allow remote code execution if a user visited a Web site containing the specially crafted SWF file. The specially crafted SWF file could also be sent as an e-mail attachment. A user would only be at risk if opening this e-mail attachment. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system.

* Microsoft Security Bulletin MS06-070
Vulnerability in Workstation Service Could Allow Remote Code Execution (924270)

Workstation Service Memory Corruption Vulnerability - CVE-2006-4691:
A remote code execution vulnerability exists in the Workstation service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. An attacker can exploit this vulnerability through TCP ports 139 and 445 directly from the Internet. The vulnerability is from an unchecked buffer in the Workstation service. Both local file system requests and remote file or print network requests are routed through the Workstation service. This service determines where the resource is located and then routes the request to the local file system or to the networking components. When the Workstation service is stopped, all requests are assumed to be local requests. An attacker could try to exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. The message could then cause the affected system to execute code. Systems running Windows 2000 Service Pack 4 and Windows XP Service Pack 2 are primarily at risk from this vulnerability.

* Microsoft Security Bulletin MS06-071
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (928088)

Microsoft XML Core Services Vulnerability - CVE-2006-5745:
A vulnerability exists in the XMLHTTP ActiveX control within Microsoft XML Core Services that could allow for remote code execution. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user visited that page or clicked a link in an e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, user interaction is required to exploit this vulnerability.

Important (1):

* Microsoft Security Bulletin MS06-066
Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution (923980)

Client Service for NetWare Memory Corruption Vulnerability - CVE-2006-4688:
There is a remote code execution vulnerability in Client Service for NetWare (CSNW) that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.

NetWare Driver Denial of Service Vulnerability - CVE-2006-4689:
A denial of service vulnerability exists in Client Service for NetWare (CSNW) that could allow an attacker to send a specially crafted network message to an affected system running the Client Service for NetWare service. An attacker could cause the system to stop responding.
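
An added example (not part of the original alert, and not Stanford or BigFix tooling): a small audit that checks a host inventory against the KB numbers listed above and ranks hosts for remediation, putting machines that lack the MS06-070 patch and have TCP 139 or 445 open first. The CSV layout, host names, and tier numbering are assumptions constructed for illustration.

```python
import csv
import io
import re

# Bulletin -> (KB number, severity), exactly as listed in this alert.
BULLETINS = {
    "MS06-066": ("923980", "Important"),
    "MS06-067": ("922760", "Critical"),
    "MS06-068": ("920213", "Critical"),
    "MS06-069": ("923789", "Critical"),
    "MS06-070": ("924270", "Critical"),
    "MS06-071": ("928088", "Critical"),
}
SMB_PORTS = {139, 445}  # TCP ports the alert names for MS06-070

# Constructed sample inventory (hypothetical hosts and CSV layout).
SAMPLE_INVENTORY = """host,installed_kbs,open_tcp_ports
lab-ws-01,KB922760;KB920213;KB923789;KB924270;KB928088;KB923980,139;445
lab-ws-02,KB922760;KB923789,139;445
lab-srv-03,KB924270;KB928088,80
lab-ws-04,KB922760;KB920213;KB923789;KB928088;KB923980,
lab-ws-05,KB922760;KB920213;KB923789;KB924270;KB928088,445
"""

def parse_inventory(text):
    # Returns {host: (set of installed KB numbers, set of open TCP ports)}.
    hosts = {}
    for row in csv.DictReader(io.StringIO(text)):
        kbs = set(re.findall(r"KB(\d+)", row["installed_kbs"] or "", re.I))
        ports = {int(p) for p in re.findall(r"\d+", row["open_tcp_ports"] or "")}
        hosts[row["host"]] = (kbs, ports)
    return hosts

def audit(hosts):
    # Returns sorted (tier, host, missing bulletins); lower tier = patch first.
    findings = []
    for host, (kbs, ports) in hosts.items():
        missing = sorted(b for b, (kb, _) in BULLETINS.items() if kb not in kbs)
        if not missing:
            continue  # fully patched for this bulletin cycle
        if "MS06-070" in missing and ports & SMB_PORTS:
            tier = 0  # Workstation Service unpatched and 139/445 open
        elif any(BULLETINS[b][1] == "Critical" for b in missing):
            tier = 1  # at least one critical patch missing
        else:
            tier = 2  # only the important-rated patch missing
        findings.append((tier, host, missing))
    return sorted(findings)

if __name__ == "__main__":
    for tier, host, missing in audit(parse_inventory(SAMPLE_INVENTORY)):
        print(f"tier {tier}  {host:<11} missing: {', '.join(missing)}")
```
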

Affected Platforms and Applications:

* Windows Server 2003 Service Pack 1
* Windows Server 2003
* Windows Server 2003 with SP1 for Itanium-based Systems
* Windows Server 2003 for Itanium-based Systems
* Windows Server 2003 x64 Edition
* Windows XP Service Pack 2
* Windows XP Professional x64 Edition
* Windows 2000 Service Pack 4

* Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4
* Internet Explorer 6 Service Pack 1 on Windows 2000 Service Pack 4
* Internet Explorer 6 for Windows XP Service Pack 2
* Internet Explorer 6 for Windows XP Professional x64 Edition
* Internet Explorer 6 for Windows Server 2003 and Windows Server 2003 Service Pack 1
* Internet Explorer 6 for Windows Server 2003 for Itanium-based Systems and Windows Server 2003 with SP1 for Itanium-based Systems
* Internet Explorer 6 for Windows Server 2003 x64 Edition
* Microsoft XML Core Services 4.0
* Microsoft XML Core Services 6.0

References

Detailed information about specific affected platforms and applications can be found at:
http://www.microsoft.com/technet/security/bulletin/ms06-nov.mspx


Last modified Monday, 08-Oct-2007 04:34:17 PM
