STANFORD UNIVERSITY

SECURE COMPUTING

Security Alerts

December 12, 2006

Microsoft Releases December 2006 Security Bulletin for Multiple Vulnerabilities

Summary

On December 12, 2006, Microsoft released its monthly security bulletin with the latest security updates for workstations and servers. Among these updates are critical patches to correct remote code execution vulnerabilities in the Internet Explorer web browser, SNMP service, Windows Media format, and the Outlook Express client. The potential exists for the SNMP vulnerability to be exploited remotely from the Internet via port 161. The Microsoft bulletin lists seven (7) security vulnerabilities, with three (3) listed as critical and four (4) listed as important. All of these patches should be applied. The affected operating system platforms are:

* Windows Server 2003
* Windows XP
* Windows 2000 SP4

It is imperative that patches with critical and important designations be applied, due to the serious nature of remote execution vulnerabilities, which can allow complete compromise and control of systems by attacks originating from within campus and from the Internet. All of these patches will be delivered via BigFix, except for the Visual Studio 2005 patch (MS06-073), which may require manual patching as of this writing. Details are in the Technical Details section of this post.

What to Do

Windows users can manually use "Windows Update" to download and install the current operating system patches. Additionally, it is recommended that all Windows machines have an automated patch management solution installed and configured on their system. Stanford provides BigFix to automatically patch Windows machines; it is available at http://patching.stanford.edu. A customized update will be delivered to workstations and servers via BigFix if you subscribed to this service. The BigFix deliverable includes all of the patches of this bulletin, except for the Visual Studio 2005 patch (MS06-073) which is undergoing a feasibility study by campus BigFix administrators about ways of optimizing delivery of this patch. Individual updates can be downloaded by going to the Summary section of this Microsoft website. Please remember to reboot your machine after patching manually, or when prompted to do so by Windows Update or by your BigFix administrator. Most patches do not take effect until after a reboot.

Technical Details

It is important that all patches designated as critical or important be applied. The patches for the vulnerabilities are listed as follows; those marked with an * are delivered via BigFix:

Critical (3)

*Microsoft Security Bulletin MS06-072
Cumulative Security Update for Internet Explorer (925454)
This update resolves vulnerabilities in Internet Explorer that could allow remote code execution.

Script Error Handling Memory Corruption Vulnerability - CVE-2006-5579:
A remote code execution vulnerability exists in Internet Explorer due to attempts to access previously freed memory when handling script errors in certain situations. An attacker could exploit the vulnerability by constructing a specially crafted Web page. If a user viewed the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

DHTML Script Function Memory Corruption Vulnerability - CVE-2006-5581:
A remote code execution vulnerability exists in the way Internet Explorer interprets certain DHTML script function calls to incorrectly created elements. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

TIF Folder Information Disclosure Vulnerability - CVE-2006-5577:
An information disclosure vulnerability exists in Internet Explorer in certain scenarios where the path to the cached content in the TIF folder could be disclosed. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow for information disclosure if a user viewed the Web page. An attacker who successfully exploited this vulnerability would be able to retrieve files from the Temporary Internet Files (TIF) folder on a user’s system. However, user interaction is required to exploit this vulnerability.

TIF Folder Information Disclosure Vulnerability - CVE-2006-5578:
An information disclosure vulnerability exists in Internet Explorer in the way that drag and drop operations are handled in certain situations. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow for information disclosure if a user viewed and interacted with the Web page. An attacker who successfully exploited this vulnerability would be able to retrieve files from the Temporary Internet Files (TIF) folder on a user’s system.

Microsoft Security Bulletin MS06-073
Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution (925674)
This update resolves a vulnerability in Visual Studio 2005 that could allow remote code execution.

WMI Object Broker Vulnerability - CVE-2006-4704:
A remote code execution vulnerability exists in the WMI Object Broker control that the WMI Wizard uses in Visual Studio 2005. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

*Microsoft Security Bulletin MS06-078
Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689)
This update resolves a vulnerability in Windows Media Player that could allow remote code execution.

Windows Media Format ASF Parsing Vulnerability - CVE-2006-4702:
A remote code execution vulnerability exists in Windows Media Format Runtime due to the way it handles Advanced Systems Format (ASF) files. An attacker could exploit the vulnerability by constructing specially crafted Windows Media Player content that could potentially allow remote code execution if a user visits a malicious Web site or opens an e-mail message with malicious content.

Windows Media Format ASX Parsing Vulnerability - CVE-2006-6134:
A remote code execution vulnerability exists in Windows Media Format Runtime due to the way it handles certain elements contained in Advanced Stream Redirector (ASX) files. An attacker could exploit the vulnerability by constructing a specially crafted ASX file that could allow remote code execution if a user visits a malicious Web site, where specially crafted ASX files are used to launch Windows Media player, or if a user clicks on a URL pointing to a specially crafted ASX file.

Important (4)

*Microsoft Security Bulletin MS06-074
Vulnerability in SNMP Could Allow Remote Code Execution (926247)
This update resolves a vulnerability in Simple Network Management Protocol (SNMP) that could allow remote code execution. The SNMP service is not installed by default in any supported version of Windows.

SNMP Memory Corruption Vulnerability - CVE-2006-5583:
A remote code execution vulnerability exists in SNMP Service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.

*Microsoft Security Bulletin MS06-075
Vulnerability in Windows Could Allow Elevation of Privilege (926255)
A vulnerability exists in Windows that could allow elevation of privilege on an affected system. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

File Manifest Corruption Vulnerability - CVE-2006-5585:
A privilege elevation vulnerability exists in the way that Microsoft Windows starts applications with specially crafted file manifests.

*Microsoft Security Bulletin MS06-076
Cumulative Security Update for Outlook Express (923694)
This update resolves a vulnerability in Outlook Express that could allow remote code execution. User interaction is required for an attacker to exploit this vulnerability.

Windows Address Book Contact Record Vulnerability - CVE-2006-2386:
A remote code execution vulnerability in a component of Outlook Express could allow an attacker who sent a Windows Address Book file to a user of an affected system to take complete control of the system. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

*Microsoft Security Bulletin MS06-077
Vulnerability in Remote Installation Service Could Allow Remote Code Execution (926121)
This update resolves a vulnerability in Remote Installation Service (RIS) that could allow remote code execution. RIS is not installed by default.

RIS Writable Path Vulnerability - CVE-2006-5584:
The Remote Installation Service enables a TFTP service on the server which by default could allow an anonymous user to potentially overwrite existing operating system files or upload a specially crafted file. This could allow an attacker to compromise operating system installs offered by the RIS server.
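To confirm that the patches listed above actually landed, the following added example (not Stanford's or Microsoft's code) audits a hotfix inventory against the bulletin and KB numbers on this page. The inventory format, host names and the component labels `SNMP`, `RIS` and `VS2005` are assumptions made for the example, and every host is assumed to run one of the affected Windows platforms.

```python
import csv
import io

# (bulletin, KB, severity, delivered via BigFix, required component) as listed on this page.
# The component labels "SNMP", "RIS" and "VS2005" are assumed for this example.
BULLETINS = [
    ("MS06-072", "925454", "critical", True, None),
    ("MS06-073", "925674", "critical", False, "VS2005"),
    ("MS06-078", "923689", "critical", True, None),
    ("MS06-074", "926247", "important", True, "SNMP"),
    ("MS06-075", "926255", "important", True, None),
    ("MS06-076", "923694", "important", True, None),
    ("MS06-077", "926121", "important", True, "RIS"),
]

# Constructed sample inventory (hypothetical hosts and export format).
SAMPLE = """host,installed_kbs,components
ws-01,KB925454;KB923689;KB926255;KB923694,
dev-02,925454;923689;926255;923694,VS2005
srv-03,KB925454;KB923689;KB926255,SNMP;RIS
"""


def _split(field):
    """Split a semicolon-separated field into a set of upper-cased items."""
    return {item.strip().upper() for item in field.split(";") if item.strip()}


def audit(inventory_csv):
    """Return {host: [(bulletin, kb, severity, action), ...]} for missing patches."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        # Accept both "KB925454" and "925454" in the inventory.
        installed = {kb.removeprefix("KB") for kb in _split(row["installed_kbs"])}
        components = _split(row["components"])
        missing = []
        for bulletin, kb, severity, bigfix, component in BULLETINS:
            if component and component not in components:
                continue  # optional component absent, so the bulletin does not apply
            if kb not in installed:
                action = "BigFix or Windows Update" if bigfix else "manual patch"
                missing.append((bulletin, kb, severity, action))
        report[row["host"]] = missing  # critical entries come first (table order)
    return report


if __name__ == "__main__":
    for host, missing in audit(SAMPLE).items():
        print(host, "compliant" if not missing else missing)
```

Hosts that report SNMP as installed and still lack 926247 are the ones to prioritize, given the port 161 exposure noted in the Summary.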

Affected Platforms and Applications:

Windows 2000 Service Pack 4
Windows XP Service Pack 2
Windows Server 2003 x64 Edition
Windows Server 2003
Windows Server 2003 Service Pack 1
Windows Server 2003 for Itanium-based Systems
Windows Server 2003 with SP1 for Itanium-based Systems
Windows XP Professional x64 Edition

Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4
Internet Explorer 6 Service Pack 1 when installed on Windows 2000 Service Pack 4
Internet Explorer 6 for Windows XP Service Pack 2
Internet Explorer 6 for Windows XP Professional x64 Edition
Internet Explorer 6 for Windows Server 2003 and Windows Server 2003 Service Pack 1
Internet Explorer 6 for Windows Server 2003 for Itanium-based Systems and Windows Server 2003 with SP1 for Itanium-based Systems
Internet Explorer 6 for Windows Server 2003 x64 Edition

The .NET Framework Development Tools and Platforms Affected:
Visual Studio 2005

Outlook Express 5.5 Service Pack 2 on Windows 2000 Service Pack 4
Outlook Express 6 Service Pack 1 when installed on Windows 2000 Service Pack 4
Outlook Express 6 on Windows XP Service Pack 2
Outlook Express 6 on Windows XP Professional x64 Edition
Outlook Express 6 on Windows Server 2003 or on Windows Server 2003 with Service Pack 1
Outlook Express 6 on Windows Server 2003 for Itanium-based Systems or on Windows Server 2003 with SP1 for Itanium-based Systems
Outlook Express 6 on Windows Server 2003 x64 Edition

Windows Media Format 7.1 through 9.5 Series Runtime on Windows 2000 Service Pack 4
Windows Media Format 7.1 through 9.5 Series Runtime on Windows XP Service Pack 2
Windows Media Format 7.1 through 9.5 Series Runtime on Windows XP Professional x64 Edition
Windows Media Format 7.1 through 9.5 Series Runtime on Windows Server 2003 or Windows Server 2003 Service Pack 1
Windows Media Format 7.1 through 9.5 Series Runtime on Windows Server 2003 X64 Edition
Windows Media Format 9.5 Series Runtime x64 Edition on Windows XP Professional x64 Edition
Windows Media Format 9.5 Series Runtime x64 Edition on Windows Server 2003 x64 Edition

Windows Media Player 6.4 on Windows 2000 Service Pack 4
Windows Media Player 6.4 on Windows XP Service Pack 2
Windows Media Player 6.4 on Windows XP Professional x64 Edition
Windows Media Player 6.4 on Microsoft Windows Server 2003 or on Microsoft Windows Server 2003 Service Pack 1
Windows Media Player 6.4 on Microsoft Windows Server 2003 x64 Edition

References

Detailed information about specific affected platforms and applications can be found at:
http://www.microsoft.com/technet/security/bulletin/ms06-dec.mspx


Last modified Monday, 08-Oct-2007 04:34:17 PM
