December Microsoft Patches
Posted by Tom Cross on December 12, 2006 at 4:45 PM EST.
Early December brings long lines at the shopping malls, fights between parents over this year’s hottest toy, and, of course, another round of patches from Microsoft. This month we have 7 bulletins covering 11 vulnerabilities. Those numbers are still low relative to what we were seeing last summer.
We think MS06-074 will be a target for exploit writers because it involves SNMP. While this service is not run by default on Windows hosts, it is frequently enabled on high-value and critical infrastructure servers for monitoring purposes. This is an integer underflow vulnerability that would enable attackers to gain complete control of vulnerable hosts. We strongly advise network operators to block SNMP traffic that is not sourced from management LANs. However, because SNMP runs over UDP, attackers can more easily spoof the source address of their packets.
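The filtering advice above, as an added example that is not part of the original post: a check run over constructed flow-log lines that flags SNMP (UDP/161 and 162) from outside the management LAN, and also covers the UDP spoofing caveat by flagging a management-LAN source address that arrived on a non-management interface. The management network (10.0.100.0/24), the interface name (eth1) and the log format are assumptions.

```python
# Added example (not from the original post): audit constructed flow-log lines for
# SNMP (UDP/161 and 162) from outside the management LAN, and for the UDP spoofing
# caveat: a management-LAN source address arriving on a non-management interface.
import ipaddress
from typing import NamedTuple

MGMT_NETS = [ipaddress.ip_network("10.0.100.0/24")]  # assumed management LAN
MGMT_IFACES = {"eth1"}                                # assumed interface facing it
SNMP_PORTS = {161, 162}                               # agent and trap ports

class Flow(NamedTuple):
    iface: str
    proto: str
    src: str
    dport: int

def parse_line(line: str) -> Flow:
    """Constructed format: '<iface> <proto> <src>:<sport> -> <dst>:<dport>'."""
    iface, proto, src, _arrow, dst = line.split()
    return Flow(iface, proto.upper(), src.rsplit(":", 1)[0], int(dst.rsplit(":", 1)[1]))

def classify(flow: Flow):
    """Return a finding string for policy-violating SNMP flows, else None."""
    if flow.proto != "UDP" or flow.dport not in SNMP_PORTS:
        return None
    src = ipaddress.ip_address(flow.src)
    if not any(src in net for net in MGMT_NETS):
        return "snmp from non-management source"
    if flow.iface not in MGMT_IFACES:
        # A management-LAN address is trivial to forge in UDP; if it did not
        # arrive on the management interface, treat it as a likely spoof.
        return "management source on non-management interface (possible spoof)"
    return None

def audit(lines):
    """Return (source IP, finding) for every offending line."""
    return [(f.src, v) for f in map(parse_line, lines) if (v := classify(f))]

# Constructed sample log: legitimate poll, outside source, spoof suspect, non-SNMP, trap.
SAMPLE_LOG = [
    "eth1 UDP 10.0.100.7:50000 -> 10.0.1.5:161",
    "eth0 UDP 203.0.113.9:4100 -> 10.0.1.5:161",
    "eth0 UDP 10.0.100.7:50001 -> 10.0.1.5:161",
    "eth0 TCP 203.0.113.9:5555 -> 10.0.1.5:445",
    "eth0 UDP 198.51.100.4:2000 -> 10.0.1.5:162",
]
```

Running `audit(SAMPLE_LOG)` yields three findings: the two outside sources and the management address seen on eth0.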
We're also expecting attacks on MS06-077, a vulnerability in Microsoft's Remote Installation Service. RIS is the Windows equivalent of Sun's JumpStart or Red Hat's Kickstart. It allows thin clients to boot by loading their software over the network via TFTP. It's also useful for rapid deployment of standardized operating system setups on new machines. Unfortunately, the TFTP server that RIS runs allows anonymous TFTP users to overwrite the files in the operating system images being served. Attackers could easily replace any OS file or library with a trojaned component, and thereby gain complete control of every new machine that boots from the RIS server thereafter. Because this attack is so easy to perform, we think real-world exploitation is likely.
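One way to catch the file replacement described above, as an added example that is not part of the original post: baseline the image tree a RIS server serves over TFTP while it is known good, then re-scan it and report any file that was modified, added or removed. The directory layout, file names and contents below are constructed for the demonstration.

```python
# Added example (not from the original post): baseline and re-check the file tree a
# RIS server serves over TFTP, so a file overwritten by an anonymous TFTP client
# shows up as modified, added or removed. The directory layout below is constructed.
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def compare(baseline, current):
    """Report differences between a trusted baseline manifest and a fresh scan."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def write(root, rel, data):
    """Write bytes to rel (slash-separated) under root, creating directories."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)

def demo():
    """Build a constructed image tree, baseline it, simulate an overwrite, re-check."""
    with tempfile.TemporaryDirectory() as root:
        image = "Setup/English/Images/WinXP/i386"   # assumed RIS-style layout
        write(root, f"{image}/ntoskrnl.exe", b"original kernel bytes")
        write(root, f"{image}/hal.dll", b"original hal bytes")
        baseline = hash_tree(root)           # taken while the image is known good
        # Simulated anonymous TFTP writes: one library replaced, one file dropped in.
        write(root, f"{image}/hal.dll", b"replaced hal bytes")
        write(root, f"{image}/dropped.dll", b"new file")
        return compare(baseline, hash_tree(root))
```

In practice the baseline manifest must be stored somewhere the TFTP service cannot write, or an attacker could update it along with the image.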
MS06-073 is already being exploited in the wild. This vulnerability is in Visual Studio 2005, Microsoft's integrated development environment. Visual Studio installs an ActiveX control known as the WMI Object Broker. This control can be accessed by a web page, and it includes a method which can be used directly to execute commands on the browser host. There is no buffer overflow here. This is simply a case where the browser security model is violated, giving web pages too much power over the host they are running on.
Last week IBM Internet Security Systems X-Force® shipped coverage for one of the vulnerabilities in Windows Media Player patched by MS06-078. Detailed information about this vulnerability, which impacts ASX playlist files, was publicly disclosed last Wednesday. A proof of concept has been circulated online, so if this bug is not already being exploited, it is only a matter of time. This patch also fixes an integer overflow in ASF file parsing, but we think the latter bug is less likely to be targeted.
Microsoft is patching four vulnerabilities in Internet Explorer with MS06-072. Two of these are remote code execution vulnerabilities involving references to objects that no longer exist, and the other two involve disclosure of information about the victim's Temporary Internet Files folder. The information disclosure vulnerabilities are important because they may allow an attacker to learn what web pages the victim has viewed previously, and the attacker may be able to see private content that the user has accessed on password-protected or firewalled websites. However, some of this information can be leaked from browsers without exploiting a vulnerability. JavaScript can detect whether a particular URL appears in the browser's history by checking whether the CSS style that would be applied to a link to that URL is the style for visited or unvisited links. A script can run through a list of URLs quite quickly and determine which ones have been visited and which ones have not. As we've said before, browser vulnerabilities will continue to be a target for attackers as browsers provide an increasingly complex set of interfaces to web pages written by malicious people.
MS06-076 patches an integer underflow vulnerability in the parsing of Windows Address Book (.WAB) files by Outlook Express. The vulnerability leads to remote code execution. Fortunately, Outlook Express does not automatically parse .WAB files sent as email attachments. The attacker would need to convince the user to open the maliciously crafted .WAB file. This reduces the likelihood that this vulnerability will result in a widespread email worm outbreak, but it could be employed in targeted attacks, as well as attacks against unsophisticated users who don't have good internet street smarts.
Finally, MS06-075 patches a heap overflow in Microsoft's parsing of file manifests that leads to local privilege escalation. Parsing of these manifests occurs in a privileged context, affording unprivileged attackers a way to gain complete control over the computer they are using. They need merely create a malformed manifest for an executable application they have write access to, and then run the application. In the age of single-user systems these privilege escalation problems have become a lower priority, but users of MetaFrame and other multi-user Windows environments should be on the lookout for this.
In addition to covering the MS patch drop, our IBM X-Press Update™ product enhancement will also cover a new code execution vulnerability in Microsoft Word which was not patched in this month's patch drop. Microsoft Security Advisory 929433 covers this issue, which has been exploited in targeted attacks in the wild.

