Internet Security Systems - AlertCon(TM)

November Microsoft Patches

Posted by Tom Cross on November 14, 2006 at 4:48 PM EST.

It’s the second Tuesday of the month again, and time for Microsoft’s latest round of security patches. Fortunately, this is a light month relative to what we’ve been seeing over the summer. We have just 6 bulletins, covering 13 vulnerabilities.

The most important of these is MS06-070, a stack overflow vulnerability in the Workstation Service in Windows 2000 SP4 and XP SP2. Remote access to these capabilities requires authentication in XP, but not 2000, making this vulnerability a serious risk for Windows 2000 networks. The vulnerability is easy to exploit, and we expect various organizations that post exploit code to the general public to do so for this issue in a matter of days. Furthermore, this bug could be leveraged in an Internet worm. Fortunately, vulnerabilities disclosed this year that have presented similar risks haven’t been exploited in widespread worm outbreaks. It’s possible that we’re just getting lucky here, but we believe that widespread adoption of Intrusion Prevention technology by enterprises, as well as increased vigilance by corporate network administrators, has significantly cut down the possibility of the sort of widespread worm outbreaks that plagued the Internet in the earlier part of this decade. We’re making progress toward a safer net.

MS06-071 patches a vulnerability in Microsoft’s XML core services that one of IBM XForce’s web crawlers found being exploited in the wild earlier this month. Our Proventia IPS technology preemptively detected and blocked this exploit. We disclosed the issue to Microsoft and provided complete coverage for the vulnerability in an XPU shipped just a few days later. Read our alert here.

MS06-067 should also be high on administrators’ lists for this month. This update patches a number of vulnerabilities in Internet Explorer. Several of these are heap overflows in the DirectAnimation ActiveX Control that allow arbitrary remote code execution and have been exploited in the wild by malware distributors since at least mid-September. XForce first provided protection for them at that time. It is a relief to finally get these issues patched and off the threat radar. However, we suspect that we’ll continue to see more browser vulnerabilities in the near term. The complexity of modern web browsers has made them a favorite target for malware distributors.

In MS06-069, Microsoft is shipping an update to Macromedia’s Flash Player which Adobe shipped back in September. These vulnerabilities exist in a code interpreter, and so they are difficult to cover comprehensively in a network IPS because of the multitude of ways that source code can be obfuscated to evade detection. In our view, the best defenses against this sort of attack are host-based security measures, such as software anti-virus and the Buffer Overflow Exploit Protection (BOEP) features in our Proventia Desktop product. However, these specific vulnerabilities were patched months ago and we’re not aware of any attacks or publicly available exploits.

Users of Microsoft’s Client Services for NetWare should pay attention to MS06-066. One of the vulnerabilities covered by this bulletin is a remote stack overflow which leads to total system compromise. Fortunately, this software is not installed by default on Windows machines.

Finally, we must discuss MS06-068, which patches a buffer overflow in the code that decompresses Microsoft Agent Services Character files. Microsoft Agent Services allows programmers to create user interfaces for their software that involve cute animated characters, such as a genie or a talking parrot. While we’re sure that this feature is popular with certain groups of Windows users, we don’t expect that it gets a lot of play in corporate offices. However, if a user decides to replace their animated character with a custom character downloaded off of the Internet, they might find themselves granting arbitrary code execution to the creator of the character. Therefore, network administrators must take this seriously. We suggest blocking downloads of all files of this type at the network gateway, so that future vulnerabilities in this feature are no longer a concern.

What is surprising about this issue is that it involves a custom decompression algorithm. With so many good, standard compression systems available in Windows whose code has already been audited for security issues, we’re surprised that Microsoft decided to develop new compression technology specifically for these animated characters. This is a good case study in the importance of relying on standards and widely audited code. Had Microsoft chosen something off the shelf for this file format, we wouldn’t be patching it today.
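The following is an added illustration of the bug class behind MS06-068, not code from the post or from Microsoft, and it does not reproduce the Agent character format: it uses a constructed toy run-length encoding (pairs of count byte, value byte) to show why a home-grown decompressor is risky. The length fields in the input are attacker-controlled, so a decoder that trusts them (`rle_decode_unchecked`, the pattern a custom format invites) writes past its output buffer, while the hardened `rle_decode_checked` refuses any run that would not fit. The names, the format and the sample inputs are all assumptions made for this example.

```c
/* Added example: toy RLE decoder showing an unchecked vs. a bounds-checked
 * decompressor. The format (count byte, value byte) is constructed for
 * illustration and is NOT the Microsoft Agent character file format. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OUT_CAP 16   /* fixed-size output buffer, as a naive decoder would use */

/* Total output size the input *claims* it will produce: the sum of all
 * count bytes. Because every count comes from the file, this value is
 * entirely under the control of whoever crafted the file. */
size_t rle_declared_size(const uint8_t *in, size_t in_len)
{
    size_t total = 0;
    for (size_t i = 0; i + 1 < in_len; i += 2)
        total += in[i];
    return total;
}

/* The risky pattern: trusts each count byte and writes that many bytes
 * into 'out' without knowing how large 'out' is. A single pair such as
 * {0xFF, 'X'} would write 255 bytes into a 16-byte buffer, which is the
 * kind of buffer overflow the post describes. Only ever call this with
 * input whose declared size has been validated first. */
int rle_decode_unchecked(const uint8_t *in, size_t in_len, uint8_t *out)
{
    size_t written = 0;
    for (size_t i = 0; i + 1 < in_len; i += 2) {
        memset(out + written, in[i + 1], in[i]);   /* no capacity check */
        written += in[i];
    }
    return (int)written;
}

/* The hardened form: every run is checked against the remaining capacity
 * before anything is written, and a dangling count byte with no value
 * byte (odd-length input) is rejected as truncated.
 * Returns the number of bytes written, or -1 if the input is malformed or
 * would not fit in out_cap bytes. */
int rle_decode_checked(const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_cap)
{
    if (in_len % 2 != 0)
        return -1;                      /* truncated (count, value) pair */
    size_t written = 0;
    for (size_t i = 0; i < in_len; i += 2) {
        size_t count = in[i];
        uint8_t value = in[i + 1];
        /* written <= out_cap always holds here, so the subtraction is safe */
        if (count > out_cap - written)
            return -1;                  /* run would overflow the buffer */
        memset(out + written, value, count);
        written += count;
    }
    return (int)written;
}

int main(void)
{
    /* Constructed sample inputs: a benign file and a hostile one. */
    const uint8_t benign[]  = { 3, 'A', 2, 'B' };       /* decodes to "AAABB" */
    const uint8_t hostile[] = { 0xFF, 'X' };            /* claims 255 bytes */
    uint8_t out[OUT_CAP];

    int n = rle_decode_checked(benign, sizeof benign, out, OUT_CAP);
    printf("benign: %d bytes, declared %zu\n", n, rle_declared_size(benign, sizeof benign));

    n = rle_decode_checked(hostile, sizeof hostile, out, OUT_CAP);
    printf("hostile: result %d, declared %zu > capacity %d\n",
           n, rle_declared_size(hostile, sizeof hostile), OUT_CAP);
    return 0;
}
```

The difference between the two decoders is one comparison per run, which is exactly the kind of check an audited, standard library already carries and a freshly written format parser can easily omit. A gateway that blocks the file type, as suggested above, removes the exposure without depending on that comparison being present in every consumer of the format.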

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.