Issue #7, 10/12/05
In this issue:
- Upcoming Public Courses
- Randy's Independent Insights on This Month's bulletins
- Subscribe, Unsubscribe and Usage Information
============================================
This Month’s Security Updates from Microsoft
============================================
Well, last month Microsoft released 0 patches but they made up for it on yesterday’s Patch Tuesday. Eight bulletins in all. Most of this month’s patches are primarily workstation related risks that you can wait to deploy until you finish a full round of testing in your environment. However I recommend loading the Internet Explorer patch (MS05-052) on workstations as soon as possible, with little or no testing depending on where your organization falls in the vulnerability vs. stability range. The most important patch that affects servers is the one dealing with the Collaboration Data Objects (CDO) vulnerability, MS05-048. Be sure to assess your exposure to that risk. Two trends continue this month. First, XP SP2 and Windows Server 2003 SP1 continue to come out less scathed than earlier versions of Windows for many vulnerabilities. I have to give Microsoft credit for making progress on these two post-Trustworthy Computing initiative releases. Second, following best practices such as refraining from dangerous activities (i.e. web browsing) while logged on at a server and disabling unneeded features continues to reduce your exposure to future vulnerabilities.
==========================================
Upcoming Public Courses
==========================================
http://www.ultimatewindowssecurity.com/register.asp
Security Log Secrets
12/8/05 - 12/9/05 -
Register before November 11th to save $100. See below for how to save another $100.
Complete Windows Security
1/23/06 - 1/27/06 -
Total WiFi Security
2/27/06-2/28/06 -
============================================================================
MS05-050 - Vulnerability in DirectShow Could Allow Remote Code Execution
(904706)
============================================================================
This critical vulnerability allows an attacker to execute arbitrary code under the current user’s authority on all versions of Windows. This is primarily a workstation risk since the attacker must succeed in getting the user to view a malicious webpage or a specially crafted AVI file. Best practice prohibits viewing web content and other activities such as opening untrusted files, reading email, etc. while logged on at a server. At this time no proof-of-concept code or actual attacks have been reported, so most organizations will choose to perform normal testing before deploying this patch. (DirectShow is the Windows component that handles streaming media from web sites, DVDs, AVI files, etc.)
Assuming you follow best practice and limit activities while logged on to servers interactively or via remote desktop to built-in MMCs, you should be able to avoid loading this patch on servers. Workstations however should be patched after light testing.
=============
Did you know?
=============
Security Log Secrets is the only course devoted to revealing how to leverage the Windows security log for SOX compliance, forensics and intrusion detection.
============================================================================
MS05-051 - Vulnerabilities in MSDTC and COM+ Could Allow Remote Code
Execution (902400)
============================================================================
This critical bulletin covers several vulnerabilities with different types of impact. The worst impact associated with this bulletin is root access, in which a remote attacker sends a specially crafted network message to the targeted system which results in execution of arbitrary code under the authority of the operating system itself, thereby gaining complete control. Root access impact is limited to Windows systems prior to Windows XP SP2 and Windows Server 2003 SP1. Many back level systems on your network will have limited or no vulnerability depending on the status of Microsoft Distributed Transaction Coordinator (MSDTC), the Transaction Internet Protocol (TIP) and COM+. To assess your exposure to the root access impact of this bulletin, analyze the Mitigating Factors for the MSDTC and COM+ vulnerabilities in MS05-051. MSDTC is the distributed transaction technology in Windows and is used by SQL Server, BizTalk Server, Exchange Server, Message Queuing and cluster environments.
Another impact of this bulletin is local privilege escalation in which a user can elevate his privileges and gain administrator authority to the system where he is currently logged on. This impact is only relevant if you have a locked down workstation environment where users are not already members of the local Administrators group on their workstations or in Terminal Services user mode environments.
The final impact of this bulletin is denial of service. All versions of Windows are potentially exposed to this vulnerability; however, exposure really depends on the status of MSDTC and the TIP component of MSDTC. Windows 2000 has the highest exposure.
Bottom line: you can probably avoid loading this patch if your network consists of Windows XP SP2 and Windows Server 2003 SP1 and if you don’t use a locked down desktop environment. For other vulnerable systems carefully read the mitigating factors and workarounds before determining which systems must receive the patch.
==================================
As a thank you for subscribing...
==================================
To readers of this newsletter, we are offering $100 off the registration fee for Security Log Secrets on 12/8/05 - 12/9/05 in
============================================================================
MS05-052 - Cumulative Security Update for Internet Explorer (896688)
============================================================================
This critical vulnerability allows an attacker to execute arbitrary code under the authority of the current user. To exploit the vulnerability the attacker must trick the user into opening a specially crafted web page in Internet Explorer. Provided best practice is followed when administrators log on to a server interactively or via remote desktop, risk is limited to workstations and Terminal Services user mode environments.
Bottom line: you should load this fix on Windows workstations as soon as possible. Since this vulnerability is already being exploited on the Internet and proof of concept code already exists publicly, this patch should be deployed before testing is complete especially for workstations of users with access to important applications and information.
============================================================================
MS05-046 - Vulnerability in the Client Service for NetWare Could Allow
Remote Code Execution (899589)
============================================================================
This vulnerability only affects Windows systems with CSNW (Client Service for NetWare) or GSNW (Gateway Service for NetWare), which is not installed by default on any version of Windows. Given that there are no reports of this vulnerability being exploited in actual attacks, that there is no proof of concept code public at this time and that CSNW/GSNW is not a core component of Windows, it is likely it won’t be immediately targeted.
Bottom line: If you have NetWare servers and use CSNW, consider loading this patch after complete testing in your environment.
============================================================================
MS05-047 - Vulnerability in Plug and Play Could Allow Remote Code Execution
and Local Elevation of Privilege (905749)
============================================================================
This vulnerability could allow a remote but authenticated user to gain root access to Windows 2000 and XP SP1 systems but not Windows Server 2003. Risk on XP SP2 systems is limited to local privilege escalation by a user logged on interactively or via remote desktop. Your Windows 2000 servers are at risk from malicious users with a valid user account. Pre-XP SP2 systems are also at risk to remote attack if ports 139 or 445 are open. This is only a risk to XP SP2 in locked down desktop environments in which end users are not members of the local Administrators group.
Bottom line: In locked down desktop environments, load this patch after full testing. For Windows 2000 and pre-XP SP2 systems you may decide to load this patch after full testing. Other organizations will choose not to load the patch since risk is limited to “trusted” users and there is currently no proof-of-concept code public.
============================================================================
MS05-048 - Vulnerability in the Microsoft Collaboration Data Objects Could
Allow Remote Code Execution (907245)
============================================================================
This important vulnerability allows a remote attacker to gain complete control of a system using a specially crafted SMTP email. The vulnerability affects all versions of Windows and Exchange Server 2000; however, there are significant prerequisites for a successful attack. First, the computer must be running Exchange Server 2000 or have IIS 5 or 6 installed with the SMTP service active. Furthermore, an application must be actively using a certain feature of the SMTP service, Collaboration Data Objects (CDO). CDO is a COM component widely used by applications that create email messages or that add functionality to SMTP or Exchange servers. An application that uses CDO only opens this vulnerability if the application uses CDO’s event sinks in an unpublished “vulnerable manner” (see http://www.sec-1.com/applied_hacking_course.html). Event sinks are “user exits” that allow an application to step into the middle of SMTP’s handling of a message and perform additional processing (e.g. an anti-spam product or email archive solution). To determine if a system running SMTP is vulnerable to this exploit you can run “cscript.exe smtpreg.vbs /enum”, which will produce a list of applications that have registered event sink entries with CDO. You can obtain smtpreg.vbs at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/smtpevt/html/6b7a017e-981e-45a1-8690-17ff26682bc7.asp. This is primarily a server issue since it should be unusual to have SMTP running on workstations. For servers you identify as vulnerable you should consider the likelihood of the server receiving a malicious message crafted to exploit this vulnerability. Email gateways facing the Internet are the most likely target. It is not clear whether downstream servers are vulnerable to malicious messages forwarded from a patched server.
Bottom line: email servers and gateways exposed to the Internet should be patched as soon as possible; some organizations will deploy the update before testing is complete with all vulnerable servers to follow as soon as testing is complete.
============================================================================
MS05-049 - Vulnerabilities in Windows Shell Could Allow Remote Code
Execution (900725)
============================================================================
This important vulnerability allows an attacker to run arbitrary code under the authority of the victim user and applies to all versions of Windows. The attacker must trick the user into opening a specially crafted LNK file (aka shortcut) by sending an email with a link to a page that has the malicious LNK file or luring the user to the page through some other means. Depending on your email server and client policies the attacker may be able to send the LNK file as an attachment. You should be able to avoid loading this patch on servers provided best practice is followed by administrators who log on interactively or via remote desktop (i.e. no web browsing, email usage, etc.). There are no reports of this vulnerability being used in actual attacks and there’s no public proof-of-concept code.
Bottom line: load this patch on all workstations after testing.
============================================================================
MS05-044 - Vulnerability in the Windows FTP Client Could Allow File Transfer
Location Tampering (905495)
============================================================================
This vulnerability allows an attacker who can post a file with a specially formatted file name to an FTP site to override the destination of the file when downloaded by the client. For example: AttackJack creates a file with a special file name and posts it to ftp.public.com. UserB downloads the file using the Windows FTP client. UserB specifies the file should be downloaded to My Documents but the file ends up in c:\windows\system32 because of how AttackJack formatted the filename. This introduces the risk of trojan horses and other back doors if the attack succeeds in replacing an important system file. Replacement requires the user to allow the transfer after an “Overwrite File?” warning. Spam filters and firewall policies restricting FTP downloads also help to mitigate this threat.
Bottom line: This vulnerability is relevant to computers downloading files from FTP sites where malicious content could be posted but due to prerequisites for the attack many organizations will choose to install this patch to workstations only after full testing.
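The defect behind MS05-044 is a client trusting a server-supplied file name as a path. The following is an added example, written for this commentary and not code from Microsoft or from the newsletter, showing the check a download client (or any code that saves files under names chosen by a remote party) should apply: reduce the remote name to a bare base name, then verify the resolved target still sits inside the chosen download folder. The constructed names in the demo (a traversal name, an absolute name and a UNC name) are illustrative inputs, and the reserved-name list is an assumption sufficient for the demonstration rather than an exhaustive Windows rule set.

```python
import ntpath
import re

# Well-known Windows reserved device names (assumed sufficient for this demo).
_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def naive_target(download_dir: str, server_name: str) -> str:
    """The vulnerable pattern: join whatever the server sent onto the folder.

    A name containing '..' components or a drive/UNC prefix redirects the
    write anywhere on the disk, which is exactly the MS05-044 failure mode.
    """
    return ntpath.normpath(ntpath.join(download_dir, server_name))


def safe_download_name(server_name: str) -> str:
    """Reduce a server-supplied file name to a benign base name.

    Drops drive letters, UNC prefixes and every directory component (both
    '/' and '\\' are honoured as separators by the Windows client), strips
    characters NTFS forbids, and rejects names that collapse to nothing or
    to a reserved device name. Raises ValueError when nothing usable remains.
    """
    name = server_name.replace("/", "\\")
    _, name = ntpath.splitdrive(name)      # remove "C:" or "\\\\host\\share"
    name = ntpath.basename(name)           # keep only the last component
    name = re.sub(r'[\x00-\x1f<>:"|?*]', "", name)
    name = name.rstrip(". ")               # Windows silently drops these anyway
    if not name or name in {".", ".."} or name.split(".")[0].upper() in _RESERVED:
        raise ValueError(f"refusing server-supplied file name {server_name!r}")
    return name


def resolve_target(download_dir: str, server_name: str) -> str:
    """Hardened version of naive_target: sanitise, then prove containment.

    Even after sanitising, the resolved path is compared against the download
    folder so that a future change to the sanitiser cannot silently reopen
    the hole.
    """
    base = ntpath.normpath(download_dir)
    target = ntpath.normpath(ntpath.join(base, safe_download_name(server_name)))
    if ntpath.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes the download directory")
    return target


if __name__ == "__main__":
    folder = r"C:\Users\bob\Documents"        # constructed download folder
    samples = [                               # constructed server-supplied names
        r"report.txt",
        r"..\..\..\Windows\System32\x.dll",
        r"C:/Windows/System32/x.dll",
        r"\\evil\share\x.dll",
        r"con.txt",
    ]
    for s in samples:
        try:
            print(f"{s!r:40} naive -> {naive_target(folder, s)}")
            print(f"{'':40} safe  -> {resolve_target(folder, s)}")
        except ValueError as err:
            print(f"{'':40} safe  -> rejected ({err})")
```

Running the demo shows the traversal and absolute names landing under `C:\Windows\System32` with the naive join but under the Documents folder with the hardened one, while the reserved device name is refused outright. The `commonpath` comparison is the check worth keeping in any file-saving code path, since it is independent of how the name was cleaned.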
============================================================================
MS05-045 - Vulnerability in Network Connection Manager Could Allow Denial of
Service (905414)
============================================================================
This denial of service vulnerability allows an authenticated but malicious user to send a specially crafted network message to the vulnerable system and temporarily knock out the system’s ability to respond to incoming and outgoing dial-up and VPN connection attempts; however, the system will evidently recover within a few seconds.
Bottom line: don’t install this patch unless you start experiencing the problem. If you do experience the problem you have a rogue user on your hands.
Until next month, happy patching! Don't forget about the $200 savings available if you pre-register now for Security Log Secrets without obligation. Lock in the savings at http://www.ultimatewindowssecurity.com/register.asp and then pursue getting approval.
Regards,
Randy Franklin Smith
CISA, SSCP, Microsoft Security VIP
CEO, Monterey Technology Group, Inc.
============================================
Subscribe, Unsubscribe and Usage Information
============================================
- subscribe to this newsletter
- unsubscribe from this newsletter
- usage information
If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.
Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).
You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.
While Monterey Technology Group, Inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.
If you need personalized attention in any way, just email me: mailto:rsmith@montereytechgroup.com. I endeavor to respond to everyone who emails.
Thanks for reading!