Volume 3, Number 20 -- June 14, 2006

Get Your Patch On: 8 Critical Updates Issued by Microsoft

Published: June 14, 2006

by Alex Woodie

Microsoft yesterday issued 12 security patches, including eight for vulnerabilities the company deems "critical," in one of the most active Patch Tuesdays in recent memory. Among the patches released yesterday was another mega-patch fixing a laundry list of problems in the aging Internet Explorer browser, a fix for the recent zero-day Word exploit, a patch for a newly found flaw in Windows' TCP/IP driver, and more fixes for critical flaws in all current 32- and 64-bit versions of Windows than you can shake a stick at.

This week's mega-patch is the first of the batch, Microsoft Security Bulletin MS06-021, a cumulative update for Internet Explorer that fixes eight separate newly discovered vulnerabilities affecting all current 32- and 64-bit desktop and server operating systems. Older, unsupported operating systems, such as Windows 2000 Service Pack 3 and Windows NT Server 4.0 SP 6a, are also susceptible to these vulnerabilities.

Some of the vulnerabilities fixed by MS06-021--including the Exception Handling Memory Corruption Vulnerability, the HTML Decoding Memory Corruption Vulnerability, the ActiveX Control Memory Corruption Vulnerability, and the COM Object Instantiation Memory Corruption Vulnerability--carry the risk of remote code execution and therefore were given a "critical" rating. Three other vulnerabilities, including the CSS Cross-Domain Information Disclosure Vulnerability and two separate Address Bar Spoofing Vulnerabilities, carry the risk of spoofing or information disclosure, while the eighth vulnerability, the MHT Memory Corruption Vulnerability, carries a moderate risk of remote code execution.

Most of these new vulnerabilities were directly reported to Microsoft, a practice it calls "responsible disclosure," although one vulnerability, the CSS Cross-Domain Information Disclosure Vulnerability, has been known to exist since last year. Organizations and individuals contributing to MS06-021 include the CERT Coordination Center, hoshikuzu star_dust (an Internet alias, one hopes), ITsec Security Services, the University of Kansas' Division of Information Systems and Communications, the Metasploit Project, Secunia, TippingPoint, and the Zero Day Initiative. Microsoft says it's not aware of any attacks using these newly discovered vulnerabilities.

Microsoft Security Bulletin MS06-022 fixes a problem known as the ART Image Rendering Vulnerability, which could allow an attacker to gain control of a computer that opens a malformed AOL ART image file. This vulnerability affects all current 32- and 64-bit desktop and server operating systems, and therefore was given a critical rating. Microsoft says customers who apply the MS06-021 patch will need to apply MS06-022 to prevent Internet Explorer processes from closing unexpectedly when users view invalidly-formed AOL ART images.

All Windows users are encouraged to apply another critical patch, Microsoft Security Bulletin MS06-023, which fixes a serious memory corruption problem in Microsoft's JScript implementation and eliminates a remote code execution threat when viewing malformed Web sites in Internet Explorer. Microsoft says there are no active attacks using this vector, and that it was privately disclosed.

Microsoft Security Bulletin MS06-024 fixes a critical flaw in Windows Media Player versions 9 and 10 that could allow attackers to gain total control of computers running Windows XP SP1, SP2, and the X64 Edition; Windows Server 2003 SP1 and the X64 Edition; and Windows 98/SE/ME. This flaw has to do with improper processing of PNG images, and could be put into play using either a malformed Web site or e-mail message, although Microsoft says it's not aware of any such attacks taking place in the real world; Microsoft says it was tipped off to the flaw through "responsible disclosure."

Microsoft Security Bulletin MS06-025 fixes two flaws--the RRAS Memory Corruption Vulnerability and the RASMAN Registry Corruption Vulnerability--both of which carry the threat of remote code execution, and both of which are deemed critical flaws. All current 32- and 64-bit versions of Windows are susceptible to these flaws; the Windows 98/ME/SE products are not. Microsoft says these flaws were privately reported, and are not the basis of any attacks it knows about.

The Windows 98/ME/SE products do face a remote code execution problem with a newly reported Graphics Rendering Engine vulnerability, which is a variation on the Windows Metafile flaw that caused a lot of concern over the holidays, and was fixed by Microsoft in January. The new Graphics Rendering Engine flaw is addressed by Microsoft Security Bulletin MS06-026, a critical update. Windows Server products are not affected by this flaw.

The recently reported, zero-day Word remote code execution threat--officially known as the Microsoft Word Malformed Object Pointer Vulnerability--has been fixed with Microsoft Security Bulletin MS06-027. This flaw was being actively utilized for attacks (see "Zero-Day Word Exploit Attacks from Asia Reported"). Now that Microsoft has issued code that allows users to fix the problem, expect the attacks to ratchet up a notch, so get this patch on ASAP.

Last among this month's critical patches (but by no means least!) is Microsoft Security Bulletin MS06-028, which fixes a newly discovered security flaw in PowerPoint. According to Microsoft, an attacker could exploit this vulnerability by constructing a specially crafted PowerPoint file. The vendor says this flaw was privately reported and that it hasn't heard of any attacks using this vector, but just the same, please be cautious with opening those unsolicited PowerPoints.

Microsoft Security Bulletin MS06-029 fixes a newly discovered script injection vulnerability in Exchange Server 2000 and 2003 that could allow an attacker to gain control of an affected system. This flaw only affects those Exchange users running Outlook Web Access (OWA), and it requires user interaction to execute the specially crafted script, which means this flaw was rated only "important" on the vulnerability scale. The flaw was privately reported and isn't being exploited in the wild, Microsoft says.

Microsoft Security Bulletin MS06-030 fixes two related problems in the Windows Server Message Block (SMB) communication facility: the SMB Driver Elevation of Privilege Vulnerability, and the SMB Invalid Handle Vulnerability, which could be used to execute a denial of service (DoS) attack. These vulnerabilities were rated moderate and important for affected systems, which include all current 32- and 64-bit versions of Windows, excepting the Windows 98/SE/ME products. Microsoft says these flaws were privately reported, and that it's not aware of any attacks using this SMB method.

Microsoft Security Bulletin MS06-031 addresses the RPC Mutual Authentication Vulnerability, a spoofing vulnerability, in Windows 2000 SP4, which was supposed to have reached the end of its supported lifetime. This vulnerability, which only affects Windows 2000 SP4, was reported through "responsible disclosure" by Microsoft's business partner and competitor, Symantec. There are no known attacks utilizing the RPC Mutual Authentication Vulnerability, Microsoft says.

An "important" remote code execution vulnerability in the Windows TCP/IP stack has been fixed with Microsoft Security Bulletin MS06-032. Microsoft says an unchecked buffer overflow in its TCP/IP Protocol driver could enable an attacker to gain total control over affected systems, including all current 32- and 64-bit versions of Windows, excepting the Windows 98/SE/ME products. However, nobody's using this vector yet to attack Windows systems, Microsoft says. This flaw was also privately reported to the vendor.






Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
