Volume 3, Number 43 -- December 13, 2006

Microsoft Patches Two Zero-Day Exploits, Leaves Two Untouched

Published: December 13, 2006

by Alex Woodie

Microsoft yesterday released patches for two zero-day exploits, but left two other zero-days unpatched during its final Patch Tuesday of the year. While Microsoft addressed zero-day problems in Windows and Visual Studio 2005 and fixed another critical problem affecting IE versions 5 and 6, it failed to issue patches for two other recently discovered zero-day flaws that affect Word. All told, seven patches were released, fixing 11 vulnerabilities across a range of mostly client-side products.

The most critical patch issued yesterday was Microsoft Security Bulletin MS06-078, which fixes the two "ASF Playlist" security flaws that hackers could use to take full control of an affected system when a user tries to open a malformed Advanced System Format (ASF) file (sometimes referred to as Advanced Streaming File) on a Web site or in an e-mail.

The ASF Playlist flaw is a zero-day vulnerability that was discovered three weeks ago, and which Microsoft originally had classified, erroneously, as a denial of service threat, according to security researchers at eEye Digital Security, which has been tracking the flaw on its new zero-day vulnerability tracker. Microsoft added MS06-078 to the current patch cycle at the last minute, according to eEye.

The other zero-day flaw fixed yesterday is the WMI Object Broker vulnerability in Visual Studio 2005, an active exploit that allows an attacker to take full control of a computer by luring users to a malformed Web page. This vulnerability, which was fixed with Microsoft Security Bulletin MS06-073, is an ActiveX-based exploit, and users who are running IE version 7, especially on Windows Server 2003 or the new Windows Vista, are not as exposed to the problem as users running older versions of IE on workstations. Just the same, it's a serious problem for those computers running Visual Studio 2005.

The final critical patch, Microsoft Security Bulletin MS06-072, is a cumulative patch that fixes four flaws in our old friends, IE versions 5 and 6. Symantec says MS06-072 is the most critical of the bulletins issued yesterday, largely due to the Script Error Handling Memory Corruption, a newly discovered (but privately reported) flaw that can cause "a memory corruption condition when handling script errors in certain circumstances and may result in a complete system compromise," the security giant says. You can bet your bongos evil-doers are itching to explore all the possible ways they can use this new vector to infect your Windows system in the days and weeks to come.

Microsoft did not patch two Word flaws that are making the rounds on the Internet. Microsoft security researchers are aware of the flaws, and even posted Security Advisory 929433 last Tuesday to confirm that the company is working on a fix for the first flaw, which is infecting users of many current and older Word programs for Windows and the Mac. On Sunday, security researchers confirmed reports of a new flaw affecting Word 2000 with a posting on the Microsoft Security Response Center Blog!. The team managed to work fast to get MS06-078 out the door at the last second, but fixing these new Word flaws was apparently too much to ask.

But Wait, There's More Patches!

Microsoft issued four other patches yesterday for a range of flaws it deems important. While these flaws don't carry the same urgency as the flaws listed above, they could prove just as dangerous in your shop, as three of them could allow a hacker to take complete control of the system, which usually results in a "critical" rating. These patches include:

  • Microsoft Security Bulletin MS06-074, which fixes a newly discovered problem in Windows' SNMP service that could allow attackers to execute their choice of code. However, because SNMP is not activated on Windows by default, this flaw does not pose as great a risk.
  • Microsoft Security Bulletin MS06-075, which fixes a newly discovered problem in the way that Windows starts applications with specially crafted file manifests, called the File Manifest Corruption vulnerability. A hacker successfully using this flaw could take complete control of the machine, but he must already have valid log-on credentials, and he can't do it remotely, which is why it rated only "important" on Microsoft's scale. It also only affects Windows XP Service Pack 2 (SP2), Windows Server 2003, and Windows Server 2003 for Itanium-based Systems.
  • Microsoft Security Bulletin MS06-076, which is a cumulative update for Outlook Express that also fixes a newly discovered flaw, called the Windows Address Book (WAB) Contact Record Vulnerability, that could allow attackers to take complete control of the system if they got a user to open a malicious WAB file. The flaw earns only an "important" rating because attackers will gain only the rights of the infected user.
  • Microsoft Security Bulletin MS06-077, which fixes the newly discovered RIS Writable Path vulnerability in Windows 2000 SP4. The flaw exists in Remote Installation Services (RIS), which Microsoft calls a "pre-boot execution environment" (PXE)-based deployment technology that allows Windows setup to initiate over a network. A flaw in RIS could allow an anonymous user to overwrite existing operating system files or upload a specially crafted file.

Yesterday's patch of patches continues the recent trend that sees hackers poking for holes in desktops and client machines, as opposed to servers. "Today's release from Microsoft reconfirms that client-side vulnerabilities are one of the most efficient and well known methods by which computers can become infected, therefore users are urged to install patches as soon as possible," says Oliver Friedrichs, director, Symantec's security response group.

For the year, Microsoft issued 78 patches for hundreds of vulnerabilities, the largest number of patches the company has ever released. For comparison, the company issued 55 patches in 2005, 45 in 2004, 51 in 2003, 72 in 2002, and 60 in 2001.

Microsoft will be hosting a Web cast today at 11 a.m. PST to discuss the current batch of fixes. To register for the event, go to TechNet Security Center.



Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
