Wednesday, January 12, 2011

Get up to speed on Microsoft's August security bulletins and latest security advisory

Microsoft has published a new security advisory about a COM object vulnerability that could pose a critical threat. In addition, the software vendor released six security bulletins for August, three of which are critical. The remaining three bulletins, however, still pose a threat if you're running affected systems.
Details

On August 18, Microsoft published Security Advisory 906267: "A COM Object (Msdds.dll) Could Cause Internet Explorer to Unexpectedly Exit," about which the company's security team has recently received reports. Microsoft Knowledge Base article 906267 addresses this threat (CAN-2005-2127). According to silicon.com, some online sources are reporting exploit code is available and potentially circulating around the hacker nets.

The security advisory is an early notification step. Although it includes possible workarounds, Microsoft says it's still investigating the possible threat and that the company has no knowledge of any attacks based on this potential vulnerability.
Applicability

This vulnerability could apply to all Internet Explorer versions after 5.01 on most or all operating platforms. Although the bulletin includes some specific versions, keep in mind that it's a preliminary report.
Risk level – Critical
The vulnerability could pose a denial of service threat. The security advisory includes a statement about the potential for an attacker exploiting it to run arbitrary code, which would raise the threat rating to critical.
Mitigating factors

Msdds.dll doesn't ship with Windows by default. If you don't have the DLL on your system, you aren't at any risk from this threat. In addition, users would have to open a malicious Web site to initiate the attack. However, the necessary code to modify a Web site is apparently already available on the Web.
Fix

Microsoft is still investigating the threat and plans to include a fix in an upcoming security bulletin. In the meantime, the software giant has published workarounds to protect against this vulnerability. In IE, set security zones to High and configure the browser to prompt users before running a new ActiveX control. In addition, disable or unregister Msdds.dll on affected systems.
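The first step of that workaround is finding out whether the machine even has the DLL (the mitigating factor above) and whether it is registered as a COM server. The PowerShell script below is an added example, not from the article or from Microsoft: it enumerates CLSIDs whose InprocServer32 points at msdds.dll, looks for copies on disk under a few assumed search roots, and with -Unregister applies the advisory's unregister workaround via regsvr32 /u (the IE zone settings are left to the browser UI).

```powershell
# Added example (not Microsoft's code): check and apply the Msdds.dll workaround.
# Run from an elevated prompt. The search roots are an assumption; widen them if needed.
param([switch]$Unregister)

# Plausible locations for a copy of msdds.dll (assumed search roots)
$searchRoots = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}, $env:ProgramFiles) |
    Where-Object { $_ -and (Test-Path $_) }

# 1. Any COM class whose InprocServer32 default value points at msdds.dll can be
#    instantiated from a web page, which is what the advisory is about.
$registered = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $srv = Get-ItemProperty -LiteralPath "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        if ($srv -and $srv.'(default)' -match 'msdds\.dll') {
            [pscustomobject]@{ Clsid = $_.PSChildName; Server = $srv.'(default)' }
        }
    }

# 2. Copies on disk, registered or not
$onDisk = Get-ChildItem -Path $searchRoots -Filter 'msdds.dll' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer }

if (-not $registered -and -not $onDisk) {
    Write-Output 'msdds.dll not found: this machine is not exposed to Advisory 906267.'
    return
}

Write-Output 'Registered COM classes backed by msdds.dll:'
$registered | Format-Table -AutoSize
Write-Output 'Copies on disk:'
$onDisk | Select-Object FullName, @{ n = 'Version'; e = { $_.VersionInfo.FileVersion } } | Format-Table -AutoSize

# 3. The advisory's workaround: unregister the server so IE can no longer load it.
#    regsvr32 /u removes the CLSID registration; /s suppresses the dialog box.
if ($Unregister) {
    foreach ($dll in $onDisk) {
        & regsvr32.exe /u /s "$($dll.FullName)"
        Write-Output "regsvr32 /u exit code $LASTEXITCODE for $($dll.FullName)"
    }
}
```

Re-run without -Unregister afterwards: the CLSID list should come back empty while the file remains on disk, which is the intended state until Microsoft's fix ships.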

Meanwhile, let's get back to our coverage of Microsoft's August security bulletins. Last time, I ran through the three critical bulletins. Now, let's get up to speed on the three remaining threats.
MS05-040

Microsoft Security Bulletin MS05-040, "Vulnerability in Telephony Service Could Allow Remote Code Execution," is a newly discovered threat that someone privately reported to the vendor (CAN-2005-0058). Microsoft updated this bulletin to version 1.1 on August 17 to include information about Windows 98, Windows 98 SE, and Windows ME. I haven't seen any examples of exploits in the wild.

Applicability

* Windows 2000 Service Pack 4
* All versions of Windows XP (including SP2 and 64-bit editions)
* All versions of Windows Server 2003 (including Itanium editions)
* Windows 98
* Windows 98 SE
* Windows ME

Risk level
Microsoft has rated this threat as important for Windows 2000 SP4, all versions of Windows XP, and all versions of Windows Server 2003. It has rated the threat as not critical for Windows 98, Windows 98 SE, and Windows ME.

Mitigating factors
The telephony service isn't a particularly common tool to enable, so many systems won't be vulnerable. In addition, firewall best practices should mitigate the threat.

Fix
Apply the update. As workarounds, disable telephony services in Control Panel, block UDP ports 135, 137, 138, and 445, and block TCP ports 135, 139, 445, and 593. In addition, block unsolicited inbound traffic on all ports above 1024.
MS05-041

Microsoft Security Bulletin MS05-041, "Vulnerability in Remote Desktop Protocol Could Allow Denial of Service," is a newly discovered threat that someone privately reported to the vendor (CAN-2005-1218). No exploits have yet surfaced in the wild.

Applicability

* Windows 2000 Server SP4
* All versions of Windows XP (including SP2 and 64-bit editions)
* All versions of Windows Server 2003 (including Itanium editions)

This vulnerability doesn't affect Windows 2000 Professional SP4, Windows 98, Windows 98 SE, or Windows ME.

Risk level
Microsoft has rated this vulnerability as a moderate threat for all affected systems.

Mitigating factors
None of the affected Windows versions enable RDP by default. In addition, using firewall best practices should prevent any attack on systems that have RDP enabled.

Fix
Apply the update. Suggested workarounds include blocking TCP port 3389 at the enterprise firewall and disabling Terminal Services, Remote Desktop, and Remote Assistance.
MS05-042

Microsoft Security Bulletin MS05-042, "Vulnerabilities in Kerberos Could Allow Denial of Service, Information Disclosure, and Spoofing," includes two threats: a PKINIT vulnerability (CAN-2005-1982) and the Kerberos threat (CAN-2005-1981). Both are newly discovered threats that researchers privately reported to the vendor.

Applicability

* Windows 2000 Service Pack 4
* All versions of Windows XP (including SP2 and 64-bit editions)
* All versions of Windows Server 2003 (including Itanium editions)

This threat doesn't affect Windows 98, Windows 98 SE, or Windows ME.

Risk level
Microsoft has rated this as a low threat for Windows 2000 Professional and Windows XP systems. It is a moderate threat for Windows 2000 Server and Windows Server 2003 systems.

Mitigating factors
Valid logon credentials are required to exploit either component vulnerability.

Fix
Apply the update. Understand that this patch could affect some functionality. For more information, read the entire security bulletin.

As a workaround for the Kerberos threat, block TCP and UDP port 88 at the firewall. No known workarounds are available for the PKINIT threat.
Final word

Of course, the big news in the past week was how quickly the mainstream media jumped on the Zotob family of malware, which targeted a vulnerability in Windows 2000 that Microsoft patched earlier this month. All of the reports that I've seen indicate that this is a relatively minor threat. However, since several high-profile media outlets fell victim to this worm, it is big news—at least to them.

Symantec doesn't list any Zotob version as being worse than a grade 3 threat. (Grade 5 is the maximum threat level.) In addition, only Zotob.E reached that level; the other variants were only grade 1 or 2. Nevertheless, this is a real threat to anyone who's running an unpatched Windows 2000 system. For more information, check out these TechRepublic resources:

* "New worms prevention and cure"
* "Microsoft offers Zotob removal tool"
* TechRepublic Real World Guide: Virus Prevention and Recovery (download)
* Virus Protection Policy (download)

I'm not making light of this threat—only the way the media jumped on this while ignoring Esbot.A, which is certainly as dangerous and also targets the PnP vulnerability patched in MS05-039. The most important thing to remember is that any vulnerability that affects your system is a critical threat—even if yours is the only one compromised.