十二月份资讯安全公告Dec 14,2006

十二月份資訊安全公告

Dec14,2006RichardChen陳政鋒

(Net+,Sec+,MCSE2003+Security,CISSP)

資深技術支援工程師

台灣微軟技術支援處QuestionsandAnswersSubmittextquestionsusingthe

“AskaQuestion”buttonWhatWeWillCoverRecapNov.releasesknownissuesReviewDec.

releasesOthersecurityresourcesPreparefornewWSUSSCAN.CABarchitectureIE7overAULifecycleInformationWindowsMaliciousSoftwareRemovalToolResourcesQuestionsandanswersRecapNov.KnownissuesandMS06-066NetwareGetofferingevennoCSNWisinstalled:NormalproactivepatchingMS06-067IEpatch3rdpartyAPcompatibilityissue,seeKB922760MS06-069AdobeFlashPlayerRe-offering,installthelatestFlashPlayertosolvetheissueMS06-070WorkstationserviceWormvulnerability,installthepatchimmediatelyMS06-071MSXMLWSUScategory/descriptionerror,fixingnow.MSXML4installfailure,seeKB927978Dec2006SecurityBulletins

SummaryOnDec13:7NewSecurityBulletins5Windows(1critical,4important)1VisualStudio(critical)1MediaPlayer(critical)1re-releaseMS06-059(critical)5High-prioritynon-securityupdatesNovember2006SecurityBulletinsOverviewBulletinNumberTitleMaximumSeverityRatingProductsAffectedMS06-072CumulativeSecurityUpdateforInternetExplorer(925454)CriticalInternetExplorer5.01&6MS06-073VulnerabilityVisualStudio2005CouldAllowRemoteCodeExecution(925674)CriticalVisualStudio2005MS06-074VulnerabilityinSNMPCouldAllowRemoteCodeExecution(926247)ImportantWindows2000,XP,2003MS06-075VulnerabilityinWindowsCouldAllowElevationofPrivilege(926255)ImportantWindowsXP,2003MS06-076CumulativeSecurityUpdateforOutlookExpress(923694)ImportantOutlookExpressonWindows2000,XP,2003MS06-077VulnerabilityinRemoteInstallationServiceCouldAllowRemoteCodeExecution(926121)ImportantWindows2000MS06-078VulnerabilityinWindowsMediaFormatCouldAllowRemoteCodeExecution(923689)CriticalWindowsMediaFormat7.1–9.5andWindowsMediaPlayer6.4onWindows2000,XP,2003December

2006SecurityBulletins

SeveritySummaryBulletinNumberWindows2000SP4WindowsXPSP2WindowsServer2003WindowsServer2003SP1MS06-072CriticalCriticalModerateCriticalWindows2000SP4WindowsXPSP2WindowsServer2003WindowsServer2003SP1MS06-074ImportantImportantImportantImportantMS06-075NotAffectedImportantImportantNotAffectedMS06-077ImportantNotAffectedNotAffectedNotAffectedVisualStudio2005MS06-073CriticalWindowsMediaPlayer6.4Windows2000SP4WindowsXPSP2WindowsServer2003&SP1MS06-078CriticalCriticalCriticalCriticalOutlookExpress5.5OutlookExpress6WindowsVistaMS06-076ImportantImportantNotAffectedMS06-072:InternetExplorer–

CriticalTitle&KBArticle:CumulativeSecurityUpdateforInternetExplorer(925454)AffectedSoftware:

IE5.01SP4onWindows2000SP4IE6SP1onWindows2000SP4IE6forWindowsXPSP2IE6forWindowsServer2003RTMandSP1IE6forWindowsServer2003RTMia64andSP1ia64IE6forWindowsServer2003x64IE6forWindowsXPProx64ReplacedUpdates:

MS06-067andallpreviousCumulativeSecurityUpdatesforInternetExplorerVulnerabilities:CVE-2006-5577-TIFFolderInformationDisclosureVulnCVE-2006-5578-TIFFolderInformationDisclosureVulnCVE-2006-5579-ScriptErrorHandlingMemoryCorruptionVuln

CVE-2006-5581-DHTMLScriptFunctionMemoryCorruptionVulnPubliclyDisclosed:NoKnownExploits:NoMS06-072:InternetExplorer–

CriticalIssueSummary:Two“RemoteCodeExploit”vulnerabilitiesandtwo“InformationDisclosure”vulnerabilitiesexistinIEthatcouldallowanattackertorunarbitrarycodeFixDescription:ThefixmodifiesthehandlingofDHTMLscriptfunctioncallsandscripterrorexceptions.ItalsorestrictsOBJECTtagsfromexposingsensitivepathstoscriptsandaccesstocachedcontentintheTIFfolderAttackVectors:

MaliciousWebPageMaliciousEmailMitigations:AuserwouldhavetobepersuadedtovisitamaliciousWebsiteExploitationonlyallowstheprivilegeleveloftheloggedonuserBydefault,IEonWindows2003runsinarestrictedmodeOutlookExpress6,Outlook2002,andOutlook2003openHTMLe-mailmessagesintheRestrictedsiteszoneInternetExplorer7isnotaffectedWorkaround:Disable“DragandDroporcopyandpastefiles”DisableActiveScriptingorsetto“Prompt”SetIEsecuritytoHighforInternetandIntranetzonesOpenHTMLe-mailmessagesintheRestrictedsiteszone,applyupdate235309forOutlook2000RestartRequirement:NOInstallationandRemoval:

Add/RemoveProgramsCommandlineuninstalloptionScriptableDeploymentMoreInformation:/taiwan/technet/security/bulletin/ms06-072.mspxMS06-073:WMIObjectBroker-

Critical

Title&KBArticle:VulnerabilityVisualStudio2005CouldAllowRemoteCodeExecution(925674)AffectedSoftware:MicrosoftVisualStudio2005ReplacedUpdates:NONEVulnerabilities:WMIObjectBrokerVulnerability-CVE-2006-4704:AremotecodeexecutionvulnerabilityexistsintheWMIObjectBrokercontrolthattheWMIWizardusesinVisualStudio2005.AnattackercouldexploitthevulnerabilitybyconstructingaspeciallycraftedWebpagethatcouldpotentiallyallowremotecodeexecutionifauserviewedtheWebpage.Anattackerwhosuccessfullyexploitedthisvulnerabilitycouldtakecompletecontrolofanaffectedsystem.PubliclyDisclosed:YesKnownExploits?:Yes.CVE-2006-4704.MS06-073:WMIObjectBroker-

CriticalIssueSummary:Thisupdateresolvesapublicvulnerability.Anattackerwhohassuccessfullyexploitedthisvulnerabilitycouldtakecompletecontrolofanaffectedsystem.Anattackercouldtheninstallprograms;view,change,ordeletedata;orcreatenewaccountswithfulluserrights.Ifauserisloggedonwithadministrativeuserrights,anattackerwhohassuccessfullyexploitedthisvulnerabilitycouldtakecompletecontrolofanaffectedsystem.Userswhoseaccountsareconfiguredtohavefeweruserrightsonthesystemcouldbelessimpactedthanuserswhooperatewithadministrativeuserrights.FixDescription:TheupdateremovesthevulnerabilitybymodifyingthewaythattheWMIObjectBrokerinstantiatesothercontrols.AttackVectors:

MaliciousWebPageEmailswithMaliciousComponentsMS06-073:WMIObjectBroker-

Critical

Mitigations:AuserwouldhavetobepersuadedtovisitamaliciousWebsiteThisActiveXcontrolisnotinthedefaultallow-listforActiveXcontrolsinInternetExplorer7.OnlycustomerswhohaveexplicitlyapprovedthiscontrolbyusingtheActiveXOpt-inFeatureareatrisktoattemptstoexploitthisvulnerability.ExploitationonlyallowsthesameprivilegesastheloggedonuserTheRestrictedsiteszonehelpsreduceattacksthatcouldtrytoexploitthisvulnerabilitybypreventingActiveScripting/ActiveXcontrolsfrombeingusedwhenreadingHTMLe-mail.Thevulnerabilitycouldnotbeexploitedautomaticallythroughe-mail.Foranattacktobesuccessfulausermustopenanattachmentthatissentinane-mailmessageormustclickonalinkwithinane-mail.Bydefault,InternetExploreronWindowsServer2003runsinarestrictedmodethatisknownasEnhancedSecurityConfiguration.Workaround:DisableattemptstoinstantiatetheWMIObjectBrokercontrolwithinInternetExplorer(seeMicrosoftKnowledgeBaseArticle240797.)ConfigureInternetExplorertopromptbeforerunningActiveXControlsordisableActiveXControlsintheInternetandLocalintranetsecurityzoneSetInternetandLocalintranetsecurityzonesettingsto“High”topromptbeforerunningActiveXControlsandActiveScriptinginthesezonesForOutlook2000,installOutlookE-mailSecurityUpdatesothatOutlook2000opensHTMLe-mailmessagesintheRestrictedsiteszone.ForOutlookExpress5.5ServicePack2,installMicrosoftSecurityBulletinMS04-018sothatOutlookExpress5.5opensHTMLe-mailmessagesintheRestrictedsiteszone.MS06-073:WMIObjectBroker-

Critical

RestartRequirement:Thisupdatedoesnotrequirearestartunlesstherequiredservicescannotbestoppedbytheinstaller.InstallationandRemoval:

Add/RemoveProgramsCommandlineinstall/uninstalloptionScriptableDeploymentMoreInformation:/taiwan/technet/security/bulletin/ms06-073.mspxMS06-074:SNMP-ImportantTitle&KBArticle:VulnerabilityinSNMPCouldAllowRemoteCodeExecution(926247)AffectedSoftware:Windows2000SP4WindowsXPSP2WindowsXPProx64WindowsServer2003WindowsServer2003&WindowsServer2003SP1WindowsServer2003ia64&WindowsServer2003SP1ia64WindowsServer2003x64ReplacedUpdates:NoneVulnerabilities:CVE-2006-5583PubliclyDisclosed:NoKnownExploits?:NoMS06-074:SNMP-ImportantIssueSummary:AremotecodeexecutionvulnerabilityexistsinSNMPServicethatcouldallowanattackerwhosuccessfullyexploitedthisvulnerabilitytotakecompletecontroloftheaffectedsystem.FixDescription:TheupdateremovesthevulnerabilitybymodifyingthewaythatSNMPServicevalidatesthelengthofamessagebeforeitpassesthemessagetotheallocatedbuffer.AttackVectors:

MaliciouspackettransmissionoverthenetworkMitigations:

SNMPserviceisnotinstalledbydefault.Forcustomerswhorequiretheaffectedcomponent,firewallbestpracticesandstandarddefaultfirewallconfigurationscanhelpprotectnetworksfromattacksthatoriginateoutsidetheenterpriseperimeter.Workaround:RestricttheIPaddressesthatareallowedtomanagethecomputer.

BlockUDPport161atthefirewall.Tohelpprotectfromnetwork-basedattemptstoexploitthisvulnerability,useapersonalfirewall,suchastheWindowsFirewall,whichisincludedwithWindowsXP.RestartRequirement:YesInstallationandRemoval:Add/RemoveProgramsCommandlineuninstalloptionScriptableDeploymentMoreInformation:/taiwan/technet/security/bulletin/ms06-074.mspxMS06-075:FileManifest-ImportantTitle&KBArticle:VulnerabilityinWindowsCouldAllowElevationofPrivilege(926255)AffectedSoftware:

WindowsXPSP2

WindowsServer2003•WindowsServer2003ia64ReplacedUpdates:

NoneVulnerabilities:FileManifestCorruptionVulnerability-CVE-2006-5585PubliclyDisclosed:NoKnownExploits?:NoMS06-075:FileManifest-ImportantIssueSummary:AprivilegeelevationvulnerabilityexistsinthewaythatMicrosoftWindowsstartsapplicationswithspeciallycraftedfilemanifests.Thisvulnerabilitycouldallowaloggedonusertotakecompletecontrolofthesystem.FixDescription:TheupdateremovesthevulnerabilitybymodifyingthewaythatClientServerRun-timeSubsystemvalidatesembeddedfilemanifestsbeforeitpassesdatatotheallocatedbuffer.Thissecurityupdatecorrectsanintegeroverflowinsxs.dll.Anyapplicationthatusesside-by-sideassemblieswithRequestedPrivilegessectionmayBSODthemachine.Compctl32.dllandGDIplus.dllaretwoside-by-sideassembliescommonlyusedbyMicrosoft.IntheworstcasealocalauthenticatedusercanrunexecutecodebeforethemachineBSOD;thereforelocalEoP(fromlocaltosystemispossible).AttackVectors:LoggedonuserMitigations:

Anattackermusthavevalidlogoncredentialsandbeabletologonlocallytoexploitthisvulnerability.Thevulnerabilitycouldnotbeexploitedremotelyorbyanonymoususers.Workaround:NoneRestartRequirement:YesInstallationandRemoval:Add/RemoveProgramsCommandlineuninstalloptionScriptableDeploymentMoreInformation:/taiwan/technet/security/bulletin/ms06-075.mspxMS06-076:OutlookExpress-ImportantTitle&KBArticle:CumulativeSecurityUpdateforOutlookExpress(923694)AffectedSoftware:Win2KSP4WinXPSP2,x64EditionWin2K3andWin2K3SP1,2K3Itanium&Sp1forItanium,Win2K3x64OE5.5SP2onWin2KSP4OE6SP1onWinXPSP2OE6onWinXPSP2,x64EditionOE6onWin2K3andWin2K3SP1,x64Edition,Itanium&ItaniumSP1ReplacedUpdates:MS06-016&MS06-043withOE6onWinXPSP2&x64andOE6onWin2K3Sp1&x64Vulnerabilities:CVE-2006-2386:WindowsAddressBookContactRecordPubliclyDisclosed:CVE-2006-2386–NoKnownExploits?:NoIssueSummary:CVE-2006-2386:AnuncheckedbufferintheWindowsAddressBook(WAB)functionswithinOutlookExpressleadsaremotecodeexecutionattacksFixDescription:CVE-2006-2386:RemovesthevulnerabilitybymodifyingthewaythatOutlookExpress,whenusinga.wabfile,validatesthelengthofafieldbeforeitpassesittotheallocatedbufferAttackVectors:MaliciousEmailMaliciousWebPageMitigations:AuserwouldhavetobepersuadedtovisitamaliciousWebsiteExploitationonlyallowsthesameprivilegesastheloggedonuserAusermustopenanattachmentthatissentinane-mailWorkaround:Backupandremovethe.wabfileassociationImpactofWorkaround:Userswillnotbeabletoopenaddressbooksbydoubleclickingthem.TheywillhavetomanuallystarttheWindowsAddressBookapplicationandpasstheaddressbooktobeusedasacommandlineparameterortheycanimporttheaddressbookfromtheFilemenu.ThisdoesnotaffecttheuseofaddressbooksinOutlookExpressRestartRequirement

NoInstallationandRemoval:Add/RemovePrograms,CommandlineuninstalloptionScriptableDeploymentMoreInformation:/taiwan/technet/security/bulletin/ms06-076.mspxMS06-076:OutlookExpress-ImportantMS06-077:RIS-ImportantTitle&KBArticle:VulnerabilityinRemoteInstallationServiceCouldAllowRemoteCodeExecution(926121)AffectedSoftware:

Windows2000SP4ONLYReplacedUpdates:NoneVulnerabilities:CVE-2006-5584-RISWritablePathVulnerabilityPubliclyDisclosed:NoKnownExploits?:NoMS06-077:RIS-ImportantIssueSummary:RISallowsanonymousaccesstothefilestructureofahostedoperatingsystembuildthroughtheTFTPservice.FixDescription:TheupdatepreventsanonymousTFTPuserstheabilitytowritetotheRIShostedoperatingsystembuild’sfilestructurebyaddingtheregistrykeyidentifiedintheWorkaroundssectionofthebulletin.AttackVectors:MaliciouspackettransmissionoverthenetworkMitigations:AnattackerwouldneedTFTPaccesstoexploitthisvulnerabilityRISisnotinstalledbydefaultStandardFirewallconfigurationsshouldblockthisfromthewebWorkaround:ConfiguretheTFTPserviceasreadonlyDisabletheTFTPServiceBlockUDPport69atthefirewallRestartRequirement:NoInstallationandRemoval:Add/RemoveProgramsCommandlineuninstalloptionScriptableDeploymentMoreInformation:/taiwan/technet/security/bulletin/ms06-077.mspxMS06-078:WindowsMediaPlayer-Critical

Title&KBArticle:VulnerabilityinWindowsMediaPlayerCouldAllowRemoteCodeExecutionKB925398addressesWindowsMediaPlayer6.4KB923689addressesWindowsMediaFormatRuntimesAffectedSoftware:MicrosoftWindowsMediaFormat7.1through9.5SeriesRuntimeonthefollowingoperatingsystemversionsMicrosoftWindows2000ServicePack4-(KB923689)MicrosoftWindowsXPServicePack2-(KB923689)MicrosoftWindowsXPProfessionalx64Edition-(KB923689)MicrosoftWindowsServer2003orMicrosoftWindowsServer2003ServicePack1-(KB923689)MicrosoftWindowsServer2003x64Edition-(KB923689)AffectedSoftware:MicrosoftWindowsMediaFormat9.5SeriesRuntimex64Editiononthefollowingoperatingsystemversions:MicrosoftWindowsXPProfessionalx64Edition-(KB923689)MicrosoftWindowsServer2003x64Edition-(KB923689)MicrosoftWindowsMediaPlayer6.4onthefollowingoperatingsystemversions:Windows2000ServicePack4-(KB925398)MicrosoftWindowsXPServicePack2-(KB925398)MicrosoftWindowsXPProfessionalx64Edition–(KB925398)MicrosoftWindowsServer2003oronMicrosoftWindowsServer2003ServicePack1–(KB925398)MicrosoftWindowsServer2003x64Edition–(KB925398)ReplacedUpdates:NoneVulnerabilities:CVE-2006-4702WindowsMediaFormatVulnerabilityCVE-2006-6134WindowsMediaFormatWMVCOREASXVulnerabilityPubliclyDisclosed:NoKnownExploits?:NoMS06-078:WindowsMediaPlayer-CriticalIssueSummary:BufferoverflowRemoteCodeExecutionWMVCoreASFexploitedASXexploitedFixDescription:

UpdatemodifiesWMVCOREvalidationprocess.AttackVectors:MaliciousWebPageMaliciousEmailMitigations:RequiresaccessingmaliciousWebsite/openingmaliciousemailExploitationonlyallowsthesameprivilegesastheloggedonuserBydefault,IEonWindows2003runsinarestrictedmodeWindowsMediaFormat11runtimeisnotaffectedbythisvulnerabilityandcouldbeusedtopreventanattempttoexploitthisvulnerability.Workaround:DisabletheWindowsMediaPlayerActiveXcontrolsfromrunninginInternetExplorerModifytheAccessControlListonStrmdll.dlltopreventshellbasedattacksonplayersonWindows2000

Unregister

Shmedia.dlltopreventshellbasedattacksonplayersWindowsXPandWindows2003MS06-078:WindowsMediaPlayer-CriticalRestartRequirement:None,ifrequiredservicesareterminable.InstallationandRemoval:Add/RemoveProgramsCommandlineuninstalloptionScriptableDeploymentMoreInformation:

http:///taiwan/technet/security/bulletin/ms06-078.mspxMS06-078:WindowsMediaPlayer-CriticalRe-ReleaseofMS06-059-ExcelCriticalInstallMS06-059mightfailifALLconditionsaretrue:RunningExcel2002MSI2.0PreviouslyinstalledMS06-037Details:Basically,becausethe059patchdoesnotcontaintheMSI2.0patchcodefor037,installingExcel2002’s059ontopof037willtriggeraWindowsInstaller2.0buginsomecases&resultinexcel.exenotgettingupdatedtoversion6816.Resolution:InstallMS06-059v2DetectionandDeploymentBulletinComponentOfficeUpdateWU/MUMBSA1.2+ODTMBSA2.0/

2.0.1SUSWSUSESTSMSSUITSMSITMUDetectanddeployDetectanddeployDetectonlyDetectonlyDetectanddeployDetectanddeployDetectonlyDetectanddeployDetectanddeployMS06-072MicrosoftInternetExplorerNotapplicableYesYesYesYesYesNotapplicableYesYesMS06-073MicrosoftVisualStudioNotapplicableYesNoYesNoYesYesYes,withESUITYesMS06-074SNMPNotapplicableYesYesYesYesYesNotapplicableYesYesMS06-075FileManifestNotapplicableYesYesYesYesYesNotapplicableYesYesMS06-076MicrosoftOutlookExpressNotapplicableYesNoYesYesYesYesYes,withESUITYesMS06-077RemoteInstallationServices(RIS)NotapplicableYesNoYesYesYesYesYesYesMS06-078WindowsMediaPlayerNotapplicableYesPartialYesYesYesYesYes,withESUITPartialOtherUpdateInformationBulletinRestartUninstallReplacesOnproductsMS06-072YesYesMS06-067andallpreviousCumulativeSecurityUpdatesforIEIE5.01SP4,IE6,IE6SP1MS06-073MaybeYesN/AVisualStudio2005MS06-074YesYesN/AWindows2000SP4,XPSP2,W2K3,W2K3SP1MS06-075YesYesN/AXPSP2andW2K3MS06-076NoYesMS06-016&MS06-043withOE6onWinXPSP2&x64andOE6onW2K3SP1&x64OE5.5SP2andOE6MS06-077NoYesN/AW2KOnlyMS06-078MaybeYesN/A

MicrosoftWindowsMediaFormat7.1through9.5SeriesRuntimeonthefollowingoperatingsystemversions

MicrosoftWindowsMediaPlayer6.4December2006Non-SecurityUpdatesNUMBERTITLEDistribution911897UpdateforWindowsServerWU,MU926251UpdateforWindowsXPMediaCenterEditionfor2005WU,MU928388UpdateforWindowsWU,MU929120UpdateforWindowsWU,MU924886UpdateforOffice2003MUNewWSUSSCAN.CABarchitectureNewarchitectureforwsusscan.cabbeginssinceNovember2006Supportforexistingwsusscan.cabarchitectureendsonMarch2007SMSITMUcustomers:downloadanddeployupdatedversionoftheSMSITMU/technet/downloads/sms/2003/tools/msupdates.mspxMBSA2.0offlinescancustomers:

DownloadupdatedversionofMBSA2.0.1nowOrdownloadthenewofflinescanfile,wsusscn2.cab,byclicking/fwlink/?LinkId=76054.

SavethisfiletoC:\DocumentsandSettings\<username>\LocalSettings\ApplicationData\Microsoft\MBSA\2.0\Cache\wsusscn2.cab.IfyouonlyrunMBSA2.0intheonlinemode,doanything.SeeMicrosoftKBArticle926464formoreinformation/kb/926464IE7overAUManualdownload(ENversion)isavailable.InternetExplorer7begandistributionoverAUinNovember