十二月份資訊安全公告 Dec 14, 2006 Richard Chen 陳政鋒 (Net+, Sec+, MCSE2003+Security,...

十二月份資訊安全公告十二月份資訊安全公告Dec 14, 2006Dec 14, 2006

Richard Chen Richard Chen 陳政鋒陳政鋒(Net+, Sec+, MCSE2003+Security, CISSP)(Net+, Sec+, MCSE2003+Security, CISSP)

資深技術支援工程師資深技術支援工程師台灣微軟技術支援處台灣微軟技術支援處

Questions and AnswersQuestions and Answers

• Submit text questions using the Submit text questions using the “Ask a Question” button “Ask a Question” button

What We Will CoverWhat We Will Cover

• Recap Nov. releases known issuesRecap Nov. releases known issues• Review Dec.Review Dec. releasesreleases• Other security resourcesOther security resources

– Prepare for new WSUSSCAN.CAB architecturePrepare for new WSUSSCAN.CAB architecture– IE 7 over AU IE 7 over AU – Lifecycle InformationLifecycle Information– Windows Malicious Software Removal ToolWindows Malicious Software Removal Tool

• ResourcesResources• Questions and answersQuestions and answers

Recap Nov. Known issues andRecap Nov. Known issues and

• MS06-066 NetwareMS06-066 Netware– Get offering even no CSNW is installed: Normal proactive Get offering even no CSNW is installed: Normal proactive

patchingpatching

• MS06-067 IE patchMS06-067 IE patch– 3rd party AP compatibility issue, see KB9227603rd party AP compatibility issue, see KB922760

• MS06-069 Adobe Flash PlayerMS06-069 Adobe Flash Player– Re-offering, install the latest Flash Player to solve the issueRe-offering, install the latest Flash Player to solve the issue

• MS06-070 Workstation serviceMS06-070 Workstation service– Worm vulnerability, install the patch immediatelyWorm vulnerability, install the patch immediately

• MS06-071 MSXMLMS06-071 MSXML– WSUS category/description error, fixing now.WSUS category/description error, fixing now.– MSXML4 install failure, see KB927978MSXML4 install failure, see KB927978

Dec 2006 Security BulletinsDec 2006 Security BulletinsSummarySummary

• On Dec 13:On Dec 13:– 7 New Security Bulletins7 New Security Bulletins

• 5 Windows (1 critical, 4 important)5 Windows (1 critical, 4 important)• 1 Visual Studio (critical)1 Visual Studio (critical)• 1 Media Player (critical)1 Media Player (critical)

– 1 re-release MS06-059 (critical)1 re-release MS06-059 (critical)– 5 High-priority non-security updates5 High-priority non-security updates

November 2006 Security Bulletins November 2006 Security Bulletins OverviewOverviewBulletin Bulletin NumberNumber

Title Title Maximum Maximum Severity RatingSeverity Rating

Products AffectedProducts Affected

MS06-072 Cumulative Security Update for Internet Explorer (925454)

Critical Internet Explorer 5.01 & 6

MS06-073 Vulnerability Visual Studio 2005 Could Allow Remote Code Execution (925674)

Critical Visual Studio 2005

MS06-074 Vulnerability in SNMP Could Allow Remote Code Execution (926247)

Important Windows 2000, XP, 2003

MS06-075 Vulnerability in Windows Could Allow Elevation of Privilege (926255)

Important Windows XP, 2003

MS06-076 Cumulative Security Update for Outlook Express (923694)

Important Outlook Express on Windows 2000, XP, 2003

MS06-077 Vulnerability in Remote Installation Service Could Allow Remote Code Execution (926121)

Important Windows 2000

MS06-078 Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689)

Critical Windows Media Format 7.1 – 9.5 and Windows Media Player 6.4 on Windows 2000, XP, 2003

DecemberDecember 2006 Security Bulletins2006 Security BulletinsSeverity SummarySeverity Summary

Bulletin Bulletin NumberNumber

Windows 2000 SP4 Windows 2000 SP4 Windows XP SP2 Windows XP SP2 Windows Windows Server 2003Server 2003

Windows Windows Server 2003 Server 2003 SP1SP1

MS06-072MS06-072 CriticalCritical CriticalCritical ModerateModerate CriticalCritical

Windows 2000 SP4 Windows 2000 SP4 Windows XP SP2 Windows XP SP2 Windows Windows Server 2003Server 2003

Windows Windows Server 2003 Server 2003 SP1SP1

MS06-074MS06-074 ImportantImportant ImportantImportant ImportantImportant ImportantImportant

MS06-075MS06-075 Not AffectedNot Affected ImportantImportant ImportantImportant Not AffectedNot Affected

MS06-077MS06-077 ImportantImportant Not AffectedNot Affected Not AffectedNot Affected Not AffectedNot Affected

Visual Studio 2005Visual Studio 2005

MS06-073MS06-073 CriticalCritical

Windows Media Player Windows Media Player 6.46.4

Windows 2000 SP4 Windows 2000 SP4 Windows XP Windows XP SP2 SP2

Windows Windows Server 2003 & Server 2003 & SP1SP1

MS06-078MS06-078 CriticalCritical CriticalCritical CriticalCritical CriticalCritical

Outlook Express 5.5Outlook Express 5.5 Outlook Express 6Outlook Express 6 Windows VistaWindows Vista

MS06-076MS06-076 ImportantImportant ImportantImportant Not AffectedNot Affected

MS06-072: Internet Explorer –MS06-072: Internet Explorer – CriticalCritical

Title & KB Article:Title & KB Article: Cumulative Security Update for Internet Explorer (925454)Cumulative Security Update for Internet Explorer (925454)

Affected Software:Affected Software: • IE 5.01 SP4 on Windows 2000 SP4IE 5.01 SP4 on Windows 2000 SP4• IE 6 SP1 on Windows 2000 SP4 IE 6 SP1 on Windows 2000 SP4 • IE 6 for Windows XP SP2 IE 6 for Windows XP SP2 • IE 6 for Windows Server 2003 RTM and SP1IE 6 for Windows Server 2003 RTM and SP1• IE 6 for Windows Server 2003 RTM ia64 and SP1 ia64IE 6 for Windows Server 2003 RTM ia64 and SP1 ia64• IE 6 for Windows Server 2003 x64IE 6 for Windows Server 2003 x64• IE 6 for Windows XP Pro x64 IE 6 for Windows XP Pro x64

Replaced Updates:Replaced Updates: • MS06-067 and all previous Cumulative Security Updates for Internet Explorer MS06-067 and all previous Cumulative Security Updates for Internet Explorer

Vulnerabilities:Vulnerabilities: • CVE-2006-5577 - TIF Folder Information Disclosure VulnCVE-2006-5577 - TIF Folder Information Disclosure Vuln• CVE-2006-5578 - TIF Folder Information Disclosure VulnCVE-2006-5578 - TIF Folder Information Disclosure Vuln• CVE-2006-5579 - Script Error Handling Memory Corruption Vuln CVE-2006-5579 - Script Error Handling Memory Corruption Vuln • CVE-2006-5581 - DHTML Script Function Memory Corruption VulnCVE-2006-5581 - DHTML Script Function Memory Corruption Vuln

Publicly Disclosed:Publicly Disclosed: NoNo

Known Exploits:Known Exploits: NoNo

MS06-072: Internet Explorer –MS06-072: Internet Explorer – CriticalCritical

Issue Summary:Issue Summary: Two “Remote Code Exploit” vulnerabilities and two “Information Disclosure” Two “Remote Code Exploit” vulnerabilities and two “Information Disclosure” vulnerabilities exist in IE that could allow an attacker to run arbitrary codevulnerabilities exist in IE that could allow an attacker to run arbitrary code

Fix Description:Fix Description: The fix modifies the handling of DHTML script function calls and script error The fix modifies the handling of DHTML script function calls and script error exceptions. It also restricts OBJECT tags from exposing sensitive paths to scripts and exceptions. It also restricts OBJECT tags from exposing sensitive paths to scripts and access to cached content in the TIF folderaccess to cached content in the TIF folder

Attack Vectors:Attack Vectors: • Malicious Web PageMalicious Web Page• Malicious EmailMalicious Email

Mitigations:Mitigations: • A user would have to be persuaded to visit a malicious Web siteA user would have to be persuaded to visit a malicious Web site• Exploitation only allows the privilege level of the logged on userExploitation only allows the privilege level of the logged on user• By default, IE on Windows 2003 runs in a restricted mode By default, IE on Windows 2003 runs in a restricted mode • Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages

in the Restricted sites zonein the Restricted sites zone• Internet Explorer 7 is not affectedInternet Explorer 7 is not affected

Workaround:Workaround: • Disable “Drag and Drop or copy and paste files” Disable “Drag and Drop or copy and paste files” • Disable Active Scripting or set to “Prompt”Disable Active Scripting or set to “Prompt”• Set IE security to High for Internet and Intranet zonesSet IE security to High for Internet and Intranet zones• Open HTML e-mail messages in the Restricted sites zone, apply update 235309 Open HTML e-mail messages in the Restricted sites zone, apply update 235309

for Outlook 2000for Outlook 2000

Restart Requirement:Restart Requirement: NONO

Installation and Installation and Removal:Removal:

• Add/Remove Programs Add/Remove Programs • Command line uninstall optionCommand line uninstall option• Scriptable DeploymentScriptable Deployment

More Information:More Information: http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-072.mspxhttp://www.microsoft.com/taiwan/technet/security/bulletin/ms06-072.mspx

MS06-073: WMI Object Broker-MS06-073: WMI Object Broker- CriticalCritical

Title & KB Article:Title & KB Article: Vulnerability Visual Studio 2005 Could Allow Remote Code Execution (925674)Vulnerability Visual Studio 2005 Could Allow Remote Code Execution (925674)

Affected Software:Affected Software: • Microsoft Visual Studio 2005Microsoft Visual Studio 2005

Replaced Updates:Replaced Updates: • NONENONE

Vulnerabilities:Vulnerabilities: WMI Object Broker Vulnerability - CVE-2006-4704:WMI Object Broker Vulnerability - CVE-2006-4704:A remote code execution vulnerability exists in the WMI Object Broker control that A remote code execution vulnerability exists in the WMI Object Broker control that the WMI Wizard uses in Visual Studio 2005. An attacker could exploit the vulnerability the WMI Wizard uses in Visual Studio 2005. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.vulnerability could take complete control of an affected system.

Publicly Disclosed:Publicly Disclosed: YesYes

Known Exploits?:Known Exploits?: Yes. CVE-2006-4704.Yes. CVE-2006-4704.

MS06-073: WMI Object Broker-MS06-073: WMI Object Broker- CriticalCritical

Issue Summary:Issue Summary: This update resolves a public vulnerability. This update resolves a public vulnerability. An attacker who has successfully exploited this vulnerability could take complete An attacker who has successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.change, or delete data; or create new accounts with full user rights.

If a user is logged on with administrative user rights, an attacker who has If a user is logged on with administrative user rights, an attacker who has successfully exploited this vulnerability could take complete control of an affected successfully exploited this vulnerability could take complete control of an affected system. Users whose accounts are configured to have fewer user rights on the system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user system could be less impacted than users who operate with administrative user rights. rights.

Fix Description:Fix Description: The update removes the vulnerability by modifying the way that the WMI Object The update removes the vulnerability by modifying the way that the WMI Object Broker instantiates other controls.Broker instantiates other controls.

Attack Vectors:Attack Vectors: • Malicious Web PageMalicious Web Page• Emails with Malicious ComponentsEmails with Malicious Components

MS06-073: WMI Object Broker-MS06-073: WMI Object Broker- CriticalCritical Mitigations:Mitigations: • A user would have to be persuaded to visit a malicious Web siteA user would have to be persuaded to visit a malicious Web site

• This ActiveX control is not in the default allow-list for ActiveX controls in Internet This ActiveX control is not in the default allow-list for ActiveX controls in Internet Explorer 7. Only customers who have explicitly approved this control by using the Explorer 7. Only customers who have explicitly approved this control by using the ActiveX Opt-in Feature are at risk to attempts to exploit this vulnerability.ActiveX Opt-in Feature are at risk to attempts to exploit this vulnerability.

• Exploitation only allows the same privileges as the logged on userExploitation only allows the same privileges as the logged on user• The Restricted sites zone helps reduce attacks that could try to exploit this The Restricted sites zone helps reduce attacks that could try to exploit this

vulnerability by preventing Active Scripting/ActiveX controls from being used vulnerability by preventing Active Scripting/ActiveX controls from being used when reading HTML e-mail. when reading HTML e-mail.

• The vulnerability could not be exploited automatically through e-mail. For an The vulnerability could not be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail attack to be successful a user must open an attachment that is sent in an e-mail message or must click on a link within an e-mail.message or must click on a link within an e-mail.

• By default, Internet Explorer on Windows Server 2003 runs in a restricted mode By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as that is known as Enhanced Security ConfigurationEnhanced Security Configuration..

Workaround:Workaround: • Disable attempts to instantiate the WMI Object Broker control within Internet Disable attempts to instantiate the WMI Object Broker control within Internet Explorer (see Microsoft Knowledge Base Article 240797.) Explorer (see Microsoft Knowledge Base Article 240797.)

• Configure Internet Explorer to prompt before running ActiveX Controls or disable Configure Internet Explorer to prompt before running ActiveX Controls or disable ActiveX Controls in the Internet and Local intranet security zoneActiveX Controls in the Internet and Local intranet security zone

• Set Internet and Local intranet security zone settings to “High” to prompt before Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zonesrunning ActiveX Controls and Active Scripting in these zones

• For Outlook 2000, install Outlook E-mail Security Update so that Outlook 2000 For Outlook 2000, install Outlook E-mail Security Update so that Outlook 2000 opens HTML e-mail messages in the Restricted sites zone.opens HTML e-mail messages in the Restricted sites zone.

• For Outlook Express 5.5 Service Pack 2, install Microsoft Security Bulletin MS04-For Outlook Express 5.5 Service Pack 2, install Microsoft Security Bulletin MS04-018 so that Outlook Express 5.5 opens HTML e-mail messages in the Restricted 018 so that Outlook Express 5.5 opens HTML e-mail messages in the Restricted sites zone.sites zone.

MS06-073: WMI Object Broker-MS06-073: WMI Object Broker- CriticalCritical Restart Requirement:Restart Requirement: This update does not require a restart unless the required services cannot be This update does not require a restart unless the required services cannot be

stopped by the installer.stopped by the installer.


• Add/Remove Programs Add/Remove Programs • Command line install/uninstall optionCommand line install/uninstall option• Scriptable DeploymentScriptable Deployment


MS06-074: SNMP -MS06-074: SNMP - Important ImportantTitle & KB Article:Title & KB Article: Vulnerability in SNMP Could Allow Remote Code Execution (926247)Vulnerability in SNMP Could Allow Remote Code Execution (926247)

Affected Software:Affected Software: • Windows 2000 SP 4 Windows 2000 SP 4 • Windows XP SP 2Windows XP SP 2• Windows XP Pro x64 Windows XP Pro x64 • Windows Server 2003 Windows Server 2003 • Windows Server 2003 & Windows Server 2003 SP1Windows Server 2003 & Windows Server 2003 SP1• Windows Server 2003 ia64 & Windows Server 2003 SP1 ia64Windows Server 2003 ia64 & Windows Server 2003 SP1 ia64• Windows Server 2003 x64Windows Server 2003 x64

Replaced Updates:Replaced Updates: • NoneNone

Vulnerabilities:Vulnerabilities: • CVE-2006-5583CVE-2006-5583


Known Exploits?:Known Exploits?: NoNo

MS06-074: SNMP -MS06-074: SNMP - Important Important

Issue Summary:Issue Summary: A remote code execution vulnerability exists in SNMP Service that could allow an A remote code execution vulnerability exists in SNMP Service that could allow an attacker who successfully exploited this vulnerability to take complete control of the attacker who successfully exploited this vulnerability to take complete control of the affected system.affected system.

Fix Description:Fix Description: The update removes the vulnerability by modifying the way that SNMP Service The update removes the vulnerability by modifying the way that SNMP Service validates the length of a message before it passes the message to the allocated validates the length of a message before it passes the message to the allocated buffer.buffer.

Attack Vectors:Attack Vectors: • Malicious packet transmission over the networkMalicious packet transmission over the network

Mitigations:Mitigations: • SNMP service is not installed by defaultSNMP service is not installed by default..• For customers who require the affected component, firewall best practices and For customers who require the affected component, firewall best practices and standard default firewall configurations can help protect networks from attacks that standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. originate outside the enterprise perimeter.

Workaround:Workaround: • Restrict the IP addresses that are allowed to manage the computer. Restrict the IP addresses that are allowed to manage the computer. • Block UDP port 161 at the firewallBlock UDP port 161 at the firewall..• To help protect from network-based attempts to exploit this vulnerability, use a To help protect from network-based attempts to exploit this vulnerability, use a personal firewall, such as the Windows Firewall, which is included with Windows XP.personal firewall, such as the Windows Firewall, which is included with Windows XP.

Restart Requirement:Restart Requirement: YesYes




MS06-075: File Manifest -MS06-075: File Manifest - Important Important

Title & KB Article:Title & KB Article: Vulnerability in Windows Could Allow Elevation of Privilege (926255)Vulnerability in Windows Could Allow Elevation of Privilege (926255)

Affected Software:Affected Software: • Windows XP SP 2Windows XP SP 2• Windows Server 2003 Windows Server 2003 • • Windows Server 2003 ia64Windows Server 2003 ia64


Vulnerabilities:Vulnerabilities: • File Manifest Corruption Vulnerability - CVE-2006-5585File Manifest Corruption Vulnerability - CVE-2006-5585



MS06-075: File Manifest -MS06-075: File Manifest - Important Important Issue Summary:Issue Summary: A A privilege elevationprivilege elevation vulnerability exists in the way that Microsoft Windows starts vulnerability exists in the way that Microsoft Windows starts

applications with specially crafted file manifests. This vulnerability could allow a applications with specially crafted file manifests. This vulnerability could allow a logged on user to take complete control of the system.logged on user to take complete control of the system.

Fix Description:Fix Description: The update removes the vulnerability by modifying the way that Client Server Run-The update removes the vulnerability by modifying the way that Client Server Run-time Subsystem validates embedded file manifests before it passes data to the time Subsystem validates embedded file manifests before it passes data to the allocated buffer. This security update corrects an integer overflow in sxs.dll.allocated buffer. This security update corrects an integer overflow in sxs.dll.

Any application that uses side-by-side assemblies with Requested Privileges section Any application that uses side-by-side assemblies with Requested Privileges section may BSOD the machine. Compctl32.dll and GDIplus.dll are two side-by-side may BSOD the machine. Compctl32.dll and GDIplus.dll are two side-by-side assemblies commonly used by Microsoft. In the worst case a local authenticated user assemblies commonly used by Microsoft. In the worst case a local authenticated user can run execute code before the machine BSOD; therefore local EoP (from local to can run execute code before the machine BSOD; therefore local EoP (from local to system is possible).system is possible).

Attack Vectors:Attack Vectors: • Logged on userLogged on user

Mitigations:Mitigations: • An attacker must have valid logon credentials and be able to log on locally to exploit An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.this vulnerability.• The vulnerability could not be exploited remotely or by anonymous users.The vulnerability could not be exploited remotely or by anonymous users.

Workaround:Workaround: • NoneNone

Restart Requirement:Restart Requirement: • YesYes




MS06-076: Outlook Express-MS06-076: Outlook Express- Important ImportantTitle & KB Article:Title & KB Article: Cumulative Security Update for Outlook Express (923694)Cumulative Security Update for Outlook Express (923694)

Affected Software:Affected Software: Win2K SP4Win2K SP4

WinXP SP2 , x64 EditionWinXP SP2 , x64 Edition

Win2K3 and Win2K3 SP1, 2K3 Itanium & Sp1 for Itanium, Win2K3 x64Win2K3 and Win2K3 SP1, 2K3 Itanium & Sp1 for Itanium, Win2K3 x64

OE 5.5 SP2 on Win2K SP4 OE 5.5 SP2 on Win2K SP4

OE 6 SP1 on WinXP SP2OE 6 SP1 on WinXP SP2

OE 6 on WinXP SP2 , x64 Edition OE 6 on WinXP SP2 , x64 Edition

OE 6 on Win2K3 and Win2K3 SP1, x64 Edition , Itanium & Itanium SP1 OE 6 on Win2K3 and Win2K3 SP1, x64 Edition , Itanium & Itanium SP1

Replaced Updates:Replaced Updates: MS06-016MS06-016 & & MS06-043MS06-043 with OE6 on WinXP SP2 & x64 and OE6 on Win2K3 Sp1 & x64 with OE6 on WinXP SP2 & x64 and OE6 on Win2K3 Sp1 & x64

Vulnerabilities:Vulnerabilities: CVE-2006-2386: Windows Address Book Contact Record CVE-2006-2386: Windows Address Book Contact Record

Publicly Disclosed:Publicly Disclosed: CVE-2006-2386 – NoCVE-2006-2386 – No


Issue Summary:Issue Summary: CVE-2006-2386: An unchecked buffer in the Windows Address Book (WAB) functions CVE-2006-2386: An unchecked buffer in the Windows Address Book (WAB) functions within Outlook Express leads a within Outlook Express leads a remote code executionremote code execution attacks attacks

Fix Description:Fix Description: CVE-2006-2386: Removes the vulnerability by modifying the way that Outlook CVE-2006-2386: Removes the vulnerability by modifying the way that Outlook Express, when using a .wab file, validates the length of a field before it passes it to Express, when using a .wab file, validates the length of a field before it passes it to the allocated buffer the allocated buffer

Attack Vectors:Attack Vectors: • Malicious EmailMalicious Email• Malicious Web PageMalicious Web Page

Mitigations:Mitigations: • A user would have to be persuaded to visit a malicious Web siteA user would have to be persuaded to visit a malicious Web site• Exploitation only allows the same privileges as the logged on user Exploitation only allows the same privileges as the logged on user • A user must open an attachment that is sent in an e-mail A user must open an attachment that is sent in an e-mail

Workaround:Workaround: Back up and remove the .wab file associationBack up and remove the .wab file association

Impact of WorkaroundImpact of Workaround:: Users will not be able to open address books by double Users will not be able to open address books by double clicking them. They will have to manually start the Windows Address Book clicking them. They will have to manually start the Windows Address Book application and pass the address book to be used as a command line parameter or application and pass the address book to be used as a command line parameter or they can import the address book from the File menu. This does not affect the use of they can import the address book from the File menu. This does not affect the use of address books in Outlook Expressaddress books in Outlook Express

Restart RequirementRestart Requirement NoNo


• Add/Remove Programs , Command line uninstall optionAdd/Remove Programs , Command line uninstall option• Scriptable DeploymentScriptable Deployment


MS06-076: Outlook Express-MS06-076: Outlook Express- Important Important

MS06-077: RIS -MS06-077: RIS - Important Important

Title & KB Article:Title & KB Article: Vulnerability in Remote Installation Service Could Allow Remote Code Execution Vulnerability in Remote Installation Service Could Allow Remote Code Execution (926121)(926121)

Affected Software:Affected Software: • Windows 2000 SP4 ONLY Windows 2000 SP4 ONLY


Vulnerabilities:Vulnerabilities: • CVE-2006-5584 - RIS Writable Path Vulnerability CVE-2006-5584 - RIS Writable Path Vulnerability



MS06-077: RIS -MS06-077: RIS - Important Important Issue Summary:Issue Summary: RIS allows anonymous access to the file structure of a hosted operating system RIS allows anonymous access to the file structure of a hosted operating system

build through the TFTP service.build through the TFTP service.

Fix Description:Fix Description: The update prevents anonymous TFTP users the ability to write to the RIS hosted The update prevents anonymous TFTP users the ability to write to the RIS hosted operating system build’s file structure by adding the registry key identified in the operating system build’s file structure by adding the registry key identified in the Workarounds section of the bulletin. Workarounds section of the bulletin.

Attack Vectors:Attack Vectors: • Malicious packet transmission over the networkMalicious packet transmission over the network

Mitigations:Mitigations: • An attacker would need TFTP access to exploit this vulnerabilityAn attacker would need TFTP access to exploit this vulnerability• RIS is not installed by defaultRIS is not installed by default• Standard Firewall configurations should block this from the web Standard Firewall configurations should block this from the web

Workaround:Workaround: • Configure the TFTP service as read onlyConfigure the TFTP service as read only• Disable the TFTP ServiceDisable the TFTP Service• Block UDP port 69 at the firewallBlock UDP port 69 at the firewall

Restart Requirement:Restart Requirement: NoNo




MS06-078: Windows Media Player - MS06-078: Windows Media Player - CriticalCritical

Title & KB Article:Title & KB Article: Vulnerability in Windows Media Player Could Allow Remote Code ExecutionVulnerability in Windows Media Player Could Allow Remote Code Execution• KB 925398 addresses Windows Media Player 6.4 KB 925398 addresses Windows Media Player 6.4 • KB 923689 addresses Windows Media Format RuntimesKB 923689 addresses Windows Media Format Runtimes

Affected Software:Affected Software: • Microsoft Windows Media Format 7.1 through 9.5 Series Runtime on the following Microsoft Windows Media Format 7.1 through 9.5 Series Runtime on the following operating system versionsoperating system versions

• Microsoft Windows 2000 Service Pack 4 - (KB923689)Microsoft Windows 2000 Service Pack 4 - (KB923689)• Microsoft Windows XP Service Pack 2 - (KB923689)Microsoft Windows XP Service Pack 2 - (KB923689)• Microsoft Windows XP Professional x64 Edition - (KB923689)Microsoft Windows XP Professional x64 Edition - (KB923689)• Microsoft Windows Server 2003 or Microsoft Windows Server 2003 Service Pack Microsoft Windows Server 2003 or Microsoft Windows Server 2003 Service Pack

1 - (KB923689)1 - (KB923689)• Microsoft Windows Server 2003 x64 Edition - (KB923689)Microsoft Windows Server 2003 x64 Edition - (KB923689)

Affected Software:Affected Software: • Microsoft Windows Media Format 9.5 Series Runtime x64 Edition on the following Microsoft Windows Media Format 9.5 Series Runtime x64 Edition on the following operating system versions:operating system versions:

• Microsoft Windows XP Professional x64 Edition - (KB923689)Microsoft Windows XP Professional x64 Edition - (KB923689)• Microsoft Windows Server 2003 x64 Edition - (KB923689)Microsoft Windows Server 2003 x64 Edition - (KB923689)

• Microsoft Windows Media Player 6.4 on the following operating system versions:Microsoft Windows Media Player 6.4 on the following operating system versions:• Windows 2000 Service Pack 4 - (KB925398)Windows 2000 Service Pack 4 - (KB925398)• Microsoft Windows XP Service Pack 2 - (KB925398)Microsoft Windows XP Service Pack 2 - (KB925398)• Microsoft Windows XP Professional x64 Edition – (KB925398)Microsoft Windows XP Professional x64 Edition – (KB925398)• Microsoft Windows Server 2003 or on Microsoft Windows Server 2003 Service Microsoft Windows Server 2003 or on Microsoft Windows Server 2003 Service

Pack 1 – (KB925398)Pack 1 – (KB925398)• Microsoft Windows Server 2003 x64 Edition – (KB925398)Microsoft Windows Server 2003 x64 Edition – (KB925398)


Vulnerabilities:Vulnerabilities: • CVE-2006-4702 Windows Media Format Vulnerability CVE-2006-4702 Windows Media Format Vulnerability • CVE-2006-6134 Windows Media Format WMVCORE ASX VulnerabilityCVE-2006-6134 Windows Media Format WMVCORE ASX Vulnerability

Publicly Disclosed:Publicly Disclosed: • NoNo

Known Exploits?:Known Exploits?: • NoNo


Issue Summary:Issue Summary: • Buffer overflowBuffer overflow• Remote Code ExecutionRemote Code Execution• WMV Core WMV Core • ASF exploitedASF exploited• ASX exploitedASX exploited

Fix Description:Fix Description: • Update modifies WMVCORE validation process.Update modifies WMVCORE validation process.

Attack Vectors:Attack Vectors: • Malicious Web PageMalicious Web Page• Malicious EmailMalicious Email

Mitigations:Mitigations: • Requires accessing malicious Web site/ opening malicious emailRequires accessing malicious Web site/ opening malicious email• Exploitation only allows the same privileges as the logged on userExploitation only allows the same privileges as the logged on user• By default, IE on Windows 2003 runs in a restricted modeBy default, IE on Windows 2003 runs in a restricted mode• Windows Media Format 11 runtime is not affected by this vulnerability and could Windows Media Format 11 runtime is not affected by this vulnerability and could be used to prevent an attempt to exploit this vulnerability.be used to prevent an attempt to exploit this vulnerability.

Workaround:Workaround: • Disable the Windows Media Player ActiveX controls from running in Internet Disable the Windows Media Player ActiveX controls from running in Internet ExplorerExplorer• Modify the Access Control List on Strmdll.dll to prevent shell based attacks on Modify the Access Control List on Strmdll.dll to prevent shell based attacks on players on Windows 2000players on Windows 2000• Unregister Shmedia.dll to prevent shell based attacks on players Windows XP and Unregister Shmedia.dll to prevent shell based attacks on players Windows XP and Windows 2003Windows 2003


Restart Requirement:Restart Requirement: • None, if required services are terminable. None, if required services are terminable.


• Add/ Remove Programs Add/ Remove Programs • Command line uninstall optionCommand line uninstall option• Scriptable DeploymentScriptable Deployment

More Information:More Information: • http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-078.mspxhttp://www.microsoft.com/taiwan/technet/security/bulletin/ms06-078.mspx


Re-Release of MS06-059- Excel Re-Release of MS06-059- Excel CriticalCritical

• Install MS06-059 might fail if ALL conditions are true:Install MS06-059 might fail if ALL conditions are true:– Running Excel 2002Running Excel 2002– MSI 2.0MSI 2.0– Previously installed MS06-037 Previously installed MS06-037

• Details:Details:– Basically, because the 059 patch does not contain the MSI 2.0 Basically, because the 059 patch does not contain the MSI 2.0

patch code for 037, installing Excel 2002’s 059 on top of 037 will patch code for 037, installing Excel 2002’s 059 on top of 037 will trigger a Windows Installer 2.0 bug in some cases & result in trigger a Windows Installer 2.0 bug in some cases & result in excel.exe not getting updated to version 6816. excel.exe not getting updated to version 6816.

• Resolution: Install MS06-059 v2Resolution: Install MS06-059 v2

Detection and DeploymentDetection and Deployment

Bulletin Component Office

Update WU/MU

MBSA 1.2 + ODT

MBSA 2.0/

2.0.1 SUS WSUS ESTSMS SUIT

SMS ITMU

Detect and

deploy

Detect and

deploy Detect only

Detect only

Detect and

deploy

Detect and

deploy Detect only

Detect and

deploy

Detect and

deploy

MS06-072

Microsoft Internet Explorer

Not applicable Yes Yes Yes Yes Yes

Not applicabl

e Yes Yes

MS06-073

Microsoft Visual Studio

Not applicable Yes No Yes No Yes Yes

Yes, with

ESUIT Yes

MS06-074 SNMP


Not applicabl

e Yes Yes

MS06-075

File Manifest


Not applicabl

e Yes Yes

MS06-076

Microsoft Outlook Express

Not applicable Yes No Yes Yes Yes Yes

Yes, with

ESUIT Yes

MS06-077

Remote Installation

Services (RIS)

Not applicable Yes No Yes Yes Yes Yes Yes Yes

MS06-078

Windows Media Player

Not applicable Yes Partial Yes Yes Yes Yes

Yes, with

ESUIT Partial

Other Update InformationOther Update Information

BulletinBulletin RestartRestart UninstallUninstall ReplacesReplaces On productsOn products

MS06-072MS06-072 YesYes YesYes MS06-067 and all MS06-067 and all previous Cumulative previous Cumulative Security Updates for Security Updates for IEIE

IE 5.01SP4, IE6, IE6 SP1IE 5.01SP4, IE6, IE6 SP1

MS06-073MS06-073 MaybeMaybe YesYes N/AN/A Visual Studio 2005Visual Studio 2005

MS06-074MS06-074 YesYes YesYes N/AN/A Windows 2000 SP4, XPSP2, W2K3, Windows 2000 SP4, XPSP2, W2K3, W2K3SP1W2K3SP1

MS06-075MS06-075 YesYes YesYes N/AN/A XPSP2 and W2K3XPSP2 and W2K3

MS06-076MS06-076 NoNo YesYes MS06-016MS06-016 & & MS06-043MS06-043 with OE 6 on WinXP SP2 with OE 6 on WinXP SP2 & x64 and OE 6 on & x64 and OE 6 on W2K3 SP1 & x64W2K3 SP1 & x64

OE 5.5 SP2 and OE6OE 5.5 SP2 and OE6

MS06-077MS06-077 NoNo YesYes N/AN/A W2K OnlyW2K Only

MS06-078MS06-078 MaybeMaybe YesYes N/AN/A • Microsoft Windows Media Format 7.1 Microsoft Windows Media Format 7.1 through 9.5 Series Runtime on the through 9.5 Series Runtime on the following operating system versionsfollowing operating system versions• Microsoft Windows Media Player 6.4Microsoft Windows Media Player 6.4

December 2006 Non-Security UpdatesDecember 2006 Non-Security Updates

NUMBERNUMBER TITLETITLE DistributionDistribution

911897911897 Update for Windows ServerUpdate for Windows Server WU, MUWU, MU

926251926251 Update for Windows XP Media Center Edition for 2005Update for Windows XP Media Center Edition for 2005 WU, MUWU, MU

928388928388 Update for WindowsUpdate for Windows WU, MUWU, MU

929120929120 Update for WindowsUpdate for Windows WU, MUWU, MU

924886924886 Update for Office 2003Update for Office 2003 MUMU

New WSUSSCAN.CAB architectureNew WSUSSCAN.CAB architecture

• New architecture for wsusscan.cab begins since November 2006• Support for existing wsusscan.cab architecture ends on March 2007• SMS ITMU customers: download and deploy updated version of the

SMS ITMU– http://www.microsoft.com/technet/downloads/sms/2003/tools/msupdates.mspx

• MBSA 2.0 offline scan customers: – Download updated version of MBSA 2.0.1 now– Or download the new offline scan file, wsusscn2.cab, by clicking http://

go.microsoft.com/fwlink/?LinkId=76054. Save this file to C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\2.0\Cache\wsusscn2.cab.

• If you only run MBSA 2.0 in the online mode, do anything. • See Microsoft KB Article 926464 for more information

– http://support.microsoft.com/kb/926464

IE 7 over AUIE 7 over AU

• Manual download (EN version) is available.Manual download (EN version) is available.• Internet Explorer 7 began distribution over AU in Internet Explorer 7 began distribution over AU in

November 2006November 2006– ZH version schedule see announcement below!ZH version schedule see announcement below!

• Internet Explorer 7 Blocker Toolkit available for Internet Explorer 7 Blocker Toolkit available for enterprise customers enterprise customers – Blocks automatic delivery of Internet Explorer 7 Blocks automatic delivery of Internet Explorer 7

• For additional information see:For additional information see:– http://www.microsoft.com/technet/updatemanagement/http://www.microsoft.com/technet/updatemanagement/

windowsupdate/ie7announcement.mspxwindowsupdate/ie7announcement.mspx

Lifecycle Support InformationLifecycle Support Information

• Software Update Services (SUS) 1.0Software Update Services (SUS) 1.0– Old deadline of 6 December 2006 has CHANGED to 10 July 2007Old deadline of 6 December 2006 has CHANGED to 10 July 2007– Information on upgrading:Information on upgrading:

http://http://www.microsoft.com/windowsserversystem/updateservices/evaluation/previous/default.mspx

• Public security support for Windows XP SP1 and Office Public security support for Windows XP SP1 and Office 2003 SP1 HAS ENDED as of 2003 SP1 HAS ENDED as of 10 October 200610 October 2006– No Security UpdatesNo Security Updates for Windows XP SP1 or Office 2003 SP1 starting in for Windows XP SP1 or Office 2003 SP1 starting in

November 2006November 2006– Remaining Windows XP SP1, Office 2003 SP1 customers should upgrade Remaining Windows XP SP1, Office 2003 SP1 customers should upgrade

to Windows XP SP2, Office 2003 SP2 right awayto Windows XP SP2, Office 2003 SP2 right away

• Public security support for Windows 98, 98 SE, and Public security support for Windows 98, 98 SE, and Millennium Edition Millennium Edition HAS ENDED as of 11 July 2006HAS ENDED as of 11 July 2006– See See www.microsoft.com/lifecyclewww.microsoft.com/lifecycle for more information for more information

• Microsoft Forefront Client Security Beta open to download.Microsoft Forefront Client Security Beta open to download.– http://www.microsoft.com/http://www.microsoft.com/taiwan/forefront/default.mspxtaiwan/forefront/default.mspx

Windows Malicious Software Removal Windows Malicious Software Removal Tool – KB890830Tool – KB890830

• Twenty-fourth monthly incremental update. Twenty-fourth monthly incremental update. • The Oct update adds the ability to remove:The Oct update adds the ability to remove:

– Win32/BeenutWin32/Beenut

• Available as priority update through Windows Update or Available as priority update through Windows Update or Microsoft Update for Windows XP usersMicrosoft Update for Windows XP users– Offered through WSUS; not offered through SUS 1.0Offered through WSUS; not offered through SUS 1.0

• Also as an ActiveX control or download at Also as an ActiveX control or download at www.microsoft.com/malwareremovewww.microsoft.com/malwareremove

• Deployment step-by-stsp: KB891716Deployment step-by-stsp: KB891716

ResourcesResources• Nov. Security Bulletin Webcast (US)Nov. Security Bulletin Webcast (US)

http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culturehttp://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-=en-US&EventIDUS&EventID=1032313212=1032313212

• Security Bulletins SummarySecurity Bulletins Summaryhttp://www.microsoft.com/taiwan/technet/security/bulletin/ms06-nov.mspxhttp://www.microsoft.com/taiwan/technet/security/bulletin/ms06-nov.mspx

• Security Bulletins SearchSecurity Bulletins Searchwww.microsoft.com/technet/security/current.aspxwww.microsoft.com/technet/security/current.aspx

• Security AdvisoriesSecurity Advisorieswww.microsoft.com/www.microsoft.com/taiwan/technet/security/advisorytaiwan/technet/security/advisory//

• MSRC BlogMSRC Bloghttp://blogs.technet.com/msrchttp://blogs.technet.com/msrc

• NotificationsNotificationswww.microsoft.com/technet/security/bulletin/notify.mspxwww.microsoft.com/technet/security/bulletin/notify.mspx

• TechNet RadioTechNet Radiowww.microsoft.com/tnradiowww.microsoft.com/tnradio

• IT Pro Security NewsletterIT Pro Security Newsletterwww.microsoft.com/technet/security/secnews/www.microsoft.com/technet/security/secnews/

• TechNet Security CenterTechNet Security Centerwww.microsoft.com/taiwan/technet/securitywww.microsoft.com/taiwan/technet/security

• TechNet Forum ITProTechNet Forum ITProhttp://forums.microsoft.com/technet-cht/default.aspx?siteid=23http://forums.microsoft.com/technet-cht/default.aspx?siteid=23

• Detection and deployment guidance for the December 2006 security Detection and deployment guidance for the December 2006 security releasereleasehttp://support.microsoft.com/kb/929656http://support.microsoft.com/kb/929656

Questions and AnswersQuestions and Answers

• Submit text questions using the Submit text questions using the “Ask a Question” button “Ask a Question” button

• Don’t forget to fill out the surveyDon’t forget to fill out the survey• For upcoming and previously recorded For upcoming and previously recorded

webcasts: webcasts: http://www.microsoft.com/taiwan/technet/webcast/default.aspxhttp://www.microsoft.com/taiwan/technet/webcast/default.aspx

• Webcast content suggestions:Webcast content suggestions:[email protected]@microsoft.com

十二月份資訊安全公告 Dec 14, 2006 Richard Chen 陳政鋒 (Net+, Sec+, MCSE2003+Security,...

Documents

Transcript of 十二月份資訊安全公告 Dec 14, 2006 Richard Chen 陳政鋒 (Net+, Sec+, MCSE2003+Security,...