「相談支援」の“きほん”がわかる 相談支援 ハンド …2016/03/31 · 「相談支援」の“きほん”がわかる 相談支援 ハンドブック (Ver.2.4)
九月份資訊安全公告 Sep 14, 2006 Richard Chen 陳政鋒 (Net+, Sec+, MCSE2003+Security,...
-
Upload
dennis-gibbs -
Category
Documents
-
view
242 -
download
2
Transcript of 九月份資訊安全公告 Sep 14, 2006 Richard Chen 陳政鋒 (Net+, Sec+, MCSE2003+Security,...
九月份資訊安全公告九月份資訊安全公告Sep 14, 2006Sep 14, 2006
Richard Chen Richard Chen 陳政鋒陳政鋒(Net+, Sec+, MCSE2003+Security, CISSP)(Net+, Sec+, MCSE2003+Security, CISSP)
資深技術支援工程師資深技術支援工程師台灣微軟技術支援處台灣微軟技術支援處
Questions last timeQuestions last time
• When will XPSP3 release?When will XPSP3 release?• Answer:Answer:
SP3 for Windows XP Professional is currently planned for 2H 2007. SP3 for Windows XP Professional is currently planned for 2H 2007.
This date is preliminary.This date is preliminary. • Check the following:Check the following:
http://www.microsoft.com/windows/lifecycle/servicepacks.mspxhttp://www.microsoft.com/windows/lifecycle/servicepacks.mspx
What We Will CoverWhat We Will Cover
• Review Sep.Review Sep. releasesreleases– Re-released bulletinsRe-released bulletins– New security bulletinsNew security bulletins– High-priority non-security updatesHigh-priority non-security updates
• Other security resourcesOther security resources– Windows Malicious Software Removal ToolWindows Malicious Software Removal Tool
• ResourcesResources• Questions and answersQuestions and answers
Questions and AnswersQuestions and Answers
• Submit text questions using the Submit text questions using the “Ask a Question” button “Ask a Question” button
Sep 2006 Security BulletinsSep 2006 Security BulletinsSummarySummary
• 3 New Security Bulletins for September3 New Security Bulletins for September– 1 new critical1 new critical– 1 new moderate1 new moderate– 1 new important 1 new important
• 2 Re-released Bulletins2 Re-released Bulletins– both criticalboth critical
• 2 Security Advisories2 Security Advisories
Sep 2006 Security Bulletins Sep 2006 Security Bulletins OverviewOverviewBulletin Bulletin NumberNumber
Title Title Maximum Severity Maximum Severity RatingRating
Products AffectedProducts Affected
MS06-040v2 Vulnerability in Server Service Could Allow Remote Code Execution (921883)
Critical All currently supported versions of Windows
MS06-042v3 Cumulative Security Update for Internet Explorer (918899)
Critical Internet Explorer on all currently supported versions of Windows
MS06-052 Pragmatic General Multicast (PGM) (919007)
Important Windows XP SP1/SP2 with MSMQ installed
MS06-053 Indexing Service (920685) Moderate All currently supported versions of Windows
MS06-054 Office Publisher (910729) Critical Office 2000/2002/2003
MS06-040v2: Windows - CriticalMS06-040v2: Windows - CriticalTitleTitle Vulnerability in Server Service Could Allow Remote Code Execution (KB 921883)Vulnerability in Server Service Could Allow Remote Code Execution (KB 921883)
The Problem:The Problem: A remote code execution vulnerability is exposed in the Server service, which could A remote code execution vulnerability is exposed in the Server service, which could allow an attacker to take complete control of the an unprotected system by sending an allow an attacker to take complete control of the an unprotected system by sending an unauthenticated, specially crafted message to the Server service.unauthenticated, specially crafted message to the Server service.
Vulnerabilities:Vulnerabilities: Server Service Vulnerability - CVE-2006-3439Server Service Vulnerability - CVE-2006-3439
Affected Versions:Affected Versions: All supported versions of Windows:All supported versions of Windows:
•• Microsoft Windows 2000 Service Pack 4Microsoft Windows 2000 Service Pack 4
•• Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 22
•• Microsoft Windows XP Professional x64 EditionMicrosoft Windows XP Professional x64 Edition
•• Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1Pack 1
•• Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based SystemsWindows Server 2003 with SP1 for Itanium-based Systems
•• Microsoft Windows Server 2003 x64 EditionMicrosoft Windows Server 2003 x64 Edition
MS06-040v2: Windows - CriticalMS06-040v2: Windows - CriticalTitleTitle Vulnerability in Server Service Could Allow Remote Code Execution (KB 921883)Vulnerability in Server Service Could Allow Remote Code Execution (KB 921883)
Attack Attack Vectors/Impact:Vectors/Impact:
•Any unpatched system with the Server service’s listening port (TCP 139, 445) exposed Any unpatched system with the Server service’s listening port (TCP 139, 445) exposed to a potentially compromised network is susceptible to an unauthenticated attack.to a potentially compromised network is susceptible to an unauthenticated attack.•Systems compromised by this vulnerability could be used to propagate a Blaster-style Systems compromised by this vulnerability could be used to propagate a Blaster-style internet worminternet worm
The Fix:The Fix: The update removes the vulnerability by modifying the way that Server service The update removes the vulnerability by modifying the way that Server service validates the length of a message it receives in RPC communications before it passes validates the length of a message it receives in RPC communications before it passes the message to the allocated buffer.the message to the allocated buffer.
Mitigations:Mitigations: Systems with the Server service disabled will not be exposed Systems with the Server service disabled will not be exposed (NOTE: this is an extremely rare case in most enterprise environments)(NOTE: this is an extremely rare case in most enterprise environments)
Workaround:Workaround: Block TCP 139 and TCP 445 at perimeter and on hosts connected to untrusted Block TCP 139 and TCP 445 at perimeter and on hosts connected to untrusted networksnetworks
MS06-040v2: Windows - CriticalMS06-040v2: Windows - Critical
TitleTitle Vulnerability in Server Service Could Allow Remote Code Execution (KB 921883)Vulnerability in Server Service Could Allow Remote Code Execution (KB 921883)
Detection and Detection and Deployment:Deployment:
• Detectable via MBSA 1.2Detectable via MBSA 1.2**, MBSA 2.0, SMS 2.0, MBSA 2.0, SMS 2.0**, SMS 2003, SMS 2003• Deployable via WU, MU, SUSDeployable via WU, MU, SUS**, WSUS, SMS 2.0*, SMS 2003, WSUS, SMS 2.0*, SMS 2003 * * does not support x64 and ia64 versions of Windowsdoes not support x64 and ia64 versions of Windows
Does this Does this supersede any supersede any updates? updates?
• NoNo
Publicly Disclosed Publicly Disclosed (?)(?)
• This vulnerability was initially reported through responsible disclosure, but was later This vulnerability was initially reported through responsible disclosure, but was later disclosed publiclydisclosed publicly
• MSRC was made aware of public exploitation prior to bulletin releaseMSRC was made aware of public exploitation prior to bulletin release
Reboot and Reboot and Uninstall Uninstall Information:Information:
• Installing the update requires a reboot of the systemInstalling the update requires a reboot of the system• This update is uninstallableThis update is uninstallable
MS06-040v2: Windows - CriticalMS06-040v2: Windows - CriticalTitleTitle Vulnerability in Server Service Could Allow Remote Code Execution (KB 921883)Vulnerability in Server Service Could Allow Remote Code Execution (KB 921883)
What is this reason What is this reason for this re-release? for this re-release?
• Initial building of WS03 SP1 updates for MS06-040 required netapi32.dll be loaded at Initial building of WS03 SP1 updates for MS06-040 required netapi32.dll be loaded at a different base address in memory due to increase in code sizea different base address in memory due to increase in code size
• Re-basing can cause applications that reserve large amounts of contiguous memory Re-basing can cause applications that reserve large amounts of contiguous memory to fail.to fail.
• Subsequent code changes allowed the base address for netapi32.dll to be changed Subsequent code changes allowed the base address for netapi32.dll to be changed back to its original location.back to its original location.
• 921883 has been updated to include the original pre- 921883 has been updated to include the original pre- MS06-040 base address that was included in hotfix 924054MS06-040 base address that was included in hotfix 924054..
Other information:Other information: • 921883 v2 will automatically upgrade systems requiring the new update (ie. uninstall 921883 v2 will automatically upgrade systems requiring the new update (ie. uninstall of 921883 v1 is not required)of 921883 v1 is not required)
• Only WS03 SP1 systems (and systems that use the WOW64 components from that Only WS03 SP1 systems (and systems that use the WOW64 components from that OS) are affected:OS) are affected:
– WS03 SP1 (x86/x64/ia64)WS03 SP1 (x86/x64/ia64)– WinXP x64WinXP x64
More Information:More Information: • For more Information, please review the FAQ at:For more Information, please review the FAQ at:http://support.microsoft.com/kb/921883http://support.microsoft.com/kb/921883http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-040.mspxhttp://www.microsoft.com/taiwan/technet/security/bulletin/ms06-040.mspx
Questions about MS06-040v2?Questions about MS06-040v2?
MS06-042v3: IE Cumulative (Critical)MS06-042v3: IE Cumulative (Critical)
TitleTitle MS06-042v3 Cumulative Security Update for Internet Explorer (918899) Re-MS06-042v3 Cumulative Security Update for Internet Explorer (918899) Re-releaserelease
The Problem:The Problem: • This update resolves several newly discovered, publicly and privately This update resolves several newly discovered, publicly and privately reported vulnerabilities. reported vulnerabilities.
• An attacker who successfully exploited the most severe of these An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. vulnerabilities could take complete control of an affected system.
• An attacker could then install programs; view, change, or delete data; An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. or create new accounts with full user rights.
• Users whose accounts are configured to have fewer user rights on the Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative system could be less impacted than users who operate with administrative user rights. user rights.
New VulnerabilitiesNew Vulnerabilities • Long URL Buffer Overflow Vulnerability CVE-2006-3869Long URL Buffer Overflow Vulnerability CVE-2006-3869• Long URL Buffer Overflow Vulnerability CVE-2006-3873Long URL Buffer Overflow Vulnerability CVE-2006-3873
MS06-042v3: IE Cumulative (Critical)MS06-042v3: IE Cumulative (Critical)
TitleTitle MS06-042v3 Cumulative Security Update for Internet Explorer (918899) Re-MS06-042v3 Cumulative Security Update for Internet Explorer (918899) Re-releaserelease
Affected SoftwareAffected Software •• Microsoft Windows 2000 Service Pack 4Microsoft Windows 2000 Service Pack 4
•• Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
•• Microsoft Windows XP Professional x64 EditionMicrosoft Windows XP Professional x64 Edition
•• Microsoft Windows Server 2003 and Microsoft Windows Server 2003 SP1Microsoft Windows Server 2003 and Microsoft Windows Server 2003 SP1
•• Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based SystemsWindows Server 2003 with SP1 for Itanium-based Systems
•• Microsoft Windows Server 2003 x64 EditionMicrosoft Windows Server 2003 x64 Edition
MS06-042v3: IE Cumulative (Critical)MS06-042v3: IE Cumulative (Critical)TitleTitle MS06-042v3 Cumulative Security Update for Internet Explorer (918899) Re-MS06-042v3 Cumulative Security Update for Internet Explorer (918899) Re-
releaserelease
Who needs to Who needs to install MS06-install MS06-042v3?042v3?
• If v1 or v2 is NOT installed: All Affected Software (above) … If v1 or v2 is NOT installed: All Affected Software (above) … • If v1 or v2 is installed, the following still need to install MS06-042:If v1 or v2 is installed, the following still need to install MS06-042:
– IE 5.01 SP4 on Windows 2000 SP4 IE 5.01 SP4 on Windows 2000 SP4 – IE 6 SP1 for Windows XP SP1 and Windows 2000 SP4IE 6 SP1 for Windows XP SP1 and Windows 2000 SP4– IE 6 for Windows Server 2003IE 6 for Windows Server 2003
Who does NOT Who does NOT needs to install needs to install MS06-042v3?MS06-042v3?
• If v1 or v2 is installed, the following does NOT need to install MS06-042:If v1 or v2 is installed, the following does NOT need to install MS06-042:– IE 6 for Windows XP SP2IE 6 for Windows XP SP2– IE 6 for Windows Server 2003 SP1IE 6 for Windows Server 2003 SP1
MS06-042v3: New VulnerabilitiesMS06-042v3: New Vulnerabilities
VulnerabilityVulnerability Long URL Buffer Overflow Vulnerability - CVE-2006-3869Long URL Buffer Overflow Vulnerability - CVE-2006-3869
Possible Attack Possible Attack VectorsVectors
Remote code Execution: From a malicious web site with a specially crafted Remote code Execution: From a malicious web site with a specially crafted Web page (via Email attachment or IM request etc)Web page (via Email attachment or IM request etc)
Impact of AttackImpact of Attack Attackers could take complete control of an affected systemAttackers could take complete control of an affected system
The FixThe Fix: Modified the way IE handles long URLs when navigating to : Modified the way IE handles long URLs when navigating to websites using the HTTP 1.1 protocol and compression.websites using the HTTP 1.1 protocol and compression.
VulnerabilityVulnerability Long URL Buffer Overflow Vulnerability CVE-2006-3873 Long URL Buffer Overflow Vulnerability CVE-2006-3873
Possible Attack Possible Attack VectorsVectors
Remote code Execution: From a malicious web site with a specially crafted Remote code Execution: From a malicious web site with a specially crafted Web page (via Email attachment or IM request etc)Web page (via Email attachment or IM request etc)
Impact of AttackImpact of Attack Attackers could take complete control of an affected systemAttackers could take complete control of an affected system
The FixThe Fix: Modified the way IE handles long URLs when navigating to : Modified the way IE handles long URLs when navigating to websites using the HTTP 1.1 protocol and compression.websites using the HTTP 1.1 protocol and compression.
MS06-042v3: IE Cumulative (Critical)MS06-042v3: IE Cumulative (Critical)TitleTitle MS06-042v3 Cumulative Security Update for Internet Explorer (918899) Re-MS06-042v3 Cumulative Security Update for Internet Explorer (918899) Re-
releaserelease
MitigationsMitigations • Web based attacks require user to visit malicious websWeb based attacks require user to visit malicious webs• Html email is opened in restricted zone: OE6, OL2002,Html email is opened in restricted zone: OE6, OL2002,
OL2003, and OL2002 w/OL email security updateOL2003, and OL2002 w/OL email security update• LUA: Attackers who successfully exploited these vulns could gainLUA: Attackers who successfully exploited these vulns could gain
the same user rights as the local user. the same user rights as the local user. • IE on Windows Server 2003 – Enhanced Security ConfigurationIE on Windows Server 2003 – Enhanced Security Configuration
WorkaroundWorkaround • (New) Disable the HTTP 1.1 protocol in Internet Explorer.(New) Disable the HTTP 1.1 protocol in Internet Explorer.• Disable caching of your Web site’s contentDisable caching of your Web site’s content• Set Active Scripting to Disabled or Prompt in the Internet ZoneSet Active Scripting to Disabled or Prompt in the Internet Zone• Set Internet and Local intranet security zone settings to “High” Set Internet and Local intranet security zone settings to “High” • Add Trusted sites to the trusted site zoneAdd Trusted sites to the trusted site zone• Read email in plain text formatRead email in plain text format• Disable Com Object instantiation (set kill bit)Disable Com Object instantiation (set kill bit)
Detection and Detection and DeploymentDeployment
• Next Page…Next Page…
MS06-042v3: IE Cumulative (Critical)MS06-042v3: IE Cumulative (Critical)TitleTitle MS06-042v3 Cumulative Security Update for Internet Explorer (918899) Re-MS06-042v3 Cumulative Security Update for Internet Explorer (918899) Re-
releaserelease
Does this Does this supersede any supersede any updates? updates?
•MS06-021MS06-021
Other information:Other information: •Is a Restart required? YESIs a Restart required? YES•Is there an uninstall option? YESIs there an uninstall option? YES•Are the new vulnerabilities publicly known?Are the new vulnerabilities publicly known?
– CVE-2006-3869:CVE-2006-3869:•Publicly KnownPublicly Known: : YESYES•Publicly Exploited: Publicly Exploited: NONO
– CVE-2006-3873:CVE-2006-3873:•Publicly Known: Publicly Known: NONO•Publicly Exploited: Publicly Exploited: NONO
More Information:More Information: •FAQ: FAQ: •http://support.microsoft.com/kb/918899http://support.microsoft.com/kb/918899•http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-042.mspxhttp://www.microsoft.com/taiwan/technet/security/bulletin/ms06-042.mspx
Questions about MS06-042v3?Questions about MS06-042v3?
MS06-052: Pragmatic General Multicast (PGM) -MS06-052: Pragmatic General Multicast (PGM) -ImportantImportant
TitleTitle Vulnerability in Pragmatic General Multicast (PGM) Could Result in Remote Vulnerability in Pragmatic General Multicast (PGM) Could Result in Remote Code Execution KB919007Code Execution KB919007
The ProblemThe Problem This update resolves a newly discovered, privately reported, vulnerability which is This update resolves a newly discovered, privately reported, vulnerability which is documented in the "Vulnerability Details" section of this bulletin.documented in the "Vulnerability Details" section of this bulletin.
An attacker who successfully exploited the vulnerability could take complete control An attacker who successfully exploited the vulnerability could take complete control of the affected system of the affected system
VulnerabilitiesVulnerabilities PGM Code Execution Vulnerability - PGM Code Execution Vulnerability - CVE-2006-3442CVE-2006-3442
Affected versionsAffected versions Microsoft Windows XP Service Pack 1 Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2 Microsoft Windows XP Service Pack 2
Attack Attack Vectors/ImpactVectors/Impact
There is a remote code execution vulnerability that could allow an attacker to send a There is a remote code execution vulnerability that could allow an attacker to send a specially crafted multicast message to an affected system and execute code on the specially crafted multicast message to an affected system and execute code on the affected system. affected system.
MS06-052: Pragmatic General Multicast (PGM) -MS06-052: Pragmatic General Multicast (PGM) -ImportantImportant
TitleTitle Vulnerability in Pragmatic General Multicast (PGM) Could Result in Remote Code Vulnerability in Pragmatic General Multicast (PGM) Could Result in Remote Code Execution KB919007Execution KB919007
The FixThe Fix The update removes the vulnerability by modifying the way that the MSMQ Service The update removes the vulnerability by modifying the way that the MSMQ Service validates a PGM message before it passes the message to the allocated buffer. validates a PGM message before it passes the message to the allocated buffer.
MitigationsMitigations •For customers who require the affected component, firewall best practices and For customers who require the affected component, firewall best practices and standard default firewall configurations can help protect networks from attacks that standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.are connected to the Internet have a minimal number of ports exposed.•Pragmatic General Multicast (PGM) is only supported when Microsoft Message Pragmatic General Multicast (PGM) is only supported when Microsoft Message Queuing (MSMQ) 3.0 is installed. The MSMQ service is not installed by default.Queuing (MSMQ) 3.0 is installed. The MSMQ service is not installed by default.
WorkaroundWorkaround We have not identified any workarounds for this vulnerability.We have not identified any workarounds for this vulnerability.
MS06-052: Pragmatic General Multicast (PGM) -MS06-052: Pragmatic General Multicast (PGM) -ImportantImportant
TitleTitle Vulnerability in Pragmatic General Multicast (PGM) Could Result in Remote Vulnerability in Pragmatic General Multicast (PGM) Could Result in Remote Code Execution KB919007Code Execution KB919007
Does this Does this supersede any supersede any updates? updates?
NoNo
Other informationOther information • Was the vulnerability publicly known? NoWas the vulnerability publicly known? No• Are there any known exploits? NoAre there any known exploits? No• Is a Restart required? YesIs a Restart required? Yes• Is there an uninstall option? Yes Is there an uninstall option? Yes
More InformationMore Information • For more Information, please review the FAQ at:For more Information, please review the FAQ at:•http://support.microsoft.com/?id=919007http://support.microsoft.com/?id=919007•http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-052.mspxhttp://www.microsoft.com/taiwan/technet/security/bulletin/ms06-052.mspx
Questions on MS06-052?Questions on MS06-052?
MS06-053: Indexing Service - ModerateMS06-053: Indexing Service - ModerateTitleTitle Vulnerability in Indexing Service Could Allow Cross-Site Scripting (KB920685)Vulnerability in Indexing Service Could Allow Cross-Site Scripting (KB920685)
The ProblemThe Problem •There is an information disclosure vulnerability in Indexing Service because of the way There is an information disclosure vulnerability in Indexing Service because of the way that it handles query validation, creating the possibility of cross-site scripting.that it handles query validation, creating the possibility of cross-site scripting.•The vulnerability could allow an attacker to run client-side script on behalf of a user. The vulnerability could allow an attacker to run client-side script on behalf of a user. The script could spoof content, disclose information, or take any action that the user The script could spoof content, disclose information, or take any action that the user could take on the affected web sitecould take on the affected web site
VulnerabilitiesVulnerabilities Microsoft Indexing Service Vulnerability - Microsoft Indexing Service Vulnerability - CVE-2006-0032CVE-2006-0032
Affected versionsAffected versions • Microsoft Windows 2000 Service Pack 4Microsoft Windows 2000 Service Pack 4• Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 • Microsoft Windows XP Professional x64 EditionMicrosoft Windows XP Professional x64 Edition• Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack
1 1 • Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows
Server 2003 with SP1 for Itanium-based SystemsServer 2003 with SP1 for Itanium-based Systems• Microsoft Windows Server 2003 x64 EditionMicrosoft Windows Server 2003 x64 Edition
MS06-053: Indexing Service - ModerateMS06-053: Indexing Service - Moderate
TitleTitle Vulnerability in Indexing Service Could Allow Cross-Site Scripting KB920685Vulnerability in Indexing Service Could Allow Cross-Site Scripting KB920685
Attack Vectors Attack Vectors /Impact:/Impact:
A user would have to be enticed to click on a URL which goes to a malicious web site A user would have to be enticed to click on a URL which goes to a malicious web site which hosts the exploit.which hosts the exploit.
The Fix:The Fix: The update removes the vulnerability by modifying the way that Indexing Service The update removes the vulnerability by modifying the way that Indexing Service validates the length of a message before it passes the message to the allocated buffer.validates the length of a message before it passes the message to the allocated buffer.
Mitigations:Mitigations: •By default, Internet Information Services 6.0 is not enabled on Windows Server By default, Internet Information Services 6.0 is not enabled on Windows Server •On Windows Server 2003, if the Internet Information Services (IIS) has been enabled, On Windows Server 2003, if the Internet Information Services (IIS) has been enabled, the Indexing Service is not enabled by default. the Indexing Service is not enabled by default. •When Indexing Service is installed, web-based query pages must be created or When Indexing Service is installed, web-based query pages must be created or installed manually that will allow IIS to receive queries from anonymous users and pass installed manually that will allow IIS to receive queries from anonymous users and pass those queries to the Indexing Service.those queries to the Indexing Service.•(Continued on the next slide)(Continued on the next slide)
MS06-053: Indexing Service - ModerateMS06-053: Indexing Service - ModerateTitleTitle Vulnerability in Indexing Service Could Allow Cross-Site Scripting KB920685Vulnerability in Indexing Service Could Allow Cross-Site Scripting KB920685
Mitigations Mitigations (Continued):(Continued):
•The attacker would have to persuade users to visit the Web site, typically by getting The attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site.to the attacker's Web site.•Firewall best practices and standard default firewall configurations (E.g. systems that Firewall best practices and standard default firewall configurations (E.g. systems that connected to the Internet have a minimal number of ports) can help protect networks connected to the Internet have a minimal number of ports) can help protect networks from attacks that originate outside the enterprise perimeter.from attacks that originate outside the enterprise perimeter.
Workarounds:Workarounds: •Firewall best practices and standard default firewall configurations (E.g. systems that Firewall best practices and standard default firewall configurations (E.g. systems that connected to the Internet have a minimal number of ports) can help protect networks connected to the Internet have a minimal number of ports) can help protect networks from attacks that originate outside the enterprise perimeter. Block at the firewall: from attacks that originate outside the enterprise perimeter. Block at the firewall: UDP UDP ports 137 and 138 and TCP ports 139 and 44.ports 137 and 138 and TCP ports 139 and 44.•To help protect from network-based attempts to exploit this vulnerability, use a personal To help protect from network-based attempts to exploit this vulnerability, use a personal firewall, such as the firewall, such as the Internet Connection FirewallInternet Connection Firewall, enable advanced TCP/IP filtering on , enable advanced TCP/IP filtering on systems that support this feature, block the affected ports by using IPSec on the affected systems that support this feature, block the affected ports by using IPSec on the affected systems.systems.•Remove the Indexing ServiceRemove the Indexing Service
MS06-053: Indexing Service - ModerateMS06-053: Indexing Service - Moderate
TitleTitle Vulnerability in Indexing Service Could Allow Cross-Site Scripting KB920685Vulnerability in Indexing Service Could Allow Cross-Site Scripting KB920685
Does this Does this supersede any supersede any updates? updates?
NoNo
Other informationOther information • Was the vulnerability publicly known? NoWas the vulnerability publicly known? No• Are there any known exploits? NoAre there any known exploits? No• Is a Restart required? NoIs a Restart required? No• Is there an uninstall option? YesIs there an uninstall option? Yes
More InformationMore Information • For more Information, please review the FAQ at: http://support.microsoft.com/?For more Information, please review the FAQ at: http://support.microsoft.com/?id=920685id=920685http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-053.mspxhttp://www.microsoft.com/taiwan/technet/security/bulletin/ms06-053.mspx
Questions about MS06-053?Questions about MS06-053?
MS06-054: Office - CriticalMS06-054: Office - CriticalTitleTitle Vulnerability in Microsoft Publisher Could Allow Remote Code ExecutionVulnerability in Microsoft Publisher Could Allow Remote Code Execution (910729)(910729)
The ProblemThe Problem A remote code execution vulnerability exists in Publisher, and could be exploited when A remote code execution vulnerability exists in Publisher, and could be exploited when a malformed string included in a Publisher file is parsed. An attacker could exploit the a malformed string included in a Publisher file is parsed. An attacker could exploit the vulnerability by constructing a specially crafted Publisher file that could allow remote vulnerability by constructing a specially crafted Publisher file that could allow remote code execution. code execution.
VulnerabilitiesVulnerabilities Microsoft Publisher Vulnerability - CVE-2006-0001Microsoft Publisher Vulnerability - CVE-2006-0001
Affected versionsAffected versions Office Publisher 2000Office Publisher 2000
Office Publisher 2002Office Publisher 2002
Office Publisher 2003Office Publisher 2003
Attack Attack Vectors/ImpactVectors/Impact
For an attack to be successful a user must open an attachment that is sent in an e-mail For an attack to be successful a user must open an attachment that is sent in an e-mail message or visit a Web site that contains a Web page that is used to exploit this message or visit a Web site that contains a Web page that is used to exploit this vulnerability . An attacker who successfully exploited this vulnerability could take vulnerability . An attacker who successfully exploited this vulnerability could take complete control of an affected system.complete control of an affected system.
The FixThe Fix The update removes the vulnerability by modifying the way that Publisher parses the The update removes the vulnerability by modifying the way that Publisher parses the file and validates the length of a string before passing it to the allocated buffer. file and validates the length of a string before passing it to the allocated buffer.
MS06-054: Office - CriticalMS06-054: Office - CriticalTitleTitle Vulnerability in Microsoft Publisher Could Allow Remote Code ExecutionVulnerability in Microsoft Publisher Could Allow Remote Code Execution (910729)(910729)
MitigationsMitigations •Users whose accounts are configured to have fewer user rights on the system could be Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. less impacted than users who operate with administrative user rights. •an attacker would have to persuade users to visit the Web site an attacker would have to persuade users to visit the Web site •The vulnerability cannot be exploited automatically through e-mail The vulnerability cannot be exploited automatically through e-mail •For Office 2000, you may install the For Office 2000, you may install the Office Document Open Confirmation ToolOffice Document Open Confirmation Tool for Office for Office 2000 and you will then be prompted with Open, Save, or Cancel before opening a 2000 and you will then be prompted with Open, Save, or Cancel before opening a document. Office 2002 and 2003 include this feature by default. document. Office 2002 and 2003 include this feature by default.
WorkaroundWorkaround • Do not open or save Publisher files that you receive from un-trusted sources or that you Do not open or save Publisher files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources receive unexpectedly from trusted sources
Detection and Detection and DeploymentDeployment
SoftwareSoftware MBSA 1.2.1 MBSA 2.0 SMS 2.0 SMS 2003 MBSA 1.2.1 MBSA 2.0 SMS 2.0 SMS 2003
Microsoft Publisher 2000 Yes No YesMicrosoft Publisher 2000 Yes No Yes Yes Yes
Microsoft Publisher 2002 Yes Yes YesMicrosoft Publisher 2002 Yes Yes Yes Yes Yes
Microsoft Publisher 2003 Yes Yes YesMicrosoft Publisher 2003 Yes Yes Yes Yes Yes
MS06-054: Office - CriticalMS06-054: Office - Critical
TitleTitle Vulnerability in Microsoft Publisher Could Allow Remote Code ExecutionVulnerability in Microsoft Publisher Could Allow Remote Code Execution (910729)(910729)
Does this Does this supersede any supersede any updates? updates?
•NoneNone
Other informationOther information • Was the vulnerability publicly known? NOWas the vulnerability publicly known? NO• Are there any known exploits? NOAre there any known exploits? NO• Is a Restart required? YES, this update changes shared Office dll files in addition to Is a Restart required? YES, this update changes shared Office dll files in addition to Publisher files. Although the security vulnerability only exists in Publisher a reboot is Publisher files. Although the security vulnerability only exists in Publisher a reboot is required to complete the installation of all files in the update. required to complete the installation of all files in the update. • Is there an uninstall option? NOIs there an uninstall option? NO
More InformationMore Information • For more Information, please review the FAQ at: For more Information, please review the FAQ at: •http://support.microsoft.com/?id=910729http://support.microsoft.com/?id=910729•http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-054.mspxhttp://www.microsoft.com/taiwan/technet/security/bulletin/ms06-054.mspx
Questions about MS06-054?Questions about MS06-054?
Security Advisory (1 of 2)Security Advisory (1 of 2)
Security Advisory 922582 - Minifilter can block AU and WSUSSecurity Advisory 922582 - Minifilter can block AU and WSUS• Non-security updateNon-security update• This update addresses an error that could result when using a minifilter-based application on a This update addresses an error that could result when using a minifilter-based application on a
system. system. • Specific Error Code: Specific Error Code: 0x800700020x80070002• This error code could occur when updating any of the following Microsoft tools: This error code could occur when updating any of the following Microsoft tools:
– Automatic UpdatesAutomatic Updates– WU Web siteWU Web site– MU Web siteMU Web site– Inventory Tool for Microsoft Updates (ITMU) for Microsoft Systems Management Server (SMS) Inventory Tool for Microsoft Updates (ITMU) for Microsoft Systems Management Server (SMS)
2003 2003 – SUSSUS– WSUSWSUS
• Windows Server 2003 R2 is the only version of Windows that ships with a minifilter-based Windows Server 2003 R2 is the only version of Windows that ships with a minifilter-based application, but it is not installed by default. application, but it is not installed by default.
• ISVs are building new applications using the minifilter technology; this error could affect any systems ISVs are building new applications using the minifilter technology; this error could affect any systems in the future.in the future.
• Customers should evaluate and deploy the update.Customers should evaluate and deploy the update.• More information:More information:
http://support.microsoft.com/?id=922582http://support.microsoft.com/?id=922582
Security Advisory (2 of 2)Security Advisory (2 of 2)
Security Advisory 925143 – Adobe Security Bulletin: APSB06-11 FlashSecurity Advisory 925143 – Adobe Security Bulletin: APSB06-11 FlashPlayer Update to Address Security VulnerabilitiesPlayer Update to Address Security Vulnerabilities• Recent security vulnerabilities in Macromedia Flash Player from Adobe redistributed with Microsoft Recent security vulnerabilities in Macromedia Flash Player from Adobe redistributed with Microsoft
Windows XP SP1 & SP2.Windows XP SP1 & SP2.• The Microsoft Security Response Center is in communication with Adobe.The Microsoft Security Response Center is in communication with Adobe.• Adobe has made updates available on their Web site.Adobe has made updates available on their Web site.• Customers who use Flash Player should follow the Adobe guidance.Customers who use Flash Player should follow the Adobe guidance.• For more information please see Adobe Security Bulletin located at:For more information please see Adobe Security Bulletin located at:
http://www.adobe.com/go/apsb06-11/http://www.adobe.com/go/apsb06-11/ • KB925143:KB925143:
http://www.microsoft.com/technet/security/advisory/925143.mspxhttp://www.microsoft.com/technet/security/advisory/925143.mspx
Sep 2006 Non-Security UpdatesSep 2006 Non-Security Updates
NUMBERNUMBER TITLETITLE DistributionDistribution
922582922582 Update for WindowsUpdate for Windows MU, WUMU, WU
920872920872 Update for Windows XPUpdate for Windows XP MU, WUMU, WU
912580912580 Update for Outlook 2003 Junk E-mail FilterUpdate for Outlook 2003 Junk E-mail Filter MUMU
Detection and DeploymentDetection and Deployment
SUSSUS
MUMUWSUSWSUSMBSA2MBSA2 MBSA MBSA ESTEST CSACSA SMSSMS
MS06-040 Server ServiceMS06-040 Server Service ●● ●● ●● ●●
MS06-042 IE CumulativeMS06-042 IE Cumulative ●● ●● ●● ●● ●●
MS06-052 PGMMS06-052 PGM ●● ●● ●● ●●
MS06-053 Index ServerMS06-053 Index Server ●● ●● ●● ●●
MS06-054 PublisherMS06-054 Publisher ●●** ●● ●●
•MU does MU does notnot support detection for vulnerable Office 2000 products support detection for vulnerable Office 2000 products•For Office 2000, use SMS/WSUS/MBSA1.2/OfficeUpdateToolFor Office 2000, use SMS/WSUS/MBSA1.2/OfficeUpdateTool
Other Update InformationOther Update Information
BulletinBulletin RestartRestart UninstallUninstall ReplacesReplaces On productsOn products
MS06-040v2MS06-040v2 Required YesYes NoneNone All productsAll products
MS06-042v3MS06-042v3 Required YesYes MS06-021MS06-021 All products All products
MS06-052MS06-052 Required YesYes NoneNone Windows XP SP1/XP2Windows XP SP1/XP2
MS06-053MS06-053 No YesYes NoneNone All productsAll products
MS06-054MS06-054 Required NoNo NoneNone Office Publisher 2000/2002/2003Office Publisher 2000/2002/2003
Windows Malicious Software Removal Windows Malicious Software Removal ToolTool
• Twenty-first monthly incremental update. Twenty-first monthly incremental update. • The September update adds the ability to remove:The September update adds the ability to remove:
– Win32/BancosWin32/Bancos– Win32/HaxdoorWin32/Haxdoor– Win32/SinteriWin32/Sinteri
• Available as priority update through Windows Update or Available as priority update through Windows Update or Microsoft Update for Windows XP usersMicrosoft Update for Windows XP users– Offered through WSUS; not offered through SUS 1.0Offered through WSUS; not offered through SUS 1.0
• Also as an ActiveX control or download at Also as an ActiveX control or download at www.microsoft.com/www.microsoft.com/malwareremovemalwareremove
Lifecycle Support InformationLifecycle Support Information
• End of public security support for Windows XP SP 1End of public security support for Windows XP SP 1– 10 October 200610 October 2006
• Support EOL for Software Update Services (SUS) 1.0Support EOL for Software Update Services (SUS) 1.0– 6 December 20066 December 2006
• www.microsoft.com/windowsserversystem/updateswww.microsoft.com/windowsserversystem/updateservices/evaluation/previous/default.mspxervices/evaluation/previous/default.mspx
– Public security support for Windows 98, 98 SE, and Public security support for Windows 98, 98 SE, and Millennium Edition HAS ENDED as of 11 July 2006.Millennium Edition HAS ENDED as of 11 July 2006.
• See See www.microsoft.com/lifecyclewww.microsoft.com/lifecycle for more information for more information
ResourcesResources
• September Security Bulletin Webcast (US) September Security Bulletin Webcast (US) http://http://msevents.microsoft.com/CUI/EventDetail.aspx?EventIDmsevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032305653&Culture=en-US=1032305653&Culture=en-US
• Security Bulletins SummarySecurity Bulletins Summaryhttp://www.microsoft.com/taiwan/technet/security/bulletin/ms06-aug.mspxhttp://www.microsoft.com/taiwan/technet/security/bulletin/ms06-aug.mspx
• Security Bulletins SearchSecurity Bulletins Searchwww.microsoft.com/technet/security/current.aspxwww.microsoft.com/technet/security/current.aspx
• Security AdvisoriesSecurity Advisorieswww.microsoft.com/www.microsoft.com/taiwan/technet/security/advisorytaiwan/technet/security/advisory//
• MSRC BlogMSRC Bloghttp://blogs.technet.com/msrchttp://blogs.technet.com/msrc
• NotificationsNotificationswww.microsoft.com/technet/security/bulletin/notify.mspxwww.microsoft.com/technet/security/bulletin/notify.mspx
• TechNet RadioTechNet Radiowww.microsoft.com/tnradiowww.microsoft.com/tnradio
• SearchSecurity ColumnSearchSecurity Columnhttp://searchsecurity.techtarget.com/news/0,289141,sid14,00.htmlhttp://searchsecurity.techtarget.com/news/0,289141,sid14,00.html
• IT Pro Security NewsletterIT Pro Security Newsletterwww.microsoft.com/technet/security/secnews/www.microsoft.com/technet/security/secnews/
• TechNet Security CenterTechNet Security Centerwww.microsoft.com/www.microsoft.com/taiwan/technet/securitytaiwan/technet/security
Questions and AnswersQuestions and Answers
• Submit text questions using the Submit text questions using the “Ask a Question” button “Ask a Question” button
• Don’t forget to fill out the surveyDon’t forget to fill out the survey• For upcoming and previously recorded For upcoming and previously recorded
webcasts: webcasts: http://www.microsoft.com/taiwan/technet/webcashttp://www.microsoft.com/taiwan/technet/webcast/default.aspxt/default.aspx
• Got webcast content ideas?Got webcast content ideas?E-mail us at: E-mail us at: [email protected]@microsoft.com