September Security Bulletins Sep 14, 2006 Richard Chen 陳政鋒 (Net+, Sec+, MCSE2003+Security,...


September Security Bulletins
Sep 14, 2006

Richard Chen 陳政鋒 (Net+, Sec+, MCSE2003+Security, CISSP)

Senior Technical Support Engineer, Microsoft Taiwan Technical Support

Questions last time

• When will XPSP3 release?
• Answer: SP3 for Windows XP Professional is currently planned for 2H 2007. This date is preliminary.
• Check the following: http://www.microsoft.com/windows/lifecycle/servicepacks.mspx

What We Will Cover

• Review Sep. releases
– Re-released bulletins
– New security bulletins
– High-priority non-security updates

• Other security resources
– Windows Malicious Software Removal Tool

• Resources
• Questions and answers

Questions and Answers

• Submit text questions using the “Ask a Question” button

Sep 2006 Security Bulletins Summary

• 3 New Security Bulletins for September
– 1 new critical
– 1 new moderate
– 1 new important

• 2 Re-released Bulletins
– both critical

• 2 Security Advisories

Sep 2006 Security Bulletins Overview

Bulletin Number | Title | Maximum Severity Rating | Products Affected
MS06-040v2 | Vulnerability in Server Service Could Allow Remote Code Execution (921883) | Critical | All currently supported versions of Windows
MS06-042v3 | Cumulative Security Update for Internet Explorer (918899) | Critical | Internet Explorer on all currently supported versions of Windows
MS06-052 | Pragmatic General Multicast (PGM) (919007) | Important | Windows XP SP1/SP2 with MSMQ installed
MS06-053 | Indexing Service (920685) | Moderate | All currently supported versions of Windows
MS06-054 | Office Publisher (910729) | Critical | Office 2000/2002/2003

MS06-040v2: Windows - Critical

Title: Vulnerability in Server Service Could Allow Remote Code Execution (KB 921883)

The Problem: A remote code execution vulnerability is exposed in the Server service, which could allow an attacker to take complete control of an unprotected system by sending an unauthenticated, specially crafted message to the Server service.

Vulnerabilities: Server Service Vulnerability - CVE-2006-3439

Affected Versions: All supported versions of Windows:

• Microsoft Windows 2000 Service Pack 4
• Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
• Microsoft Windows XP Professional x64 Edition
• Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
• Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
• Microsoft Windows Server 2003 x64 Edition

MS06-040v2: Windows - Critical

Title: Vulnerability in Server Service Could Allow Remote Code Execution (KB 921883)

Attack Vectors/Impact:

• Any unpatched system with the Server service’s listening port (TCP 139, 445) exposed to a potentially compromised network is susceptible to an unauthenticated attack.
• Systems compromised by this vulnerability could be used to propagate a Blaster-style internet worm

The Fix: The update removes the vulnerability by modifying the way that Server service validates the length of a message it receives in RPC communications before it passes the message to the allocated buffer.

Mitigations: Systems with the Server service disabled will not be exposed (NOTE: this is an extremely rare case in most enterprise environments)

Workaround: Block TCP 139 and TCP 445 at perimeter and on hosts connected to untrusted networks

MS06-040v2: Windows - Critical

Title: Vulnerability in Server Service Could Allow Remote Code Execution (KB 921883)

Detection and Deployment:

• Detectable via MBSA 1.2*, MBSA 2.0, SMS 2.0*, SMS 2003
• Deployable via WU, MU, SUS*, WSUS, SMS 2.0*, SMS 2003
* does not support x64 and ia64 versions of Windows

Does this supersede any updates?

• No

Publicly Disclosed (?)

• This vulnerability was initially reported through responsible disclosure, but was later disclosed publicly
• MSRC was made aware of public exploitation prior to bulletin release

Reboot and Uninstall Information:

• Installing the update requires a reboot of the system
• This update is uninstallable

MS06-040v2: Windows - Critical

Title: Vulnerability in Server Service Could Allow Remote Code Execution (KB 921883)

What is the reason for this re-release?

• Initial building of WS03 SP1 updates for MS06-040 required netapi32.dll be loaded at a different base address in memory due to increase in code size
• Re-basing can cause applications that reserve large amounts of contiguous memory to fail.
• Subsequent code changes allowed the base address for netapi32.dll to be changed back to its original location.
• 921883 has been updated to include the original pre-MS06-040 base address that was included in hotfix 924054.

Other information:

• 921883 v2 will automatically upgrade systems requiring the new update (i.e. uninstall of 921883 v1 is not required)
• Only WS03 SP1 systems (and systems that use the WOW64 components from that OS) are affected:
– WS03 SP1 (x86/x64/ia64)
– WinXP x64

More Information:

• For more information, please review the FAQ at:
http://support.microsoft.com/kb/921883
http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-040.mspx
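The re-basing problem described on this slide, as an added example that is not part of the original slides: it reads a DLL's preferred base address (ImageBase) and SizeOfImage from its PE header, then shows how moving one DLL into the middle of a 32-bit user address space shrinks the largest contiguous block an application can reserve. All base addresses, sizes and the module layout are constructed for illustration and are not the real netapi32.dll values; the function names are hypothetical.

```python
import struct


def build_sample_pe32(image_base, size_of_image):
    """Build a constructed, minimal PE32 header (no sections) for the demo."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    # COFF header: i386, 0 sections, optional header size 0xE0, DLL flags
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)      # ImageBase
    struct.pack_into("<I", opt, 56, size_of_image)   # SizeOfImage
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def read_image_base(data):
    """Return (ImageBase, SizeOfImage) from the PE optional header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                          # skip signature + COFF header
    if len(data) < opt + 60:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                               # PE32: 4-byte ImageBase
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                             # PE32+: 8-byte ImageBase
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic")
    (size_of_image,) = struct.unpack_from("<I", data, opt + 56)
    return image_base, size_of_image


def largest_free_block(modules, lo=0x00010000, hi=0x7FFF0000):
    """Largest contiguous gap in [lo, hi) not covered by (base, size) modules."""
    best, cursor = 0, lo
    for base, size in sorted(modules):
        if base > cursor:
            best = max(best, base - cursor)
        cursor = max(cursor, base + size)
    return max(best, hi - cursor)


# Constructed layout: an EXE low in memory and system DLLs near the top.
OTHER_MODULES = [(0x00400000, 0x00100000), (0x77000000, 0x00F00000)]
ORIGINAL_BASE = 0x71C00000   # constructed "original" base, near other DLLs
REBASED_BASE = 0x50000000    # constructed "re-based" address, mid address space
DLL_SIZE = 0x00060000        # constructed SizeOfImage
RESERVE = 0x60000000         # application wants 1.5 GiB of contiguous space


def largest_gap_with(dll_bytes):
    """Largest reservable block, assuming the DLL loads at its preferred base."""
    base, size = read_image_base(dll_bytes)
    return largest_free_block(OTHER_MODULES + [(base, size)])


if __name__ == "__main__":
    for label, base in (("original", ORIGINAL_BASE), ("re-based", REBASED_BASE)):
        gap = largest_gap_with(build_sample_pe32(base, DLL_SIZE))
        verdict = "fits" if gap >= RESERVE else "FAILS"
        print(f"{label}: largest free block {gap:#x}, 1.5 GiB reservation {verdict}")
```

On a real system, `read_image_base` can be pointed at the bytes of an installed DLL to confirm which preferred base address a given build carries.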

Questions about MS06-040v2?

MS06-042v3: IE Cumulative (Critical)

Title: MS06-042v3 Cumulative Security Update for Internet Explorer (918899) Re-release

The Problem:

• This update resolves several newly discovered, publicly and privately reported vulnerabilities.
• An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system.
• An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
• Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

New Vulnerabilities:

• Long URL Buffer Overflow Vulnerability CVE-2006-3869
• Long URL Buffer Overflow Vulnerability CVE-2006-3873

MS06-042v3: IE Cumulative (Critical)

Title: MS06-042v3 Cumulative Security Update for Internet Explorer (918899) Re-release

Affected Software:

• Microsoft Windows 2000 Service Pack 4
• Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
• Microsoft Windows XP Professional x64 Edition
• Microsoft Windows Server 2003 and Microsoft Windows Server 2003 SP1
• Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
• Microsoft Windows Server 2003 x64 Edition

MS06-042v3: IE Cumulative (Critical)

Title: MS06-042v3 Cumulative Security Update for Internet Explorer (918899) Re-release

Who needs to install MS06-042v3?

• If v1 or v2 is NOT installed: All Affected Software (above) …
• If v1 or v2 is installed, the following still need to install MS06-042:
– IE 5.01 SP4 on Windows 2000 SP4
– IE 6 SP1 for Windows XP SP1 and Windows 2000 SP4
– IE 6 for Windows Server 2003

Who does NOT need to install MS06-042v3?

• If v1 or v2 is installed, the following do NOT need to install MS06-042:
– IE 6 for Windows XP SP2
– IE 6 for Windows Server 2003 SP1

MS06-042v3: New Vulnerabilities

Vulnerability: Long URL Buffer Overflow Vulnerability - CVE-2006-3869

Possible Attack Vectors: Remote Code Execution: From a malicious web site with a specially crafted Web page (via Email attachment or IM request etc)

Impact of Attack: Attackers could take complete control of an affected system

The Fix: Modified the way IE handles long URLs when navigating to websites using the HTTP 1.1 protocol and compression.

Vulnerability: Long URL Buffer Overflow Vulnerability - CVE-2006-3873

Possible Attack Vectors: Remote Code Execution: From a malicious web site with a specially crafted Web page (via Email attachment or IM request etc)

Impact of Attack: Attackers could take complete control of an affected system

The Fix: Modified the way IE handles long URLs when navigating to websites using the HTTP 1.1 protocol and compression.

MS06-042v3: IE Cumulative (Critical)

Title: MS06-042v3 Cumulative Security Update for Internet Explorer (918899) Re-release

Mitigations:

• Web-based attacks require the user to visit malicious websites
• HTML email is opened in the Restricted zone: OE6, OL2002, OL2003, and OL2002 w/OL email security update
• LUA: Attackers who successfully exploited these vulnerabilities could gain the same user rights as the local user.
• IE on Windows Server 2003 – Enhanced Security Configuration

Workaround:

• (New) Disable the HTTP 1.1 protocol in Internet Explorer.
• Disable caching of your Web site’s content
• Set Active Scripting to Disabled or Prompt in the Internet Zone
• Set Internet and Local intranet security zone settings to “High”
• Add Trusted sites to the trusted site zone
• Read email in plain text format
• Disable COM object instantiation (set kill bit)

Detection and Deployment:

• Next Page…

MS06-042v3: IE Cumulative (Critical)

Title: MS06-042v3 Cumulative Security Update for Internet Explorer (918899) Re-release

Does this supersede any updates?

• MS06-021

Other information:

• Is a Restart required? YES
• Is there an uninstall option? YES
• Are the new vulnerabilities publicly known?
– CVE-2006-3869:
  • Publicly Known: YES
  • Publicly Exploited: NO
– CVE-2006-3873:
  • Publicly Known: NO
  • Publicly Exploited: NO

More Information:

• FAQ:
• http://support.microsoft.com/kb/918899
• http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-042.mspx

Questions about MS06-042v3?

MS06-052: Pragmatic General Multicast (PGM) - Important

Title: Vulnerability in Pragmatic General Multicast (PGM) Could Result in Remote Code Execution KB919007

The Problem: This update resolves a newly discovered, privately reported, vulnerability which is documented in the "Vulnerability Details" section of this bulletin.

An attacker who successfully exploited the vulnerability could take complete control of the affected system

Vulnerabilities: PGM Code Execution Vulnerability - CVE-2006-3442

Affected versions:

Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2

Attack Vectors/Impact: There is a remote code execution vulnerability that could allow an attacker to send a specially crafted multicast message to an affected system and execute code on the affected system.

MS06-052: Pragmatic General Multicast (PGM) - Important

Title: Vulnerability in Pragmatic General Multicast (PGM) Could Result in Remote Code Execution KB919007

The Fix: The update removes the vulnerability by modifying the way that the MSMQ Service validates a PGM message before it passes the message to the allocated buffer.

Mitigations:

• For customers who require the affected component, firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
• Pragmatic General Multicast (PGM) is only supported when Microsoft Message Queuing (MSMQ) 3.0 is installed. The MSMQ service is not installed by default.

Workaround: We have not identified any workarounds for this vulnerability.

MS06-052: Pragmatic General Multicast (PGM) - Important

Title: Vulnerability in Pragmatic General Multicast (PGM) Could Result in Remote Code Execution KB919007

Does this supersede any updates?

No

Other information:

• Was the vulnerability publicly known? No
• Are there any known exploits? No
• Is a Restart required? Yes
• Is there an uninstall option? Yes

More Information:

• For more information, please review the FAQ at:
• http://support.microsoft.com/?id=919007
• http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-052.mspx

Questions on MS06-052?

MS06-053: Indexing Service - Moderate

Title: Vulnerability in Indexing Service Could Allow Cross-Site Scripting (KB920685)

The Problem:

• There is an information disclosure vulnerability in Indexing Service because of the way that it handles query validation, creating the possibility of cross-site scripting.
• The vulnerability could allow an attacker to run client-side script on behalf of a user. The script could spoof content, disclose information, or take any action that the user could take on the affected web site

Vulnerabilities: Microsoft Indexing Service Vulnerability - CVE-2006-0032

Affected versions:

• Microsoft Windows 2000 Service Pack 4
• Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
• Microsoft Windows XP Professional x64 Edition
• Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
• Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
• Microsoft Windows Server 2003 x64 Edition

MS06-053: Indexing Service - Moderate

Title: Vulnerability in Indexing Service Could Allow Cross-Site Scripting KB920685

Attack Vectors/Impact: A user would have to be enticed to click on a URL which goes to a malicious web site which hosts the exploit.

The Fix: The update removes the vulnerability by modifying the way that Indexing Service validates the length of a message before it passes the message to the allocated buffer.

Mitigations:

• By default, Internet Information Services 6.0 is not enabled on Windows Server
• On Windows Server 2003, if the Internet Information Services (IIS) has been enabled, the Indexing Service is not enabled by default.
• When Indexing Service is installed, web-based query pages must be created or installed manually that will allow IIS to receive queries from anonymous users and pass those queries to the Indexing Service.
• (Continued on the next slide)

MS06-053: Indexing Service - Moderate

Title: Vulnerability in Indexing Service Could Allow Cross-Site Scripting KB920685

Mitigations (Continued):

• The attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site.
• Firewall best practices and standard default firewall configurations (e.g. systems that are connected to the Internet have a minimal number of ports exposed) can help protect networks from attacks that originate outside the enterprise perimeter.

Workarounds:

• Firewall best practices and standard default firewall configurations (e.g. systems that are connected to the Internet have a minimal number of ports exposed) can help protect networks from attacks that originate outside the enterprise perimeter. Block at the firewall: UDP ports 137 and 138 and TCP ports 139 and 44.
• To help protect from network-based attempts to exploit this vulnerability, use a personal firewall, such as the Internet Connection Firewall, enable advanced TCP/IP filtering on systems that support this feature, block the affected ports by using IPSec on the affected systems.
• Remove the Indexing Service

MS06-053: Indexing Service - Moderate

Title: Vulnerability in Indexing Service Could Allow Cross-Site Scripting KB920685

Does this supersede any updates?

No

Other information:

• Was the vulnerability publicly known? No
• Are there any known exploits? No
• Is a Restart required? No
• Is there an uninstall option? Yes

More Information:

• For more information, please review the FAQ at:
http://support.microsoft.com/?id=920685
http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-053.mspx


Questions about MS06-053?


MS06-054: Office - Critical

Title: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (910729)

The Problem: A remote code execution vulnerability exists in Publisher, and could be exploited when a malformed string included in a Publisher file is parsed. An attacker could exploit the vulnerability by constructing a specially crafted Publisher file that could allow remote code execution.

Vulnerabilities: Microsoft Publisher Vulnerability - CVE-2006-0001

Affected versions:
• Office Publisher 2000
• Office Publisher 2002
• Office Publisher 2003

Attack Vectors/Impact: For an attack to be successful a user must open an attachment that is sent in an e-mail message or visit a Web site that contains a Web page that is used to exploit this vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

The Fix: The update removes the vulnerability by modifying the way that Publisher parses the file and validates the length of a string before passing it to the allocated buffer.
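The kind of check "The Fix" describes, as an added example (not Microsoft's code and not the Publisher file format): the record layout, a 16-bit little-endian length followed by that many bytes, and the names read_lp_string and demo are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical record layout (an assumption, not the Publisher format):
 *   [len_lo][len_hi][len bytes of text]
 * len comes from the file, so it is untrusted input. */
enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Copies one length-prefixed string from in[0..in_len) into out[0..out_cap).
 * The declared length is checked against both the bytes actually present
 * (prevents reading past the input) and the destination size (prevents
 * writing past the buffer) before any byte is copied.
 * On success *consumed holds the size of the whole record. */
enum parse_status read_lp_string(const uint8_t *in, size_t in_len,
                                 char *out, size_t out_cap, size_t *consumed)
{
    if (in_len < 2)
        return PARSE_TRUNCATED;

    size_t declared = (size_t)in[0] | ((size_t)in[1] << 8);

    if (declared > in_len - 2)   /* file claims more bytes than it holds */
        return PARSE_TRUNCATED;
    if (declared >= out_cap)     /* no room for the text plus the NUL */
        return PARSE_TOO_LONG;

    memcpy(out, in + 2, declared);
    out[declared] = '\0';
    *consumed = 2 + declared;
    return PARSE_OK;
}

/* Self-check over constructed sample records; returns 0 when all pass. */
int demo(void)
{
    static const uint8_t good[]  = { 5, 0, 'T', 'i', 't', 'l', 'e' };
    static const uint8_t lying[] = { 0xFF, 0xFF, 'A', 'B' }; /* claims 65535 bytes */
    uint8_t big[2 + 64];
    char buf[16];
    size_t used = 0;

    big[0] = 64; big[1] = 0;
    memset(big + 2, 'A', 64);    /* well-formed, but longer than buf */

    if (read_lp_string(good, sizeof good, buf, sizeof buf, &used) != PARSE_OK) return 1;
    if (used != 7 || strcmp(buf, "Title") != 0) return 2;
    if (read_lp_string(lying, sizeof lying, buf, sizeof buf, &used) != PARSE_TRUNCATED) return 3;
    if (read_lp_string(big, sizeof big, buf, sizeof buf, &used) != PARSE_TOO_LONG) return 4;
    return 0;
}

int main(void) { return demo(); }
```

A parser that copies `declared` bytes without the second check is the failure mode the bulletin describes: a malformed string length in the file decides how much is written into a fixed-size buffer.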


MS06-054: Office - Critical

Title: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (910729)

Mitigations:
• Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• An attacker would have to persuade users to visit the Web site.
• The vulnerability cannot be exploited automatically through e-mail.
• For Office 2000, you may install the Office Document Open Confirmation Tool for Office 2000 and you will then be prompted with Open, Save, or Cancel before opening a document. Office 2002 and 2003 include this feature by default.

Workaround:
• Do not open or save Publisher files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources.

Detection and Deployment:

Software                  MBSA 1.2.1  MBSA 2.0  SMS 2.0  SMS 2003
Microsoft Publisher 2000  Yes         No        Yes      Yes
Microsoft Publisher 2002  Yes         Yes       Yes      Yes
Microsoft Publisher 2003  Yes         Yes       Yes      Yes


MS06-054: Office - Critical

Title: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (910729)

Does this supersede any updates?
• None

Other information:
• Was the vulnerability publicly known? NO
• Are there any known exploits? NO
• Is a Restart required? YES, this update changes shared Office dll files in addition to Publisher files. Although the security vulnerability only exists in Publisher, a reboot is required to complete the installation of all files in the update.
• Is there an uninstall option? NO

More Information:
• For more information, please review the FAQ at:
• http://support.microsoft.com/?id=910729
• http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-054.mspx


Questions about MS06-054?


Security Advisory (1 of 2)

Security Advisory 922582 - Minifilter can block AU and WSUS
• Non-security update
• This update addresses an error that could result when using a minifilter-based application on a system.
• Specific Error Code: 0x80070002
• This error code could occur when updating any of the following Microsoft tools:
  – Automatic Updates
  – WU Web site
  – MU Web site
  – Inventory Tool for Microsoft Updates (ITMU) for Microsoft Systems Management Server (SMS) 2003
  – SUS
  – WSUS
• Windows Server 2003 R2 is the only version of Windows that ships with a minifilter-based application, but it is not installed by default.
• ISVs are building new applications using the minifilter technology; this error could affect any systems in the future.
• Customers should evaluate and deploy the update.
• More information: http://support.microsoft.com/?id=922582


Security Advisory (2 of 2)

Security Advisory 925143 – Adobe Security Bulletin: APSB06-11 Flash Player Update to Address Security Vulnerabilities
• Recent security vulnerabilities in Macromedia Flash Player from Adobe redistributed with Microsoft Windows XP SP1 & SP2.
• The Microsoft Security Response Center is in communication with Adobe.
• Adobe has made updates available on their Web site.
• Customers who use Flash Player should follow the Adobe guidance.
• For more information please see Adobe Security Bulletin located at: http://www.adobe.com/go/apsb06-11/
• KB925143: http://www.microsoft.com/technet/security/advisory/925143.mspx


Sep 2006 Non-Security Updates

NUMBER  TITLE                                      Distribution
922582  Update for Windows                         MU, WU
920872  Update for Windows XP                      MU, WU
912580  Update for Outlook 2003 Junk E-mail Filter MU


Detection and Deployment

SUS MU WSUS MBSA2 MBSA EST CSA SMS

MS06-040 Server Service ● ● ● ●

MS06-042 IE Cumulative ● ● ● ● ●

MS06-052 PGM ● ● ● ●

MS06-053 Index Server ● ● ● ●

MS06-054 Publisher ●* ● ●

• MU does not support detection for vulnerable Office 2000 products
• For Office 2000, use SMS/WSUS/MBSA1.2/OfficeUpdateTool


Other Update Information

Bulletin    Restart   Uninstall  Replaces  On products
MS06-040v2  Required  Yes        None      All products
MS06-042v3  Required  Yes        MS06-021  All products
MS06-052    Required  Yes        None      Windows XP SP1/XP2
MS06-053    No        Yes        None      All products
MS06-054    Required  No         None      Office Publisher 2000/2002/2003


Windows Malicious Software Removal Tool

• Twenty-first monthly incremental update.
• The September update adds the ability to remove:
  – Win32/Bancos
  – Win32/Haxdoor
  – Win32/Sinteri
• Available as priority update through Windows Update or Microsoft Update for Windows XP users
  – Offered through WSUS; not offered through SUS 1.0
• Also as an ActiveX control or download at www.microsoft.com/malwareremove


Lifecycle Support Information

• End of public security support for Windows XP SP 1
  – 10 October 2006
• Support EOL for Software Update Services (SUS) 1.0
  – 6 December 2006
• www.microsoft.com/windowsserversystem/updateservices/evaluation/previous/default.mspx
  – Public security support for Windows 98, 98 SE, and Millennium Edition HAS ENDED as of 11 July 2006.
• See www.microsoft.com/lifecycle for more information


Resources

• September Security Bulletin Webcast (US): http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032305653&Culture=en-US
• Security Bulletins Summary: http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-aug.mspx
• Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
• Security Advisories: www.microsoft.com/taiwan/technet/security/advisory/
• MSRC Blog: http://blogs.technet.com/msrc
• Notifications: www.microsoft.com/technet/security/bulletin/notify.mspx
• TechNet Radio: www.microsoft.com/tnradio
• SearchSecurity Column: http://searchsecurity.techtarget.com/news/0,289141,sid14,00.html
• IT Pro Security Newsletter: www.microsoft.com/technet/security/secnews/
• TechNet Security Center: www.microsoft.com/taiwan/technet/security


Questions and Answers

• Submit text questions using the “Ask a Question” button
• Don’t forget to fill out the survey
• For upcoming and previously recorded webcasts: http://www.microsoft.com/taiwan/technet/webcast/default.aspx
• Got webcast content ideas? E-mail us at: [email protected]
