Microsoft releases 7 updates for its December 2006 cycle: Details and recommendations
Instead of six, Microsoft has released seven security updates as part of its monthly patch cycle, popularly called Patch Tuesday. Of the seven, three have been given the highest rating, Critical, and four are rated Important. Here I provide my analysis and recommendations.
Introduction
During the last patch cycle of this year, Microsoft has released seven security updates for its line of products. This brings the total number of security updates released this year to 78, the highest number of security bulletins Microsoft has released in any single year. The bad news is that I still expect the number to go up next year.
Details
Bulletin MS06-072: This is a cumulative update for Internet Explorer 6 and for Internet Explorer 5.01 SP4 running on Windows 2000 SP4. It fixes four vulnerabilities that could result in remote code execution or information disclosure. The vulnerabilities are documented in the CVE database.
Script Error Handling Memory Corruption Vulnerability - CVE-2006-5579: This is still in the candidacy stage in the CVE database. A remote code execution vulnerability exists in Internet Explorer due to attempts to access previously freed memory when handling script errors in certain situations. An attacker could exploit the vulnerability by constructing a specially crafted Web page. If a user viewed the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. This is rated as Critical.
DHTML Script Function Memory Corruption Vulnerability - CVE-2006-5581: A remote code execution vulnerability exists in the way Internet Explorer interprets certain DHTML script function calls to incorrectly created elements. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system. This is rated as critical.
TIF Folder Information Disclosure Vulnerability - CVE-2006-5578: An information disclosure vulnerability exists in Internet Explorer in the way that drag and drop operations are handled in certain situations. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow for information disclosure if a user viewed and interacted with the Web page. An attacker who successfully exploited this vulnerability would be able to retrieve files from the Temporary Internet Files (TIF) folder on a user’s system. This is rated as Important.
TIF Folder Information Disclosure Vulnerability - CVE-2006-5577: An information disclosure vulnerability exists in Internet Explorer in certain scenarios where the path to the cached content in the TIF folder could be disclosed. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow for information disclosure if a user viewed the Web page. An attacker who successfully exploited this vulnerability would be able to retrieve files from the Temporary Internet Files (TIF) folder on a user’s system. However, user interaction is required to exploit this vulnerability. This is rated as Important.
Exploitation of all of these vulnerabilities can be prevented by practicing safe browsing habits, such as disabling script execution on untrusted sites (to re-enable script processing for particular websites, add them to Trusted Sites under Internet Options --> Security) or disabling unsigned ActiveX controls.
My recommendation: You could probably get by without installing the update as long as you practice safe browsing and use the workarounds. Also, if you upgrade to IE 7.0, these vulnerabilities will not affect your computer.
Bulletin MS06-073: This update resolves the publicly reported vulnerability in Microsoft Visual Studio 2005. The vulnerability affects the WMI Object Broker ActiveX control. This update is rated as Critical.
WMI Object Broker Vulnerability - CVE-2006-4704: A remote code execution vulnerability exists in the WMI Object Broker control (WmiScriptUtils.dll) that the WMI Wizard uses in Visual Studio 2005. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
By default this control is active in IE7, and in the event of a web-based attack the attacker gains the privileges of the local user. You could probably protect yourself by NOT logging in as Administrator.
You can also protect yourself by blocking attempts to instantiate the WMI Object Broker control, by setting the kill bit for the control in the registry. To set the kill bit for the CLSID {7F5B7F63-F06F-4331-8A26-339E03C0AE3D}, paste the following text into a text editor such as Notepad, then save the file with the .reg file name extension.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}]
"Compatibility Flags"=dword:00000400
You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy.
My recommendation: Although there exists a work-around and prevention by using safe browsing habits, I recommend strongly that you apply this patch.
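As an added example (not part of the bulletin or this article), the following PowerShell checks whether the kill bit is set for the CLSID above and sets it if it is not. It assumes Windows PowerShell 3.0 or later run from an elevated prompt, since writing under HKLM needs administrator rights. Unlike the .reg file above, which writes Compatibility Flags as exactly 0x400, the set function ORs the bit into whatever flags are already present, so any other compatibility settings recorded for the control survive.

```powershell
# Added example (not from the bulletin or the article): check whether the
# ActiveX kill bit is set for a CLSID and, if asked, set it without clobbering
# other compatibility flags. Assumes Windows PowerShell 3.0+ run elevated.

$KillBit = 0x400   # Compatibility Flags bit that stops IE from instantiating the control

function Get-KillBitPath {
    param([Parameter(Mandatory=$true)][string]$Clsid)
    return "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Test-KillBit {
    # Returns $true only when the Compatibility Flags value exists and has bit 0x400 set.
    param([Parameter(Mandatory=$true)][string]$Clsid)
    $key = Get-KillBitPath $Clsid
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $item = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return (($item.'Compatibility Flags' -band $KillBit) -ne 0)
}

function Set-KillBit {
    # ORs 0x400 into any flags already present instead of overwriting the value.
    param([Parameter(Mandatory=$true)][string]$Clsid)
    $key = Get-KillBitPath $Clsid
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    $item = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    $current = if ($null -eq $item) { 0 } else { [int]$item.'Compatibility Flags' }
    New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) `
        -PropertyType DWord -Force | Out-Null
}

# CLSID of the WMI Object Broker control from bulletin MS06-073.
$WmiObjectBroker = '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'

if (Test-KillBit $WmiObjectBroker) {
    Write-Output "Kill bit already set for $WmiObjectBroker"
} else {
    Write-Output "Kill bit NOT set for $WmiObjectBroker; setting it"
    Set-KillBit $WmiObjectBroker
    Write-Output ("Now set: " + (Test-KillBit $WmiObjectBroker))
}
```

Test-KillBit can be run on its own across a fleet to confirm that a Group Policy-deployed .reg file actually landed, since a missing key, a missing value and a value without bit 0x400 all report as not set.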
Bulletin MS06-074: This update resolves a newly discovered, privately reported vulnerability arising from an unchecked buffer in the SNMP service. This update is rated as Important.
SNMP Memory Corruption Vulnerability - CVE-2006-5583: A remote code execution vulnerability exists in the SNMP Service that could allow an attacker who successfully exploited it to take complete control of the affected system.
Although remote code execution is possible if an attacker exploits it successfully, the update is still not rated Critical because the SNMP service is not installed by default in any supported version of Windows. To verify whether the SNMP service is installed and running on your computer:
- Click Start, and then click Run.
- In the Open box, type services.msc and then click OK.
- Search for the SNMP Service in the list of Services.
If the SNMP service is listed, then it is installed on your computer.
Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
- Restrict the IP addresses that are allowed to manage the computer:
  - Click Start, and then click Run.
  - In the Open box, type services.msc and then click OK.
  - Click SNMP Service and select Properties.
  - Click the Security tab and select Accept SNMP packets from these hosts.
  - Add the approved management station's IP address by clicking Add, typing in the IP address or host name, and clicking Add.
- Block the following at the firewall:
  - UDP port 161
  This port is used to initiate a connection with the affected component. Blocking it at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Also, make sure that you block any other specifically configured SNMP port on the remote system. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports.
- To help protect from network-based attempts to exploit this vulnerability, use a personal firewall, such as the Windows Firewall, which is included with Windows XP.
By default, the Windows Firewall feature in Windows XP helps protect your Internet connection by blocking unsolicited incoming traffic. I suggest that you block all unsolicited incoming communication from the Internet.
To enable the Windows Firewall feature by using the Network Setup Wizard, follow these steps:
- Click Start, and then click Control Panel.
- Double-click Network Connections and then click Change Windows Firewall settings.
- On the General tab, ensure that the On (recommended) value is selected. This will enable the Windows Firewall.
- Once the Windows Firewall is enabled, select Don’t allow exceptions to prohibit all incoming traffic.
If you want to enable certain programs and services to communicate through the firewall, de-select Don’t allow exceptions and click the Exceptions tab. On the Exceptions tab, select the programs, protocols, and services you want to enable.
- To help protect from network-based attempts to exploit this vulnerability, block the affected ports by using IPSec on the affected systems. Use Internet Protocol security (IPSec) to help protect network communications.
Disable the SNMP service
Disabling the SNMP service will help protect the affected system from attempts to exploit this vulnerability. To disable the SNMP service, follow these steps:
- Click Start, and then click Control Panel. Alternatively, point to Settings, and then click Control Panel.
- Double-click Administrative Tools.
- Double-click Services.
- Double-click SNMP Service.
- In the Startup type list, click Disabled.
- Click Stop, and then click OK.
You can also stop and disable the SNMP service by using the following command at the command prompt:
sc stop SNMP & sc config SNMP start= disabled
Impact of Workaround: If you disable the SNMP service, you cannot print locally or remotely. Therefore, we recommend this workaround only on systems that do not require printing.
My recommendation: Although workarounds exist for this vulnerability, I would recommend that you apply this patch if you are using SNMP. If you don't use SNMP, you can safely ignore this update.
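The checks behind the workarounds above (is the SNMP service installed and running, does it accept packets from any host, is anything listening on UDP 161) and the disable step, as an added PowerShell example that is not part of bulletin MS06-074 or this article. It assumes Windows PowerShell 3.0 or later (or PowerShell 7 on Windows) run from an elevated prompt. The PermittedManagers registry location is assumed from the SNMP service's registry layout, and the Get-NetUDPEndpoint port check needs the NetTCPIP module (Windows 8 / Server 2012 and later); on older hosts that check is skipped.

```powershell
# Added example, not part of bulletin MS06-074 or the original article: audit a
# Windows host for the exposure conditions the workarounds above address and,
# if wanted, apply the "disable the SNMP service" workaround.
# Assumptions: Windows PowerShell 3.0+ (or PowerShell 7 on Windows), elevated;
# the PermittedManagers key below is assumed from the SNMP service's registry
# layout; Get-NetUDPEndpoint needs the NetTCPIP module (Windows 8 / 2012+).

function Get-SnmpExposure {
    $result = [ordered]@{
        Installed         = $false
        State             = 'not installed'
        StartMode         = 'n/a'
        PermittedManagers = @()
        AcceptsAnyHost    = $false
        ListeningUdp161   = $false
    }

    # Win32_Service carries both the run state and the start mode (Auto/Manual/Disabled),
    # which is what the services.msc steps above inspect by hand.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SNMP'" -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return [pscustomobject]$result }   # not installed: not exposed

    $result.Installed = $true
    $result.State     = $svc.State
    $result.StartMode = $svc.StartMode

    # "Accept SNMP packets from these hosts" is stored as numbered string values
    # (1, 2, ...) under PermittedManagers; an empty list means any host is accepted.
    $pmKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers'
    if (Test-Path -LiteralPath $pmKey) {
        $props = Get-ItemProperty -LiteralPath $pmKey
        $result.PermittedManagers = @($props.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value })
    }
    $result.AcceptsAnyHost = ($result.PermittedManagers.Count -eq 0)

    # Is anything bound to UDP 161, the port the firewall workaround blocks?
    try {
        $ep = Get-NetUDPEndpoint -LocalPort 161 -ErrorAction SilentlyContinue
        $result.ListeningUdp161 = ($null -ne $ep)
    } catch {
        # Older hosts lack the cmdlet; leave the field at $false and say so.
        Write-Verbose 'Get-NetUDPEndpoint not available; UDP 161 listener check skipped'
    }

    return [pscustomobject]$result
}

function Disable-SnmpService {
    # Same effect as the command-prompt line above:
    #   sc stop SNMP & sc config SNMP start= disabled
    Stop-Service -Name SNMP -Force -ErrorAction SilentlyContinue
    Set-Service  -Name SNMP -StartupType Disabled
}

$exposure = Get-SnmpExposure
$exposure | Format-List

if ($exposure.Installed -and $exposure.State -eq 'Running' -and $exposure.AcceptsAnyHost) {
    Write-Warning 'SNMP is running and accepts packets from any host: restrict the managers list, filter UDP 161, or apply the update.'
}
# To apply the disable workaround (mind the printing impact noted above):
#   Disable-SnmpService
```

The warning condition is deliberately narrow: a host where SNMP is installed but stopped, or where the managers list is populated, is reported without the warning, so the output distinguishes "patch when convenient" from "exposed to any source on the network".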
Bulletin MS06-075: This update resolves a privately identified vulnerability arising from improper processing and management of file manifests by the Client-Server Run-time Subsystem. A privilege elevation vulnerability exists in the way that Microsoft Windows starts applications with specially crafted file manifests. This vulnerability could allow a logged-on user to take complete control of the system. To exploit this vulnerability, the attacker must have valid logon credentials and be able to log on locally. The vulnerability could not be exploited remotely or by anonymous users. This update is rated as Important.
My recommendation: You could probably get by without applying this patch.
Bulletin MS06-076: This update resolves a newly discovered, privately reported vulnerability affecting Windows Address Book contact records, caused by an unchecked buffer in the Windows Address Book (WAB) functions within Outlook Express. This update is rated as Important.
Windows Address Book Contact Record Vulnerability - CVE-2006-2386: A remote code execution vulnerability in a component of Outlook Express could allow an attacker who sent a Windows Address Book file to a user of an affected system to take complete control of the system.
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
You could protect yourself by NOT running as an administrator, which limits the damage, or by removing the .wab file association from the registry. In any case, Outlook Express is used only in rare scenarios, and in enterprise environments it is not installed at all.
My recommendation: Although conventional wisdom says that you should apply the patch, I would suggest that you could probably get by without installing it. If you are not using Outlook Express and don't have it installed, you can safely ignore this update.
Bulletin MS06-077: This update resolves a privately reported vulnerability. The vulnerability is caused by allowing anonymous access to the file structure of a hosted operating system build through the RIS TFTP service, and it affects only Windows 2000 SP4. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This update is rated as Important.
RIS Writable Path Vulnerability - CVE-2006-5584: The Remote Installation Service enables a TFTP service on the server which by default could allow an anonymous user to potentially overwrite existing operating system files or upload a specially crafted file. This could allow an attacker to compromise operating system installs offered by the RIS server. By default, the RIS service is not installed on Windows 2000 SP4.
My recommendation: You can probably ignore this update if you don't have any Windows 2000 installation in your environment. Otherwise, install this update.
Bulletin MS06-078: This update resolves two newly discovered vulnerabilities. If a user is logged on with administrative user rights, an attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights. This update is rated as Critical.
Windows Media Format ASF Parsing Vulnerability - CVE-2006-4702: A remote code execution vulnerability exists in Windows Media Format Runtime due to the way it handles Advanced Systems Format (ASF) files. An attacker could exploit the vulnerability by constructing specially crafted Windows Media Player content that could potentially allow remote code execution if a user visits a malicious Web site or opens an e-mail message with malicious content. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Windows Media Format ASX Parsing Vulnerability - CVE-2006-6134: A remote code execution vulnerability exists in Windows Media Format Runtime due to the way it handles certain elements contained in Advanced Stream Redirector (ASX) files. An attacker could exploit the vulnerability by constructing a specially crafted ASX file that could allow remote code execution if a user visits a malicious Web site, where specially crafted ASX files are used to launch Windows Media Player, or if a user clicks on a URL pointing to a specially crafted ASX file. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
My recommendation: Although workarounds with little or no impact exist for these vulnerabilities, I would strongly recommend applying this security update.
