
Thread: Patch Tuesday - 2 more from MS

  1. #1
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675

    Patch Tuesday - 2 more from MS

    Well thought I was all done after WMF patchin's, however there are two more put out today:

    Patch Tuesday: January '06
    January 10, 2006
    By Pedro Hernandez

    Microsoft released two more updates this month, including one for Windows that carries a 'critical' rating.

    Windows contains a flaw in the way it handles embedded web fonts (MS06-002), making it possible for malware coders to create an exploit that leads to a remote attack or theft of data if a user is logged in with administrator rights. Affected versions of Windows include 2000 SP4, XP SP1/SP2, XP Pro x64, and Server 2003 SP1/x64/Itanium/Itanium SP1.

    Separately, both Microsoft Office and Exchange suffer from a critical TNEF decoding flaw (MS06-003) that can eventually lead to a remote attack. TNEF (Transport Neutral Encapsulation Format) packages message attributes, such as formatting and embedded images, for use by Outlook.

    According to the advisory, some versions of Outlook and affected Office (2000, XP SP3, and 2003) language modules are susceptible to a bug that can lead to a client system takeover. Similarly, the bug can also allow an attacker to hack an Exchange 5.0, 5.5 or 2000 SP3 server.

    These follow an out-of-schedule update that the software giant issued last week to fix the WMF flaw and render useless the subsequent zero-days that cropped up online. During that gap, sites hosting unofficial patches and workarounds were surging in popularity as administrators weighed their options. Feedback coupled with a quick patch development period prompted Microsoft to issue the fix early.

    New WMF flaws have surfaced since, but the Microsoft Security Response Center is filing them under performance issues. While they may cause a WMF application to crash, they do not otherwise affect the OS or grant access to a hacker.

    The company's Malicious Software Removal Tool also gets an update this month. New signatures allow the software to detect the Parite virus along with the Maslan and Bofra worms.

    Individual downloads are available by following the links contained within the security bulletins or by using Windows Update.

    Source or click on the link in EIT Planet's Security News Section
    Off to MS...


    cheers
    Connection refused, try again later.

  2. #2
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Also there is a critical security patch for Exchange and Outlook 2000\2003

    http://www.microsoft.com/technet/sec.../MS06-003.mspx

    Has to do with email using MS RTF (rich text file)....you can block .dat attachments til you can patch your exchange server.

    By blocking .dat you may render some email unreadable....

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #3
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Thanks MLF,

    Gotta admit I have been booted to Linux for quite awhile so when I visited MS for the updates on XP, well... it took quite a while to patch even with dsl

    Connection refused, try again later.

  4. #4
    the wmf fix got pushed forward due to public demand/news spotlight, from what i understand.
    for what it's worth today's patch is the rest of the scheduled monthly patch. [sarcasm] yeah go team[/sarcasm]

  5. #5
    For the Exchange / RTF / TNEF thing, there's a set of patches for client PCs (Outlook 2000, 2002 and 2003) and a set of patches for Exchange (5.0, 5.5 and 2000).

    I've read the bulletin and I'm unclear as to whether you just need to patch the server OR the client or the server AND the client. Does anyone have any thoughts on this?

  6. #6
    Urrrggghhh... I've done some poking around and it appears that the SERVER can be infected with the TNEF attack hence the patch - so an update would be required for both. The fact that it appears that an Exchange server can be vulnerable is particularly worrying.

  7. #7
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    I've read the bulletin and I'm unclear as to whether you just need to patch the server OR the client or the server AND the client. Does anyone have any thoughts on this?

    That is why you should block the .dat attachment ...until you can patch the server.

    I would patch both client and server!!!

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  8. #8
    That is why you should block the .dat attachment ...until you can patch the server.

    I would patch both client and server!!!

    MLF
    I hate to think what that might break though. Isn't the .dat file an integral part of an RTF formatted message?

    Not one to put off patching though - although you don't need to reboot servers, the patch DOES restart the information store.

    Not quite sure on how the exploit would be triggered, but because Exchange happily accepts ALL messages and gives an asynchronous bounce I guess that you might not even need a valid email address on the target system. So (and just speculating here) you could have some sort of worm rip through Exchange servers globally *very* quickly.

    Remember the Witty worm?

  9. #9
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Well we blocked the .dat file at the server level..til the weekend when I can patch.

    We also receive email from many different countries...and email clients and so far I have heard of no issues....

    Most clients use HTML or text now..don't they???

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer
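
Added example, not written by any poster in this thread: posts #2 and #9 describe blocking `.dat` attachments as a stopgap until the server is patched, and post #8 asks what that might break. The sketch below flags TNEF parts by MIME type and leading signature rather than by extension alone; the function names, addresses and sample messages are constructed for illustration.

```python
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

TNEF_SIGNATURE = 0x223E9F78  # first 4 bytes of a TNEF stream, little-endian
TNEF_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}

def find_tnef_parts(raw: bytes):
    """Return (filename, content_type, reasons) for each part that looks like TNEF."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename() or ""
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ctype in TNEF_TYPES:
            reasons.append("content-type")
        if fname.lower() == "winmail.dat":
            reasons.append("filename")
        if len(payload) >= 4 and struct.unpack_from("<I", payload)[0] == TNEF_SIGNATURE:
            reasons.append("signature")
        if reasons:
            hits.append((fname, ctype, reasons))
    return hits

def build_sample(filename, subtype, data):
    """Constructed test message with one attachment (hypothetical addresses)."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "rcpt@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("body text")
    m.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return m.as_bytes()

# Constructed stub: signature plus padding only, not a complete TNEF stream.
TNEF_STUB = struct.pack("<IH", TNEF_SIGNATURE, 1) + b"\x00" * 8

if __name__ == "__main__":
    samples = [("winmail.dat", "ms-tnef", TNEF_STUB),       # typical TNEF attachment
               ("notes.bin", "octet-stream", TNEF_STUB),    # TNEF content, other name
               ("settings.dat", "octet-stream", b"key=value\n")]  # .dat but not TNEF
    for name, subtype, data in samples:
        print(name, find_tnef_parts(build_sample(name, subtype, data)))
```

The third sample is the case post #8 raises: a plain extension block would drop it even though it carries no TNEF content.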

  10. #10
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    I have three flat screens on my desk with real time traffic analysis of my perimeter firewalls. The one used for Exchange and general internet access started acting weird on Monday. At about 8am the traffic pattern shifted. I watch it every day and it completely went 180 on me. A few minutes later the phone rang with Administrators saying they are getting errors accessing the web. FRUCK ME, I said and went to work. Not knowing about this patch until this morning I had to isolate the problem which appeared to be a DOS attack or Spam attack on Exchange. The SMTP traffic would build in about 5 minutes to gobble up the ENTIRE T1 every time I turned on the virtual SMTP server. Long boring story short... anyway, I worked all night tearing down the firewall, tracking all sorts of DNS items and generally reconfiguring and changing passwords etc. and tracking and blocking potential bad IPs. Then all day yesterday reconfiguring and checking Exchange and the whole system so... FU MS. I stopped it, got it all back up, to find a patch ready. ACK!
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.
