
Thread: May 06 security patches

  1. #1
    Senior Member
    Join Date
    Oct 2001
    Posts
    748

    May 06 security patches

    This one is pretty severe for the other Exchange admins out there. Get this patched quickly, or use the workarounds. http://www.microsoft.com/technet/sec.../MS06-019.mspx



    New Security Bulletins

    Microsoft is releasing the following security bulletins for newly discovered vulnerabilities:

    • Moderate MS06-018 Microsoft Windows Denial of Service
    • Critical MS06-019 Microsoft Exchange Remote Code Execution
    • Critical MS06-020 Microsoft Windows Remote Code Execution

    The Summary for these new bulletins may be found at the following page:

    http://www.microsoft.com/technet/sec.../ms06-May.mspx

    Customers are advised to review the information in the bulletins, test and deploy the updates immediately in their environments, if applicable.

    Microsoft Windows Malicious Software Removal Tool

    Microsoft is releasing an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Server Update Services (WSUS), Windows Update (WU) and the Download Center. Note that this tool will NOT be distributed using Software Update Services (SUS). Information on the Microsoft Windows Malicious Software Removal Tool can be located here:

    http://go.microsoft.com/fwlink/?LinkId=40573

    High-Priority Non-Security Updates on Microsoft Update (MU), Windows Update (WU), Windows Server Update Services (WSUS) and Software Update Services (SUS)

    Microsoft is today also making the following High-Priority NON-SECURITY updates available on WU, MU, SUS and/or WSUS:

    • 917148 Update for OneNote 2003 KB917148
    • 916521 Update for Outlook 2003 Junk E-Mail Filter KB916521

    TechNet Webcast: Information about Microsoft May 2006 Security Bulletins

    • Wednesday, 10 May 2006 11:00 AM (GMT-08:00) Pacific Time (US & Canada)
    http://msevents.microsoft.com/CUI/We...&culture=en-US

    The on-demand version of the Webcast will be available 24 hours after the live Webcast at:

    http://msevents.microsoft.com/CUI/We...tID=1032294228

    **********************************************************************
    MS06-018

    Title: Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580)

    Affected Software:
    • Microsoft Windows 2000 Service Pack 4
    • Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
    • Microsoft Windows Server 2003
    • Microsoft Windows Server 2003 for Itanium-based Systems

    Non-Affected Software:
    • Microsoft Windows XP Professional x64 Edition
    • Microsoft Windows Server 2003 Service Pack 1
    • Microsoft Windows Server 2003 x64 Edition
    • Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
    • Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (Me)

    Note: The software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site: http://support.microsoft.com/default.aspx?scid=fh;[ln];lifecycle.

    Impact of Vulnerability: Denial of Service

    Maximum Severity Rating: Moderate

    Restart requirement: In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. To help reduce the chance that a reboot will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart your computer, see Microsoft Knowledge Base Article 887012.

    Update can be uninstalled: Yes. To remove this security update, use the Add or Remove Programs tool in Control Panel

    More information on this vulnerability is available at: http://www.microsoft.com/technet/sec.../MS06-018.mspx

    ******************************************************************

    MS06-019

    Title: Vulnerability in Microsoft Exchange Could Allow Remote Code Execution (916803)

    Affected Software:
    • Microsoft Exchange Server 2000 with the Exchange 2000 Post-Service Pack 3 Update Rollup of August 2004(870540)
    • Microsoft Exchange Server 2003 Service Pack 1
    • Microsoft Exchange Server 2003 Service Pack 2

    Note: The software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site: http://support.microsoft.com/default.aspx?scid=fh;[ln];lifecycle.

    Impact of Vulnerability: Remote Code Execution

    Maximum Severity Rating: Critical

    Restart requirement: This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. To help reduce the chance that a reboot will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart your computer, see Microsoft Knowledge Base Article 887012.

    Update can be uninstalled: Yes. To remove this security update, use the Add or Remove Programs tool in Control Panel

    More information on this vulnerability is available at: http://www.microsoft.com/technet/sec.../MS06-019.mspx

    ******************************************************************

    MS06-020

    Title: Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (913433)

    Affected Software:
    • Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
    • Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) - Review the FAQ section of the bulletin for details about these operating systems.

    Non-Affected Software:
    • Microsoft Windows 2000 Service Pack 4
    • Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
    • Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems

    • Microsoft Windows Server 2003 x64 Edition
    • Windows XP Professional x64 Edition

    Note: The software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site: http://support.microsoft.com/default.aspx?scid=fh;[ln];lifecycle.

    Note: Flash Player does not ship with the versions of Microsoft Windows in the not affected software list. Customers who have installed Flash Player on these versions of Windows are encouraged to follow the guidance in the Adobe Security Bulletin APSB06-03.

    Caveats:
    • This bulletin is for customers using Macromedia Flash Player from Adobe version 6 or earlier. Customers that have followed the guidance in Adobe Security Bulletin APSB06-03 (http://go.microsoft.com/fwlink/?LinkId=62431) are not at risk from the vulnerability.

    • Vulnerable versions of Macromedia Flash Player from Adobe are included with Windows XP and Internet Explorer 6 Service Pack 1 when installed on Windows ME, Windows 98, and Windows 98 Second Edition. Other versions of Windows are not affected or not supported by this security update. Customers with Flash Player installed on other versions of the operating system or customers who have upgraded to Flash Player 7 or higher are encouraged to follow the guidance in the Adobe Security Bulletin APSB06-03 (http://go.microsoft.com/fwlink/?LinkId=62431).

    • Microsoft Knowledge Base Article 913433 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 913433 (http://support.microsoft.com/kb/913433).

    Impact of Vulnerability: Remote Code Execution

    Maximum Severity Rating: Critical

    Restart requirement: This update does not require a restart.

    Update can be uninstalled: Yes. To remove this security update, use the Add or Remove Programs tool in Control Panel

    More information on this vulnerability is available at: http://www.microsoft.com/technet/sec.../MS06-020.mspx

  2. #2
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867

    Careful....

    Quote from the Storm Center:

    As announced by Microsoft last week, today's patches will include a patch for Microsoft Exchange. RIM (Research in Motion / Blackberry) announced that today's patch will break some functionality required by its Enterprise Server. Other third party products may be affected as well.


    "this update affects user mailbox permissions by revoking the 'Send As' permission in Exchange which has an impact on third party products such as BlackBerry Enterprise Server for Microsoft Exchange. Once applied, this update will prevent users on BlackBerry Enterprise Server from sending email from a BlackBerry or BlackBerry-enabled device, however users will still receive emails on their BlackBerry device. This is due to the BlackBerry service sending emails on behalf of a user when a message is sent via the BlackBerry device."

    For a workaround, see: http://support.microsoft.com/kb/912918.
    Cheers:
    DjM

  3. #3
    Senior Member
    Join Date
    Jul 2001
    Posts
    343
    New M$ Patches.....
    Maybe it is to fix their darn WgaTray.exe file

    Well I am now fixing several legit XP boxes
    that have the license tag and ID with
    that damm pop up that says this box is
    running an illegal operating system.

    I have to look to the underground to fix it....
    What a pain......
    Delete several files
    Modify 1
    and run another.....

    Why would M$ flag a legit system... only God knows!!!!

    PAIN in the A%%
    Franklin Werren at www.bagpipes.net
    Yes I do play the Bagpipes!

    And learning to Play the Bugle

  4. #4
    For the MS06-019 Exchange vulnerability, does anyone know if this is exploitable by simply sending an email (with iCal/vCal) into a mailbox on the Exchange server? Does Exchange process the iCal/vCal enough to exploit the vulnerability even before the user accesses it in their mailbox?

    If YES, I would expect a major worm coming.

  5. #5
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    ric-o: There hasn't been any good information on exactly what this vulnerability is. I've talked to some of my MS support folks and they seem to have only what is in the kb article.

    My understanding of the vulnerability is that you could potentially just email this into an exchange server and have a problem... There are some configurations that could cause an email message to be processed without a user opening the message, so that has to be taken into consideration. Also, MS has not said how much processing of the message needs to occur in order for the vulnerability to be exploited.

    The important wording- "when an Exchange Server processes an email."

    To me, that reads sometime between when exchange receives it and starts to push it through SMTP into the store, and finally to disk and waiting on the user to open it.

    So there are two ways to make exchange process an email: send the message into the server, or connect to a mailbox or public folder and put that message into either one of these items.

    The two workarounds seem to each try to protect from one of those two attack vectors. Even if you implemented both of these workarounds I believe you would still be vulnerable without patching. Block anonymous users from opening a mailbox or PF (doesn't protect against authenticated users), and block vcal and ical. But then an authenticated user could still place a message onto the server that could cause the problem to occur if you are not patched. One of the first patches in a while that did not have a really effective workaround that didn't also cripple the system.

    My gut feel is that this is definitely a problem in the store and could have something to do with the message conversion process. If I were going to try to find flaws in exchange that is where I would look first. Exchange has to be able to process thousands of different file types and mime types and make all of those play nice with RTF and HTML, and it has to do it quickly. Also think about all of the different implementations of SMTP itself. MS is not the only one that can't follow RFCs. I've come across some Lotus Notes systems and MVS systems that really botch SMTP, but exchange will still try to process it. It also has to be able to read all of the different exchange proprietary features such as ical, vcal, exchange NDRs, custom forms, and present those logically to the end user. There are a lot of inputs, and a lot of outputs that happen very quickly. I bet they are not performing boundary checks on each and every different conversion that could happen.

    I think a lot of buffer overflows and denial of service vulnerabilities exist in this portion of exchange. In production I've randomly hit on at least 5 bugs related to the store and message conversion/display in the last 4 years. I don't think any of them were this severe to give out full control, but a lot of issues where you could hang or crash the store depending on the load of the server.

    I had to install a 2003 post SP2 patch in February that fixed an issue with message conversion hanging the store. It was at this time that the version of store incremented enough to cause the problem with Goodlink and Blackberry (the send on behalf of change). This current security patch contains a lot of other fixes for the store post SP2.
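The "block vcal and ical" workaround discussed in the post above depends on recognising calendar content reliably at the mail gateway. The following is an added example, not part of the original thread and not Microsoft's filter: it flags calendar parts by declared type, by filename, and by content marker, so that a calendar body mislabelled as another type is still caught. The type and extension lists, function names and sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed indicator lists for calendar content; extend for your gateway.
CALENDAR_TYPES = {"text/calendar", "text/x-vcalendar"}
CALENDAR_EXTS = (".ics", ".vcs")

# Constructed sample calendar body (not taken from any real message).
SAMPLE_ICS = (b"BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
              b"SUMMARY:Patch window\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n")


def find_calendar_parts(raw_bytes):
    """Return (content_type, filename, reasons) for each calendar-like leaf part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        # decode=True undoes base64/quoted-printable so the marker is visible
        body = part.get_payload(decode=True) or b""
        reasons = []
        if ctype in CALENDAR_TYPES:
            reasons.append("content-type")
        if fname.endswith(CALENDAR_EXTS):
            reasons.append("filename")
        if b"BEGIN:VCALENDAR" in body.upper():
            reasons.append("body-marker")
        if reasons:
            hits.append((ctype, fname, reasons))
    return hits


def build_sample(maintype, subtype, filename):
    """Build a constructed test message carrying SAMPLE_ICS as an attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = "Meeting"
    m.set_content("Details attached.")
    m.add_attachment(SAMPLE_ICS, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(find_calendar_parts(build_sample("text", "calendar", "invite.ics")))
    print(find_calendar_parts(build_sample("application", "octet-stream", "notes.dat")))
```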

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Highlander

    Why would M$ flag a legit system... only God knows!!!!
    Possibly because the software is still in Beta? It certainly seemed to be a few days ago, at least according to the EULA.


  7. #7
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    According to Microsoft it's as soon as exchange processes the attachment... Which as mohaughn mentioned would lead you to believe that it happens without user interaction... However there are some rumors going around that it requires user interaction... I tend to believe this based on my experience... at this point that's all I can say though...

    Immunity has released a CANVAS module that will DoS Exchange based on iCal/vCal attachments, however it is only available to people in their Partner Program at this time... There's been some speculation about whether this exploits the patched MS06-019, or whether it's a new 0-Day that's yet to be patched...

    Peace,
    HT

  8. #8
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    well guess what I am doing this weekend.....


    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  9. #9
    Originally posted here by morganlefay
    well guess what I am doing this weekend.....
    Yeah, we are doing some servers this weekend too and did our main ones this past Thursday.

    Will be watching to see what folks say about whether this patch fixes the issue or if there is a new related 0-day vuln released/discussed.

    Thanks for the note Morgan.

  10. #10
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Well on the last server.....

    But have to come back tomorrow...cause the backup failed last night

    What a great way to spend a sunny Saturday.....

    Got myself a chocolate extreme blizzard to make me feel better.....it worked..

    No issues so far.

    We'll see how the whining is on Monday
    How people treat you is their karma- how you react is yours-Wayne Dyer
