Status Tracking Note TRTA06-220A

Microsoft Products Contain Multiple Vulnerabilities

Overview

Microsoft has released updates that address critical vulnerabilities in Microsoft Windows, Office, Works Suite, Visual Basic for Applications, and Internet Explorer. Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system.

Event Information

Date (UTC) / Source    Description
2006-09-21
MS Windows (Windows Kernel) Privilege Escalation Exploit (MS06-049)
proof-of-concept code for this vulnerability (CVE-2006-3444, MS06-049)
#Cid: ms06-049.c
#Cid: 19388.c
#Tested: Windows 2000 PRO SP4 [CN]
#Tested: Windows 2000 PRO SP4 Rollup 1 [CN]
#Tested: Windows 2000 PRO SP4 [EN]
#Tested: Windows 2000 PRO SP4 Rollup 1 [EN]
2006-09-13
Microsoft Windows NetpIsRemote() Remote Overflow (Exploit, MS06-040, Windows 2003)
proof-of-concept code for this vulnerability
#Tested: Windows Server 2003 SP0
#Cid: netapi_win2003.pm
2006-09-12 22:45 US-CERT
Microsoft Re-Releases Windows Server Service Security Bulletin MS06-040
Microsoft has released a new version of Security Bulletin MS06-040 and the associated security updates.
2006-09-12 Microsoft
MS06-042: Cumulative Security Update for Internet Explorer (918899)
Bulletin and Internet Explorer 6 Service Pack 1, Internet Explorer 5.01 Service Pack 4, and Internet Explorer 6 for Microsoft Windows Server 2003 security updates have been re-released to address a vulnerability documented in the Vulnerability Details section as Long URL Buffer Overflow - CVE-2006-3873.
2006-09-12 Microsoft
MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883)
The update has been revised and re-released for Microsoft Windows 2003 and Microsoft Windows XP Professional x64 Edition to address the issues identified in Microsoft Knowledge Base Article 924054 (Programs that request lots of contiguous memory may fail after you install security update 921883 (MS06-040) on a Windows Server 2003 Service Pack 1-based computer or a Windows XP Professional x64 Edition-based computer).
2006-08-27
Microsoft Windows NetpIsRemote() Remote Overflow (Exploit, MS06-040)
proof-of-concept code for this vulnerability
#Tested: Windows XP SP1
#Tested: Windows 2000 SP4
#Cid: ms06_040_remote_overflow_082706
2006-08-24 05:39 JPCERT/CC
JPCERT-AT-2006-0012: Increase in TCP Port 139 scanning activity
2006-08-24 eEye Digital Security
EEYEB-AD20060912: Internet Explorer Compressed Content URL Heap Overflow Vulnerability #2
Long URL Buffer Overflow Vulnerability (CVE-2006-3873, MS06-042)
Vulnerability Reported
2006-08-24 Microsoft
MS06-042: Cumulative Security Update for Internet Explorer (918899)
Bulletin reissued and updated with additional information and vulnerability details affecting Internet Explorer 6 Service Pack 1 customers.
2006-08-22 07:52 Symantec
ThreatCON (2) => (1)
2006-08-22 Microsoft
Microsoft Security Advisory (923762): Long URLs to sites using HTTP 1.1 and compression Could Cause Internet Explorer 6 Service Pack 1 to Unexpectedly Exit
Long URL Buffer Overflow Vulnerability (CVE-2006-3869, MS06-042)
2006-08-21 16:25 Internet Security Systems
AlertCon (2) => (1)
2006-08-19
Microsoft Windows CanonicalizePathName() Remote Code Execution (Exploit, MS06-040)
proof-of-concept code for this vulnerability
#Cid: netapi_ms06_040.c
2006-08-17 eEye Digital Security
EEYEB-AD20060824: Internet Explorer Compressed Content URL Heap Overflow Vulnerability
Long URL Buffer Overflow Vulnerability (CVE-2006-3869, MS06-042, VU#821156)
Vulnerability Reported
2006-08-15 Microsoft
MS06-042: Cumulative Security Update for Internet Explorer (918899)
Bulletin caveats updated with additional information affecting some Internet Explorer 6 Service Pack 1 customers.
2006-08-15 LURHQ Corporation
Mocbot Spam Analysis
The recent Mocbot variant found exploiting the vulnerability described in MS06-040 is not especially unique. Many different malware variants use IRC as a command-and-control (C&C) channel. In this article we explore the Mocbot C&C in order to gain a better understanding of the reason for Mocbot's existence.
2006-08-14 23:00 Cisco Systems
Cisco Security Response Document ID: 70997: Mitigating Exploitation of the MS06-040 Service Buffer Vulnerability
Cisco devices provide several countermeasures for the MS06-040 vulnerability. The most preventative control is provided by Cisco Security Agent (CSA) at the end host level.
2006-08-14 17:48 SANS
MS06-040: BOLO -- Be On the LookOut
Over the weekend there was a botnet doing fairly wide scale scanning for hosts affected by the vulnerabilities in the MS06-040 advisory.
2006-08-14 03:42 Microsoft
Microsoft Security Advisory (922437): Exploit Code Published Affecting the Server Service
Exploit for MS06-040
Advisory updated to detail activity related to Win32/Graweg.
Microsoft is aware of public reports regarding an attack known as Win32/Graweg exploiting the vulnerability addressed by security update MS06-040. Microsoft's initial investigation of Win32/Graweg verified that it only affects users running Windows 2000 that have not applied the update detailed in MS06-040. Microsoft has activated its emergency response process and is continuing to investigate this issue.
2006-08-13 13:37 SANS
MS06-040 wgareg / wgavm update
We have received samples and infection reports from several sources.
2006-08-12 LURHQ Corporation
Mocbot/MS06-040 Analysis
LURHQ's Threat Intelligence Group has detected a Mocbot variant in the wild utilizing the MS06-040 vulnerability in order to spread in a worm-like fashion.
2006-08-12 McAfee
IRC-Mocbot!MS06-040
2006-08-12 Symantec
W32.Wargbot
Exploit for MS06-040
2006-08-12 Trend Micro
WORM_IRCBOT.JL
Exploit for MS06-040
2006-08-12 Trend Micro
WORM_IRCBOT.JK
Exploit for MS06-040
2006-08-11 20:57 Microsoft
Microsoft Security Advisory (922437): Exploit Code Published Affecting the Server Service
Exploit for MS06-040
2006-08-11 LURHQ Corporation
MS06-040 Exploit: More Hype Than Threat
Multiple sources are sounding alarms based on the MS06-040 exploit, predicting an imminent worm outbreak of Blaster-like proportions.
2006-08-11 SANS
MS06-040 exploit(s) publicly available
As almost everyone predicted, it didn't take long to have MS06-040 (vulnerability in the Server service) publicly available.
2006-08-11 Trend Micro
TROJ_MDROPPER.BI
Exploit for MS06-047
2006-08-10 15:48 NISCC
20060810-00546: Exploit for MS06-040 (vulnerability in the Server service) publicly available
A vulnerability in the Microsoft Server service, addressed in Microsoft Security Bulletin MS06-040, is being exploited.
2006-08-10 07:57 Full-disclosure
RE: [Full-disclosure] Exploit for MS06-040 Out?
proof-of-concept code for this vulnerability (CVE-2006-3439, MS06-040)
#Cid: netapi_ms06_040.pm
2006-08-10 06:19 eEye Digital Security
Retina MS06-040 NetApi32 Scanner
eEye Digital Security has created a standalone vulnerability scanner to help identify systems vulnerable to this flaw. This scanner will identify the vulnerability on all systems with the exception of Windows NT.
2006-08-10 NSFocus Corporation
NSFOCUS Security Advisory(SA2006-08): Microsoft IE6 urlmon.dll Long URL Buffer Overflow vulnerability
Long URL Buffer Overflow Vulnerability (CVE-2006-3869, MS06-042)
Vulnerability Reported
2006-08-10 US-CERT
Public Exploit Code for a Vulnerability in Microsoft Server Service
US-CERT is aware of publicly available exploit code for a buffer overflow vulnerability in the Microsoft Windows Server service. This vulnerability can be exploited by sending a specially crafted packet to an affected system.
2006-08-09 18:24 Full-disclosure
RE: [Full-disclosure] Exploit for MS06-040 Out?
proof-of-concept code for this vulnerability (CVE-2006-3439, MS06-040)
#Cid: ms06_040.tgz
2006-08-09 11:55 SANS Internet Storm Center
Microsoft exploits on Reboot Wednesday
2006-08-09 02:38 JPCERT/CC
JPCERT-AT-2006-0011: Microsoft Products Vulnerabilities
2006-08-09 Department of Homeland Security
DHS Recommends Security Patch to Protect Against a Vulnerability Found In Windows Operating Systems
The Department of Homeland Security (DHS) is recommending that Windows Operating Systems users apply Microsoft security patch MS06-040 as quickly as possible. This security patch is designed to protect against a vulnerability that, if exploited, could enable an attacker to remotely take control of an affected system and install programs, view, change, or delete data, and create new accounts with full user rights.
2006-08-08 21:07 US-CERT
TA06-220A: Microsoft Products Contain Multiple Vulnerabilities
Microsoft has released updates that address critical vulnerabilities in Microsoft Windows, Office, Works Suite, Visual Basic for Applications, and Internet Explorer. Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system.
2006-08-08 20:00 Internet Security Systems
AlertCon (1) => (2)
2006-08-08 US-CERT
Active Exploitation of a Vulnerability in Microsoft Server Service
US-CERT is aware of active exploitation of a buffer overflow vulnerability in the Microsoft Windows Server service. If a remote attacker sends a specially crafted packet to a vulnerable Windows system, that attacker may be able to execute arbitrary code with SYSTEM privileges.
2006-08-08 Internet Security Systems
Microsoft DNS Client Integer Overflow Vulnerability
X-Force has discovered a flaw in the Microsoft DNS client software. By sending malicious DNS responses to a Windows machine, attackers can trigger a heap corruption and gain control of the affected host.
2006-08-08 Internet Security Systems
Microsoft DNS Client ATMA Buffer Overflow Vulnerability
X-Force has discovered a flaw in the Microsoft DNS client software. By sending malicious DNS responses to a Windows machine, attackers can trigger a heap corruption and gain control of the affected host.
2006-08-08 Internet Security Systems
Microsoft DNS Client Character String Buffer Overflow Vulnerability
X-Force has discovered a flaw in the Microsoft DNS client software. By sending malicious DNS responses to a Windows machine, attackers can trigger a heap corruption and gain control of the affected host.
2006-08-08 Internet Security Systems
Microsoft Server Service Buffer Overflow Vulnerability
The Microsoft Server Service is vulnerable to remote code execution. By sending malicious requests to the named pipe for the Server Service, attackers can trigger a stack overflow and gain control of the affected host.
2006-08-08 Microsoft
MS06-AUG: Microsoft Security Bulletin Summary for August, 2006
Included in this advisory are updates for newly discovered vulnerabilities.
2006-07-14 Sowhat of Nevis Labs
Microsoft PowerPoint Malformed Record Memory Corruption Vulnerability
Microsoft PowerPoint Malformed Records Vulnerability (CVE-2006-3449, MS06-048)
Vulnerability Reported
This vulnerability allows remote attackers to execute arbitrary code in the context of the logged in user. An array boundary condition may be violated by a malicious .PPT file in order to redirect execution into attacker-supplied data. Exploitation requires that the attacker coerce or persuade the victim to open a malicious .PPT file.
2006-06-14 Zero Day Initiative (ZDI)
ZDI-06-027: Microsoft Internet Explorer CSS Class Ordering Memory Corruption Vulnerability
HTML Layout and Positioning Memory Corruption Vulnerability (CVE-2006-3450, MS06-042)
Vulnerability Reported
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.
2006-06-14 Zero Day Initiative (ZDI)
ZDI-06-026: Microsoft Internet Explorer Multiple CSS Imports Memory Corruption Vulnerability
CSS Memory Corruption Vulnerability (CVE-2006-3451, MS06-042)
Vulnerability Reported
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.
2006-04-27 TippingPoint
TSRT-06-09: Microsoft DirectAnimation COM Object Memory Corruption Vulnerability
COM Object Instantiation Memory Corruption Vulnerability (CVE-2006-3638, MS06-042)
Vulnerability Reported
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.
2006-04-27 TippingPoint
TSRT-06-08: Microsoft Internet Help COM Object Memory Corruption Vulnerability
Buffer Overrun in HTML Help Vulnerability (CVE-2006-3357, MS06-046)
Vulnerability Reported
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.
2006-02-28 TippingPoint
TSRT-06-10: Microsoft HLINK.DLL Hyperlink Object Library Buffer Overflow Vulnerability
Hyperlink Object Buffer Overflow Vulnerability (CVE-2006-3086, MS06-050)
Vulnerability Reported
This vulnerability allows remote attackers to execute arbitrary code on vulnerable applications that utilize Microsoft Hyperlink Component Object Model (COM) objects. Specifically, this includes at least Microsoft Word, PowerPoint and Excel. Exploitation over the web is doable via Office Web Components (OWC). It is not required for the target to have OWC installed.
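The TCP port 139 scanning reported in JPCERT-AT-2006-0012 and the botnet sweep in the SANS "BOLO" entry above are the network-visible symptom of the MS06-040 worms (Mocbot/Wargbot/Graweg) hunting for unpatched Server service hosts. The detector below is an added example for this tracking note; it is not code from JPCERT/CC, SANS, US-CERT or any cited vendor. It flags sources that fan out to many distinct hosts on 139/445 within a short sliding window, which is what separates a propagating bot from a client talking to its usual file servers. The one-line-per-connection log format, the thresholds and the sample lines are assumptions constructed for the example.

```python
"""SMB/NetBIOS fan-out detector (TCP 139/445).

Added example for this tracking note; not code from JPCERT/CC, SANS or any
cited vendor. Log format is an assumption: one connection event per line,
"<ISO-8601 timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}  # NetBIOS session / direct SMB, the MS06-040 vector
LINE_RE = re.compile(
    r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\w+)$"
)


def parse_line(line):
    """Return (ts, src, dst, port, action), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, action = m.groups()
    try:
        return datetime.fromisoformat(ts), src, dst, int(port), action
    except ValueError:
        return None


def find_scanners(lines, threshold=8, window_seconds=300, allowlist=frozenset()):
    """Map src -> peak number of distinct 139/445 destinations seen inside any
    sliding window of `window_seconds`, for sources reaching `threshold` or more.

    Denied and allowed connections both count: a scanner sweeping a subnet
    mostly produces denies, and the distinct-destination count is the signal.
    `allowlist` excludes hosts that legitimately fan out (backup and patch
    management servers, or an authorised vulnerability scanner such as the
    eEye Retina tool noted above).
    """
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port, _ = rec
        if port in SMB_PORTS and src not in allowlist:
            events[src].append((ts, dst))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        lo = 0
        for hi, (ts_hi, _) in enumerate(evs):
            while ts_hi - evs[lo][0] > window:  # slide the window's left edge
                lo += 1
            distinct = len({dst for _, dst in evs[lo:hi + 1]})
            if distinct >= threshold:
                hits[src] = max(hits.get(src, 0), distinct)
    return hits


# Constructed sample log for the example (not real traffic).
SAMPLE_LOG = [
    # 192.0.2.10 sweeps ten hosts on 139 within 45 seconds: scanner behaviour
    *[f"2006-08-12T03:10:{5 * i:02d} 192.0.2.10 -> 10.0.0.{i + 1}:139 deny"
      for i in range(10)],
    # 192.0.2.20 talks to its two usual file servers: benign
    "2006-08-12T03:12:00 192.0.2.20 -> 10.0.0.5:445 allow",
    "2006-08-12T03:12:30 192.0.2.20 -> 10.0.0.6:445 allow",
    "2006-08-12T03:13:00 192.0.2.20 -> 10.0.0.5:445 allow",
    # 192.0.2.30 reaches nine hosts on 445 but 15 minutes apart: never inside a 5-minute window
    *[f"2006-08-12T{4 + i // 4:02d}:{15 * (i % 4):02d}:00 192.0.2.30 -> 10.0.1.{i + 1}:445 allow"
      for i in range(9)],
    # non-SMB traffic and an unparseable line, both ignored
    "2006-08-12T03:14:00 192.0.2.10 -> 10.0.0.50:80 allow",
    "garbage line that does not parse",
]


if __name__ == "__main__":
    for src, n in sorted(find_scanners(SAMPLE_LOG).items()):
        print(f"{src}: {n} distinct 139/445 targets inside one window")
```

With the defaults only 192.0.2.10 is reported. Widening the window to hours would also surface 192.0.2.30, so the window and threshold should be tuned against a day of the site's own baseline before the rule pages anyone, and hosts that legitimately push to many machines on 445 belong in the allowlist rather than a higher global threshold.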

Reference

Date first published (UTC): 2006-08-09T22:11+00:00
Date last updated (UTC): 2006-11-25T03:24+00:00