[ISN] A Dozen Security Patches and Several Related Exploits

InfoSec News isn at c4i.org
Thu Jun 22 03:29:18 EDT 2006


1. In Focus: A Dozen Security Patches and Several Related Exploits

2. Security News and Features
   - Recent Security Vulnerabilities
   - Microsoft Takes Security to the Forefront
   - Will Ethereal Be Devoured by Wireshark?
   - SmartLine DeviceLock Minireview

3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Security Forum Featured Thread
   - Instant Poll
   - Share Your Security Tips

4. New and Improved
   - Virtual Security Gateway


==== 1. In Focus: A Dozen Security Patches and Several Related Exploits ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

As you hopefully know by now, Microsoft released a dozen security 
patches last week. Microsoft rated eight of the patches as critical, 
meaning that the related problems could be exploited without user 
interaction to possibly spread a worm. The remaining four patches are 
rated important, meaning that the related problem could be exploited to 
compromise sensitive information, hinder access to data, or affect 
availability and integrity of processing resources. 

After Microsoft releases security patches, intruders often quickly 
release exploits that take advantage of the vulnerabilities, or 
researchers sometimes discover that previously known security problems 
still exist and that the latest batch of patches left problems unfixed. 
This past week was no different. 

Reading the Handler's Diary blog at SANS Internet Storm Center (at the 
URL below) last week, I learned that the day after Microsoft released 
its security patches, there were at least six new exploits. 
Fortunately, two of those exploits, which affect Microsoft Windows 
Media Player and RRAS, were released by a security vendor to its 
customers, so those weren't floating around in the wild. Another 
exploit, which affects TCP/IP networking, was released privately, so it 
wasn't in the wild either. Yet another exploit, which affects Microsoft 
Word, was already in the wild before the related patch was released. 
That leaves at least two new exploits that are in the wild, both of 
which affect Server Message Block (SMB) and could be used to elevate 
privileges or hide a running process.

These last two exploits caught my attention because installing the 
patch in the related Microsoft Security Bulletin MS06-030: 
Vulnerability in Server Message Block Could Allow Elevation of 
Privilege doesn't completely fix the security problems. Even with the 
patch installed, vulnerability remains, although to an arguably lesser 

Ruben Santamarta, who runs the reversemode.com Web site, posted a 
message to SecurityFocus's BugTraq mailing list (at the URL below) in 
which he stated in reference to MS06-030, "Microsoft has not fixed the 
NtClose/ZwClose DeadLock vulnerability.... I think that the Driver 
Developer community should be informed that using NtClose/ZwClose, the 
driver will be exposed to a security issue by default."

Santamarta published a document on his Web site that discusses the 
problem in considerable technical detail (at the URL below). If I 
understand correctly, Santamarta has found that a malware writer could 
use the still existing vulnerability to essentially hide a process. As 
demonstrated in one of his published exploits, even if you try to 
terminate the process, it will disappear but not actually stop running. 
This of course gives the malware writer a great way to avoid malware 
removal. Santamarta's proof of concept points out that Microsoft needs 
to fix this problem sooner rather than later. 

Finally, another exploit you need to be aware of, which isn't related 
to Microsoft's June release of patches, is a zero-day exploit released 
last week that affects Microsoft Excel. At the time of this writing, no 
patch was available from Microsoft to correct the problem. The problem 
is serious in that it allows the execution of arbitrary code when 
someone opens an affected Excel document. Security vendors are working 
to provide detection of this exploit, so hopefully you'll have the 
protection you need by the time you read this newsletter.


==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

Microsoft Takes Security to the Forefront
   At TechEd 2006 last week in Boston, Microsoft announced its 
Forefront brand and the launch of ISA Server 2006. Forefront will 
include solutions for clients, servers, and the network boundary. Find 
out what products will be included and when you can expect to see them. 

Will Ethereal Be Devoured by Wireshark?
   Ethereal has long been the tool of choice among countless network 
administrators for robust packet capturing and protocol analysis. Now 
the hugely popular open source tool has a new name, Wireshark, and a 
new sponsor to go along with it. 

SmartLine DeviceLock Minireview
   SmartLine's DeviceLock lets you manage device security for portable 
devices by assigning users access levels to network devices and 
interfaces, such as USB and infrared ports, wireless network adapters, 
and removable storage devices. Read Trisha Pendley's minireview on our 
Web site. 


==== 3. Security Toolkit ==== 

Security Matters Blog: 100GB in My Pocket!
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=2F242:4FB69

   I found a super-affordable portable disk that gives me 100GB to 
store whatever I need, like bunches of security tools and even an 
alternative OS. Plus I can carry it around in my pocket. 

FAQ
   by John Savill, http://list.windowsitpro.com/t?ctl=2F241:4FB69

Q: Why does the Windows Server 2003 R2 File Server Resource Manager 
(FSRM) file screen audit report contain three entries for file screen 

Find the answer at http://list.windowsitpro.com/t?ctl=2F236:4FB69

Security Forum Featured Thread: Using Administrator Account Is a 
Security Offense
   A forum participant wonders why it's a serious security offense in 
some organizations for a network administrator to use the Administrator 
account for routine work. Join the discussion at

New Instant Poll
   Is your company using Microsoft's antispyware tool, Windows Defender 
Beta 2, on its systems?
   - Yes, it's the only antispyware tool we use
   - Yes, we use it along with other antispyware programs
   - No, we use another antispyware program
   Go to the Security Hot Topic and submit your vote

Share Your Security Tips and Get $100
   Share your security-related tips, comments, or problems and 
solutions in the Windows IT Security print newsletter's Reader to 
Reader column. Email your contributions (500 words or less) to 
r2rwinitsec at windowsitpro.com. If we print your submission, you'll 
get $100. We edit submissions for style, grammar, and length.


==== 4. New and Improved ====
   by Renee Munshi, products at windowsitpro.com

Virtual Security Gateway
   Astaro announced the general availability of Astaro Security Gateway 
for VMware, which lets customers run Astaro Security Gateway software 
on a VMware infrastructure. A new Astaro Command Center will allow for 
one integrated view and unified control of any number of Astaro 
Security Gateways for VMware and/or Astaro Security Gateway physical 
appliances. Suggested pricing for a sample configuration of 250 active 
users, 512,000 connections, and one year of maintenance is $11,885. For 
more information or to download a trial copy of the software, go to

Tell Us About a Hot Product and Get a Best Buy Gift Card!
   Have you used a product that changed your IT experience by saving 
you time or easing your daily burden? Tell us about the product, and 
we'll send you a Best Buy Gift Card if we write about the product in a 
Windows IT Pro What's Hot column. Send your product suggestion with 
information about how the product has helped you to 
whatshot at windowsitpro.com.


==== Contact Us ==== 

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=2F244:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com


This email newsletter is brought to you by Windows IT Security, 
the leading publication for IT professionals securing the Windows 
enterprise from external intruders and controlling access for 
internal users. Subscribe today.

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
