[ISN] A Dozen Security Patches and Several Related Exploits
isn at c4i.org
Thu Jun 22 03:29:18 EDT 2006
1. In Focus: A Dozen Security Patches and Several Related Exploits
2. Security News and Features
- Recent Security Vulnerabilities
- Microsoft Takes Security to the Forefront
- Will Ethereal Be Devoured by Wireshark?
- SmartLine DeviceLock Minireview
3. Security Toolkit
- Security Matters Blog
- Security Forum Featured Thread
- Instant Poll
- Share Your Security Tips
4. New and Improved
- Virtual Security Gateway
==== 1. In Focus: A Dozen Security Patches and Several Related Exploits ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
As you hopefully know by now, Microsoft released a dozen security
patches last week. Microsoft rated eight of the patches as critical,
meaning that the related problems could be exploited without user
interaction to possibly spread a worm. The remaining four patches are
rated important, meaning that the related problem could be exploited to
compromise sensitive information, hinder access to data, or affect
availability and integrity of processing resources.
After Microsoft releases security patches, intruders often quickly
release exploits that take advantage of the vulnerabilities, or
researchers sometimes discover that previously known security problems
still exist and that the latest batch of patches left problems unfixed.
This past week was no different.
Reading the Handler's Diary blog at SANS Internet Storm Center (at the
URL below) last week, I learned that the day after Microsoft released
its security patches, there were at least six new exploits.
Fortunately, two of those exploits, which affect Microsoft Windows
Media Player and RRAS, were released by a security vendor to its
customers, so those weren't floating around in the wild. Another
exploit, which affects TCP/IP networking, was released privately, so it
wasn't in the wild either. Yet another exploit, which affects Microsoft
Word, was already in the wild before the related patch was released.
That leaves at least two new exploits that are in the wild, both of
which affect Server Message Block (SMB) and could be used to elevate
privileges or hide a running process.
These last two exploits caught my attention because installing the
patch in the related Microsoft Security Bulletin MS06-030,
"Vulnerability in Server Message Block Could Allow Elevation of
Privilege," doesn't completely fix the security problems. Even with the
patch installed, a vulnerability remains, although to an arguably lesser
Ruben Santamarta, who runs the reversemode.com Web site, posted a
message to SecurityFocus's BugTraq mailing list (at the URL below) in
which he stated in reference to MS06-030, "Microsoft has not fixed the
NtClose/ZwClose DeadLock vulnerability.... I think that the Driver
Developer community should be informed that using NtClose/ZwClose, the
driver will be exposed to a security issue by default."
Santamarta published a document on his Web site that discusses the
problem in considerable technical detail (at the URL below). If I
understand correctly, Santamarta has found that a malware writer could
use the still-existing vulnerability to essentially hide a process. As
demonstrated in one of his published exploits, even if you try to
terminate the process, it will disappear but not actually stop running.
This of course gives the malware writer a great way to avoid malware
removal. Santamarta's proof of concept points out that Microsoft needs
to fix this problem sooner rather than later.
Finally, another exploit you need to be aware of, which isn't related
to Microsoft's June release of patches, is a zero-day exploit released
last week that affects Microsoft Excel. At the time of this writing, no
patch was available from Microsoft to correct the problem. The problem
is serious in that it allows the execution of arbitrary code when
someone opens an affected Excel document. Security vendors are working
to provide detection of this exploit, so hopefully you'll have the
protection you need by the time you read this newsletter.
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
Microsoft Takes Security to the Forefront
At TechEd 2006 last week in Boston, Microsoft announced its
Forefront brand and the launch of ISA Server 2006. Forefront will
include solutions for clients, servers, and the network boundary. Find
out what products will be included and when you can expect to see them.
Will Ethereal Be Devoured by Wireshark?
Ethereal has long been the tool of choice among countless network
administrators for robust packet capturing and protocol analysis. Now
the hugely popular open source tool has a new name, Wireshark, and a
new sponsor to go along with it.
SmartLine DeviceLock Minireview
SmartLine's DeviceLock lets you manage device security for portable
devices by assigning users access levels to network devices and
interfaces, such as USB and infrared ports, wireless network adapters,
and removable storage devices. Read Trisha Pendley's minireview on our
==== 3. Security Toolkit ====
Security Matters Blog: 100GB in My Pocket!
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=2F242:4FB69
I found a super-affordable portable disk that gives me 100GB to
store whatever I need, like bunches of security tools and even an
alternative OS. Plus I can carry it around in my pocket.
by John Savill, http://list.windowsitpro.com/t?ctl=2F241:4FB69
Q: Why does the Windows Server 2003 R2 File Server Resource Manager
(FSRM) file screen audit report contain three entries for file screen
Find the answer at http://list.windowsitpro.com/t?ctl=2F236:4FB69
Security Forum Featured Thread: Using Administrator Account Is a
A forum participant wonders why it's a serious security offense in
some organizations for a network administrator to use the Administrator
account for routine work. Join the discussion at
New Instant Poll
Is your company using Microsoft's antispyware tool, Windows Defender
Beta 2, on its systems?
- Yes, it's the only antispyware tool we use
- Yes, we use it along with other antispyware programs
- No, we use another antispyware program
Go to the Security Hot Topic and submit your vote
Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and
solutions in the Windows IT Security print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rwinitsec at windowsitpro.com. If we print your submission, you'll
get $100. We edit submissions for style, grammar, and length.
==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com
Virtual Security Gateway
Astaro announced the general availability of Astaro Security Gateway
for VMware, which lets customers run Astaro Security Gateway software
on a VMware infrastructure. A new Astaro Command Center will allow for
one integrated view and unified control of any number of Astaro
Security Gateways for VMware and/or Astaro Security Gateway physical
appliances. Suggested pricing for a sample configuration of 250 active
users, 512,000 connections, and one year of maintenance is $11,885. For
more information or to download a trial copy of the software, go to
Tell Us About a Hot Product and Get a Best Buy Gift Card!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a Best Buy Gift Card if we write about the product in a
Windows IT Pro What's Hot column. Send your product suggestion with
information about how the product has helped you to
whatshot at windowsitpro.com.
This email newsletter is brought to you by Windows IT Security,
the leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for
internal users. Subscribe today.
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2006, Penton Media, Inc. All rights reserved.