Microsoft fixes critical vulnerabilities in IE and Media Player
Microsoft describes 11 security vulnerabilities in seven bulletins, which these latest patches should fix. The most important and most critical affect Internet Explorer, which, following installation of the update, should be four vulnerabilities lighter, and Windows Media Player 9 and 10, which until now could be injected with malicious code when parsing crafted ASX and ASF files. Two of the vulnerabilities in Internet Explorer 6 could also be exploited to infect visitors to websites with malware. One of these made use of a memory error when the browser attempted to deal with a number of simultaneous script errors. The other was based on specific DHTML scripting functions with incorrectly created elements. The remaining two errors in IE could merely enable an attacker to gain access to the "Temporary Internet Files" folder, possibly gaining access to confidential information. Internet Explorer 7 is not affected by any of these vulnerabilities.
Likewise, the six-week-old vulnerability in the WMI broker object ActiveX control in Visual Studio 2005 is now fixed. The vulnerability was not present in all versions of the development environment, only in Visual Studio 2005 Standard Edition, Visual Studio 2005 Professional Edition, Visual Studio 2005 Team Suite, Visual Studio 2005 Team Edition for Developers, for Architects and for Testers.
Prior to the patch day, Windows 2000, XP and 2003 (all service packs for all versions) were vulnerable to attacks via the SNMP network management protocol, where installed. It is probably for this reason that Microsoft categorises the error as merely "important". A buffer overflow permits attackers to inject code using crafted SNMP packets and to execute it with system privileges. The software group also categorises a further vulnerability, affecting XP and 2003, as merely "important" - using crafted file manifests, a user who is logged on locally can elevate their access privileges. Manifest files are XML files which define how Windows should display a program.
Back in April, Windows users were confronted with a vulnerability in address book management in Outlook Express 5.5 and 6. When importing crafted Windows Address Books (.wab), a buffer overflow could occur with the usual consequences. Apparently there was also a second, unchecked buffer overflow when importing a .wab file, which has now been fixed. And finally, Microsoft has remedied a further vulnerability in the Remote Installation Service (RIS) in Windows 2000, a method for distributing and installing software in the Pre-boot Execution Environment (PXE). Apparently this involved starting a TFTP server, which allowed anonymous access to the system. An attacker could place their own files onto the system at arbitrary points. This should no longer be possible following the update.
Users should install at least the update for Internet Explorer as soon as possible - or upgrade to Internet Explorer 7.
- Microsoft Security Bulletin Summary for December, 2006, summary from Microsoft
- Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution, bulletin from Microsoft
- Vulnerability in Windows Media Format Could Allow Remote Code Execution, bulletin from Microsoft
- Vulnerability in SNMP Could Allow Remote Code Execution, bulletin from Microsoft
- Vulnerability in Windows Could Allow Elevation of Privilege, bulletin from Microsoft
- Cumulative Security Update for Outlook Express, bulletin from Microsoft
- Vulnerability in Remote Installation Service Could Allow Remote Code Execution, bulletin from Microsoft