This Patch Tuesday – Worm Worthy (non-critical vulnerabilities especially)
this patch tuesday is very disturbing. there are two critical vulnerabilities announced, both with high worm/spyware abuse probability… but what about those marked as important?
it is true the media player code execution is critical, as are the internet explorer fixes, and yet:
wmf image parsing memory corruption (ms06-004)
one note about this vulnerability: it is not the renowned 0day; it is the other one, disclosed on the funsec mailing list by hd moore this january.
windows media player plug-in for non-microsoft browsers remote code execution (ms06-006)
this vulnerability may not seem critical, as most of the world uses internet explorer. still, according to this advisory non-microsoft browsers will be vulnerable… the bad guys love exploits to use against open source browser users, who are usually pretty smug about being safe(er).
tcp/ip igmp dos (ms06-007)
in my personal opinion this is the most critical vulnerability of the bunch. it makes me remember the days of winnuke + land + teardrop when the dos packets would fly all over the net. this is a tcp/ip vulnerability which means that if you or someone upstream from you does not block igmp, you will be affected unless patched.
i am almost sure that this will not affect other systems as no other announcements have been made and microsoft is a responsible organization with these things, but tcp/ip vulnerabilities always make me sweat as pretty much every os and their sister uses the bsd tcp stack implementation.
i call a vulnerability of this type opk (one packet killer). such one packet killers are extremely dangerous to the internet infrastructure.
for a simple example scenario, check out this blog entry about router worms and international infrastructure.
web client service remote code execution (ms06-008)
this is a full-blown remote code execution. one suggestion by microsoft is to block ports 139 and 445 as a workaround. i wonder, does anyone still have these open?
understanding exact vulnerability details from microsoft bulletins is not easy, but this seems quite [network] worm “worthy”.
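the two network-level mitigations mentioned above (blocking igmp upstream for ms06-007, blocking ports 139 and 445 for ms06-008) expressed as one inbound edge-filter decision. this is an added example, not code from this post or from microsoft; the function names, the fail-closed handling of malformed headers and the choice to check both tcp and udp are assumptions.

```python
import struct

IGMP, TCP, UDP = 2, 6, 17          # IANA IP protocol numbers
BLOCKED_PORTS = {139, 445}         # ports named in the ms06-008 workaround

def edge_verdict(packet: bytes) -> str:
    """Decide 'drop' or 'pass' for one raw inbound IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop"              # not a usable IPv4 header: fail closed
    ihl = (packet[0] & 0x0F) * 4   # header length grows when ip options are present
    if ihl < 20 or len(packet) < ihl:
        return "drop"
    proto = packet[9]
    if proto == IGMP:
        return "drop"              # ms06-007: keep igmp away from unpatched hosts
    if proto in (TCP, UDP):        # the post names no transport, so check both
        frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
        if frag_offset:
            return "pass"          # later fragment: no port fields to inspect
        if len(packet) < ihl + 4:
            return "drop"          # first fragment too short to show its ports
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
        if dport in BLOCKED_PORTS:
            return "drop"
    return "pass"

def ipv4(proto: int, payload: bytes, options: bytes = b"", frag_offset: int = 0) -> bytes:
    """Build a constructed test packet (documentation addresses, checksum left 0)."""
    words = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | words, 0,
                         words * 4 + len(payload), 0, frag_offset, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + options + payload

def ports(sport: int, dport: int) -> bytes:
    """Source and destination port followed by padding, as a stand-in tcp/udp header."""
    return struct.pack("!HH", sport, dport) + b"\x00" * 16

if __name__ == "__main__":
    samples = {                    # constructed packets, not captured traffic
        "igmp with router-alert option": ipv4(IGMP, b"\x11\x64" + b"\x00" * 6, b"\x94\x04\x00\x00"),
        "tcp to 445": ipv4(TCP, ports(40000, 445)),
        "tcp to 139 behind ip options": ipv4(TCP, ports(40000, 139), b"\x01" * 4),
        "tcp to 80": ipv4(TCP, ports(40000, 80)),
    }
    for name, pkt in samples.items():
        print(f"{name}: {edge_verdict(pkt)}")
```
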
korean input method editor privileges elevation (ms06-009)
this vulnerability may be limited to korean users, but what a list of affected products/versions. i don’t envy the koreans today. to them this is the most critical of all these vulnerabilities.