This Patch Tuesday – Worm Worthy (non-critical vulnerabilities especially)

this patch tuesday is very disturbing. there are two critical vulnerabilities announced, both with high worm/spyware abuse probability… but what about those marked as important?

it is true the media player code execution is critical, as are the internet explorer fixes, and yet:

wmf image parsing memory corruption (ms06-004)
one note about this vulnerability: it is not the renowned wmf 0day from the end of last year; it is the other one, disclosed on the funsec mailing list by hd moore this january.

windows media player plug-in for non-microsoft browsers remote code execution (ms06-006)
this vulnerability may not seem critical, as most of the world uses internet explorer. still, according to this advisory non-microsoft browsers will be vulnerable… the bad guys love exploits to use against open source browser users, who are usually pretty smug about being safe(r).

tcp/ip igmp dos (ms06-007)
in my personal opinion this is the most critical vulnerability of the bunch. it reminds me of the days of winnuke + land + teardrop, when the dos packets would fly all over the net. this is a tcp/ip vulnerability, which means that if you or someone upstream from you does not block igmp, you will be affected unless patched.

i am almost sure this will not affect other systems, as no other announcements have been made and microsoft is a responsible organization with these things, but tcp/ip vulnerabilities always make me sweat, as pretty much every os and their sister uses the bsd tcp stack implementation.

i call a vulnerability of this type an opk (one packet killer). such one packet killers are extremely dangerous to the internet infrastructure.
for a simple example scenario, check out this blog entry about router worms and international infrastructure.

web client service remote code execution (ms06-008)
this is a full-blown remote code execution. one suggestion by microsoft is to block ports 139 and 445 as a workaround. i wonder, does anyone still have these open?
understanding exact vulnerability details from microsoft bulletins is not easy, but this seems quite [network] worm “worthy”.

korean input method editor privileges elevation (ms06-009)
this vulnerability may be limited to korean users, but what a list of affected products/versions. i don’t envy the koreans today. to them this is the most critical of all these vulnerabilities.

gadi evron,
ge@beyondsecurity.com.

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    MS06-009 is a local vulnerability — that is, it could only be abused by an attacker who was interactively logged on to the system.

    MS06-008 is also a local vulnerability — it requires an attacker to be able to log on to the system. The biggest area of concern is XP with its “Simple File Sharing” whereby all users authenticate as Guest.

    Thankfully, MS06-007 is just a DoS not some kind of exploitable buffer overflow, or we’d really be in trouble.

    I have to agree though about MS06-006 and MS06-004. Either vulnerability could potentially be used to execute arbitrary code with a minimum of user interaction. I suspect that MS06-004 being downgraded was MS’ way of squeezing out of free patches for 9x/Me. I wish they would just cut support for that kludge already and get back to being honest about severity ratings.

  • http://aviv.raffon.net Aviv Raff

    According to the iDefense advisory: “Due to unicode translations, shellcode characters are somewhat limited to character code values below 0x80”
    I think this is the reason for MS06-006 severity not being critical.

  • http://www.BeyondSecurity.com aviram

    Aviv, I would really be surprised if that’s the reason.

    Character limitation in exploit code has long since stopped being a real limitation to any experienced shell code writer, and I’m sure Microsoft knows that.

  • http://aviv.raffon.net Aviv Raff

    Well, it depends on the kind of limitation you are referring to.
    Common limitations are by size or by very specific characters (e.g. no nulls).
    In this case the limitation is very strict (only bytes less than 0x80), so exploitation might not be feasible.

  • http://aviv.raffon.net Aviv Raff

    I admit, my assumption was wrong.

  • Pingback: SecuriTeam Blogs » Windows Media Exploit: Lesson Learned Yet?