December Information Security Bulletin Dec.ppt
December Information Security Bulletin
Dec 14, 2006
Richard Chen 陳政鋒 (Net+, Sec+, MCSE2003+Security, CISSP)
Senior Technical Support Engineer
Microsoft Taiwan Technical Support

Questions and Answers
- Submit text questions using the "Ask a Question" button

What We Will Cover
- Recap Nov. releases known issues
- Review Dec. releases
- Other security resources
  - Prepare for new WSUSSCAN.CAB architecture
  - IE 7 over AU
  - Lifecycle Information
  - Windows Malicious Software Removal Tool
- Resources
- Questions and answers

Recap Nov. Known issues and
- MS06-066 Netware
  - Offered even when CSNW is not installed: normal proactive patching
- MS06-067 IE patch
  - 3rd-party application compatibility issue, see KB922760
- MS06-069 Adobe Flash Player
  - Re-offering; install the latest Flash Player to solve the issue
- MS06-070 Workstation service
  - Worm vulnerability, install the patch immediately
- MS06-071 MSXML
  - WSUS category/description error, fixing now.
  - MSXML4 install failure, see KB927978

Dec 2006 Security Bulletins Summary
On Dec 13:
- 7 New Security Bulletins
  - 5 Windows (1 critical, 4 important)
  - 1 Visual Studio (critical)
  - 1 Media Player (critical)
- 1 re-release MS06-059 (critical)
- 5 High-priority non-security updates

November 2006 Security Bulletins Overview

Bulletin Number | Title | Maximum Severity Rating | Products Affected
MS06-072 | Cumulative Security Update for Internet Explorer (925454) | Critical | Internet Explorer 5.01 & 6
MS06-073 | Vulnerability Visual Studio 2005 Could Allow Remote Code Execution (925674) | Critical | Visual Studio 2005
MS06-074 | Vulnerability in SNMP Could Allow Remote Code Execution (926247) | Important | Windows 2000, XP, 2003
MS06-075 | Vulnerability in Windows Could Allow Elevation of Privilege (926255) | Important | Windows XP, 2003
MS06-076 | Cumulative Security Update for Outlook Express (923694) | Important | Outlook Express on Windows 2000, XP, 2003
MS06-077 | Vulnerability in Remote Installation Service Could Allow Remote Code Execution (926121) | Important | Windows 2000
MS06-078 | Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689) | Critical | Windows Media Format 7.1 9.5 and Windows Media Player 6.4 on Windows 2000, XP, 2003

December 2006 Security Bulletins Severity Summary

Bulletin Number | Windows 2000 SP4 | Windows XP SP2 | Windows Server 2003 | Windows Server 2003 SP1
MS06-072 | Critical | Critical | Moderate | Critical
MS06-074 | Important | Important | Important | Important
MS06-075 | Not Affected | Important | Important | Not Affected
MS06-077 | Important | Not Affected | Not Affected | Not Affected

Bulletin Number | Visual Studio 2005
MS06-073 | Critical

Bulletin Number | Windows Media Player 6.4 | Windows 2000 SP4 | Windows XP SP2 | Windows Server 2003 & SP1
MS06-078 | Critical | Critical | Critical | Critical

Bulletin Number | Outlook Express 5.5 | Outlook Express 6 | Windows Vista
MS06-076 | Important | Important | Not Affected

MS06-072: Internet Explorer - Critical

Title & KB Article:
  Cumulative Security Update for Internet Explorer (925454)
Affected Software:
- IE 5.01 SP4 on Windows 2000 SP4
- IE 6 SP1 on Windows 2000 SP4
- IE 6 for Windows XP SP2
- IE 6 for Windows Server 2003 RTM and SP1
- IE 6 for Windows Server 2003 RTM ia64 and SP1 ia64
- IE 6 for Windows Server 2003 x64
- IE 6 for Windows XP Pro x64
Replaced Updates:
  MS06-067 and all previous Cumulative Security Updates for Internet Explorer
Vulnerabilities:
- CVE-2006-5577 - TIF Folder Information Disclosure Vuln
- CVE-2006-5578 - TIF Folder Information Disclosure Vuln
- CVE-2006-5579 - Script Error Handling Memory Corruption Vuln
- CVE-2006-5581 - DHTML Script Function Memory Corruption Vuln
Publicly Disclosed: No
Known Exploits: No

MS06-072: Internet Explorer - Critical

Issue Summary:
  Two "Remote Code Exploit" vulnerabilities and two "Information Disclosure" vulnerabilities exist in IE that could allow an attacker to run arbitrary code.
Fix Description:
  The fix modifies the handling of DHTML script function calls and script error exceptions. It also restricts OBJECT tags from exposing sensitive paths to scripts and access to cached content in the TIF folder.
Attack Vectors:
- Malicious Web Page
- Malicious Email
Mitigations:
- A user would have to be persuaded to visit a malicious Web site
- Exploitation only allows the privilege level of the logged on user
- By default, IE on Windows 2003 runs in a restricted mode
- Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone
- Internet Explorer 7 is not affected
Workaround:
- Disable "Drag and Drop or copy and paste files"
- Disable Active Scripting or set to "Prompt"
- Set IE security to High for Internet and Intranet zones
- Open HTML e-mail messages in the Restricted sites zone, apply update 235309 for Outlook 2000
Restart Requirement: NO
Installation and Removal:
- Add/Remove Programs
- Command line uninstall option
- Scriptable Deployment
More Information: http:/

MS06-073: WMI Object Broker - Critical

Title & KB Article:
  Vulnerability Visual Studio 2005 Could Allow Remote Code Execution (925674)
Affected Software:
  Microsoft Visual Studio 2005
Replaced Updates: NONE
Vulnerabilities:
  WMI Object Broker Vulnerability - CVE-2006-4704:
  A remote code execution vulnerability exists in the WMI Object Broker control that the WMI Wizard uses in Visual Studio 2005. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Publicly Disclosed: Yes
Known Exploits?: Yes. CVE-2006-4704.

MS06-073: WMI Object Broker - Critical

Issue Summary:
  This update resolves a public vulnerability.
  An attacker who has successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  If a user is logged on with administrative user rights, an attacker who has successfully exploited this vulnerability could take complete control of an affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Fix Description:
  The update removes the vulnerability by modifying the way that the WMI Object Broker instantiates other controls.
Attack Vectors:
- Malicious Web Page
- Emails with Malicious Components

MS06-073: WMI Object Broker - Critical

Mitigations:
- A user would have to be persuaded to visit a malicious Web site
- This ActiveX control is not in the default allow-list for ActiveX controls in Internet Explorer 7. Only customers who have explicitly approved this control by using the ActiveX Opt-in Feature are at risk to attempts to exploit this vulnerability.
- Exploitation only allows the same privileges as the logged on user
- The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing Active Scripting/ActiveX controls from being used when reading HTML e-mail.
- The vulnerability could not be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message or must click on a link within an e-mail.
- By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration.
Workaround:
- Disable attempts to instantiate the WMI Object Broker control within Internet Explorer (see Microsoft Knowledge Base Article 240797).
- Configure Internet Explorer to prompt before running ActiveX Controls or disable ActiveX Controls in the Internet and Local intranet security zone
- Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones
- For Outlook 2000, install Outlook E-mail Security Update so that Outlook 2000 opens HTML e-mail messages in the Restricted sites zone.
- For Outlook Express 5.5 Service Pack 2, install Microsoft Security Bulletin MS04-018 so that Outlook Express 5.5 opens HTML e-mail messages in the Restricted sites zone.

MS06-073: WMI Object Broker - Critical

Restart Requirement:
  This update does not require a restart unless the required services cannot be stopped by the installer.
Installation and Removal:
- Add/Remove Programs
- Command line install/uninstall option
- Scriptable Deployment
More Information: http:/

Title & KB Article:
  Vulnerability in SNMP Could Allow Remote Code Execution(