Patches
Thursday 10th August, 2006 10:20 Comments: 1
Wow, there were a lot of them recently from Microsoft. I'm quite "pro" Microsoft, as someone called me recently, but I can admit when they do something wrong, and there are a lot of problems this month. Perhaps this is partly why Vista features a new SMB protocol (SMB2; the Samba people are apparently doing a good job of keeping on top of things for Linux users) and a new IP stack, as it can be easier to start again from scratch than to try to audit and/or fix bad legacy code.
Anyway, I've stolen this from Alun's blog, but it's a pretty good summary.
06-040 - install this sucker unless you block the usual RPC ports internally and externally.
06-041 - install this unless you never use DNS to external servers, or can apply the workarounds.
06-042 - install this on any machine that runs Internet Explorer. Then install it on the ones that don't yet.
06-043 - if you use OE6, install it. What the heck, it doesn't cause a restart, so (make sure you're not running OE6 right now, and then) install it anyway.
06-044 - install on any machine that runs Internet Explorer - see 06-042.
06-045 - install on any machine - don't be fooled by the "Important" rating, derived from the requirement that a user must click on an email or attachment or web page - users click on anything.
06-046 - install this. HTML Help is everywhere (thanks, Microsoft!)
06-047 - install this if you use Office, or anything that runs VBA.
06-048 - install this if you use PowerPoint.
06-049 - install this if your users are really sneaky and horrible. Do you trust your users?
06-050 - install this - it's all about protecting against users clicking on hyperlinks. See 06-049.
06-051 - install this.
I see that US-CERT have made a big thing about applying MS06-040, and Susan has mentioned it in her blog, but Microsoft's blog says:
While we were aware of very, very limited exploitation of the vulnerability addressed by MS06-040 at the time of bulletin release yesterday, we have not seen signs of widespread malicious activity so far. But, be assured that, like we always do, we've got our Emergency Response process teams watching for any possible malicious activity along with our partners in the MSRA. If we see anything, we'll respond as quickly as possible and work to provide customers with guidance and assistance. And of course, like we did with Sasser and Zotob, should a malicious attack occur, our teams are ready to assist our partners in law enforcement with their investigations.
Did you see that? They said "very, very limited exploitation". Apply it quickly, but try not to be paranoid. Until a patch can be applied, the following actions may reduce the chances of exploitation:
Block access to SMB services (139/tcp, 445/tcp) from untrusted networks such as the Internet. Most people will block these ports from the internet, especially as Microsoft have been saying for years that these ports should be blocked, but that won't stop an internal attack.
Disable anonymous SMB access. This will not prevent authenticated users from exploiting this vulnerability, and may have adverse effects in mixed-mode domains. Again, if someone attacks you internally (either on purpose or via a naive user running a virus), it won't stop the attack.
Other workarounds are available in Microsoft Security Bulletin MS06-040.
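The two workarounds above only reduce exposure at the network edge; as noted, SMB traffic between internal hosts never crosses the perimeter, so a border block does nothing for it. The following is an added example, not code from the original post or from Microsoft's bulletin: a small Python audit over constructed firewall log lines in an assumed "src -> dst:port ACTION" format. It classifies each SMB connection attempt (139/tcp, 445/tcp) by whether the source lies inside an assumed set of trusted internal networks, so a defender can see at a glance which attempts a perimeter rule can address and which ones it will never see.

```python
import ipaddress

# Assumed trusted (internal) networks for this example: the RFC 1918 ranges.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# SMB ports named in the workaround.
SMB_PORTS = {139, 445}

# Constructed sample log lines in an assumed format: "<src> -> <dst>:<port> <ACTION>".
SAMPLE_LOG = """\
203.0.113.7 -> 192.168.1.20:445 ALLOW
192.168.1.55 -> 192.168.1.20:445 ALLOW
198.51.100.3 -> 192.168.1.20:139 DROP
192.168.1.55 -> 192.168.1.20:80 ALLOW
"""


def parse_line(line):
    """Split one log line into its source, destination, port and action."""
    src, _, rest = line.split(" ", 2)          # "203.0.113.7", "->", "192.168.1.20:445 ALLOW"
    dst_with_port, action = rest.split(" ", 1)
    dst, port = dst_with_port.rsplit(":", 1)
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
        "action": action.strip(),
    }


def is_trusted(ip):
    """True if the address falls inside one of the assumed internal networks."""
    addr = ipaddress.ip_address(str(ip))
    return any(addr in net for net in TRUSTED_NETS)


def classify(entry):
    """Bucket a connection attempt by what a perimeter SMB block can do about it."""
    if entry["port"] not in SMB_PORTS:
        return "non-smb"
    if not is_trusted(entry["src"]):
        # External source: this is exactly what the perimeter rule is for.
        return "external-smb-allowed" if entry["action"] == "ALLOW" else "external-smb-blocked"
    # Internal source: a perimeter block never sees this traffic at all.
    return "internal-smb"


def audit(log_text):
    """Count log lines per classification bucket."""
    counts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        bucket = classify(parse_line(line))
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


def exposures(log_text):
    """Return the lines showing SMB reaching internal hosts from untrusted sources."""
    return [line for line in log_text.splitlines()
            if line.strip() and classify(parse_line(line)) == "external-smb-allowed"]


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
    for line in exposures(SAMPLE_LOG):
        print("perimeter gap:", line)
```

The "external-smb-allowed" bucket is the one a border firewall rule should empty; the "internal-smb" bucket is the traffic the post is warning about, which only host-level controls, patching and monitoring can cover.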
Robert - Thursday 10th August, 2006 11:55
I just noticed that an exploit's available for this through Metasploit, but it looks like it will result in a denial of service on Windows XP SP2 or Windows 2003 SP1 (which everyone should be using, otherwise they almost deserve to be compromised). A failed exploit attempt will likely result in a complete reboot on Windows 2000 (not very subtle) and the termination of all SMB-related services on Windows XP (eek).