Ultimate Windows Security Newsletter:

Issue #5, 07/12/05

In this issue:
- New, Free Security Service From Randy Smith
- Today's Security Updates from Microsoft
- Upcoming Public Courses
- Logparser Script: Report All Programs Executed
- Subscribe, Unsubscribe and Usage Information


New, Free Security Service from Randy Smith

Today begins Randy Franklin Smith's expert commentary on security bulletins released by Microsoft on the 2nd Tuesday of each month. Within hours of Microsoft's release I will give you my independent take on each bulletin. Rather than a mere rehash of Microsoft's bulletins, I will endeavor to provide you with an independent analysis of each month's vulnerabilities that cuts to the chase with informed observations about the risk and possible mitigating controls, as well as practical guidance for determining if your systems are at risk and for deploying work-arounds or updates. Tell me what you think.


Today's Security Updates from Microsoft

Today is "Patch Tuesday" and Microsoft released 3 security bulletins - all of them classified as critical. The one I view as most dangerous is MS05-036 - Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution (901214) (http://tinyurl.com/8ba96). All versions of Windows have this vulnerability, there are no work-arounds, it allows arbitrary code execution, and it can be exploited by any method in which the attacker can get a user to open or view an image, such as from a web page or even by previewing an email message. While this vulnerability doesn't appear to have been widely known about prior to today, Microsoft does report that there have been instances of it being exploited in recent attacks. I expect the bad guys are already hard at work building this new infection vector into the next big worm. Because of the omnipresence, fairly low prerequisites and lack of work-arounds, this is a bad one, folks. The good news is that you can install this update using any of Microsoft's update technologies, including the Microsoft Update service, Software Update Services (SUS), Windows Server Update Services (WSUS) or Systems Management Server (SMS). I've written 2 articles on SUS, WSUS's predecessor, at http://www.ultimatewindowssecurity.com/articles_sectools.html and have an article coming out on WSUS shortly. If you manage more than a few systems and aren't already using WSUS, you are falling behind. You can scan for vulnerable installations with MBSA 1.2.1 and 2.0.

It's a toss-up between the other 2 bulletins as to which is worse. MS05-037 - Vulnerability in JView Profiler Could Allow Remote Code Execution (903235) (http://tinyurl.com/7pbyx) only affects systems that have a COM object, the JView Profiler (javaprxy.dll), installed, which isn't common on servers or end-user workstations even if you have the Java virtual machine and Java applications installed. Like the other 2 bulletins released today, this one opens a way for an attacker to run arbitrary code under the authority of the user. Making the situation worse, the bad guys have known about this vulnerability for some time and Microsoft reports that attackers have been exploiting it already. JView Profiler is a debugging interface to the MS Java Virtual Machine. To determine if your systems are vulnerable you can download the Diagnostic Tool for the Microsoft VM and scan your network for the presence of javaprxy.dll. This shouldn't be a vulnerability for most email client installations, since Outlook and others default to displaying HTML emails under the Restricted Sites zone, which prevents ActiveX controls from running; however, an attacker could target users by sending an email with a link back to a malicious web page that exploits the JView Profiler. If you are concerned about systems that may be vulnerable but would like to avoid installing the update, or wish to mitigate the risk while testing the update, there are 2 work-arounds that can be easily implemented through group policy. You can either deploy a policy that sets a permission on %windir%\system32\javaprxy.dll that denies Everyone Read & Execute access, or you can create a Software Restriction policy that prevents the DLL from loading. The update for this vulnerability can be installed via Microsoft Update, SUS, WSUS and SMS. You can scan for vulnerable installations with MBSA 1.2.1 and 2.0.

The third bulletin, MS05-035 Vulnerability in Microsoft Word Could Allow Remote Code Execution (903672) (http://tinyurl.com/b2fe2), details a vulnerability in Microsoft Word 2000, Word 2002 (part of Office XP) and, for what it's worth, Microsoft Works Suite 2000-2004. The vulnerability exploits a buffer overflow in Word's font parsing logic that allows an attacker who creates a specially crafted Word document to run arbitrary code under the user's authority. There aren't any good work-arounds for mitigating this threat. Microsoft's recommendation to only open Word attachments from trusted senders doesn't take into account the problem of viruses and worms that propagate via a victim's address book. For Word 2002 (Office XP) you can deploy this update via the Microsoft Update service, WSUS and SMS, but not through SUS. You can use MBSA 2.0 to scan your network for vulnerable Word 2002 installations, but MBSA 2.0 doesn't support Word 2000. To detect vulnerable Word 2000 installations you can use MBSA 1.2.1 locally, or you can scan many systems automatically using the Office Detection Tool (ODT) and a simple script. See my article at http://www.windowsitpro.com/Article/ArticleID/46623/46623.html.

In summary, the color management vulnerability update needs to be deployed to all workstations ASAP. If you follow best practice and avoid viewing email, web pages or content from any untrusted source while logged on at a server interactively or through Terminal Services/Remote Desktop, you may choose to defer deploying this update to servers until you are satisfied it doesn't introduce any stability or compatibility problems. As for the Java and Word vulnerabilities, determine which systems, if any, are vulnerable. For systems vulnerable to the Java Profiler exploit, you can put off deploying the update by implementing one of the work-arounds. But systems with Word 2000 or Word 2002 definitely need the font parser update as soon as possible.


Upcoming Public Courses

http://www.ultimatewindowssecurity.com/register.asp

Security Log Secrets
- Cincinnati, September 15, 16
Complete Windows Security
- Atlanta, Next Week!
- San Francisco, October 24-28

Save $100 if you register 30 days in advance


Logparser Script: Report All Programs Executed

This month's log parser script analyzes occurrences of event ID 592 (A new process has been created) and produces a list of each program executed during the specified time frame and provides the total number of times each program was started. You need to enable "Audit process tracking" for success events in order to get event ID 592 in your security logs.

logparser "SELECT EXTRACT_TOKEN(Strings,1,'|') AS Program, COUNT(*) AS [Times Executed] FROM SECURITY WHERE EventID = 592 GROUP BY Program"

Here's a sample of the script's output:

Program                                                       Times Executed
------------------------------------------------------------- ----------------
C:\WINDOWS\system32\mmc.exe                                   1
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE              1
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE              1
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE                    1
C:\WINDOWS\system32\userinit.exe                              2
C:\WINDOWS\system32\notepad.exe                               1
C:\junk\Log Parser 2.2\LogParser.exe                          3
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE        1

You could easily limit the report to a time range by adding an expression to the Where clause.
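The same query re-implemented in Python over a handful of constructed Security-log records, with the time-range filter added that the text suggests for the WHERE clause. This is an added example, not code from the newsletter; the record layout (EventID, TimeGenerated and the pipe-delimited Strings field) mirrors what Log Parser exposes for the EVT input format, and the sample paths and times are made up.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records (not real log data). For event 592 the Strings
# tokens are: New Process ID|Image File Name|Creator Process ID|User Name|
# Domain|Logon ID, so token index 1 is the program, as in the Log Parser query.
# The 593 record (process exit) is included to show it is filtered out.
SAMPLE_EVENTS = [
    {"EventID": 592, "TimeGenerated": "2005-07-12 08:01:10",
     "Strings": "1234|C:\\WINDOWS\\system32\\userinit.exe|456|alice|CORP|(0x0,0x3E7)"},
    {"EventID": 592, "TimeGenerated": "2005-07-12 08:01:12",
     "Strings": "1240|C:\\WINDOWS\\system32\\notepad.exe|1234|alice|CORP|(0x0,0x3E7)"},
    {"EventID": 593, "TimeGenerated": "2005-07-12 08:05:00",
     "Strings": "1240|C:\\WINDOWS\\system32\\notepad.exe|alice|CORP|(0x0,0x3E7)"},
    {"EventID": 592, "TimeGenerated": "2005-07-12 09:30:00",
     "Strings": "1300|C:\\WINDOWS\\system32\\userinit.exe|456|bob|CORP|(0x0,0x4A1)"},
    {"EventID": 592, "TimeGenerated": "2005-07-12 17:45:00",
     "Strings": "1500|C:\\junk\\Log Parser 2.2\\LogParser.exe|1300|bob|CORP|(0x0,0x4A1)"},
]

def extract_token(strings, index, sep="|"):
    """Mirror of Log Parser's EXTRACT_TOKEN(Strings, index, sep); None if absent."""
    tokens = strings.split(sep)
    return tokens[index] if index < len(tokens) else None

def programs_executed(events, start=None, end=None):
    """Count each program started (event 592), optionally within [start, end].

    start/end are 'YYYY-MM-DD HH:MM:SS' strings, equivalent to adding a
    TimeGenerated comparison to the query's WHERE clause.
    """
    fmt = "%Y-%m-%d %H:%M:%S"
    lo = datetime.strptime(start, fmt) if start else None
    hi = datetime.strptime(end, fmt) if end else None
    counts = Counter()
    for ev in events:
        if ev["EventID"] != 592:          # WHERE EventID = 592
            continue
        when = datetime.strptime(ev["TimeGenerated"], fmt)
        if (lo and when < lo) or (hi and when > hi):
            continue
        counts[extract_token(ev["Strings"], 1)] += 1   # GROUP BY Program
    return dict(counts)

if __name__ == "__main__":
    for program, n in sorted(programs_executed(SAMPLE_EVENTS).items()):
        print(f"{program:<60} {n}")
```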

If you would like to understand the "nitty gritty" details of the security log and log parser please join us in Cincinnati on September 15 and 16. Seats are filling up. To register or for more information please email info@ultimatewindowssecurity.com or visit http://www.ultimatewindowssecurity.com/register.asp.

Regards,
Randy Franklin Smith
CISA, SSCP, Microsoft Security VIP
CEO, Monterey Technology Group, Inc.


Subscribe, Unsubscribe and Usage Information

- subscribe to this newsletter
- unsubscribe from this newsletter
- usage information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go).

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Monterey Technology Group, Inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention in any way, just email me: mailto:rsmith@montereytechgroup.com. I endeavor to respond to everyone who emails.

Thanks for reading!

