Ultimate Windows Security Newsletter:

Issue #14, 04/12/06

In this issue:
- Randy's Independent Insights on Yesterday's 5 Security Bulletins
- Upcoming courses
- New release of EventTracker
- Comments from Windows Connections 2006 spring

Yesterday afternoon Microsoft released 5 security bulletins. The first 4 of these bulletins are primarily workstation risks. I recommend deploying MS06-013 and MS06-015 as soon as possible. MS06-013 is especially urgent since the details of this exploit are public and attackers are already using it. You may consider the published workaround for MS06-014 and a workaround I developed for MS06-016 rather than deploying the updates for these 2 bulletins.

The final bulletin, MS06-017, impacts IIS servers running FrontPage Server Extensions or Sharepoint Team Services. Although Microsoft rates the severity of this bulletin as only moderate, I recommend loading this update on all affected servers as soon as possible.

Keep reading for more analysis of each bulletin.

*************************
Upcoming Classes
*************************

Security Log Secrets
- New York, May 1, 2
- Las Vegas, June 19, 20

Complete Windows Security
- London, May 22-26
- Atlanta, July 17-21

MS06-013 - Cumulative Security Update for Internet Explorer (912812)

This update contains fixes for a slew of newly discovered critical IE vulnerabilities affecting all supported versions of Windows, including eight remote code execution vulnerabilities, some of which are public and already being exploited. Most organizations will want to deploy this update to all workstations as soon as possible. Be aware that this update includes the change to ActiveX handling in IE released last month (MSKB 917425). If you need more time to prepare for the ActiveX change you can install the "compatibility patch", which delays activation of the ActiveX change until next month. Be sure to read MSKB 917425 before deciding what to do about this update, and test the update in a limited rollout first.

*******************************************************************
Do you have Microsoft Operations Manager?
Do you need to monitor the Windows Security Log?
*******************************************************************

SCMP for MOM 2005 provides comprehensive auditing and reporting services for Windows Server security. The SCMP enables detailed event collection with parameter extraction, pre-defined controls to address scenarios like administrative account membership changes, over 50 operational views, auditing tasks and comprehensive reporting services. In addition, the MP's knowledge content is integrated with Randy Franklin Smith's Security Log Encyclopedia. Leveraging the MOM 2005 infrastructure, this solution greatly improves security operations and supports regulatory auditing requirements for SOX, FISMA, GLBA and others in relation to Windows Server security.

MS06-014 - Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)

This update fixes a critical remote code execution vulnerability in Remote Data Services (RDS) that can be exploited by malicious HTML content in a web page or e-mail. Most organizations will want to deploy this update to all workstations and end-user accessible Terminal Services servers as soon as possible, or use the workaround provided in the bulletin, which disables use of the RDS.DataSpace ActiveX control by Internet Explorer. This workaround will break web-based applications that access ODBC databases directly from the client web browser. Most web-based applications perform all database access on the server in ASP, but some intranet applications, such as data access pages created with Access, use client-side scripts to access databases. If you choose the workaround, test it against all web-based applications that are important to your users.
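As an added example (not from the newsletter and not Microsoft's own workaround text), the following PowerShell does what the bulletin's workaround does under the hood: it sets the ActiveX "kill bit" for the RDS.DataSpace control so Internet Explorer refuses to instantiate it, and then checks that the bit is in effect. The CLSID is the one MS06-014 identifies for RDS.DataSpace; confirm it against the bulletin before deploying. The script assumes an elevated session, and on 64-bit Windows it also writes the Wow6432Node key that 32-bit IE reads.

```powershell
# Added example, not from the newsletter. Sets Compatibility Flags = 0x400
# (the kill bit) for the RDS.DataSpace control and verifies the result.
# Run from an elevated PowerShell session.

$RdsDataSpaceClsid = '{BD96C556-65A3-11D0-983A-00C04FC29E36}'  # per MS06-014; verify against the bulletin
$KillBit = 0x400                                                  # COMPAT_FLAG_KILL_BIT

# Registry views IE consults: the native view, plus the 32-bit view on x64 Windows.
$CompatRoots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $CompatRoots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-CompatFlags {
    # Returns the current Compatibility Flags for a CLSID, or 0 if none are set.
    param([string]$Root, [string]$Clsid)
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path -LiteralPath $key)) { return 0 }
    $item = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Set-KillBit {
    param([string]$Clsid)
    foreach ($root in $CompatRoots) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the kill bit into whatever flags already exist rather than overwriting them.
        $flags = (Get-CompatFlags -Root $root -Clsid $Clsid) -bor $KillBit
        Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $flags -Type DWord
    }
}

function Test-KillBit {
    # True only if the kill bit is present in every registry view IE may read.
    param([string]$Clsid)
    foreach ($root in $CompatRoots) {
        if (((Get-CompatFlags -Root $root -Clsid $Clsid) -band $KillBit) -ne $KillBit) { return $false }
    }
    return $true
}

Set-KillBit -Clsid $RdsDataSpaceClsid
if (Test-KillBit -Clsid $RdsDataSpaceClsid) {
    "Kill bit set for RDS.DataSpace $RdsDataSpaceClsid in: $($CompatRoots -join ', ')"
} else {
    Write-Error "Kill bit is not in effect for $RdsDataSpaceClsid"
}
```

A quick functional check after applying it is a test page that calls `new ActiveXObject("RDS.DataSpace")` from script in IE; with the kill bit set that call fails with an automation error. Then run the intranet applications the text mentions, because any data access page that scripts RDS from the client will fail the same way.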

******************************************
Benefits of Security Log Secrets
******************************************

- Finally get real ROI from your security log management solution
- Comply with SOX, HIPAA, GLBA (et al) monitoring and reporting requirements

- Establish audit trails for change control
- Detect suspicious behavior and intrusion attempts
- Enforce accountability over administrators
- Conduct better investigations and forensic analysis

www.ultimatewindowssecurity.com/sls.html

MS06-015 - Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)

This critical update addresses a remote code execution vulnerability in Windows Explorer: an attacker who gets Windows Explorer to access a rogue or compromised file server can have it execute arbitrary code under the authority of the current user.
The file server could be on the local network or on the Internet. The attacker would probably attempt this attack through a link to the rogue file server embedded in an email or web page. The workarounds and mitigating factors in this bulletin are confusing and/or incomplete, but I believe you could prevent this vulnerability from being exploited by remote file servers on the Internet by disabling the Web Client service on desktop workstations and blocking outgoing connections to TCP ports 139 and 445 at the firewall.
Disabling the Web Client disables WebDAV functionality, which is used by some Sharepoint sites. Blocking outgoing connections to TCP ports 139 and 445 only protects computers while they are behind your firewall. Most home, hot spot or other Internet-accessible networks where your laptop users may connect will not block any type of outgoing connection. Most organizations will want to take steps to protect against this exploit as soon as possible.
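As an added example (not from the newsletter), this PowerShell applies the workstation half of the mitigation described above, stopping and disabling the Web Client service, and then probes whether outbound TCP 139 and 445 actually reach an Internet host from the current network. The probe is there for the case the text warns about: a laptop on a home or hotspot network where the corporate firewall's egress block no longer applies. It assumes an elevated session; the probe host name is a placeholder, not a real service, and should be replaced with a host you control.

```powershell
# Added example, not from the newsletter. Run elevated.
# 1. Stop and disable the Web Client (WebDAV redirector) service.
# 2. Test whether outbound SMB ports are open from this network to an
#    Internet host, which is what the perimeter firewall block is meant to stop.

function Disable-WebClientService {
    # Returns the service state after the change, or 'absent' if not installed.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'absent' }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
    return (Get-Service -Name WebClient).Status
}

function Test-OutboundSmb {
    # Attempts a TCP connect to each port with a timeout; Reachable = $true means
    # nothing between this host and the target is blocking that port.
    param(
        [Parameter(Mandatory)][string]$TargetHost,
        [int[]]$Ports = @(139, 445),
        [int]$TimeoutMs = 3000
    )
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $reachable = $false
        try {
            $async = $client.BeginConnect($TargetHost, $port, $null, $null)
            $done = $async.AsyncWaitHandle.WaitOne($TimeoutMs)
            $reachable = $done -and $client.Connected
        } catch {
            $reachable = $false   # DNS failure or connection refused
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Host = $TargetHost; Port = $port; Reachable = $reachable }
    }
}

$ProbeHost = 'smb-probe.example.com'   # placeholder; use a host you control that listens on 139/445

"WebClient service state: $(Disable-WebClientService)"
Test-OutboundSmb -TargetHost $ProbeHost | ForEach-Object {
    if ($_.Reachable) {
        "WARNING: outbound TCP $($_.Port) to $($_.Host) is open from this network"
    } else {
        "Outbound TCP $($_.Port) to $($_.Host) is blocked or unanswered"
    }
}
```

Disabling the service is the part that travels with the laptop; the port block does not. If the probe reports the ports open from a network you do not control, the remaining options are a host-based outbound rule for 139 and 445 to non-private addresses or a VPN that forces that traffic back through the corporate firewall. Re-test the Sharepoint sites the text mentions after disabling the service, since WebDAV access to them depends on it.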

MS06-016 - Cumulative Security Update for Outlook Express (911567)

This important update fixes a remote code execution vulnerability in Outlook Express and should be deployed to all systems using Outlook Express. For the typical environment that uses Outlook instead, it would be preferable to simply disable Outlook Express. However, Outlook 2000 and Outlook 2002 both require Outlook Express. Outlook 2003 does not appear to share this requirement, and I have verified basic Outlook 2003 functionality after adding a Deny Everyone Full Control permission entry to c:\program files\outlook express. Most organizations will want to deploy this update, or test my workaround, as soon as possible on workstations and user-accessible Terminal Services computers.
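As an added example (not from the newsletter), this PowerShell applies the Deny Everyone Full Control entry described above to the Outlook Express folder, checks that it is present, and provides a rollback. It assumes an elevated session and the folder path given in the text; on 64-bit Windows the 32-bit program folder is under "Program Files (x86)" instead. Everyone is addressed by its well-known SID rather than by display name so the check works on non-English systems.

```powershell
# Added example, not from the newsletter. Run elevated.
# Adds a Deny Everyone Full Control ACE (inherited by subfolders and files)
# to the Outlook Express folder, verifies it, and can remove it again.

$OutlookExpressPath = 'C:\Program Files\Outlook Express'
$EveryoneSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'  # well-known SID for Everyone

function New-DenyEveryoneRule {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $EveryoneSid,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
}

function Test-DenyEveryoneAce {
    # True if an explicit Deny Full Control ACE for Everyone is on the folder.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    # Request rules keyed by SID so the comparison ignores the localized account name.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference -eq $EveryoneSid -and
            $r.AccessControlType -eq 'Deny' -and
            (($r.FileSystemRights -band $full) -eq $full)) {
            return $true
        }
    }
    return $false
}

function Add-DenyEveryoneAce {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule((New-DenyEveryoneRule))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Remove-DenyEveryoneAce {
    # Rollback. The Deny also applies to administrators, so reading or writing the
    # DACL afterwards relies on the caller owning the folder; if Get-Acl or Set-Acl
    # is refused, take ownership first (takeown /f "<path>" /r /d y) and retry.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.RemoveAccessRule((New-DenyEveryoneRule)) | Out-Null
    Set-Acl -LiteralPath $Path -AclObject $acl
}

Add-DenyEveryoneAce -Path $OutlookExpressPath
if (Test-DenyEveryoneAce -Path $OutlookExpressPath) {
    "Deny Everyone Full Control is in place on $OutlookExpressPath; now verify Outlook 2003 still works."
} else {
    Write-Error "Deny ACE not found on $OutlookExpressPath"
}
```

Because a Deny entry wins over any Allow, this also blocks administrators and the installer service from touching the folder, which is why the rollback may need ownership first and why future Outlook Express updates will fail until the entry is removed.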

MS06-017 - Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting (917627)

This is a weird vulnerability. I expect to receive clarifying information on this which I will pass on to you in a special update. For now my understanding is this: the vulnerability allows an attacker to execute arbitrary client-side script against an IIS server with FrontPage Server Extensions or Sharepoint Team Services. Microsoft rates this as a moderate risk, but for vulnerable servers I rate it critical. If you run servers with FPSE or SPTS, load this patch.

*****************************************************************
Comments from Windows Connections 2006 spring
*****************************************************************

I just got back last night from Windows Connections 2006 in Orlando where I did 3 sessions on Windows security. We had a packed house for "Leveraging the Windows Security Log for Compliance". I'm adding an expanded version of that session to my Security Log Secrets course starting in New York on May 1 and 2. This compliance-specific content provides detailed guidance on complying with specific requirements in SOX, HIPAA, GLBA and FISMA, complete with event IDs and more. There are a few seats left if you can make it.
Visit http://www.ultimatewindowssecurity.com/reg to register.

You can check out my other 2 session slides at http://www.ultimatewindowssecurity.com/winconnections2006.html

Until next time, happy patching!

 

List address: MonthlySecurityTip@ultimatewindowssecurity.com
Subscribe: MonthlySecurityTip-subscribe@ultimatewindowssecurity.com
Unsubscribe: MonthlySecurityTip-unsubscribe@ultimatewindowssecurity.com

 

