Patch Tuesday Analysis for January 2006

MS06-001 - Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)

Microsoft reversed its original stance on releasing this patch next Tuesday and published it yesterday.  As you should already be aware, this patch addresses the highly publicized WMF vulnerability that caught Microsoft unawares due to irresponsible disclosure.  The published workaround of disabling the Windows Picture and Fax Viewer (“regsvr32 -u %windir%\system32\shimgvw.dll”) has limited effectiveness since it only blocks attack vectors that depend on the viewer, such as a *link* to a WMF file in an email or web page.  My tests indicate the workaround does not address embedded WMF files in the above.

Bottom line: load this patch on workstations and terminal services servers that deliver end-user applications.  As always, avoid browsing the web, reading email or other “user” activities while logged on interactively or via RDP to servers.  Some organizations may delay loading this patch if they have a comprehensive anti-malware strategy that scans emails, files retrieved via internal web browsers and other vectors through which infected files can arrive on workstations.  Ultimately this requires enabling the full Auto-Protect feature of Norton Antivirus and corresponding features in other AV products that enforce scanning of every file as it is opened.

MS06-002 - Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution (908519)

This is a particularly bad vulnerability for workstations and any
computers where users browse the web or read HTML email or otherwise
view HTML content from untrusted or insecure sources.  Attackers can
exploit this vulnerability by embedding a specially crafted web font
into HTML content and then waiting for, or luring, victims to view the
content.  Most organizations will want to install this patch to
workstations and terminal services servers as soon as possible or
implement a workaround in which you configure Internet Explorer to
refrain from downloading embedded web fonts.  This workaround will
affect the user experience for legitimate websites that use embedded web
fonts.

For a demonstration of the workaround and to compare how a web page with
embedded fonts looks with and without the font download enabled, follow
these steps.  First open Internet Explorer and navigate to
Tools\Internet Options\Security.  Select the Internet Zone and then
click Custom Level.  Scroll the Settings list till you find "Font
download" and select Prompt.  Click OK twice.  Now direct the browser to
http://www.microsoft.com/typography/web/embedding/default.htm and click
on the links provided such as Typographic Ornament.  IE will prompt you
to allow the font download or not.  Try it both ways for a comparison.

You can centrally configure the "Font download" setting for all
workstations in your domain using Group Policy.  Edit a group policy
object and explore User Configuration\Windows Settings\Internet Explorer
Maintenance\Security\Security Zones and Content Ratings.

MS06-003 - Vulnerability in TNEF Decoding in Microsoft Outlook and Microsoft Exchange Could Allow Remote Code Execution (902412)

This is another bad vulnerability that affects both workstations and
Exchange 5 and 2000 Servers.  (Exchange Server 2003 is not affected.)
With this vulnerability the attacker sends a specially crafted email in
rich text format which overflows a buffer and causes arbitrary code to
run in the context of the server or user depending on where the attack
occurs.  This is particularly bad since it can directly impact servers
and since it allows the attacker to take the offensive with direct,
targeted attacks instead of "bait-and-wait" attacks common to the recent
spate of graphics rendering engine attacks.  Most organizations will
want to load this patch on all systems with Office 2000, XP or 2003.
Note that there are additional patches for Multilanguage Packs and
Multilingual User Interface Packs for Office.  (See the bulletin for
more information on these packs.)

Some organizations may choose to block incoming application/ms-tnef MIME
type (aka rich text) emails as a viable workaround.  Unfortunately the
only workarounds detailed in the bulletin assume the availability of ISA
Server 2000 or 2004.  Your third-party e-mail filters may provide the
needed functionality.
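
For filters that can be scripted, the check behind this workaround looks like the following.  This is an added example, not code from the bulletin or from this analysis: the function names are hypothetical, and the alternate MIME type, the TNEF stream signature and the winmail.dat filename test are assumptions added so that mislabelled parts are also caught.

```python
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

# application/ms-tnef is the type named above; the vnd. form is an added assumption.
TNEF_MIME_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}
TNEF_SIGNATURE = struct.pack("<I", 0x223E9F78)  # first 4 bytes of a TNEF stream


def find_tnef_parts(raw_message: bytes) -> list[str]:
    """Return one reason string for every MIME part that carries TNEF data."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():  # walk() also descends into nested multiparts
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if ctype in TNEF_MIME_TYPES:
            findings.append(f"content-type {ctype}")
        elif payload.startswith(TNEF_SIGNATURE):
            # Declared type is something else, but the decoded body is TNEF.
            findings.append(f"TNEF signature in {ctype} part")
        elif filename == "winmail.dat":
            findings.append(f"winmail.dat attachment typed {ctype}")
    return findings


def should_quarantine(raw_message: bytes) -> bool:
    """Policy decision: hold any message that contains a TNEF part."""
    return bool(find_tnef_parts(raw_message))


def build_sample(ctype: str, filename: str, body: bytes) -> bytes:
    """Constructed test message with one attachment (not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    maintype, subtype = ctype.split("/")
    msg.add_attachment(body, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()
```

Matching on the decoded payload as well as the declared type matters because a filter that trusts only the Content-Type header passes a TNEF body labelled application/octet-stream.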

See the bulletin for other vectors through which Outlook and Exchange
can be attacked with this vulnerability including X.400 and NNTP.

Interestingly, and no doubt because of this discovery coinciding so
closely with the end of security patch support for pre-Exchange 2003
servers, Microsoft extended support till today for Exchange 5 and 2000
with this security update.  No one likes to be forced into rolling out a
software developer's latest upgrade, but this exploit increases the
urgency to migrate to Exchange Server 2003 since one exploit for a given
product or feature area is often followed by more in the same area.
 

| Bulletin | Exploit Types / Technologies Affected | System Types Affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products Affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|---|
| MS06-003 (902412) | Arbitrary code / Outlook, Exchange, Office | Workstations, Terminal Servers, Exchange Servers | No/No | No | Critical | Office 2000, Office XP, Office 2003, Exchange 2000, Office 2002 | This is another bad vulnerability that affects both workstations and Exchange 5 and 2000 Servers. (Exchange Server 2003 is not affected.) | Most organizations will want to load this patch on all systems with Office 2000, XP or 2003. Note that there are additional patches for Multilanguage Packs and Multilingual User Interface Packs for Office. |
| MS06-002 (908519) | Arbitrary code / Windows | Workstations, Terminal Servers | No/No | No | Critical | Win2000, XP, Server 2003, Server 2000, Datacenter Server 2000, Small Business Server 2003, Advanced Server 2000, Small Business Server 2000 | This workaround will affect the user experience for legitimate websites that use embedded web fonts. | Most organizations will want to install this patch to workstations and terminal services servers as soon as possible or implement a workaround in which you configure Internet Explorer to refrain from downloading embedded web fonts. |
| MS06-001 (912919) | Arbitrary code / Windows | Workstations, Terminal Servers | Yes/No | Yes | Critical | Win2000, XP, Server 2003, Server 2000, Datacenter Server 2000, Advanced Server 2000, Small Business Server 2000 | My tests indicate the workaround does not address embedded WMF files in the above. | Bottom line: load this patch on workstations and terminal services servers that deliver end-user applications. |
