Microsoft on Tuesday released seven patches, five classified as critical, for July’s Patch Tuesday event. The seven patches fix at least 10 vulnerabilities in consumer and enterprise software.
Security bulletin MS06-035 addresses a critical vulnerability in Windows Server 2003, as well as in Windows XP and Windows 2000. A security flaw in these programs could allow remote code execution.
MS06-036, another critical bulletin, covers a hole in the DHCP Client Service of both servers, as well as Windows XP and Windows 2000. This vulnerability could prevent systems from connecting to the Internet. Meanwhile, MS06-037 fixes a vulnerability that could permit attackers to send malformed Excel files that later could be executed to take control of a system.
Respond Quickly
“Enterprises should move to address two of these vulnerabilities quickly — [those covered by] MS06-035 and MS06-036 — because they impact important enterprise servers, are remote code executable and could potentially be used to facilitate the spread of a new worm,” said Amol Sarwate, manager of the vulnerability research lab at Qualys.
The other three critical updates — MS06-037, MS06-038 and MS06-039 — reflect a growing trend toward exploiting client-side vulnerabilities that prey on user inexperience to spread malicious code, Sarwate noted.
Office Flaws
These types of vulnerabilities affect applications, such as Microsoft Office, that businesses rely on every day for productivity. There are no workarounds for these types of vulnerabilities short of eliminating the use of these programs, so organizations should aim for timely patching.
“The purveyors of malicious code that aim to take advantage of these application vulnerabilities rely on end-user naivete for their success,” Sarwate pointed out. “By creating more security-aware users, organizations can eliminate an important attack vector and reduce their overall risk.”
Two of the critical patches affect Office users: MS06-038 addresses two vulnerabilities in Office 2000, Service Pack 3. The most serious flaw permits remote code execution, while the second affects Project 2000 users. MS06-039 addresses a vulnerability in the way Office handles portable network graphics and GIF files.
Microsoft also released two patches designated as “important”: MS06-033 addresses a vulnerability in ASP.NET that could allow an attacker to gain access to system information. This flaw would not allow intruders to execute remote code or raise user rights, however. MS06-034 fixes a flaw that exposes Web servers that allow users to upload new content.
Busy Summer
It’s been an active summer so far for security professionals, according to iDefense Senior Engineer Ken Dunham. Last month alone, Microsoft issued 12 security bulletins.
The past few months have been challenging for those attempting to understand, test and then implement Microsoft’s various patches into their environments, he told TechNewsWorld.
“With … the aggressive updates that we see, it’s going to make for a busy summer,” Dunham said.
If MS06-035 is really a good candidate for a worm because there
is no authentication, no user interaction needed and it can be
exploited over UDP, it’s another story for MS06-036. It would
be interesting to hear the technical explanation from Sarwate
to understand why he thinks it could be exploited by a worm.
"An attacker could exploit the vulnerability by answering a
client’s DHCP request on the local subnet with a specially
crafted DHCP response."
Let’s try to imagine I would like to create a worm based on
this MS information, assuming that I know how to exploit the
flaw:
1- What would be the impact?
–> Local subnet, it doesn’t look fun.
2- So the DHCP client makes a request to get a new IP address,
I need to send the malformed answer
–> The vulnerable client should have selected my "malicious"
server first in order to receive some answer from it. I could
flood the network with DHCPOFFER…
3- Is there a way to force the DHCP clients to renew their IP
so I could spread more quickly?
–> Clients are using leases that can be very long, so it’s not
good for a worm.
The ultimate question behind this: are you trying to scare
people, or did you publish this mistake because of a technical
lack?
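The comment above turns on an unauthorized responder answering DHCP requests on the local subnet, which defenders can watch for. The following is an added example, not part of the article or the comment: it parses DHCP reply payloads and counts OFFER/ACK messages whose server identifier (option 54) is not on an allow-list, and it counts truncated options separately. The function names, the allow-listed address and the sample packets are constructed for illustration; it assumes UDP payloads already captured by a sensor.

```python
import struct
from collections import Counter

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie (RFC 2131)
OFFER, ACK = 2, 5            # option 53 (message type) values

def parse_dhcp(payload):
    """Return (xid, msg_type, server_id) for a DHCP payload, None if not DHCP.
    Raises ValueError when an option runs past the end of the packet."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    xid = struct.unpack("!I", payload[4:8])[0]
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:                        # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("option length byte missing")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        opts[code] = value
        i += 2 + length
    mtype = opts[53][0] if len(opts.get(53, b"")) == 1 else None
    sid = ".".join(map(str, opts[54])) if len(opts.get(54, b"")) == 4 else None
    return xid, mtype, sid

def rogue_servers(payloads, allowed):
    """Count OFFER/ACK replies whose server identifier is not allow-listed.
    Malformed packets are counted under the key "malformed"."""
    hits = Counter()
    for p in payloads:
        try:
            parsed = parse_dhcp(p)
        except ValueError:
            hits["malformed"] += 1
            continue
        if parsed and parsed[1] in (OFFER, ACK) and parsed[2] not in allowed:
            hits[parsed[2]] += 1
    return dict(hits)

def build_reply(xid, mtype, server_ip):
    """Constructed sample: minimal BOOTREPLY carrying options 53 and 54."""
    hdr = struct.pack("!BBBBI", 2, 1, 6, 0, xid) + bytes(228)
    sid = bytes(int(o) for o in server_ip.split("."))
    return hdr + MAGIC + bytes([53, 1, mtype, 54, 4]) + sid + b"\xff"
```

On switched networks the same policy is normally enforced in the switch itself with DHCP snooping; a passive check like this one is useful where that is not available or as a second signal.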