Credit:
The information has been provided by Microsoft Product Security.
The original article can be found at: http://www.microsoft.com/technet/security/Bulletin/MS06-041.mspx
Affected Software:
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
Winsock Hostname Vulnerability - CVE-2006-3440:
There is a remote code execution vulnerability in Winsock that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. For an attack to be successful the attacker would have to force the user to open a file or visit a website that is specially crafted to call the affected Winsock API.
Mitigating Factors for Winsock Hostname Vulnerability - CVE-2006-3440:
The vulnerability could be exploited by an attacker who persuaded a user to open a specially crafted file or view a specially crafted website. There is no way for an attacker to force a user to open a specially crafted file, except potentially through previewing an e-mail message.
Workarounds for Winsock Hostname Vulnerability - CVE-2006-3440:
Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
* Modify the Autodial DLL
Modifying the Autodial DLL within the Windows registry will prevent an application, specially crafted website or e-mail message from calling the affected API and exploiting the vulnerability. If the Autodial DLL registry value is not found by default in the specified location we recommend that customers create the REG_SZ value accordingly.
Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.
Note: We recommend backing up the registry before you edit it.
* Click Start, click Run, type "regedt32" (without the quotation marks), and then click OK
* In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters
* Double click the REG_SZ value AutodialDLL
* Set the data value to kernel32.dll
* Close the regedt32 utility and reboot
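The same workaround, scripted so it can be audited across many hosts, as an added example that is not part of the bulletin or of any Microsoft tooling. It assumes an elevated PowerShell session, backs the key up with reg.exe before changing anything (as the note above recommends), creates the REG_SZ value when it is absent, and only modifies the registry when run with -Apply; the function and parameter names are this example's own.

```powershell
param([switch]$Apply)

# Added example, not from the MS06-041 bulletin: audit and optionally apply the
# AutodialDLL workaround. Run elevated; a reboot is still required afterwards.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'
$ValueName = 'AutodialDLL'
$SafeValue = 'kernel32.dll'

function Get-AutodialDll {
    # Returns the current AutodialDLL data, or $null when the value does not exist.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.$ValueName
}

function Test-AutodialWorkaround {
    # True only when the value exists and already names kernel32.dll.
    $current = Get-AutodialDll
    return ($null -ne $current) -and ($current.Trim().ToLowerInvariant() -eq $SafeValue)
}

function Set-AutodialWorkaround {
    param([string]$BackupFile = (Join-Path $env:TEMP 'WinSock2-Parameters-backup.reg'))
    # Export the key before touching it, as the bulletin recommends.
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup to $BackupFile failed; $ValueName left unchanged" }

    $current = Get-AutodialDll
    if ($null -eq $current) {
        # Value absent: create it as REG_SZ, as the bulletin says to do.
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType String -Value $SafeValue | Out-Null
    } else {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $SafeValue
    }
    Write-Host "AutodialDLL was '$current', now '$SafeValue' (backup: $BackupFile). Reboot to apply."
}

if (Test-AutodialWorkaround) {
    Write-Host "Workaround already in place: $ValueName = $SafeValue"
} elseif ($Apply) {
    Set-AutodialWorkaround
} else {
    Write-Host "Workaround NOT in place (current value: '$(Get-AutodialDll)'). Re-run with -Apply to set it."
}
```

Without -Apply the script only reports, which makes it safe to run from an inventory job; the backup file path is written to the console so the change can be reverted with reg.exe import once the official update has been installed and the workaround is no longer needed.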
FAQ for Winsock Hostname Vulnerability - CVE-2006-3440:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
What causes the vulnerability?
An unchecked buffer in the Winsock API.
What is Winsock?
Windows Sockets 2 (Winsock) enables programmers to create advanced Internet, intranet, and other network-capable applications to transmit application data across the wire, independent of the network protocol being used. With Winsock, programmers are provided access to advanced Microsoft Windows networking capabilities such as multicast and Quality of Service (QOS). For more information about Winsock, please see the following MSDN Article.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
How could an attacker exploit the vulnerability?
The vulnerability could be exploited by an attacker who persuaded a user to open a specially crafted file or view a specially crafted website. There is no way for an attacker to force a user to open a specially crafted file, except potentially through previewing an e-mail message. Additionally, if an application uses the affected API it is possible that it could be exploited during regular usage scenarios that may not require user action.
What systems are primarily at risk from the vulnerability?
Servers and workstations are primarily at risk from this vulnerability.
What does the update do?
The update removes the vulnerability by modifying the way that the affected function validates the message before it passes the message to the allocated buffer.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
DNS Client Buffer Overrun Vulnerability - CVE-2006-3441:
There is a remote code execution vulnerability in the DNS Client service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.
Mitigating Factors for DNS Client Buffer Overrun Vulnerability - CVE-2006-3441:
For an attack to be successful the attacker would either have to be on a subnet between the host and the DNS server or force the target host to make a DNS request to receive a specially crafted record response from an attacking server.
Workarounds for DNS Client Buffer Overrun Vulnerability - CVE-2006-3441:
Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
* Block DNS related records at network gateways
Blocking the following DNS record types at network gateways will help protect the affected system from attempts to exploit this vulnerability.
* ATMA
* TXT
* X25
* HINFO
* ISDN
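To check whether a gateway filter for these record types actually catches them, the following added example (not from the bulletin, and not Microsoft code) parses a DNS response in wire format and reports any records whose type is on the list above. The type codes come from the standard DNS type registry (HINFO 13, TXT 16, X25 19, ISDN 20, ATMA 34); the sample response is constructed for this example, and the function names are this example's own.

```powershell
# Added example, not from the MS06-041 bulletin: flag records of the types the
# bulletin says to block at gateways. Type codes are from the DNS type registry.
$BlockedTypes = @{ 13 = 'HINFO'; 16 = 'TXT'; 19 = 'X25'; 20 = 'ISDN'; 34 = 'ATMA' }

function Skip-DnsName {
    # Advances past a (possibly compressed) DNS name at $Offset; returns the offset after it.
    param([byte[]]$Packet, [int]$Offset)
    while ($true) {
        $len = $Packet[$Offset]
        if ($len -eq 0) { return $Offset + 1 }                 # root label ends the name
        if (($len -band 0xC0) -eq 0xC0) { return $Offset + 2 } # compression pointer: 2 bytes, ends the name
        $Offset += 1 + $len                                    # ordinary label: length byte + label
    }
}

function Get-DnsRecordTypes {
    # Returns the TYPE codes of every answer, authority and additional record in a response.
    param([byte[]]$Packet)
    $qd      = ($Packet[4] -shl 8) -bor $Packet[5]
    $rrCount = (($Packet[6] -shl 8) -bor $Packet[7]) +
               (($Packet[8] -shl 8) -bor $Packet[9]) +
               (($Packet[10] -shl 8) -bor $Packet[11])
    $pos = 12                                                  # fixed 12-byte header
    for ($i = 0; $i -lt $qd; $i++) { $pos = (Skip-DnsName $Packet $pos) + 4 }  # QTYPE + QCLASS
    $types = @()
    for ($i = 0; $i -lt $rrCount; $i++) {
        $pos   = Skip-DnsName $Packet $pos
        $type  = ($Packet[$pos] -shl 8) -bor $Packet[$pos + 1]
        $rdlen = ($Packet[$pos + 8] -shl 8) -bor $Packet[$pos + 9]
        $types += $type
        $pos  += 10 + $rdlen                                   # TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) RDATA
    }
    return $types
}

function Test-BlockedDnsRecords {
    # Returns the names of blocked record types present in the response (empty when clean).
    param([byte[]]$Packet)
    $hits = Get-DnsRecordTypes $Packet |
        Where-Object { $BlockedTypes.ContainsKey([int]$_) } |
        ForEach-Object { $BlockedTypes[[int]$_] }
    return @($hits)
}

# Constructed sample response: question example.test/A, answers = one TXT record
# ("helo") and one A record (192.0.2.1), both using a compression pointer to the name.
[byte[]]$Sample = @(
    0x12,0x34, 0x81,0x80, 0,1, 0,2, 0,0, 0,0,                  # header: 1 question, 2 answers
    7,0x65,0x78,0x61,0x6D,0x70,0x6C,0x65, 4,0x74,0x65,0x73,0x74, 0, 0,1, 0,1,   # "example.test" A IN
    0xC0,0x0C, 0,16, 0,1, 0,0,0,60, 0,5, 4,0x68,0x65,0x6C,0x6F,                 # TXT "helo"
    0xC0,0x0C, 0,1,  0,1, 0,0,0,60, 0,4, 192,0,2,1                              # A 192.0.2.1
)

$found = Test-BlockedDnsRecords $Sample
if ($found.Count -gt 0) { Write-Host "Blocked record types present: $($found -join ', ')" }   # TXT
else { Write-Host "No blocked record types in response" }
```

The parser walks the question section only to find where the answers start, then reads the TYPE and RDLENGTH of each resource record without interpreting RDATA, which is all a gateway filter needs; on the sample it reports TXT and ignores the A record.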
FAQ for DNS Client Buffer Overrun Vulnerability - CVE-2006-3441:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
What causes the vulnerability?
An unchecked buffer in the DNS client layer.
What is DNS?
The Domain Name System (DNS) client service resolves and caches DNS names. The DNS client service must be running on every computer that will perform DNS name resolution. The ability to resolve DNS names is crucial for locating domain controllers in Active Directory domains. The DNS client service is also critical for locating devices identified using DNS name resolution. For more information on the DNS client service please see the following Microsoft TechNet Article.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
How could an attacker exploit the vulnerability?
An anonymous user could exploit the vulnerability by sending a specially crafted DNS communication to an affected client. For an attack to be successful the attacker would either have to be on a subnet between the host and the DNS server or force the target host to make a DNS request to receive a specially crafted record response from an attacking server.
What systems are primarily at risk from the vulnerability?
Servers and workstations are primarily at risk from this vulnerability.
What does the update do?
The update removes the vulnerability by validating the way that the DNS client handles DNS related communications.
Could the vulnerability be exploited over the Internet?
An attacker could try to exploit this vulnerability over the Internet. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information about how you can help protect your PC. End users can visit the Protect Your PC Web site. IT professionals can visit the Security Guidance Center Web site.
Would disabling the DNS client service or configuring the client to use a specific DNS server mitigate the vulnerability?
No. The vulnerability cannot be mitigated by disabling the DNS client service or configuring the use of a specific trusted DNS server.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.