Microsoft has published a new security advisory about a COM
object vulnerability that could pose a critical threat. In addition, the
software vendor released six security bulletins for August, three of which are
critical. The remaining three bulletins, however, still pose a threat if
you’re running affected systems.
Details
On August 18, Microsoft
published Security Advisory 906267: “A
COM Object (Msdds.dll) Could Cause Internet Explorer to Unexpectedly Exit,”
about which the company’s security team has recently received reports.
Microsoft Knowledge Base
article 906267 addresses this threat (CAN-2005-2127).
According
to silicon.com, some online sources are reporting that exploit code is available
and potentially circulating on hacker networks.
The security advisory is an early notification step. Although
it includes possible workarounds, Microsoft says it’s still
investigating the possible threat and that the company has no knowledge of
any attacks based on this potential vulnerability.
Applicability
This vulnerability could apply to all Internet Explorer
versions after 5.01 on most or all operating platforms. Although the bulletin
includes some specific versions, keep in mind that it’s a preliminary report.
Risk level – Critical
The vulnerability could pose a denial of service threat. The
security advisory includes a statement about the potential for an attacker
exploiting it to run arbitrary code, which would raise the threat rating to
critical.
Mitigating factors
Msdds.dll doesn’t ship with Windows by default. If you don’t
have the DLL on your system, you aren’t at any risk from this threat. In
addition, users would have to open a malicious Web site to initiate the attack.
However, the necessary code to modify a Web site is apparently already
available on the Web.
Fix
Microsoft is still investigating the threat and plans to
include a fix in an upcoming security bulletin. In the meantime, the software
giant has published workarounds to protect against this vulnerability. In IE,
set security zones to High and configure the browser to prompt users before
running a new ActiveX control. In addition, disable or unregister Msdds.dll on
affected systems.
Meanwhile, let’s get back to our coverage of Microsoft’s
August security bulletins. Last time, I ran through the three critical
bulletins. Now, let’s get up to speed on the three remaining threats.
MS05-040
Microsoft
Security Bulletin MS05-040, “Vulnerability in Telephony Service Could
Allow Remote Code Execution” is a newly discovered threat that someone privately
reported to the vendor (CAN-2005-0058).
Microsoft updated this bulletin to version 1.1 on August 17 to include
information about Windows 98, Windows SE, and Windows ME. I haven’t seen any
examples of exploits in the wild.
Applicability
- Windows 2000 Service Pack 4
- All versions of Windows XP (including SP2 and 64-bit editions)
- All versions of Windows Server 2003 (including Itanium editions)
- Windows 98
- Windows SE
- Windows ME
Risk level
Microsoft has rated this threat as important for Windows 2000 SP4, all versions
of Windows XP, and all versions of Windows Server 2003. For Windows 98, Windows
SE, and Windows ME, it has rated the threat as not critical.
Mitigating factors
The telephony service isn’t a particularly common tool to enable, so many
systems won’t be vulnerable. In addition, firewall best practices should
mitigate the threat.
Fix
Apply the update. As workarounds, disable telephony services in Control Panel,
block UDP ports 135, 137, 138, and 445, and block TCP ports 135, 139, 445, and
593. In addition, block unsolicited inbound traffic on all ports above 1024.
MS05-041
Microsoft
Security Bulletin MS05-041, “Vulnerability in Remote Desktop Protocol
Could Allow Denial of Service” is a newly discovered threat that someone
privately reported to the vendor (CAN-2005-1218).
No exploits have yet surfaced in the wild.
Applicability
- Windows 2000 Server SP4
- All versions of Windows XP (including SP2 and 64-bit editions)
- All versions of Windows Server 2003 (including Itanium editions)
This vulnerability doesn’t affect Windows 2000 Professional
SP4, Windows 98, Windows SE, or Windows ME.
Risk level
Microsoft has rated this vulnerability as a moderate threat for all affected systems.
Mitigating factors
None of the affected Windows versions enable RDP by default. In addition, using
firewall best practices should prevent any attack on systems that have RDP
enabled.
Fix
Apply the update. Suggested workarounds include blocking TCP port 3389 at the
enterprise firewall and disabling Terminal Services, Remote Desktop, and Remote
Assistance.
MS05-042
Microsoft
Security Bulletin MS05-042, “Vulnerabilities in Kerberos Could Allow
Denial of Service, Information Disclosure, and Spoofing,” includes two
threats: a PKINIT vulnerability (CAN-2005-1982)
and the Kerberos threat (CAN-2005-1981).
Both are newly discovered threats that researchers privately reported to the
vendor.
Applicability
- Windows 2000 Service Pack 4
- All versions of Windows XP (including SP2 and 64-bit editions)
- All versions of Windows Server 2003 (including Itanium editions)
This threat doesn’t affect Windows 98, Windows SE, or
Windows ME.
Risk level
Microsoft has rated this as a low threat for Windows 2000 Professional and Windows
XP systems. It is a moderate threat for Windows 2000 Server and Windows Server
2003 systems.
Mitigating factors
Valid logon credentials are required to exploit either component vulnerability.
Fix
Apply the update. Understand that this patch could affect some functionality.
For more information, read the entire security bulletin.
As a workaround for the Kerberos threat, block TCP and UDP port 88 at the
firewall. No known workarounds are available for the PKINIT threat.
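As an added example (not from this column or from Microsoft), the following Python audit takes a host's inbound allow rules and reports which of the firewall workarounds listed above for MS05-040, MS05-041, and MS05-042 are not in place; the rule format and the sample policy are constructed for illustration.

```python
# Added example: audit an inbound firewall policy against the workaround
# port blocks this column lists for MS05-040, MS05-041 and MS05-042.
# The rule format (proto, low_port, high_port) and SAMPLE_POLICY are
# constructed; anything not covered by an allow rule is assumed denied.

# Ports the column says to block at the firewall, per bulletin.
WORKAROUND_BLOCKS = {
    "MS05-040": {"udp": {135, 137, 138, 445}, "tcp": {135, 139, 445, 593}},
    "MS05-041": {"tcp": {3389}},
    "MS05-042": {"tcp": {88}, "udp": {88}},
}


def rule_allows(rule, proto, port):
    """True if an allow rule (proto, low, high) covers proto/port; 'any' matches both."""
    rproto, low, high = rule
    return rproto in (proto, "any") and low <= port <= high


def exposed_ports(policy):
    """Return {bulletin: [(proto, port), ...]} for workaround ports still allowed in."""
    findings = {}
    for bulletin, protos in WORKAROUND_BLOCKS.items():
        hits = [(proto, port)
                for proto, ports in protos.items()
                for port in sorted(ports)
                if any(rule_allows(r, proto, port) for r in policy)]
        if hits:
            findings[bulletin] = hits
    return findings


def high_port_allows(policy):
    """MS05-040 also advises blocking unsolicited inbound traffic above port 1024:
    return allow rules whose range reaches into that space."""
    return [r for r in policy if r[2] > 1024]


# Constructed sample inbound allow rules for a host under review.
SAMPLE_POLICY = [
    ("tcp", 80, 80),
    ("tcp", 443, 443),
    ("tcp", 3389, 3389),      # Remote Desktop still reachable (MS05-041)
    ("any", 88, 88),          # Kerberos open on both protocols (MS05-042)
    ("udp", 137, 138),        # NetBIOS name/datagram (MS05-040)
    ("tcp", 1024, 65535),     # broad high-port allow, contrary to MS05-040 advice
]

if __name__ == "__main__":
    for bulletin, hits in exposed_ports(SAMPLE_POLICY).items():
        print(bulletin, "workaround not in place for:", hits)
    print("allow rules reaching above 1024:", high_port_allows(SAMPLE_POLICY))
```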
Final word
Of course, the big news in the past week was how quickly the
mainstream media jumped on the Zotob family of
malware, which targeted a vulnerability in Windows 2000 that Microsoft patched earlier
this month. All of the reports that I’ve seen indicate that this is a
relatively minor threat. However, since several high-profile media outlets fell
victim to this worm, it is big news—at least to them.
Symantec doesn’t list any Zotob version as being worse than
a grade 3 threat. (Grade 5 is the maximum threat level.) In addition, only
Zotob.E reached that level; the other variants were only grade 1 or 2. Nevertheless,
this is a real threat to anyone who’s running an unpatched Windows 2000 system.
For more information, check out these TechRepublic resources:
- “New worms prevention and cure”
- “Microsoft offers Zotob removal tool”
- TechRepublic Real World Guide: Virus Prevention and Recovery (download)
- Virus Protection Policy (download)
I’m not making light of this threat—only the way the media
jumped on this while ignoring Esbot.A, which is certainly as dangerous and also
targets the PnP vulnerability patched in MS05-039. The most important thing to
remember is that any vulnerability that affects your system is a critical
threat—even if yours is the only one compromised.
John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.