Making up for lost time, Microsoft has released nine security bulletins for
October after taking the month of September off. Of the nine updates, Microsoft
has rated three as critical, four as important, and two as moderate threats.

Details

Last time, I told you what you needed to know about Microsoft’s three critical
security bulletins for October: MS05-050, MS05-051, and MS05-052. This time,
let’s look at the remaining six bulletins, classified as either important or
moderate threats. In case you’ve lost track, important is more dangerous than
moderate, so I’ll address the bulletins in that order.

MS05-046

Microsoft Security Bulletin MS05-046, “Vulnerability in the Client Service for
NetWare Could Allow Remote Code Execution,” affects users of the Client or
Gateway Service for NetWare (CAN-2005-1985). This is a remote code execution
threat, but no exploits have appeared in the wild.

Applicability
This threat applies to Windows 2000 and all later Windows OS versions that have
Client Service for NetWare (CSNW) installed (known as Gateway Service for
NetWare on Windows 2000). This includes:

  • Windows 2000 Service Pack 4
  • Windows XP SP1
  • Windows XP SP2
  • Windows Server 2003
  • Windows Server 2003 SP1

Risk level
Microsoft has rated this as an important threat for all affected systems.

Mitigating factors
While some components of CSNW are present on all affected platforms, none of
the operating systems activate this service by default. Only systems that have
CSNW fully installed and activated are vulnerable. In addition, Windows Server 2003
SP1 systems are only vulnerable if the attacker has valid logon credentials.

Fix
Install the update. Microsoft has tested and approved several workarounds.
These include:

  • Block ports TCP 139 and 445 at the firewall.
  • If not using CSNW, remove it.

MS05-047

Microsoft Security Bulletin MS05-047, “Vulnerability in Plug and Play Could
Allow Remote Code Execution and Local Elevation of Privilege,” could allow
an attacker to completely take over a vulnerable system (CAN-2005-2120).
This bulletin replaces Microsoft Security Bulletin MS05-039 on all affected
platforms.

Applicability

  • Windows 2000 SP4
  • Windows XP SP1
  • Windows XP SP2

Risk level
This is an important threat for all affected systems.

Mitigating factors
If you already applied MS05-039 to Windows 2000 systems, remote attackers can’t
exploit the vulnerability without valid logon credentials. For both versions of
Windows XP, attackers must have valid logon credentials. In addition, attackers
must have administrator privileges to exploit the vulnerability on Windows XP
SP2.

Fix
Install the update. Microsoft has tested and approved one workaround: Block
ports TCP 139 and 445 at the firewall.

MS05-048

Microsoft Security Bulletin MS05-048, “Vulnerability in the Microsoft
Collaboration Data Objects Could Allow Remote Code Execution,” is a newly
reported vulnerability (CAN-2005-1987) that could allow an attacker to take
complete control of vulnerable systems. The threat stems from an unchecked
buffer in Collaboration Data Objects, but no exploits have appeared in the wild.

Applicability

  • Windows 2000 SP4
  • All versions of Windows XP
  • All versions of Windows Server 2003
  • Exchange 2000 Server SP3

This threat does not apply to Exchange Server 5.5, Exchange
Server 2003, Exchange Server 2003 SP1, Windows 98, Windows SE, or Windows ME.

Risk level
This is an important threat for Windows 2000 SP4 and Exchange 2000 Server SP3.
It is a moderate threat for all other affected systems.

Mitigating factors
Most systems don’t have the affected components enabled by default.

Fix
Install the update. A workaround is available for some systems, but applying it
affects functionality. See the security bulletin for details.

MS05-049

Microsoft Security Bulletin MS05-049, “Vulnerabilities in Windows Shell Could
Allow Remote Code Execution,” is a newly discovered threat, and no exploits
have appeared in the wild. This bulletin addresses three separate threats:

For Windows 2000, Windows XP, and Windows Server 2003 (but not Windows Server
2003 SP1), this bulletin replaces Microsoft Security Bulletin MS05-016. This
bulletin also replaces Microsoft Security Bulletin MS05-024 for Windows 2000.

Applicability

  • Windows 2000 SP4
  • All versions of Windows XP
  • All versions of Windows Server 2003

Risk level
Some of the vulnerabilities don’t apply to all platforms or are only moderate
threats. The aggregate threat level for all platforms is important.

Mitigating factors
All three vulnerabilities require valid logon credentials. There are various other
mitigating factors, which mostly involve not visiting malicious Web sites or
opening suspicious e-mails.

Fix
Install the update. There are various workarounds tested and approved by
Microsoft. For Shell Vulnerability CAN-2005-2122, don’t open attachments with
.lnk extensions. For the other two threats, block TCP ports 139 and 445 at the
firewall.

MS05-044

Microsoft Security Bulletin MS05-044, “Vulnerability in the Windows FTP Client
Could Allow File Transfer Location Tampering,” is a relatively minor
file-tampering threat (CAN-2005-2126). This vulnerability’s only effect is to
allow an attacker to alter the destination directory for downloaded files, which
means attackers could use it in conjunction with other attacks to place files in
unprotected locations. Proof of concept is on the Web, but Microsoft says it
hasn’t received any reports of successful attacks.

Applicability

  • Windows XP SP1
  • Windows Server 2003
  • Windows Server 2003 for Itanium-based systems

Risk level
This is a moderate threat for all affected platforms.

Mitigating factors
Attackers must entice users to visit a malicious FTP site.

Fix
Install the update. As a workaround, simply don’t download files from untrusted
FTP sites.

MS05-045

Microsoft Security Bulletin MS05-045, “Vulnerability in Network Connection
Manager Could Allow Denial of Service,” is a newly reported minor threat
caused by an unchecked buffer (CAN-2005-2307). Proof of concept is on the Web,
but Microsoft says it hasn’t received any reports of successful attacks.

Applicability

  • Windows 2000 SP4
  • Windows XP SP1
  • Windows XP SP2
  • Windows Server 2003
  • Windows Server 2003 SP1

Risk level
This is a moderate threat for Windows 2000, Windows XP SP1, and Windows Server
2003. For Windows XP SP2 and Windows Server 2003 SP1, it is a low-level threat.

Mitigating factors
Attackers need valid logon credentials to exploit this vulnerability.

Fix
Install the update. Workarounds are available that involve some fairly complex
firewall settings. For more details, see the security bulletin.


Also watch for…

FrSIRT reports a critical remotely exploitable vulnerability in Snort versions
2.4.0 through 2.4.2. This is an arbitrary file execution threat.


John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.