[ISN] Homeland Security: Apply MS06-040 Patch

From: InfoSec News (alerts@private)
Date: Wed Aug 09 2006 - 22:29:14 PDT


http://www.eweek.com/article2/0,1895,2001412,00.asp

By Ryan Naraine
August 9, 2006

Less than 24 hours after Microsoft shipped security fixes for 23 serious 
software vulnerabilities, the U.S. government's Department of Homeland 
Security issued a firm notice to Windows users: immediately apply the 
patches in the MS06-040 bulletin.

In a somewhat unusual move, the DHS warned that the patches cover a remote 
code execution vulnerability that could be used in a network worm attack 
similar to Blaster, Slammer of Sasser.

"Windows users are encouraged to avoid delay in applying this security 
patch. Attempts to exploit vulnerabilities in operating systems routinely 
occur within 24 hours of the release of a security patch,"  the agency 
said in an public advisory.

The department warned that a successful attack could be launched remotely 
to take control of an affected system and install programs, view, change 
or delete data, and create new accounts with full user rights.

"This vulnerability could impact government systems, private industry and 
critical infrastructure, as well as individual and home users,"  the DHS 
added.

The DHS recommended that home users opt for Microsoft's Windows Update to 
automatically download and apply all the appropriate security fixes.

The MS06-040 bulletin addresses a buffer overflow in Server Service, which 
is used to provide RPC (remote procedure call) support, file print support 
and named pipe sharing over a network.

Because the flaw presents a remote, unauthenticated attack vector, an 
anonymous attacker could send specially rigged network packets over the 
Internet to launch malicious code on vulnerable systems.

A worm attack exploiting this bug would affect unpatched versions of 
Windows 2000, Windows XP (SP1 and SP2) and Windows Server 2003 (SP1 
inclusive).

The use of the built-in Internet Connection Firewall in Windows XP and 
Windows Server 2003 would help block network-based attempts to exploit the 
vulnerability.

Microsoft also recommends that TCP ports 139 and 445 be blocked at the 
firewall.

The US-CERT (U.S. Computer Emergency Readiness Team) has already warned 
that the flaw has been used in active attacks, even before Microsoft 
released the patch.

Immunity, a Miami-based security company that sells penetrating testing 
tools, on Aug. 9 released proof-of-concept exploits for MS06-040 to 
customers in its Partner Program.


_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org



This archive was generated by hypermail 2.1.3 : Wed Aug 09 2006 - 22:42:25 PDT