The information
provided in this site is provided "as is" without warranty
of any kind. Microsoft Corporation disclaims all warranties,
either express or implied, including the warranties of merchantability
and fitness for a particular purpose. In no event shall
Microsoft Corporation or its suppliers be liable for any
damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages,
even if Microsoft Corporation or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential
or incidental damages so the foregoing limitation may not
apply. Furthermore, this information is only listed as a
resource for such information by Whiptech. Whiptech is in
no way responsible for the use or misuse of the information
by anyone, anywhere, at any time.
Microsoft Patch Disclosure - August 2006
Vulnerability in Server Service Could Allow Remote Code Execution (921883)
Published: August 8, 2006
Microsoft Severity Rating: Critical
Description:
Last month MS06-035 addressed issues with the Server Service
and this month MS06-040 is another patch addressing different
issues in the same service. As you may remember from last month, exploitation
of the issue was difficult and not completely anonymous on
all operating systems. This time around, the vulnerability, an unchecked
buffer in the Server Service, allows for anonymous exploitation remotely.
In addition, US-CERT and Microsoft have both claimed to have observed
existing exploits for this vulnerability.
Recommendations:
While Whiptech cannot confirm or deny claims of exploits
in the wild, we have no choice but to trust them until proven
otherwise. Because of this, we recommend that users who cannot
install this patch immediately ensure that TCP ports
139 and 445 are blocked at corporate gateways. Obviously, blocking
these ports internally is not an option, as it will break
many essential services.
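One way to confirm that the gateway block covers both ports, as an added example that is not part of the original advisory: it assumes the gateway is a Linux host filtering with iptables and that the ruleset text comes from `iptables-save -t filter`. The interface names and the sample rules are constructed.

```python
import shlex

SMB_PORTS = (139, 445)  # TCP ports the advisory says to block at the gateway
HANDLED = {"-A", "-i", "-p", "-m", "--dport", "--dports", "-j", "--reject-with"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def port_set(spec):
    """Expand an iptables port spec such as '445' or '135:139,445'."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(ruleset, ext_if, chain="FORWARD"):
    """First-match verdict per SMB port for TCP traffic entering on ext_if.

    Returns (verdicts, skipped). Rules with options outside HANDLED (negation,
    -s/-d, conntrack state, ...), interface wildcards or non-terminal targets
    are not evaluated; they are returned in `skipped` for manual review.
    """
    policy, rules, skipped = "ACCEPT", [], []
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok and tok[0] == ":" + chain:
            policy = tok[1]  # chain default policy line, e.g. ':FORWARD ACCEPT [0:0]'
        elif tok[:2] == ["-A", chain]:
            opts = dict(zip(tok[0::2], tok[1::2]))
            ok = (len(tok) % 2 == 0 and set(opts) <= HANDLED
                  and opts.get("-j") in TERMINAL and "+" not in opts.get("-i", ""))
            (rules if ok else skipped).append(opts if ok else line.strip())
    verdicts = {}
    for port in SMB_PORTS:
        verdicts[port] = "policy " + policy  # used when no rule matches
        for r in rules:
            spec = r.get("--dport") or r.get("--dports")
            if (r.get("-i", ext_if) == ext_if and r.get("-p", "tcp") == "tcp"
                    and (not spec or port in port_set(spec))):
                verdicts[port] = r["-j"]
                break
    return verdicts, skipped

# Constructed sample (filter table only): 445 is dropped but 139 was forgotten.
SAMPLE = """\
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -i eth1 -j ACCEPT
"""

if __name__ == "__main__":
    print(audit(SAMPLE, ext_if="eth0"))
```

A verdict of "policy ACCEPT" or "ACCEPT" for either port means the gateway still forwards that port from the external interface; any rule listed in `skipped` that sits earlier in the chain has to be checked by hand, because it could change the result.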
Affected Software:
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
- Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
- Microsoft Windows Server 2003 x64 Edition