__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

Vulnerability in Windows (926255)
[Microsoft Security Bulletin MS06-075]

December 13, 2006 14:00 GMT                                   Number R-077
[REVISED 21 Dec 2006]
______________________________________________________________________________
PROBLEM:       A privilege elevation vulnerability exists in the way that
               Microsoft Windows starts applications with specially crafted
               file manifests.
PLATFORM:      Tested Software and Security Update Download Locations:

               Affected Software:
               • Microsoft Windows XP Service Pack 2
               • Microsoft Windows Server 2003
               • Microsoft Windows Server 2003 for Itanium-based Systems

               Non-Affected Software:
               • Microsoft Windows 2000 Service Pack 4
               • Microsoft Windows XP Professional x64 Edition
               • Microsoft Windows Server 2003 Service Pack 1
               • Microsoft Windows Server 2003 with Service Pack 1 for
                 Itanium-based Systems
               • Microsoft Windows Server 2003 x64 Edition
               • Windows Vista

               Storage Management Appliance I, II, III
DAMAGE:        This vulnerability could allow a logged on user to take
               complete control of the system.
SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. The user must be logged on locally to
ASSESSMENT:    exploit this vulnerability.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-077.shtml
 ORIGINAL BULLETIN:  Microsoft Security Bulletin MS06-075 (926255)
                     http://www.microsoft.com/technet/security/Bulletin/MS06-075.mspx
 ADDITIONAL LINK:    Visit Hewlett-Packard's Subscription Service for:
                     HPSBST02180 SSRT061288 rev. 1
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5585
______________________________________________________________________________
REVISION HISTORY:
12/21/2006 - revised to add a link to Hewlett-Packard HPSBST02180 SSRT061288
             rev. 1 for Storage Management Appliance v2.1 Software running on
             Storage Management Appliance I, II, III.

[***** Start Microsoft Security Bulletin MS06-075 *****]

Microsoft Security Bulletin MS06-075
Vulnerability in Windows Could Allow Elevation of Privilege (926255)
Published: December 12, 2006

Version: 1.0

Summary

Who Should Read this Document: Customers who use Microsoft Windows
Impact of Vulnerability: Elevation of Privilege
Maximum Severity Rating: Important
Recommendation: Customers should apply the update at the earliest opportunity
Security Update Replacement: None.
Caveats: None.

Tested Software and Security Update Download Locations:

Affected Software:
• Microsoft Windows XP Service Pack 2
• Microsoft Windows Server 2003
• Microsoft Windows Server 2003 for Itanium-based Systems

Non-Affected Software:
• Microsoft Windows 2000 Service Pack 4
• Microsoft Windows XP Professional x64 Edition
• Microsoft Windows Server 2003 Service Pack 1
• Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems
• Microsoft Windows Server 2003 x64 Edition
• Windows Vista

The software in this list has been tested to determine whether the versions
are affected. Other versions either no longer include security update support
or may not be affected. To determine the support life cycle for your product
and version, visit the Microsoft Support Lifecycle Web site.

General Information

Executive Summary

This update resolves a privately identified vulnerability. The vulnerability
is documented in the "Vulnerability Details" section of this bulletin.

We recommend that customers apply the update at the earliest opportunity.

Severity Ratings and Vulnerability Identifiers:

Vulnerability Identifiers                               Impact of Vulnerability  Windows XP Service Pack 2  Windows Server 2003
File Manifest Corruption Vulnerability - CVE-2006-5585  Elevation of Privilege   Important                  Important

This assessment is based on the types of systems that are affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Note The severity ratings for non-x86 operating system versions map to the
x86 operating systems versions as follows:
• The Windows Server 2003 for Itanium-based Systems severity rating is the
  same as the Windows Server 2003 severity rating.

Vulnerability Details

File Manifest Corruption Vulnerability - CVE-2006-5585:

A privilege elevation vulnerability exists in the way that Microsoft Windows
starts applications with specially crafted file manifests. This vulnerability
could allow a logged on user to take complete control of the system.

Mitigating Factors for File Manifest Corruption Vulnerability - CVE-2006-5585:
• An attacker must have valid logon credentials and be able to log on locally
  to exploit this vulnerability. The vulnerability could not be exploited
  remotely or by anonymous users.

Security Update Information

Affected Software:

For information about the specific security update for your affected
software, click the appropriate link:

Windows XP
Windows Server 2003 (all versions)

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages, even
if Microsoft Corporation or its suppliers have been advised of the possibility
of such damages.
Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply.

Revisions:
• V1.0 (December 12, 2006): Bulletin published.

[***** End Microsoft Security Bulletin MS06-075 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government.
Neither the United States Government nor the University of California nor any
of their employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process disclosed, or
represents that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute or
imply its endorsement, recommendation or favoring by the United States
Government or the University of California. The views and opinions of authors
expressed herein do not necessarily state or reflect those of the United
States Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

R-067: l2tpns Buffer Overflow
R-068: Microsoft Windows Media Player
R-069: IBM Tivoli Storage Manager
R-070: BrightStor ARCserve Backup
R-071: Cisco Security Agent Management Center LDAP Administrator Authentication Bypass
R-072: Security Vulnerabilities in Solaris ld.so.1(1)
R-073: Vulnerability in SNMP (926247)
R-074: Cumulative Security Update for Internet Explorer (925454)
R-075: Vulnerability in Visual Studio 2005 (925674)
R-076: Vulnerability in Windows Media Format (923689)