Re: [ActiveDir] Microsoft Security Bulletin MS06-041 Vulnerability in DNS Resolution Could Allow Remote Code Execution

[Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]]

We put WSUS on our SBS boxes (you know the ones with the kitchen sink 
service running?)  ..that's a DC ...it doesn't need a dedicated server 
to do it's job.

Windows defender is just an anti spyware program.
WMI scripting will tell you what patches are installed now.

Alex Alborzfard wrote:
Yes I'm aware of both tools. WSUS requires dedicated server and
configuration.
MBSA doesn't list installed patches, date of application, versions, etc.
It basically tells you what is missing.
I was talking about a tool that I can run from my PC, which I have used
in the past. I think you could also remove the patch or roll it back
right from the interface. For some reason I thought it was Windows
Defender, but I installed it and it doesn't have that capability.

No I'm not managing patching in our networks...well not yet anyway!
I'm just trying to raise the flags, so to speak.

Alex

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, August 11, 2006 11:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Microsoft Security Bulletin MS06-041
Vulnerability in DNS Resolution Could Allow Remote Code Execution

E-Bitz - SBS MVP the Official Blog of the SBS "Diva" : The threats and 
risk level today:
http://msmvps.com/blogs/bradley/archive/2006/08/10/107303.aspx


Alun's "Holy Crap" post:
Tales from the Crypto : How do I rate today's patches?:
http://msmvps.com/blogs/alunj/archive/2006/08/08/107097.aspx


MBSA  -http://www.microsoft.com/technet/security/tools/mbsahome.mspx

WSUS - 
http://www.microsoft.com/windowsserversystem/updateservices/default.mspx

You are managing patching in your networks now right?

Alex Alborzfard wrote:
  
Thanks John this is really helpful, though only for this
    
vulnerability.
  
Alex

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Singler
Sent: Friday, August 11, 2006 11:22 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Microsoft Security Bulletin MS06-041
Vulnerability in DNS Resolution Could Allow Remote Code Execution

For MS06-040 you can use the tool from eeye.com to ID vulnerable
machines:

http://www.eeye.com/html/resources/downloads/audits/NetApi.html

Alex Alborzfard wrote:
  
    
What about MS06-040? I've heard it's a nasty one like blaster.
DHS has already issued a recommendation to apply this patch.

I remember using a utility tool that would list all applied patches
      
on
  
    
      
a
  
    
Windows box with all kind of information.
Anyone has ever used or knows anything about it?

Alex
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan
    
      
Bradley,
  
    
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, August 08, 2006 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Microsoft Security Bulletin MS06-041
    
      
Vulnerability
  
    
in DNS Resolution Could Allow Remote Code Execution

One of 12 today...but since it's DNS related

Microsoft Security Bulletin MS06-041 Vulnerability in DNS Resolution 
Could Allow Remote Code Execution (920683):
http://www.microsoft.com/technet/security/Bulletin/MS06-041.mspx

For an attack to be successful the attacker would either have to be
      
on
  
    
      
a
  
    
subnet between the host and the DNS server or force the target host
      
to
  
    
      
  
    
make a DNS request to receive a specially crafted record response
      
from
  
    
      
  
    
an attacking server.

(and Brett...just a FYI... in my twig forest... any attacker that
      
ends
  
    
      
  
    
up on a subnet between a host and my DNS server [aka the Kitchen sink
      

  
service server] ... that attacker is dead meat and has a 2x4 aimed
      
his
  
    
      
  
    
way... one advantage of being little)

Your patch folks may be calling up you AD guys for testing passes.

Workarounds:

*Block DNS related records at network gateways*

Blocking the following DNS record types at network gateways will help
      

  
protect the affected system from attempts to exploit this
    
      
vulnerability.
  
    
*       

ATMA

*       

TXT

*       

X25
    
      
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

  
    

  

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx