Security UPDATE--A Dozen Security Patches and Several Related Exploits--June 21, 2006

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.



Scalable Software


1. In Focus: A Dozen Security Patches and Several Related Exploits

2. Security News and Features

- Recent Security Vulnerabilities

- Microsoft Takes Security to the Forefront

- Will Ethereal Be Devoured by Wireshark?

- SmartLine DeviceLock Minireview

3. Security Toolkit

- Security Matters Blog


- Security Forum Featured Thread

- Instant Poll

- Share Your Security Tips

4. New and Improved

- Virtual Security Gateway


==== Sponsor: CrossTec ====

Just Released - New NetOp Remote Control v9.0

Work at blazing speeds with new NetOp Remote Control v9.0. NetOp, already one of the fastest remote control tools on the market, has gotten even faster. You won't even realize you are working remotely! With more than 40 new features, NetOp 9.0 lets you work smarter and offers a higher ROI. Complete central administration with the NetOp Security Server means that v9.0 is the most secure remote control product on the market and new Smart Card support keeps your remote technology cutting edge. Click to download the latest version of NetOp today.


==== 1. In Focus: A Dozen Security Patches and Several Related Exploits ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

As you hopefully know by now, Microsoft released a dozen security patches last week. Microsoft rated eight of the patches as critical, meaning that the related problems could be exploited without user interaction to possibly spread a worm. The remaining four patches are rated important, meaning that the related problem could be exploited to compromise sensitive information, hinder access to data, or affect availability and integrity of processing resources.

After Microsoft releases security patches, intruders often quickly release exploits that take advantage of the vulnerabilities or researchers sometimes discover that previously known security problems still exist and that the latest batch of patches left problems unfixed. This past week was no different.

Reading the Handler's Diary blog at SANS Internet Storm Center (at the URL below) last week, I learned that the day after Microsoft released its security patches, there were at least six new exploits. Fortunately, two of those exploits, which affect Microsoft Windows Media Player and RRAS, were released by a security vendor to its customers, so those weren't floating around in the wild. Another exploit, which affects TCP/IP networking, was released privately, so it wasn't in the wild either. Yet another exploit, which affects Microsoft Word, was already in the wild before the related patch was released. That leaves at least two new exploits that are in the wild, both of which affect Server Message Block (SMB) and could be used to elevate privileges or hide a running process.

These last two exploits caught my attention because installing the patch in the related Microsoft Security Bulletin MS06-030: Vulnerability in Server Message Block Could Allow Elevation of Privilege doesn't completely fix the security problems. Even with the patch installed, vulnerability remains, although to an arguably lesser extent.

Ruben Santamarta, who runs the Web site, posted a message to SecurityFocus's BugTraq mailing list (at the URL below) in which he stated in reference to MS06-030, "Microsoft has not fixed the NtClose/ZwClose DeadLock vulnerability.... I think that the Driver Developer community should be informed that using NtClose/ZwClose, the driver will be exposed to a security issue by default."

Santamarta published a document on his Web site that discusses the problem in considerable technical detail (at the URL below). If I understand correctly, Santamarta has found that a malware writer could use the still existing vulnerability to essentially hide a process. As demonstrated in one of his published exploits, even if you try to terminate the process, it will disappear but not actually stop running. This of course gives the malware writer a great way to avoid malware removal. Santamarta's proof of concept points out that Microsoft needs to fix this problem sooner rather than later.

Finally, another exploit you need to be aware of, which isn't related to Microsoft's June release of patches, is a zero-day exploit released last week that affects Microsoft Excel. At the time of this writing, no patch was available from Microsoft to correct the problem. The problem is serious in that it allows the execution of arbitrary code when someone opens an affected Excel document. Security vendors are working to provide detection of this exploit, so hopefully you'll have the protection you need by the time you read this newsletter.


==== Sponsor: Faxback ====

Maximize your VoIP environment by integrating FoIP technology to increase ROI, and streamline processes.


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Microsoft's Takes Security to the Forefront

At TechEd 2006 last week in Boston, Microsoft announced its Forefront brand and the launch of ISA Server 2006. Forefront will include solutions for clients, servers, and the network boundary. Find out what products will be included and when you can expect to see them.

Will Ethereal Be Devoured by Wireshark?

Ethereal has long been the tool of choice among countless network administrators for robust packet capturing and protocol analysis. Now the hugely popular open source tool has a new name, Wireshark, and a new sponsor to go along with it.

SmartLine DeviceLock Minireview

SmartLine's DeviceLock lets you manage device security for portable devices by assigning users access levels to network devices and interfaces, such as USB and infrared ports, wireless network adapters, and removable storage devices. Read Trisha Pendley's minireview on our Web site.


==== Resources and Events ====

Special Offer: Download any white paper from Windows IT Pro before June 30, and you could win a pair of Bose Triport Headphones. View the full selection of papers today at

Learn to differentiate between alternative solutions to disaster recovery for your Windows-based applications and how to ensure seamless recovery of your key systems whether a disaster strikes just one server or the whole site. On-demand Web seminar.

Any unscheduled downtime--especially of your Exchange systems--can quickly affect a company's bottom line. Learn essential skills for reducing downtime to minutes instead of hours.

Get all you need to know about today's most popular security protocols, including SSL-TLS, for Web-based communications.

Learn the key requirements of an effective internal network security solution and whether your approach protects you against worms, BotNets, Trojan horses, and hackers. On-demand Web seminar


==== Featured White Paper ====

Test-drive the Starter PKI program and learn how companies that need to secure multiple domains and host names can benefit.

Bonus: Whenever you download a white paper from Windows IT Pro before June 30, you'll be entered to win Bose Triport Headphones. See the full selection of papers today at


==== Hot Spot ====

How much are you spending on IT compliance? Streamline and automate the compliance life cycle with this FREE white paper, and reduce your costs today!


==== 3. Security Toolkit ====

Security Matters Blog: 100GB in My Pocket!

by Mark Joseph Edwards,

I found a super-affordable portable disk that gives me 100GB to store whatever I need, like bunches of security tools and even an alternative OS. Plus I can carry it around in my pocket.


by John Savill,

Q: Why does the Windows Server 2003 R2 File Server Resource Manager (FSRM) file screen audit report contain three entries for file screen violations?

Find the answer at

Security Forum Featured Thread: Using Administrator Account Is a Security Offense

A forum participant wonders why it's a serious security offense in some organizations for a network administrator to use the Administrator account for routine work. Join the discussion at

New Instant Poll

Is your company using Microsoft's antispyware tool, Windows Defender Beta 2, on its systems?

- Yes, it's the only antispyware tool we use

- Yes, we use it along with other antisypware programs

- No, we use another antispyware program

Go to the Security Hot Topic and submit your vote

Share Your Security Tips and Get $100

Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected] If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Announcements ====

(from Windows IT Pro and its partners)

Monthly Online Pass--only $14.95!

Includes instant online access to every article ever written in the Windows IT Security newsletter. Order now:

June Special--Save $80 off the Windows Scripting Solutions newsletter

Get endless scripting techniques and expert-reviewed code. Subscribe to Windows Scripting Solutions today and save $80:


==== 4. New and Improved ====

by Renee Munshi, [email protected]

Virtual Security Gateway

Astaro announced the general availability of Astaro Security Gateway for VMware, which lets customers run Astaro Security Gateway software on a VMware infrastructure. A new Astaro Command Center will allow for one integrated view and unified control of any number of Astaro Security Gateways for VMware and/or Astaro Security Gateway physical appliances. Suggested pricing for a sample configuration of 250 active users, 512,000 connections, and one year of maintenance is $11, 885. For more information or to download a trial copy of the software, go to

Tell Us About a Hot Product and Get a Best Buy Gift Card!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Best Buy Gift Card if we write about the product in a Windows IT Pro What's Hot column. Send your product suggestion with information about how the product has helped you to [email protected]


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.