Microsoft December 2005 Security updates



Sans has the tip that information on the critical Windows updates expected tomorrow from Microsoft has started to be released.

MS 05-54: Cumulative Security Update for Internet Explorer

This will hopefully patch the javascript issues…

MS 05-55: Vulnerability in Windows Kernel Could Allow Elevation of Privilege.


More later in the day I’m sure.

The Kernel Vulnerability described here is an escalation of privilige vulnerability (local only?)

The Internet Explorer update does appear to address the remote code execution (recent javascript 0-day) vulnerability. There are caveats with this update. There may be problems with the update. They will be described in this knowledge base article http://support.microsoft.com/kb/905915 (which isn’t yet up at 1:28PM EST 12/13/05).

Here’s some info from SANs… kernel vulnerability:

A vulnerability in the Asynchronous Procedure Call queue allows local users to escalate their privileges. A regular user (who has to be logged in first) could use this vulnerability to gain Administrator privileges.
Microsoft rates this vulnerability as “Important” as there is no direct remote vector to exploit this issue. However, coupled with an Internet Explorer vulnerability or similar issues, this could be used to gain Administrator privileges even if a user runs Internet Explorer as a less privileged user.
Note that remote exploit may be possible if user credentials are known.

Explorer cumulitive update:

File Download Dialog Box Manipulation Vulnerability – CAN-2005-2829

HTTPS Proxy Vulnerability- CAN-2005-2830:

COM Object Instantiation Memory Corruption Vulnerability – CAN-2005-2831:

Mismatched Document Object Model Objects Memory Corruption Vulnerability – CAN-2005-1790:

This last item addresses the javascript 0-day exploit that was exploited late November.

–update 2:18 EST–

The security fix has mentioned the fixes and details the history of the zero-day exploit. It’s also worth mentioning – he points out that this cumulitive fix also removes a component left behind by Sony’s uninstaller for the XCP software. I need to re-read….

Related Posts

Blog Traffic Exchange Related Posts
  • Microsoft October 2006 patch Tuesday The first thing I should mention is that this months update from Microsoft is the last for XP SP1 users should plan a migration path to SP2 to keep getting updates to XP. Multiple vulnerabilities this month have been patched in Office There are 4 advisories, but a total of......
  • Big Windows June update day Updates for Windows for the month of June are out today and it looks like some list! 12 updates covering 20 or more vulnerabilities. MANY of these are tagged as critical. (Critical vulnerabilities are considered remotely exploited or with little (or no) user interaction.) Sans has a good listing of......
  • Zero-day ( 0-day) Microsoft Word exploit There was some news on this last night at Incidents.org, today F-secure has some details as well on the trojan that's dropped in this circulating, exploit. It seems as though the initial attack was very targetted against a specific organization. Antivirus packages did not recognize the trojan that the exploit......
Blog Traffic Exchange Related Websites
  • Windows 7 Sales Spike to Overtake Mac OS X [/caption]Proving there is no accounting for taste Microsoft’s latest attempt at a decent operating system, Windows 7, is now running on 5% of the computers online.  The daily average of online users as measured by Internet metrics company Net Applications showed that an increase last week put Windows 7 above......
  • Microsoft Security Bulletin Summary for September 2010 - Issued: September 14, 2010 ******************************************************************** Microsoft Security Bulletin Summary for September 2010 Issued: September 14, 2010 ******************************************************************** This bulletin summary lists security bulletins released for September 2010. The full version of the Microsoft Security Bulletin Summary for September 2010 can be found at http://www.microsoft.com/technet/security/bulletin/ms10-sep.mspx. With the release of the bulletins for September 2010, this......
  • Bypass the Recycle Bin in XP I have a love hate relationship with the Recycle Bin.  When I need it, I'm glad its there, but for the most part it is just a pain in the rear.  Most people forget to empty it (don't we all hate taking out the trash?) and end up with loads......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site