[NT] Microsoft Distributed Transaction Coordinator DoS (MS06-018)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Microsoft Distributed Transaction Coordinator DoS (MS06-018)
------------------------------------------------------------------------


SUMMARY

The Microsoft Distributed Transaction Coordinator is a transaction manager
which permits client applications to include several different sources of
data in one transaction and which then coordinates committing the
distributed transaction across all the servers that are enlisted in the
transaction.

Improper packet handling allows attackers to cause a DoS condition with
Microsoft MSDTC.

DETAILS

Vulnerable Systems:
* Microsoft Windows 2000 Service Pack 4
<http://www.microsoft.com/downloads/details.aspx?FamilyId=8B98F380-0E5C-4B80-9710-95E1B35AFD83> Download the update
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
Pack 2
<http://www.microsoft.com/downloads/details.aspx?FamilyId=D80B43B2-727B-46B6-82D1-F2CBD916FE32> Download the update
* Microsoft Windows Server 2003
<http://www.microsoft.com/downloads/details.aspx?FamilyId=E70515C7-8924-46DA-8573-457957EEA0D7> Download the update
* Microsoft Windows Server 2003 for Itanium-based Systems
<http://www.microsoft.com/downloads/details.aspx?FamilyId=7BD81335-79EA-46CE-8D3C-0AA91EEFFF02> Download the update

Immune Systems:
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 x64 Edition
* Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (Me)

MSDTC Invalid Memory Access Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0034>
CVE-2006-0034:
A denial of service vulnerability exists that could allow an attacker to
send a specially crafted network message to an affected system. An
attacker could cause the Microsoft Distributed Transaction Coordinator
(MSDTC) to stop responding. Note that the denial of service vulnerability
would not allow an attacker to execute code or to elevate their user
rights, but it could cause the affected system to stop accepting requests.

Mitigating Factors for MSDTC Invalid Memory Access Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0034>
CVE-2006-0034:
* This is a denial of service vulnerability. This issue would not allow
an attacker to execute code or to elevate their user rights, but it could
cause the affected service to stop accepting requests.
* If the Microsoft Distributed Transaction Coordinator stops responding
because of an attack, services that are not dependant on the Microsoft
Distributed Transaction Coordinator would continue to function normally.
The affects of an attack will not typically affect the general stability
of the system.
* For customers who require the affected component, firewall best
practices and standard default firewall configurations can help protect
networks from attacks that originate outside the enterprise perimeter.
Best practices recommend that systems that are connected to the Internet
have a minimal number of ports exposed.


Workarounds for MSDTC Invalid Memory Access Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0034>
CVE-2006-0034:
* Disable the Distributed Transaction Coordinator
Disabling the Distributed Transaction Coordinator helps protect the
affected system from attempts to exploit this vulnerability. To disable
the Distributed Transaction Coordinator, follow these steps:

1. Click Start, and then click Control Panel. Alternatively, click Start,
point to Settings, and then click Control Panel.
2. Double-click Administrative Tools.
3. Double-click Component Services.
4. Click Services.
5. Double-click Distributed Transaction Coordinator.
6. In the Startup type list, click Disabled.
7. Click Stop, and then click OK.

You can also stop and disable the Distributed Transaction Coordinator by
using the following command at the command prompt:

sc stop MSDTC & sc config MSDTC start= disabled

Impact of Workaround: If you disable the Distributed Transaction
Coordinator, you cannot use any service or application that is dependant
on the Distributed Transaction Coordinator. This could include other
applications such as SQL Server, BizTalk Server, Exchange Server, or
Message Queuing. Also, this service is required in most clustering
configurations. Therefore, we recommend this workaround only on systems
that cannot install the security update.

Use the Group Policy settings to disable the Distributed Transaction
Coordinator on all affected systems that do not require this feature.
Because the Distributed Transaction Coordinator is a possible attack
vector, disable it by using the Group Policy settings. You can disable the
startup of this service at the local, site, domain, or organizational unit
level by using Group Policy object functionality in Windows 2000 domain
environments or in Windows Server 2003 domain environments. For more
information about how to disable this service through logon scripts, see
<http://support.microsoft.com/kb/297789> Microsoft Knowledge Base Article
297789

Note You may also review the
<http://www.microsoft.com/downloads/details.aspx?FamilyID=15E83186-A2C8-4C8F-A9D0-A0201F639A56&DisplayLang=en> Windows 2000 Security Hardening Guide. This guide includes information about how to disable services.

For more information about Group Policy, visit the following Web sites:

*
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/gpfeat.mspx> Step-by-Step Guide to Understanding the Group Policy Feature Set
*
<http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/grpolwt.mspx> Windows 2000 Group Policy
*
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/default.mspx> Group Policy in Windows Server 2003

Impact of Workaround: If you disable the Distributed Transaction
Coordinator, you cannot use any service or application that is dependant
on the Distributed Transaction Coordinator. This could include other
applications such as SQL Server, BizTalk Server, Exchange Server, or
Message Queuing. Also, this service is required in most clustering
configurations. Therefore, we recommend this workaround only on systems
that cannot install the security update.

* Disable Network DTC Access

If you cannot install the security update, and you cannot disable the
Distributed Transaction Coordinator, you may want to disable Network DTC
Access. This option is only available on Windows XP and later operating
system versions. This still allows local transactions to complete, but it
helps protect from network based attacks that try to exploit this issue.
For information about how to configure Network DTC Access, visit the
following
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cossdk/html/45297f03-7ff2-41c6-99cc-66ca1cc88569.asp> Microsoft Web site. To disable Network DTC Access, follow these steps:

Warning Performing this procedure causes the affected service to start if
it was not started previously. Stop the MSDTC service on the MSDTC tab
before you close the configuration dialog boxes.

1. Click Start, and then click Control Panel. Alternatively, click Start,
point to Settings, and then click Control Panel.
2. Double-click Administrative Tools.
3. Double-Click Component Services, expand Component Services, expand
Computers, right-click My Computer and then click Properties,
4. Click the MSDTC tab, and then click Security Configuration.
5. In the Security Configuration dialog box, click to clear the Network
DTC Access check box.

Note This sets the following DWORD registry entry to 0 on non-clustering
environments. Clustering environments do not read the following registry
key. For Clustering environments, follow the steps that are listed in the
Disable the Distributed Transaction Coordinator bullet point.

HKLM\Software\Microsoft\MSDTC\Security\NetworkDtcAccess

Note You can also apply this setting to multiple systems by using Group
Policy. For more information about Group Policy, visit the following
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/gpfeat.mspx> Microsoft Web site.

6. Click OK, close the Component Services dialog box, and then close the
Administrative Tools dialog box.

Impact of Workaround: If you disable Network DTC Access, distributed
transaction could fail. This could impact other applications such as SQL
Server, BizTalk Server, or Message Queuing. Therefore, we recommend this
workaround only on systems that cannot install the security update.

Block the following at the firewall:
* All unsolicited inbound traffic on ports greater than 1024
* Any other specifically configured RPC port

These ports can be used to initiate a connection with MSDTC. Blocking them
at the firewall will help protect systems that are behind that firewall
from attempts to exploit this vulnerability. Also, make sure that you
block any other specifically-configured RPC port on the remote system. We
recommend that you block all unsolicited inbound communication from the
Internet to help prevent attacks that may use other ports. While RPC can
use UDP ports 135, 137, 138, 445, and TCP ports 135, 139, 445, and 593,
the MSDTC service is not vulnerable over those ports.

Note Other protocols, such as Sequenced Packet Exchange (SPX) or NetBEUI,
could be used to communicate with the MSDTC service. If you are using
these protocols, you should block the appropriate ports for those
protocols. For more information about IPX and SPX, visit the following
<http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prch_cnn_goue.asp> Microsoft Web site.

To help protect from network-based attempts to exploit this vulnerability,
use a personal firewall, such as the
<http://go.microsoft.com/fwlink/?LinkId=33335> Internet Connection
Firewall, which is included with Windows XP and with Windows Server 2003.

By default, the Internet Connection Firewall feature in Windows XP and in
Windows Server 2003 helps protect your Internet connection by blocking
unsolicited incoming traffic. We recommend that you block all unsolicited
incoming communication from the Internet.

To enable the Internet Connection Firewall feature by using the Network
Setup Wizard, follow these steps:
1. Click Start, and then click Control Panel.
2. In the default Category View, click Network and Internet Connections,
and then click Setup or change your home or small office network. The
Internet Connection Firewall feature is enabled when you select a
configuration in the Network Setup Wizard that indicates that your system
is connected directly to the Internet.

To configure Internet Connection Firewall manually for a connection,
follow these steps:

1. Click Start, and then click Control Panel.
2. In the default Category View, click Networking and Internet
Connections, and then click Network Connections. (Windows Sever 2003
displays this as Network Connections)
3. Right-click the connection on which you want to enable Internet
Connection Firewall, and then click Properties.
4. Click the Advanced tab.
5. Under Windows Firewall, click Settings.
6. Click On, and then click OK.
7. Click the Exceptions tab. You may need to click Settings to display
the exceptions tab.
8. Verify that MSDTC.exe is not in the list of firewall exceptions, and
then click OK.

Note If you want to enable certain programs and services to communicate
through the firewall, click Settings on the Advanced tab, and then select
the programs, the protocols, and the services that are required.

To help protect from network-based attempts to exploit this
vulnerability, enable advanced TCP/IP filtering on systems that support
this feature.

You can enable advanced TCP/IP filtering to block all unsolicited inbound
traffic. For more information about how to configure TCP/IP filtering, see
<http://support.microsoft.com/kb/309798> Microsoft Knowledge Base Article
309798.

To help protect from network-based attempts to exploit this
vulnerability, block the affected ports by using IPsec on the affected
systems.

Use Internet Protocol security (IPsec) to help protect network
communications. Detailed information about IPsec and about how to apply
filters is available in <http://support.microsoft.com/kb/313190>
Microsoft Knowledge Base Article 313190 and
<http://support.microsoft.com/kb/813878> Microsoft Knowledge Base Article
813878. RPC uses a broad range of ports, which may make it difficult to
try to secure them all by using IPsec.
<http://support.microsoft.com/kb/908472> Microsoft Knowledge Base Article
908472 documents how to restrict RPC communication to a set of fixed ports
and how to secure those ports by using IPsec.


FAQ for MSDTC Invalid Memory Access Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0034>
CVE-2006-0034:
What is the scope of the vulnerability?
A <http://go.microsoft.com/fwlink/?LinkId=21142x> denial of service
vulnerability exists that could allow an attacker to send a specially
crafted network message to an affected system. An attacker could cause the
Microsoft Distributed Transaction Coordinator (MSDTC) to stop responding.
Note that the denial of service vulnerability would not allow an attacker
to execute code or to elevate their user rights, but it could cause the
affected system to stop accepting requests.

What causes the vulnerability?
An unchecked buffer in the MSDTC service.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could cause the
affected service to stop responding.

Who could exploit the vulnerability?
Any anonymous user who could deliver a specially crafted message to the
affected system could try to exploit this vulnerability.

How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by creating a specially
crafted network message and sending the message to an affected system. The
message could then cause the affected service to stop responding.

What systems are primarily at risk from the vulnerability?
Windows 2000 based versions of the Microsoft Distributed Transaction
Coordinator are primarily at risk from this vulnerability because the
MSDTC service is enabled by default. Windows XP SP1 and Windows Server
2003 are also at risk if the service is enabled.

Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability over the
Internet. Firewall best practices and standard default firewall
configurations can help protect against attacks that originate from the
Internet. Microsoft has provided information about how you can help
protect your PC. End users can visit the
<http://go.microsoft.com/fwlink/?LinkId=21169> Protect Your PC Web site.
IT professionals can visit the
<http://go.microsoft.com/fwlink/?LinkId=21171> Security Guidance Center
Web site.

What does the update do?
The update removes the vulnerability by modifying the way that MDSTC
validates the length of a message before it passes the message to the
allocated buffer.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.

MSDTC Denial of Service Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1184>
CVE-2006-1184:
A <http://go.microsoft.com/fwlink/?LinkId=21142x> denial of service
vulnerability exists that could allow an attacker to send a specially
crafted network message to an affected system. An attacker could cause the
Microsoft Distributed Transaction Coordinator (MSDTC) to stop responding.
Note that the denial of service vulnerability would not allow an attacker
to execute code or to elevate their user rights, but it could cause the
affected system to stop accepting requests.


Mitigating Factors for MSDTC Invalid Memory Access Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1184>
CVE-2006-1184:
* This is a denial of service vulnerability. This issue would not allow
an attacker to execute code or to elevate their user rights, but it could
cause the affected services to stop accepting requests.
* If the Microsoft Distributed Transaction Coordinator stops responding
because of an attack, services that are not dependant on the Microsoft
Distributed Transaction Coordinator would continue to function normally.
* For customers who require the affected component, firewall best
practices and standard default firewall configurations can help protect
networks from attacks that originate outside the enterprise perimeter.
Best practices recommend that systems that are connected to the Internet
have a minimal number of ports exposed.


Workarounds for MSDTC Denial of Service Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1184>
CVE-2006-1184:
* Disable the Distributed Transaction Coordinator

Disabling the Distributed Transaction Coordinator helps protect the
affected system from attempts to exploit this vulnerability. To disable
the Distributed Transaction Coordinator, follow these steps:

1. Click Start, and then click Control Panel. Alternatively, click Start,
point to Settings, and then click Control Panel.
2. Double-click Administrative Tools.
3. Double-click Component Services.
4. Click Services.
5. Double-click Distributed Transaction Coordinator.
6. In the Startup type list, click Disabled.
7. Click Stop, and then click OK.

You can also stop and disable the Distributed Transaction Coordinator by
using the following command at the command prompt:

sc stop MSDTC & sc config MSDTC start= disabled

Impact of Workaround: If you disable the Distributed Transaction
Coordinator, you cannot use any service or application that is dependant
on the Distributed Transaction Coordinator. This could include other
applications such as SQL Server, BizTalk Server, Exchange Server, or
Message Queuing. Also, this service is required in most clustering
configurations. Therefore, we recommend this workaround only on systems
that cannot install the security update.

* Use the Group Policy settings to disable the Distributed Transaction
Coordinator on all affected systems that do not require this feature.
Because the Distributed Transaction Coordinator is a possible attack
vector, disable it by using the Group Policy settings. You can disable the
startup of this service at the local, site, domain, or organizational unit
level by using Group Policy object functionality in Windows 2000 domain
environments or in Windows Server 2003 domain environments. For more
information about how to disable this service through logon scripts, see
<http://support.microsoft.com/kb/297789> Microsoft Knowledge Base Article
297789

Note You may also review the
<http://www.microsoft.com/downloads/details.aspx?FamilyID=15E83186-A2C8-4C8F-A9D0-A0201F639A56&DisplayLang=en> Windows 2000 Security Hardening Guide. This guide includes information about how to disable services.

For more information about Group Policy, visit the following Web sites:
*
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/gpfeat.mspx> Step-by-Step Guide to Understanding the Group Policy Feature Set
*
<http://download.microsoft.com/download/5/2/f/52f3dbd6-2864-4d97-8792-276544ad6426/grouppolwp.doc> Windows 2000 Group Policy
*
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/default.mspx> Group Policy in Windows Server 2003

Impact of Workaround: If you disable the Distributed Transaction
Coordinator, you cannot use any service or application that is dependant
on the Distributed Transaction Coordinator. This could include other
applications such as SQL Server, BizTalk Server, Exchange Server, or
Message Queuing. Also, this service is required in most clustering
configurations. Therefore, we recommend this workaround only on systems
that cannot install the security update.

Disable Network DTC Access

If you cannot install the security update, and you cannot disable the
Distributed Transaction Coordinator, you may want to disable Network DTC
Access. This option is only available on Windows XP and later operating
system versions. This still allows local transactions to complete, but it
helps protect from network based attacks that try to exploit this issue.
For information about how to configure Network DTC Access, visit the
following
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cossdk/html/45297f03-7ff2-41c6-99cc-66ca1cc88569.asp> Microsoft Web site. To disable Network DTC Access, follow these steps:

Warning Performing this procedure causes the affected service to start if
it was not started previously. Stop the MSDTC service on the MSDTC tab
before you close the configuration dialog boxes.

1. Click Start, and then click Control Panel. Alternatively, click Start,
point to Settings, and then click Control Panel.
2. Double-click Administrative Tools.
3. Double-Click Component Services, expand Component Services, expand
Computers, right-click My Computer and then click Properties,
4. Click the MSDTC tab, and then click Security Configuration.
5. In the Security Configuration dialog box, click to clear the Network
DTC Access check box.

Note This sets the following DWORD registry entry to 0 on non-clustering
environments. Clustering environments do not read the following registry
key. For Clustering environments, follow the steps that are listed in the
Disable the Distributed Transaction Coordinator bullet point.

HKLM\Software\Microsoft\MSDTC\Security\NetworkDtcAccess

Note You can also apply this setting to multiple systems by using Group
Policy. For more information about Group Policy, visit the following
Microsoft Web site.

6. Click OK, close the Component Services dialog box, and then close the
Administrative Tools dialog box.

Impact of Workaround: If you disable Network DTC Access, distributed
transaction could fail. This could impact other applications such as SQL
Server, BizTalk Server, or Message Queuing. Therefore, we recommend this
workaround only on systems that cannot install the security update.

* Block the following at the firewall:
* All unsolicited inbound traffic on ports greater than 1024
* Any other specifically configured RPC port

These ports can be used to initiate a connection with MSDTC. Blocking them
at the firewall will help protect systems that are behind that firewall
from attempts to exploit this vulnerability. Also, make sure that you
block any other specifically-configured RPC port on the remote system. We
recommend that you block all unsolicited inbound communication from the
Internet to help prevent attacks that may use other ports. While RPC can
use UDP ports 135, 137, 138, 445, and TCP ports 135, 139, 445, and 593,
the MSDTC service is not vulnerable over those ports.

Note Other protocols, such as Sequenced Packet Exchange (SPX) or NetBEUI,
could be used to communicate with the MSDTC service. If you are using
these protocols, you should block the appropriate ports for those
protocols. For more information about IPX and SPX, visit the following
<http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prch_cnn_goue.asp> Microsoft Web site.

* To help protect from network-based attempts to exploit this
vulnerability, use a personal firewall, such as the Internet Connection
Firewall, which is included with Windows XP and with Windows Server 2003.

By default, the Internet Connection Firewall feature in Windows XP and in
Windows Server 2003 helps protect your Internet connection by blocking
unsolicited incoming traffic. We recommend that you block all unsolicited
incoming communication from the Internet.

To enable the Internet Connection Firewall feature by using the Network
Setup Wizard, follow these steps:
1. Click Start, and then click Control Panel.
2. In the default Category View, click Network and Internet Connections,
and then click Setup or change your home or small office network. The
Internet Connection Firewall feature is enabled when you select a
configuration in the Network Setup Wizard that indicates that your system
is connected directly to the Internet.

To configure Internet Connection Firewall manually for a connection,
follow these steps:

1. Click Start, and then click Control Panel.
2. In the default Category View, click Networking and Internet
Connections, and then click Network Connections. (Windows Sever 2003
displays this as Network Connections)
3. Right-click the connection on which you want to enable Internet
Connection Firewall, and then click Properties.
4. Click the Advanced tab.
5. Under Windows Firewall, click Settings.
6. Click On, and then click OK.
7. Click the Exceptions tab. You may need to click Settings to display
the exceptions tab.
8. Verify that MSDTC.exe is not in the list of firewall exceptions, and
then click OK.

Note If you want to enable certain programs and services to communicate
through the firewall, click Settings on the Advanced tab, and then select
the programs, the protocols, and the services that are required.

To help protect from network-based attempts to exploit this vulnerability,
enable advanced TCP/IP filtering on systems that support this feature.

You can enable advanced TCP/IP filtering to block all unsolicited inbound
traffic. For more information about how to configure TCP/IP filtering, see
<http://support.microsoft.com/kb/309798> Microsoft Knowledge Base Article
309798.

To help protect from network-based attempts to exploit this vulnerability,
block the affected ports by using IPsec on the affected systems.

Use Internet Protocol security (IPsec) to help protect network
communications. Detailed information about IPsec and about how to apply
filters is available in <http://support.microsoft.com/kb/313190>
Microsoft Knowledge Base Article 313190 and
<http://support.microsoft.com/kb/813878> Microsoft Knowledge Base Article
813878. RPC uses a broad range of ports, which may make it difficult to
try to secure them all by using IPsec.
<http://support.microsoft.com/kb/908472> Microsoft Knowledge Base Article
908472 documents how to restrict RPC communication to a set of fixed ports
and how to secure those ports by using IPsec.

FAQ for MSDTC Denial of Service Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1184>
CVE-2006-1184:
What is the scope of the vulnerability?
A denial of service vulnerability exists that could allow an attacker to
send a specially crafted network message to an affected system. An
attacker could cause the Distributed Transaction Coordinator to stop
responding. Note that the denial of service vulnerability would not allow
an attacker to execute code or to elevate their user rights, but it could
cause the affected system to stop accepting requests.

What causes the vulnerability?
An unchecked buffer in the MSDTC service.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could cause the
affected service to stop responding.

Who could exploit the vulnerability?
Any anonymous user who could deliver a specially crafted message to the
affected system could try to exploit this vulnerability.

How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by creating a specially
crafted network message and sending the message to an affected system. The
message could then cause the affected service to stop responding.

What systems are primarily at risk from the vulnerability?
Windows 2000 based versions of the Microsoft Distributed Transaction
Coordinator are primarily at risk from this vulnerability because the
MSDTC service is enabled by default. Windows XP SP1 and Windows Server
2003 are also at risk if the service is enabled.

Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability over the
Internet. Firewall best practices and standard default firewall
configurations can help protect against attacks that originate from the
Internet. Microsoft has provided information about how you can help
protect your PC. End users can visit the
<http://go.microsoft.com/fwlink/?LinkId=21169> Protect Your PC Web site.
IT professionals can visit the
<http://go.microsoft.com/fwlink/?LinkId=21171> Security Guidance Center
Web site.

What does the update do?
The update removes the vulnerability by modifying the way that MDSTC
validates the length of a message before it passes the message to the
allocated buffer.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.


ADDITIONAL INFORMATION

The information has been provided by Microsoft Security.
The original article can be found at:
<http://www.microsoft.com/technet/security/Bulletin/MS06-018.mspx>
http://www.microsoft.com/technet/security/Bulletin/MS06-018.mspx



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages