McAfee, Inc. provides coverage for the seven security vulnerabilities that were disclosed by Microsoft Corporation on March 14. These vulnerabilities have been reviewed by McAfee AVERT Labs, and based on its findings, McAfee recommends that users confirm the Microsoft product versioning outlined in the bulletins and update as recommended by Microsoft and McAfee. This includes deploying solutions to ensure protection against the exploits outlined in this advisory.
"Based on the MS06-012 vulnerabilities announced today, McAfee believes that an exploit targeting these vulnerabilities could surface as early as this week. Additionally, exploits targeting MS06-011 are already present that allow authenticated users to escalate their privileges remotely on affected systems," said Monty Ijzerman, manager of security content for McAfee AVERT Labs. "Customers using McAfee products can identify and block potential exploits before they cause damage."
Microsoft Vulnerability Overview:
MS06-011 -- Permissive Windows Services DACLs Could Allow Elevation of Privilege
MS06-012 -- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
Scope of Potential Compromise
Today's bulletins cover a total of seven vulnerabilities-one vulnerability affecting Microsoft Windows Services and six vulnerabilities affecting Microsoft Office. If a user is logged on to vulnerable versions of Office with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of the client workstation. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights. An attacker who successfully exploited the Windows Services vulnerability would be able to elevate their privileges and could take complete control of an affected system. In both cases, the attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
With McAfee's Security Risk Management approach, customers can address business priorities and security realities. McAfee's solutions identify and block known and unknown attacks before they can cause damage.
By default, McAfee Host IPS v6.0 and McAfee Entercept protect users against code execution that may result from exploitation of the buffer overflow/overrun vulnerabilities in Microsoft Word, Microsoft Outlook, Microsoft PowerPoint and Microsoft Excel reported in MS06-012. This "out of the box" protection is provided with no need for security content updates for either product.
McAfee has released the first Vulnerability Shield package for McAfee Host IPS v6.0 customers providing specific protection against the vulnerability reported in MS06-011. This package protects against non-buffer overflow vulnerabilities and reduces the possibility of a denial-of- service as a result of buffer overflow attacks. The Vulnerability Shield package is deployed through McAfee ePolicy Orchestrator to agents, protecting systems without a reboot.
McAfee VirusScan Enterprise 8.0i and McAfee Managed VirusScan with AntiSpyware protect against attacks targeting the buffer overflow/overrun vulnerabilities in Microsoft Word, Microsoft Outlook, Microsoft PowerPoint and Microsoft Excel reported in MS06-012.
McAfee IntruShield will add protection against the vulnerability reported in MS06-11 and certain vulnerabilities reported in MS06-012. The updated signatures are included in signature sets 3.1.9, 2.1.36, 1.9.53, and 1.8.70, and will be available for download today. McAfee IntruShield sensors deployed in in-line mode can be configured with a response action to drop such packets for preventing these attacks.
McAfee Foundstone checks have been created that will detect all of these vulnerabilities and will be available in the package released.
The McAfee System Compliance Profiler, a component of McAfee ePolicy Orchestrator, is being updated for MS06-012 to quickly assess compliance levels of the Microsoft Office security patches.