Recently in Microsoft Category

The exploit for the Internet Explorer 6 and 7 vulnerability announced yesterday (KB981374) is public now. Late yesterday, Moshe Ben Abu published a Metasploit Module for the exploit after tracking down the exploit to a webpage.

Contrary to what we expected last week, the Microsoft March Security announcements hold a little surprise.

The standard bulletins cover Windows Movie Maker/Producer and Office:
  • MS10-016 - possible code execution in Windows Movie Maker - ranked important: an attacker can send a malicious file to the target. When the file gets opened, remote code execution is possible. The exploitability index is high, meaning that the file format vulnerability is relatively easy to exploit. Windows XP and Vista ship with vulnerable versions. While Windows 7 does not ship with a vulnerable version, a user could have downloaded and installed the 2.6 version, which is affected. The bulletin does not provide a patch for the also affected Windows Producer, a little-used multimedia add-on to PowerPoint.
  • MS10-017 - possible code execution in Microsoft Excel - ranked important as well. This bulletin covers 7 vulnerabilities, all of them file format based. All versions of Office are affected, including Mac Office 2004 and 2008. An attacker needs to trick the target into opening a specially crafted Excel document, which will allow the attacker to take control of the target system. Exploitability is high for the majority of the vulnerabilities listed, so we suggest putting this patch on a fast installation schedule. Attack vectors also include the Excel Viewer and SharePoint Server.
But Microsoft also released advisory KB981374 which describes a 0-day vulnerability reported to Microsoft only recently. At the moment only a limited number of targeted attacks have been reported. Internet Explorer 8 is not vulnerable, another good reason to update to this latest version of IE. There are not a lot of details available on the vulnerability, but for IE6/7 workarounds apply and are detailed in the advisory.

No major updates on advisory KB981169, also for Internet Explorer, which requires the target to press F1 to launch the attack and can best be avoided by user education.

After the massive February update Microsoft will only release 2 bulletins next week. Both are rated as "important," a medium criticality rating for Microsoft. The first bulletin is for the Windows Operating System and affects only the desktop platforms XP, Vista and Windows 7. The second bulletin is for Microsoft Office and applies to all versions on Windows (Office XP, 2003 and 2007) and Mac OS X (Office 2004 and 2008), plus SharePoint and the Excel Viewer.

The lower criticality ratings allow IT admins more time to address these March bulletins. It is likely that the Office vulnerabilities should be handled first, as file format vulnerabilities in general have been on the rise in the last year and end users frequently trust and open Office format files such as Excel documents due to their business-oriented, serious nature.

Earlier this week Microsoft issued advisory KB981169 for a clever attack through Internet Explorer. It requires the end user to press F1 in a pop-up box, so the main defense is to make your users aware of the existence of the flaw and instruct them to get in touch with IT should this happen.

Stay tuned for our detailed analysis on next Tuesday.

Microsoft's February 2010 Patch Tuesday was slated to be the biggest release of Microsoft fixes in the last two years - 14 bulletins addressing 34 vulnerabilities. But the Google/CN Internet Explorer 0-day forced Microsoft to accelerate the testing of the planned IE bulletin and release it early, still in January. That leaves 13 bulletins covering 26 vulnerabilities for the February release, which still constitutes one of the bigger Patch Tuesdays.

There are 5 critical vulnerabilities for the Windows Operating System family - the newer versions Windows 7 and Windows 2008 R2 are only affected by 3 of them. Rewrites of the TCP/IP stack and the URI handling in Windows 7 and 2008/R2 improved on the implementation of these core OS capabilities.

Overall highest on our list for patching are MS10-006 SMB client and MS10-013 DirectShow, which affect all versions of Windows and have a low exploitability index. Next are MS10-007 Shell URL handling, which is critical for Windows 2000, XP and 2003 and MS10-008, an update to the ActiveX Killbit settings, applicable to all platforms.

MS10-012 is a bulletin for SMB that server administrators should focus on. It allows a malicious, unauthenticated party to launch a remote denial of service attack. In addition, remote authenticated clients can execute code using another flaw addressed in the bulletin.

MS10-010 addresses an interesting vulnerability - it is in the hypervisor of Windows 2008. This virtualization vulnerability allows a guest operating system to crash the host operating system, affecting all virtual machines running on the same physical host. Virtualization is increasingly used in corporate IT environments and in cloud computing initiatives and we see this class of vulnerability gaining importance.

Microsoft Office has 2 bulletins, both rated as important. While the newest version of Office for Windows, Office 2007, is not affected, users of all other versions, including on Mac OS X, should update as quickly as possible because file-based vulnerabilities have been a favorite of attackers in the last year.

Microsoft released today the patch for the critical Internet Explorer 0-day flaw that has been widely covered by us and the security community in general. MS10-002 fixes a total of 8 vulnerabilities, including the 0-day which is identified as CVE-2010-0249 and is attributed to Meron Sellem from BugSec.

In the MSRC blog post announcing the release, Microsoft gives some insight into how they were able to turn around this patch in record time. Meron had reported the vulnerability in late August of 2009 and Microsoft had confirmed it in early September. By the time of public disclosure of the attacks against Google and others, the fix was in essence ready and tested. It was slated for release in the February Patch bulletin. Microsoft had to decide whether an out-of-band release of the patch was warranted or whether to bundle it into the February release as originally planned. An out-of-band release causes additional work for IT administrators who are tasked with addressing operating system vulnerabilities and have been feeling the strain of keeping up to date the growing number of software packages that attackers are increasingly targeting.

Nevertheless, given that exploits are available and that security researchers have shown that DEP as a defense can be circumvented, we recommend applying this update as soon as possible.
Microsoft starts 2010 slowly - a single bulletin containing one vulnerability in the Embedded OpenType Font (EOT) engine. Due to the memory model in Windows 2000 the vulnerability is critical on that version of the Windows Operating System; all others receive a low severity rating. The flaw can be exploited through any OpenType-enabled application such as Internet Explorer, PowerPoint, Word, etc., by viewing a webpage or a document. Users of Windows 2000 should upgrade as quickly as possible.

There are 2 significant releases from other vendors today:
  • Oracle has released their quarterly Critical Patch Update today. It contains 25 fixes for 7 of their products, including application servers and the database engine. The majority of the vulnerabilities are remotely exploitable without authentication and IT admins should take a close look at the exposure these products have in their networks. In general database engines should have no need to be connected to open networks, but the application servers are very likely exposed.
  • Adobe is also publishing their quarterly patch - and it will address a vulnerability in Adobe Reader that was documented as being actively exploited in the wild since the week before Christmas. Workarounds are available; the official recommendation is to blacklist the JavaScript function that is being exploited. Blacklisting is a capability introduced by Adobe in their last update to Adobe Reader v9 and v8 in October 2009 and might not be familiar to many IT admins yet. An alternative recommendation is to turn off JavaScript completely in Adobe Reader - JavaScript has played a major role in the exploitation of Adobe Reader in 2009, so this is a good preventive and defensive measure. As this setting disables functionality potentially needed by users, IT admins need to evaluate their individual situations.

    This release also introduces the new Adobe updater process, which will, according to Brad Arkin's tweet, come preconfigured for automatic, silent updates à la Google Chrome.
Intevydis, a security research company in Russia, announced last week that they will publish server-based 0-day vulnerabilities for the next 3 weeks. The first two are live and have POC code for Sun Directory Server 7.0 and Tivoli Directory Server 6.2. We are monitoring these releases and will keep you updated on further developments.

Over the weekend Jericho published on the OSVDB blog an analysis of annual vulnerability numbers that Elinor Mills from CNET had written about on Thursday in her InSecurity Complex blog. Some of the numbers originated from Qualys and we were not specific enough on the exact scope. As Jericho speculated our numbers were indeed for a more narrow set of products - not for all of Adobe and Microsoft software, but specifically for Adobe Reader and Microsoft Office. Elinor has since updated the article.

The overall point that we are trying to make remains the same - patching such applications is being neglected by most IT admins and attackers have increasingly shifted their attention to exploiting vulnerabilities in them. On Friday Brad Arkin from Adobe stated that Adobe Reader as a cross operating system application has a bigger installed base than Microsoft Windows, which makes it a very attractive target to attack.

What is your opinion on why the number of vulnerabilities found in Adobe Reader has gone up in 2009? Did attackers first notice that there was potential, start writing exploits, and then security researchers followed up, or was it the other way around?

I am looking forward to your comments...
A mere 10 days after acknowledging the SMB flaw in Windows 7, the Microsoft Security Response Center (MSRC) released a new security advisory for a new critical 0-day in Internet Explorer 6 and 7 as KB977981. A proof of concept for the 0-day was published on bugtraq on Friday, but it is not fully reliable against all combinations of browsers and OSs. Attackers are currently working on improvements to the exploit and we are expecting to see new versions soon.

The advisory proposes several workarounds, but all of them result in restricted usability of the browser. As Internet Explorer 8 (and IE5...) is not affected, for consumers the best option is to upgrade to IE8 or alternatively switch to another product. For enterprise customers, IDS/IPS vendors and secure web gateways are able to deliver a degree of protection against the known exploits.

Qualys tracks this new 0-day under QID 90570.

A new 0-day flaw in Microsoft's SMB protocol implementation in Windows 7 and 2008/R2 was published by Laurent Gaffié on Wednesday of last week, one day after Microsoft's November Patch Tuesday. The flaw was acknowledged on Friday by Microsoft as KB977544.

The exploit involves tricking an end user into clicking on a link to a server with a malicious configuration, which causes the machine to become unresponsive, requiring a reboot. The flaw is unrelated to the recent SMBv2 problem (MS09-050). The recommended workaround at the moment is to prohibit outgoing traffic on the ports used by SMB (139 and 445) with a firewall. This type of egress filtering is already considered a best practice, but such a configuration involves additional work and I doubt that it is consistently implemented.

However, the vulnerability is not very "useful" as it involves user interaction and "only" locks up the target machine. A typical attacker who goes through the work of tricking users into clicking on a link will use an exploit that allows him to control the target machine after execution. For Microsoft the vulnerability represents a trigger to review and improve the part of the SDL process that did not catch the flaw.

Laurent is doing excellent security research work here on Windows 7 just as 2 months ago, but the discussion on "full" vs. "responsible" disclosure will certainly be revived by his post. While we do not know the exact details for Laurent's exchange with Microsoft, we believe that "responsible disclosure" is the more productive mechanism to improve Internet security by fostering collaboration.

Today Microsoft released patches for 6 security updates that address 15 individual vulnerabilities. Three patches were rated as critical and the other 3 are rated as important. Here is a recap of today's advisories:
  • MS09-065 was rated as Critical due to the EOT (Embedded Open Type Font) vulnerability in which an attacker can execute arbitrary commands on the victim's computer. This can be achieved by enticing the victim to visit a web page with malicious EOT fonts or open an e-mail which contains malicious content. A proof of concept that causes the application to crash is publicly disclosed. All Windows operating systems except Windows 7 and Windows 2008 R2 are affected.
    We can expect working exploits soon and this is the most critical vulnerability to address - for users that cannot patch the vulnerability immediately Microsoft has also provided some workarounds in a detailed blog post, including instructions on how to use GPOs to roll them out in an automated way.
  • MS09-063 and MS09-064 are critical as well, as they allow a remote unauthenticated attacker to send malicious packets to the affected systems and cause remote code execution. MS09-063 is limited to attacks from the local subnet.
  • MS09-067 and MS09-068 affect Microsoft Excel and Word. They are standard file format issues that affect consumers and enterprise users alike.
  • Three of the six advisories (MS09-063, MS09-064 and MS09-066) involve services with open listening ports, which can be targeted by network-based attacks.
The newer OS versions Windows 7 and Windows 2008 R2 were not affected by any of the bulletins released today, a good indication of the progress that Microsoft has made in securing the base Operating System.

In a similar way the security features included in the new Office 2010 would have prevented both MS09-067 and MS09-068. We saw a demo of these features the other day at BlueHat and the strict sandboxing imposed on files that are received through e-mail or Internet download should take care of 2 of the main attack vectors for this type of exploit.

Security Researchers at Immunity have released today an exploit for the SMB2 flaw in Vista/2008, as reported today by The Register's Dan Goodin. The code is available under the Canvas Early Updates program and a paid subscription is needed to access it.

The exploit works on all versions of Vista and Windows 2008 with the exception of 2008 R2. Microsoft has described in this advisory a workaround, amounting to turning off SMB2. Implementing this workaround is now becoming critical as attackers will have access to the code soon, in the most optimistic case next week, when HD Moore thinks that Metasploit will have the exploit implemented.
The SANS Institute just published the Top Cyber Security Risks Report for the first half of 2009. In this report TippingPoint, SANS and Qualys collaborated using attack, vulnerability and forensics data to provide the latest trends in the security field.

Enterprise IT administrators and tech-savvy computer end users alike will find interesting information that will help them secure their computers against current threats in the typical software installed on their machines, such as Adobe Reader and Flash, Apple QuickTime, Microsoft Office and Sun Java. The report clearly demonstrates a lag in installing security patches for these productivity applications, despite the attention they get in the press and from the security community. Since all of them are widely installed in businesses, we advise organizations to treat them with the same attention as OS and network vulnerability patches and to include them in their regular patching process.
This month Microsoft released 5 critical advisories, addressing a total of 8 vulnerabilities. The focus is on the Windows Operating System family and all versions are affected. The notable exception is Windows 7, which is a pleasant surprise and most likely an outcome of the additional security measures implemented in this latest version of Windows.

MS09-045 and MS09-047 are client-side vulnerabilities indirectly affecting Internet Explorer and Windows Media Player. They require user actions for a successful exploit, but attackers have the necessary tools in place to entice users to visit infected web pages and open malicious media files. MS09-048 is a "classical" network vulnerability of a type that we have not seen in a while: it is located in the TCP/IP network stack of Windows 2008 and Vista and can be exploited through the network; however, Microsoft rates the exploitation difficulty as high. MS09-049 is a very interesting attack on the WLAN auto-configuration service of Vista and Windows 2008. It requires a malicious access point to be in Wi-Fi range, which limits the number of machines that can be attacked at any given time. We recommend that customers focus on MS09-045 and MS09-047 due to the high likelihood of exploits.

As previously announced, Microsoft did not address the IIS FTP 0-day vulnerability that was made public last week. In addition, yesterday a security researcher disclosed a vulnerability in the file sharing protocol (SMB2) of Vista, 2008 and potentially Windows 7. We expect Microsoft to monitor the extent of exploitation of these 2 new vulnerabilities and continue to provide guidance for workarounds.

Update: Microsoft has acknowledged the SMB2 vulnerability and provided a workaround in advisory 975497, suggesting disabling the SMB2 protocol; machines would then fall back to the older SMB protocol for file sharing.
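The SMB2 workaround from advisory 975497 is a single registry value plus a service restart, which makes it easy to script and, more importantly, easy to verify and revert once the patch is installed. The following PowerShell is an added example, not code from the original post or from Microsoft; the registry location and value are the ones documented in the advisory, and the script assumes an elevated session.

```powershell
# Added example: apply, check or revert the advisory 975497 SMB2 workaround.
# Assumption: run as Administrator on Vista / Windows 2008. Location of the
# Smb2 value follows the advisory's documented workaround.
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Name = 'Smb2'

function Get-Smb2State {
    # Returns 'Default' (value absent, SMB2 on), 'Enabled' or 'Disabled'
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item)      { return 'Default' }
    if ($item.$Name -eq 0)    { return 'Disabled' }
    return 'Enabled'
}

function Disable-Smb2 {
    # Workaround: set Smb2 = 0 and restart the Server service so it takes effect.
    # Clients fall back to SMBv1; note that this also costs SMB2 performance.
    if ((Get-Smb2State) -eq 'Disabled') {
        Write-Host 'SMB2 is already disabled; nothing to do.'
        return
    }
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value 0 -Force | Out-Null
    Restart-Service -Name LanmanServer -Force
    Write-Host "SMB2 state after change: $(Get-Smb2State)"
}

function Enable-Smb2 {
    # Revert the workaround after the vendor patch has been installed.
    Remove-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    Restart-Service -Name LanmanServer -Force
    Write-Host "SMB2 state after revert: $(Get-Smb2State)"
}

# Usage: report current state; uncomment one of the calls to apply or revert.
Write-Host "Current SMB2 state: $(Get-Smb2State)"
# Disable-Smb2
# Enable-Smb2
```

Get-Smb2State is also what an inventory script would call across servers to confirm the workaround is actually in place before the exploit becomes widely available.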

This Monday proof of concept exploit code for a Microsoft IIS FTP vulnerability was posted to the milw0rm site. The code allows the attacker to take control of the machine that runs the vulnerable FTP server and can easily be automated and turned into a mass attack tool by combining it with a scanning tool. In order to be exploitable, the vulnerable FTP server needs to allow write access and the creation of directories. Unfortunately, even anonymous write access is enough to make the server vulnerable, but this requirement nevertheless cuts down on the number of potential targets.

Microsoft acknowledged the vulnerability and published advisory 975191 this afternoon, listing IIS 5.0, 5.1, 6.0 and also 7.0 as affected. The advisory suggests as workarounds to either disable FTP altogether, limit access to only authorized and named users, or use NTFS capabilities to prohibit the creation of directories on the server. The NTFS solution seems to be the way to go for users that cannot make a bigger change to their FTP services and has minimal impact, so it is a good interim solution until a real patch comes out. We don't expect this problem to be addressed in next week's Patch Tuesday release as the development and QA time is too long; it makes sense to prepare for a longer period without a real solution. An alternate way of dealing with the problem is to evaluate whether a robust FTP server with more granular management capabilities can be deployed instead of the one built into IIS.

HD Moore ported the exploit code to his Metasploit project yesterday. This makes it even simpler for IT administrators to demonstrate the existence of the exploit and argue for the deployment of an alternative FTP server.

Updated to include IIS 7.0 as Microsoft amended their advisory on 9/3/2009.
Although August is the month of vacations, that is certainly not the case for Microsoft, which today announced 9 total patches as part of their monthly Patch Tuesday release cycle for August 2009. There are 5 critical patches that can all be exploited remotely and 4 important ones that require direct access to the system for exploitation. This release covers a variety of products with Windows as the main focus.

Highlights of the 5 critical patches covered in this release are:

  • MS09-037: This is a Microsoft Active Template Library (ATL) patch that covers 5 vulnerabilities. It supersedes MS09-034 where a temporary fix was made available as a workaround. This is a true patch and it covers a lot of Microsoft software on all versions of Windows including Outlook, MS media players, ActiveX and many others.
  • MS09-038: Windows Media file processing patch where a malicious AVI can be posted on any media site for exploitation. All that is needed for exploitation is to click on a malicious link on a file-sharing site like MySpace or others. The malicious link can then take complete control of the user's computer.
  • MS09-039: This is a patch for WINS and, while critical, WINS is not installed by default so it is likely not that relevant for most users. However, if WINS is enabled on a Windows system, someone can send a malicious packet to the running service and take control of the user's machine.
  • MS09-043: This is an Office patch for 4 vulnerabilities including one Zero-day. Office is very prevalent and this vulnerability is fairly simple to exploit. All that's needed is to convince someone to view a malicious web page. There is already a Zero-day detection for it in the QualysGuard Knowledgebase (QID 110101) to address CVE-2009-1136.
  • MS09-044: This is a patch to address a Remote Desktop vulnerability that is critical, but it requires the user to connect to a malicious server using Remote Desktop. Remote Desktop is typically used by an advanced user or system administrator.
Although this is a big release, there are no surprises in it as it addresses an outstanding public Zero-day vulnerability and it includes an official patch following the out-of-band patch released in July for MS09-034. As always, users are urged to review these critical patches carefully against their environment and apply them as soon as possible. QualysGuard users are advised to scan systems in their environment to identify affected Windows machines and patch them accordingly.

As announced last week Microsoft today released 2 bulletins, one addressing Internet Explorer (MS09-034) and the other addressing the ATL component of Visual Studio (MS09-035). The release outside of their normal patch window means that exploits for this vulnerability have been spotted in the wild and IT administrators should treat the fixes as high priority.

The main attack vector that the current exploit is using is browsing with Internet Explorer. An end user browsing the Internet with a vulnerable version of IE can get their system taken over simply by looking at a website that has malicious tables or ATL objects. To increase their reach, attackers have been using web application vulnerabilities to place these types of exploits on common, non-malicious sites that end users would not suspect. Once a system is infected, the attacker can add it to their botnet or use it to attack other machines inside the network where the system is hosted. This second mode of use of an infected computer is increasingly common and can lead to indirect exploitation of systems within corporate networks that do not even have external connectivity or a browser installed. Ryan Smith will present on the issue at BlackHat in Las Vegas tomorrow and has a small preview up on his site...
This has been an exciting week in the security space: first Adobe and now Microsoft have announced that they will deliver out-of-band patches next week.
Both vulnerabilities are rated critical and are found in very common software components - all versions of IE (6,7 and 8) are vulnerable, while Adobe says that updates will be shipped for Flash 9 and 10 and also Adobe Reader 9. IT administrators should prepare for a quick turnaround.
Microsoft released advisory KB972890 yesterday for a zero-day vulnerability found by ISS, warning of an attack on an ActiveX control for Microsoft Video. The main attack vector is for the user to browse a website that has the exploit installed with Internet Explorer; further interaction is not necessary, as the attack is of the type called "drive-by". This makes the attack very dangerous as there is very little that Internet Explorer users can do to defend themselves. Security news reports say that thousands of websites have started serving the exploits already, which is supported by the in-depth information that we are getting from our iDefense feed, which has a long list of sites that are serving the exploits.

The described workarounds involve disabling 40+ class IDs (CLSIDs) in the registry, which should be scriptable by IT administrators. The Microsoft support website has a FixIt link which individual users can use to apply those changes to the registry.
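Disabling a control by CLSID means setting its ActiveX "kill bit" (the 0x400 bit of the Compatibility Flags value under Internet Explorer's ActiveX Compatibility key), which Internet Explorer checks before instantiating any control. The script below is an added example, not Microsoft's FixIt or code from the original post: it sets the kill bit for a list of CLSIDs, preserves any other flags already present, and covers the 32-bit registry view on 64-bit Windows. The CLSIDs in it are obviously fake placeholders, not the ones from KB972890.

```powershell
# Added example: set the ActiveX kill bit for a list of CLSIDs.
# Assumption: run as Administrator. Replace the placeholder CLSIDs with the
# ones listed in the advisory you are applying; these are NOT the KB972890 ones.
$KillBit = 0x400
$Bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {
    # 32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node view
    $Bases += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}
$Clsids = @(
    '{00000000-0000-0000-0000-000000000001}',   # placeholder
    '{00000000-0000-0000-0000-000000000002}'    # placeholder
)

function Get-CompatFlags {
    param([string]$Base, [string]$Clsid)
    $key = Join-Path $Base $Clsid
    $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    # True when the kill bit is already present for this CLSID in this registry view
    param([string]$Base, [string]$Clsid)
    $flags = Get-CompatFlags -Base $Base -Clsid $Clsid
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    param([string]$Base, [string]$Clsid)
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = Get-CompatFlags -Base $Base -Clsid $Clsid
    # OR in the kill bit so any other compatibility flags survive
    $new = if ($null -eq $existing) { $KillBit } else { $existing -bor $KillBit }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

foreach ($base in $Bases) {
    foreach ($clsid in $Clsids) {
        if (Test-KillBit -Base $base -Clsid $clsid) {
            Write-Host "already set : $clsid ($base)"
        } else {
            Set-KillBit -Base $base -Clsid $clsid
            Write-Host "kill bit set: $clsid ($base)"
        }
    }
}
```

Running only the Test-KillBit loop (without Set-KillBit) gives a quick compliance check that the FixIt or GPO rollout actually reached a machine.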

QualysGuard detects this zero-day vulnerability as QID 90510, but does not raise it if you have the described workaround applied. We will be enhancing the detection as more information about workarounds and patches becomes available.

How do you deal with ActiveX controls? Do you disable them in your default builds? Let me know by sending feedback. We will also discuss this issue on our upcoming panel at the Black Hat security conference in Las Vegas with the industry experts present.
June's Patch Tuesday is generating a major workload for IT administrators. Microsoft released their biggest number of patches in recent memory, not only for Windows systems, but also for their Mac Office suite. Adobe has patches for their Reader product for Windows, Mac and Unix, and Apple released a production version of Safari 4 for Mac OS X and Windows.

Microsoft's 10 bulletins patch a total of 31 vulnerabilities, extending to almost all of their products on both servers and workstations. Most urgent on the server side are MS09-018 for the Active Directory vulnerabilities and MS09-020 for the IIS/WebDAV vulnerabilities, as both are categorized as critical and have the highest rating (Consistent exploit code likely) in the Microsoft exploitability index. MS09-022 - Windows Print Spooler - is rated critical as well, affects both servers and workstations and so has a higher exposure potential than the other server-based vulnerabilities. MS09-025 brings 4 updates for the Windows base operating system kernels and even the new Vista and 2008 versions are affected by 3 of them.

On the workstation side, beyond MS09-022 and MS09-025 we have the updates for Internet Explorer, Word, Excel and Windows Search. MS09-019 has patches for 8 IE vulnerabilities for all versions from IE5 to IE8 - however it is interesting to note that IE8 is only affected by a single vulnerability, which was recently disclosed at the CanSecWest conference in the Pwn2Own contest sponsored by TippingPoint's ZDI.

As expected we did not see a patch for the DirectShow vulnerability, acknowledged by Microsoft 10 days ago in KB971778. While they have the patch, it is still undergoing Quality Assurance and Stability testing. For Macintosh users, Microsoft provided the patch for last month's disclosed vulnerabilities - MS09-017 for PowerPoint. Users of both Office 2004 and Office 2008 are advised to upgrade to fix a Remote Code Execution issue.

As Adobe had announced previously they also published their quarterly patches this 2nd Tuesday of the month. Currently we see that a patch has been released, but there is no further detail available as to the vulnerabilities covered.

Update: The Adobe advisory is out and it shows a total of 14 vulnerabilities. The patch covers Adobe Reader on Windows and Macintosh. Unix users will have to wait until June 16th to get their fixes.

Microsoft just published their advance notice for June's Patch Tuesday. After the rather lightweight release of last month, which only addressed PowerPoint on Windows, this month's release covers all major areas with 10 updates. Two are critical updates for Windows (out of a total of 6), there is one critical update for Internet Explorer and three critical updates for Microsoft Office.

Mac OS X users, who have seen their fair share of action recently on the OS side and with QuickTime, need to pay attention as well: Microsoft will release an update for the PowerPoint vulnerabilities that they disclosed last month for both Windows and Mac platforms, but at the time only provided patches for Windows.

We will not see a fix for the DirectShow vulnerability KB971778 disclosed last week. While they have a fix, it is still undergoing Quality Assurance and Stability testing.
Microsoft's May Security Bulletin contains a single advisory for PowerPoint in Microsoft Office (MS09-017). It addresses 14 distinct vulnerabilities, including the 0-day vulnerability that was identified in the beginning of April 2009. While the vulnerabilities rank only as important on most versions of Microsoft Office, they are all categorized as "remote code execution" and have a low exploitability index, meaning exploits are relatively easy to write and can be expected to be used soon in attacks.

One of the mentioned workarounds for CVE-2009-0556, the 0-day vulnerability patched in this advisory, is installing MOICE (KB937696). MOICE stands for "Microsoft Office Isolated Conversion Environment," a toolset that sanitizes Office documents when opened through browsing and email by removing potentially dangerous code. It has been available since May 2007 and is cited as a workaround in eight of Microsoft's 78 advisories in 2008. MOICE is an interesting tool, used to reduce the risk produced by the increasing number of file format vulnerabilities. Its limitation is that it only works with Office 2003 and 2007; Office 2000 and Office XP are not supported.

In addition to the Microsoft patches, both Adobe and Apple released their equivalent of "Patch Tuesday" advisories. Adobe fixed a recent critical 0-day vulnerability in their Acrobat and Reader product lines. Compared to their February patch for a known 0-day, this time around they reacted much faster and published patches for Windows, Mac OS X and Unix simultaneously. Adobe software is widely installed and, according to statistics from F-Secure, PDF-based file exploits are on the rise - 49% for the first 4 months of 2009 compared to 28% in 2008.

Apple's patches address a variety of critical issues in OS X and the Safari browser. The advisory for OS X addresses over 40 vulnerabilities and the Safari advisory applies to both OS X and Windows.

Microsoft's Security Bulletin for April brought a total of 8 advisories covering 23 vulnerabilities (21 distinct, 2 are covered in multiple advisories) in Windows and Office. The most interesting part of the bulletin is the elevated number of vulnerabilities that have known exploits. 6 vulnerabilities have already been used by attackers and 4 have a proof of concept or attack plan published. For IT administrators this means that their window to patch is rapidly shrinking: where before weeks were an acceptable timeframe, now days seem more appropriate.

The most urgent patches to apply are the advisories that have working exploits - MS09-009 for Office/Excel, MS09-010 for Windows/Office and MS09-012 for Windows. Microsoft's Internet Explorer cumulative patch MS09-014 has proof of concept code available for at least one of its covered vulnerabilities and thus has a high exploitability index of 1 (consistent exploit code likely). All but MS09-012 are rated as critical on all of Microsoft's operating systems, meaning that the attacker can gain complete control over the affected systems, and they apply even to Microsoft's newer OS versions such as Vista and Server 2008.

Users who have updated already to Internet Explorer 8 are not affected by MS09-014, another indicator of the significant amount of work Microsoft has invested into this new browser and an incentive to move towards that version of IE as quickly as possible.

The vulnerability addressed by MS09-016 is the only one that is remotely exploitable. It affects Microsoft's ISA product, used in securing and proxying companies' Internet connections. As it is limited to a denial of service condition it was rated as Important. Further, its exploitability index has the lowest value of 3 (Functioning exploit code unlikely), meaning that it is difficult to write a successful and consistent exploit.

This weekend we found an interesting pattern when we polled our system-wide QualysGuard statistics around the Conficker vulnerabilities.

Since early February MS08-067, the critical Windows vulnerability that Conficker initially used to infect machines, has been oscillating between the 20% and 40% mark, but in general hovering around the 35% barrier. Then on March 30th, driven by the media coverage around the April 1st wake-up date for the Conficker.C variant and the availability of the QualysGuard remote detection for Conficker, which we released that day, our scanning numbers went through the roof as customers scanned their networks for the presence of the worm.

It is encouraging that the overall numbers for Conficker infections within enterprise networks are in the low single-digit percent range - we are assuming that protection by corporate firewalls kept the initial attack vector in check until patching could be performed and other secondary defense mechanisms such as anti-virus and anti-malware were updated.

The interesting pattern, however, is the drop in the detection rate of the MS08-067 vulnerability starting April 4th. It seems that all the media attention made IT admins either look more closely at the underlying problem, or start looking at it at all, and apply the fix, as we see a reduction of 25% in detections, which is only comparable to the drop when MS08-067 was first announced.

[Chart: conficker_1227.PNG - MS08-067 detection rate and Conficker scanning volume over time]