Recently in IE Category

A busy week - in addition to Microsoft's August Patch Tuesday, which delivers a record-setting 15 bulletins covering 35 vulnerabilities, Adobe has just released a Flash update and will be releasing a patch for an Adobe Reader 0-day vulnerability published a few weeks ago at the Black Hat security conference. To help with this challenging patch workload, we have ranked the Microsoft bulletins into three distinct groups of updates, which can be addressed on different schedules.

IT admins should first tackle the updates that represent the biggest attack potential: end-users and internet browsing are the subject of six bulletins, all of them of critical severity and four of them with an exploitability rating of "1", indicating that working exploits are expected within 30 days. MS10-053 has six direct fixes for Internet Explorer, while the ZDI-submitted MS10-055 and MS10-052 address issues in media plug-ins: MS10-055 for the Cinepak codec and MS10-052 for the MP3 file format. MS10-060 patches a critical .NET Framework issue that can be exploited through web browsing/Silverlight and MS10-051 addresses a vulnerability in the Internet Explorer MSXML ActiveX component. MS10-049 deals with a client-side vulnerability in the HTTPS protocol that can be triggered by a malicious HTTPS site. This and the MSXML ActiveX component bulletin are the two in the group that are rated "2" on the exploitability scale (= harder to exploit). All of these updates should be applied as soon as possible.

A second group of updates has its focus on file format vulnerabilities. The most critical is MS10-056, a vulnerability in the RTF format in Microsoft Word 2007 and older. An attacker can craft a malicious file that triggers a remote code execution when opened by Word on the target computer. Users of Outlook 2007 installations need to pay special attention, since the preview pane in Outlook is configured by default to use Word to render the RTF format. This makes Outlook 2007 susceptible to an attack that does not even require the opening of the e-mail. Apply this update as quickly as possible. MS10-057 and MS10-050 provide fixes for Excel 2003 and earlier and Windows Movie Maker (a default component in Windows XP) file format vulnerabilities. Both have an exploitability rating of "1" and should be addressed as soon as possible.

MS10-058 deals with an interesting vulnerability. It is located in the new TCP/IP stack for IPv6 under Vista, Windows 7 and 2008 R2. While we believe that currently very few publicly facing network infrastructures have IPv6 enabled, this bulletin is important for them, because it is remotely attackable and few mitigations exist. It is a reminder that new OS components and applications are apt to introduce new attack vectors into networks. MS10-054 is a vulnerability in the SMB protocol; it requires read access to a share as well as attacker-controlled data on the target machine. The exploit here will most likely manifest itself as a local escalation of privilege attack.

The remainder of the August updates all address local flaws of the Windows Operating system family and are rated important as the attacker needs to be present on the target system to make use of them. MS10-047 is a Windows Kernel flaw, MS10-048 a flaw in the win32k.sys driver and MS10-059 fixes a problem in the tracing component of Windows.

Last week Microsoft released a bulletin for the 0-day flaw using the LNK filetype. If you have not done so yet, apply MS10-046 together with the first group of patches as desktop systems are at the highest risk of attack using the LNK vulnerability.


This August is bringing a record-setting number of updates from Microsoft. In addition to last week's LNK update, there will be another 14 bulletins addressing 34 vulnerabilities that IT admins will have to take care of in the weeks after Patch Tuesday. Including the LNK update, 9 bulletins have a rating of critical and affect all versions of the Windows OS, Internet Explorer, Silverlight and Microsoft Office.

Windows 7 and 2008 R2 have a smaller number of critical vulnerabilities than Windows XP and 2003, owing to their improved security architecture, but are still affected by 2 critical vulnerabilities each.

Internet Explorer, Office and Silverlight updates apply across the board on all Windows versions. They are examples of this increasingly common type of flaw, where attackers and malware go through the installed applications rather than through the core operating system.

Windows XP SP2 users do not have any patches supplied to them, even though the 5 critical vulnerabilities for XP SP3 most likely apply to their discontinued version of the OS as well. Windows XP SP2 users should upgrade to SP3 as quickly as possible.
Microsoft's July update is a small step for security updates, but a huge leap for enterprise security. Windows 2000 and Windows XP SP2 are being retired from official support today and will not receive security updates anymore. Our own internal statistics indicate that approximately 50 % of Windows XP machines are still on the SP2 level and external surveys put the number of organizations that still depend on SP2 at 77 %. This month there are four bulletins, two for security flaws in Windows and two for Microsoft Office. We rank MS10-042 as the most urgent update: It covers Windows XP (both SP2 and SP3) and Windows 2003 and addresses the Windows Help and Support Center vulnerability published by Tavis Ormandy in a much discussed full disclosure move. Microsoft showed a quick turnaround time on this update.

Next on our list is MS10-045 because it undermines the security model of attachments in Microsoft Outlook. Microsoft classified the vulnerability only as "important", but it allows an attacker to camouflage malicious files as a safe file type. An example would be to pass off an executable as a simple text file. All versions of Outlook are affected, excluding the newest Outlook 2010. The second Microsoft Office update, MS10-044, addresses a vulnerability in a Microsoft Access ActiveX component; it is ranked critical and should be treated as a priority as well.

Last on our list is MS10-043, a vulnerability in the CDD display driver for Windows 7 and Windows 2008R2. It is ranked critical, but there are a number of mitigating factors; it is only applicable to 64 bit versions and requires a fairly high display resolution. The priority of the update depends on your environment.

Microsoft's July update is small - four bulletins in total, two of them addressing security flaws in Windows and two for Microsoft Office. Both Windows bulletins have a maximum rating of critical and both address previously disclosed vulnerabilities. The first one is for Windows XP and 2003 and fixes the Windows Help and Support Center vulnerability published by Tavis Ormandy in a much discussed full disclosure move. Microsoft showed some impressive turnaround time on that patch. The second bulletin fixes a problem in the AERO display driver component for Windows 7 and Windows Server 2008 R2, which was disclosed publicly earlier in May.

The two remaining bulletins, one ranked critical and one important, are for Microsoft Office and all versions but the new Office 2010 are affected, including Office XP, Office 2003 and Office 2007.

July also marks the end of support for two important Microsoft Operating Systems, Windows XP SP2 and Windows 2000. Windows XP SP2 users are advised to upgrade to SP3, which will be supported throughout 2014. Windows 2000 users need to upgrade to a different version of the operating system altogether, as the entire Windows 2000 line is discontinued.



Earlier today Tavis Ormandy released an advisory disclosing a new vulnerability in Windows XP and Windows 2003. The vulnerability is in the Windows Help and Support Center component and is accessed through the protocol handler "hcp://". It can be triggered through all major browsers, but as Tavis points out it is easier to exploit under IE7. Tavis provides sample exploit code for both IE8 and IE7 in the advisory.

As a work-around for the vulnerability, it is possible to de-register the HCP protocol on the target machine:

  1. From the Start Menu, select Run
  2. Type regedit then click OK (the Registry Editor program launches)
  3. Expand HKEY_CLASSES_ROOT and highlight the HCP key
  4. Right-click on the HCP key, and select Delete

This workaround will disable all local, even legitimate, help links that use hcp://. For example, links in the Control Panel may no longer function. For more details on the workaround consult MS03-044, which lists the above instructions for an older vulnerability in the Help system.
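The same de-registration done from an elevated PowerShell prompt, with a backup of the key so the handler can be restored once a patch is installed. This is an added example, not from the original post or from Microsoft; it assumes reg.exe and the PowerShell registry provider are available (Windows XP SP2 / 2003 and later).

```powershell
# Added example (not from the original post): remove the hcp:// protocol handler,
# i.e. the HKEY_CLASSES_ROOT\HCP key, after exporting it for later restoration.
# Run from an elevated prompt. Restore later with:  reg import <backup file>
$hcpKey = 'Registry::HKEY_CLASSES_ROOT\HCP'
$backup = Join-Path $env:TEMP 'HCP-protocol-backup.reg'

if (-not (Test-Path $hcpKey)) {
    Write-Host 'hcp:// handler is not registered on this machine; nothing to do.'
    return
}

# Keep a copy of the key so legitimate hcp:// links (e.g. in Control Panel) can be
# re-enabled after the vendor patch is applied.
if (Test-Path $backup) { Remove-Item $backup -Force }
& reg.exe export 'HKEY_CLASSES_ROOT\HCP' $backup | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
    throw 'Backup of the HCP key failed; aborting without changes.'
}

# Equivalent of step 4 above: delete the HCP key together with all of its subkeys.
Remove-Item -Path $hcpKey -Recurse -Force

if (Test-Path $hcpKey) { throw 'HCP key is still present; check permissions.' }
Write-Host "hcp:// handler removed. Backup saved to $backup"
```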

Tavis' decision to use full disclosure for this vulnerability will certainly revive the discussions around full vs. responsible disclosure. Tavis provides some comments regarding that discussion and includes references to articles by Bruce Schneier exploring the matter.

We are working on testing the exploit and will update this post when new developments occur.

June is a big month for Microsoft patches: there are 10 bulletins covering 34 vulnerabilities. Four bulletins address 0-day issues, the most significant being MS10-035, which fixes the 0-day published by Core Security for an information disclosure vulnerability originally published in February 2010. It also fixes the PWN2OWN vulnerability that security researcher Peter Vreugdenhil used to win ZDI's competition at CanSecWest, not a 0-day but high profile as it bypassed all built-in protections such as DEP and ASLR by combining multiple attack methods. MS10-039 addresses a second 0-day, the vulnerability in SharePoint described by Microsoft in KB983438. MS10-032 and MS10-041 are the additional updates that fix vulnerabilities that were previously disclosed.

The most critical bulletins this month are MS10-035 for Internet Explorer, MS10-033 for DirectShow, and MS10-038 for Excel in Microsoft Office. All versions of IE, including IE8, are affected by MS10-035. There are 6 vulnerabilities in the update, 2 of them critical, and it has an overall exploitability index of 1, indicating that an exploit is expected within 30 days. MS10-033 is a vulnerability in the MJPEG codec and affects a large number of Microsoft products, but its main attack vector is going to be through media files delivered over the Internet to Windows Media Player or IE. Excel has 14 vulnerabilities covered by MS10-038, with 11 in Office XP and only 3 in more recent versions (2003, 2007). These vulnerabilities can be used to trigger code execution when a malicious file is opened by the user. The new Office 2010, which is scheduled to be released later this month, is not affected by any of the vulnerabilities.

MS10-032 addresses a local escalation of privilege vulnerability. While it is not remotely exploitable through any Microsoft product, 3rd party applications could expose it and provide a remote attack possibility.

MS10-040 is a remotely exploitable vulnerability in all versions of IIS, but it is present only if the administrator has downloaded and installed the Channel Binding Update and enabled Windows Authentication. It further requires an account on the system, reducing the number of vulnerable hosts to a small subset.

In related news, Adobe, which published an advisory for a critical 0-day vulnerability in Flash and Reader on Friday, announced that they will provide patches on June 10th and June 29th, respectively - 2 dates that IT administrators should track closely as exploits for the vulnerability are widely available.

Today Microsoft released MS10-018, a critical bulletin with 10 patches affecting all versions of Internet Explorer. The release includes the patch for one of the current 0-day exploits against IE6 and IE7, the "iepeers" (KB981374 and CVE-2010-0806) vulnerability. The original schedule for the bulletin was April 13th, during the normal April Patch Tuesday, but it was moved up because Microsoft has detected an increase in exploits for that 0-day vulnerability.

All users of Internet Explorer 6 and 7 should patch immediately, as the exploit for these versions is known and becoming more popular.

Users of Internet Explorer 8 are not affected by the exploit, but the bulletin contains 2 critical vulnerabilities for this version, so we can expect exploit code for them soon. IT Admins will have to decide whether they can take the risk of patching IE8 only during next patch Tuesday - 2 weeks out, or whether to patch sooner and incur the cost of having 2 separate patch days.

The other open 0-day, the F1 flaw in IE has not been fixed yet, and last week's PWN2OWN IE8 flaw is still under investigation by the security team at Microsoft, so we will continue to see updates in the browser area.
Microsoft will release MS10-018, a patch for the critical Internet Explorer 0-day vulnerability KB981374, out of band tomorrow, on March 30th. Microsoft's decision to accelerate the release rather than waiting until the next Patch Tuesday on April 13th is an indication that attacks against the "iepeers" vulnerability are on the rise.

Similar to what happened with the last IE 0-day patch, MS10-002, Microsoft is including fixes for 9 other vulnerabilities, so the patch is critical for ALL versions of IE.

If you are still using IE6 or IE7, patch immediately. But even if you are on IE8 you should patch as quickly as possible, as attackers will start reverse engineering the flaws addressed and preparing corresponding exploits within the week.

Kudos to Microsoft for their quick turn-around on this vulnerability.
The exploit for the Internet Explorer 6 and 7 vulnerability announced yesterday (KB981374) is public now. Late yesterday, Moshe Ben Abu published a Metasploit Module for the exploit after tracking down the exploit to a webpage.

> But Microsoft also released advisory KB981374 which describes a 0-day vulnerability
> reported to Microsoft only recently. At the moment only a limited number of targeted
> attacks have been reported. Internet Explorer 8 is not vulnerable, another good reason
> to update to this latest version of IE. There are not a lot of details available on the
> vulnerability, but for IE6/7 workarounds apply and are detailed in the advisory.
Contrary to what we expected last week, the Microsoft March security announcements have a little surprise in them.

The standard bulletins cover Windows Movie Maker/Producer and Office:
  • MS10-016 - possible code execution in Windows Movie Maker - ranked important: an attacker can send a malicious file to the target. When the file gets opened, remote code execution is possible. The exploitability index is high, meaning that the file format vulnerability is relatively easy to exploit. Windows XP and Vista ship with vulnerable versions. While Windows 7 does not ship with a vulnerable version, a user could have downloaded and installed the 2.6 version, which is affected. The bulletin does not provide a patch for the also affected Windows Producer, a little-used multimedia add-on to PowerPoint.
  • MS10-017 - possible code execution in Microsoft Excel - ranked important as well. This bulletin covers 7 vulnerabilities, all of them file format based. All versions of Office are affected, including Mac Office 2004 and 2008. An attacker needs to trick the target into opening a specially crafted Excel document, which will allow the attacker to take control of the target system. Exploitability is high for the majority of vulnerabilities listed, so we suggest putting this patch on a fast installation schedule. Attack vectors also include the Excel Viewer and SharePoint Server.
But Microsoft also released advisory KB981374 which describes a 0-day vulnerability reported to Microsoft only recently. At the moment only a limited number of targeted attacks have been reported. Internet Explorer 8 is not vulnerable, another good reason to update to this latest version of IE. There are not a lot of details available on the vulnerability, but for IE6/7 workarounds apply and are detailed in the advisory.

No major updates on advisory KB981169, also for Internet Explorer, which requires the target to press F1 to launch the attack and can best be avoided by user education.

Microsoft's February 2010 Patch Tuesday was slated to be the biggest release for Microsoft fixes in the last two years - 14 bulletins addressing 34 vulnerabilities. But the Google/CN Internet Explorer 0-day forced Microsoft to accelerate the testing of the planned IE bulletin and release it early, still in January. That leaves 13 bulletins covering 26 vulnerabilities for the February release, which constitutes one of the bigger patch Tuesdays.

There are 5 critical vulnerabilities for the Windows Operating System family - the newer versions Windows 7 and Windows 2008 R2 are only affected by 3 of them. Rewrites of the TCP/IP stack and the URI handling in Windows 7 and 2008/R2 improved on the implementation of these core OS capabilities.

Overall highest on our list for patching are MS10-006 SMB client and MS10-013 DirectShow, which affect all versions of Windows and have a low exploitability index. Next are MS10-007 Shell URL handling, which is critical for Windows 2000, XP and 2003 and MS10-008, an update to the ActiveX Killbit settings, applicable to all platforms.

MS10-012 is a bulletin for SMB that server administrators should focus on. It allows a malicious, unauthenticated party to launch a remote denial of service attack. In addition remote authenticated clients can execute code using another flaw addressed in the bulletin.

MS10-010 addresses an interesting vulnerability - it is in the hypervisor of Windows 2008. This virtualization vulnerability allows a guest operating system to crash the host operating system, affecting all virtual machines running on the same physical host. Virtualization is increasingly used in corporate IT environments and in cloud computing initiatives and we see this class of vulnerability gaining importance.

Microsoft Office has 2 bulletins, both rated as important. While the newest version of Office for Windows, Office 2007, is not affected, users of all other versions, including on Mac OS X, should update as quickly as possible because file-based vulnerabilities have been a favorite of attackers in the last year.

Microsoft released today the patch for the critical Internet Explorer 0-day flaw that has been widely covered by us and the security community in general. MS10-002 fixes a total of 8 vulnerabilities, including the 0-day which is identified as CVE-2010-0249 and is attributed to Meron Sellem from BugSec.

In the MSRC blog post announcing the release, Microsoft gives some insight on how they were able to turn around this patch in record time. Meron had reported the vulnerability in late August of 2009 and Microsoft had it confirmed in early September. By the time of public disclosure of the attacks against Google and others, the fix was in essence ready and tested. It was slated for release in the February patch bulletin. Microsoft had to decide whether an out-of-band release of the patch was warranted or whether to bundle it into the February release as originally planned. An out-of-band release causes additional work for IT administrators, who are tasked with addressing operating system vulnerabilities and have been feeling the strain of keeping up to date the growing number of software packages that attackers are increasingly targeting.

Nevertheless, given that exploits are available and that security researchers have shown that DEP as a defense can be circumvented, we recommend applying this update as soon as possible.
Hi this is Richie again with some updates:

Internally we do not think the IE 0-day that was released last week is something new or unique. Every couple of months a new exploit for a critical vulnerability is discovered in the browser space and all major browsers see their share. Exploits of these types are commonly used in targeted attacks ("spear-phishing") against corporations. What is new is that the affected organizations are coming forward with information on the attacks - a positive trend that we encourage and hope will continue.

Technically, the attack was focused on the browser/OS combination IE6 and Windows XP, both close to 10 years old and near end of life. Microsoft has put a lot of work into increasing attack mitigation and surface hardening that reduces the risk of successful exploitation on newer versions of the Windows Operating System (Vista, Windows 2008, Windows 7). In general users should upgrade to a modern OS/Browser combination, at minimum the browser should be updated to IE8 or another modern browser.

As of now, the attacks are limited to a small target population and we have not seen widespread use of the exploit. We expect that to change in the coming days since details of the vulnerability have been made publicly available. Microsoft has released a Fix-It which will turn on DEP for IE and help mitigate the attack. However, there is active research going on to bypass the DEP measure and its effectiveness could be limited.

Further Microsoft has indicated that they will release an out-of-band patch for this issue soon. We will keep you updated with new developments as they arise.

Thanks
Richie Lai
Director of Vulnerability Research, Qualys, Inc.
http://twitter.com/rlaiqualys
Hi, my name is Richie Lai and I am the Director of Vulnerability Research here at Qualys. Some of you might have seen me with Wolfgang during our monthly patch Tuesday webcasts. We have been tracking some developments surrounding a 0-day in Internet explorer and I just wanted to give everyone information we've gathered.

Today Microsoft released an advisory for Internet Explorer versions 6 and above on all platforms up to Win7. The current exploit that is in the wild results in code execution only on Internet Explorer 6 on XP. The vulnerability exists in IE DOM parsing, resulting in a dangling pointer potentially exploitable for remote code execution. Even though the advisory lists all platforms as affected, there are a few mitigating factors.

First, you are protected from this specific known exploit if Data Execution Prevention (DEP) is enabled in the operating system. While DEP has been proven to stop exploits like this, there are known ways to bypass DEP if you can get code running. Which is where the second mitigating factor comes in, Address Space Layout Randomization (ASLR). On platforms where both DEP and ASLR are enabled, exploitation is extremely difficult. In the meantime, we suggest Windows XP users run Microsoft's "Fix-It" from the advisory, which will enable DEP for IE 6 or 7 on XP. The table below outlines the current exploitability across all platforms and IE versions. As you can see, having the most updated browser will significantly reduce your exposure to this vulnerability at this time. We will update you as we get more information regarding this development.

|      | Windows 2000 | Windows XP | Windows 2003 | Windows Vista | Windows 2008 | Windows 7 |
|------|--------------|------------|--------------|---------------|--------------|-----------|
| IE 6 | exploitable | exploitable | DEP protected | N/A | N/A | N/A |
| IE 7 | N/A | exploitable | DEP protected | Protected by Protected Mode | N/A | N/A |
| IE 8 | N/A | DEP protected with XP SP3 | DEP protected | DEP and ASLR protected | DEP and ASLR protected | DEP and ASLR protected |


Thanks
Richie Lai
Director of Vulnerability Research, Qualys, Inc.
http://twitter.com/rlaiqualys
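A script that reports which cell of the table above a given host falls into, from the installed IE version and the system-wide DEP policy. This is an added example, not from the original post; it assumes the IE version is in the 'Version' value under HKLM\SOFTWARE\Microsoft\Internet Explorer (true for IE 6 to 9) and that Win32_OperatingSystem exposes DataExecutionPrevention_SupportPolicy (XP SP2 and later); the mapping to the table is the script's own approximation.

```powershell
# Added example (not from the original post): classify this host against the
# exploitability table above. Assumptions: IE version from the registry value
# below, DEP policy from WMI; Windows 2000 has no DEP properties and is treated
# as unprotected, matching the table.
function Get-IeZeroDayExposure {
    $ieVersion = [version](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer').Version
    $os        = Get-WmiObject -Class Win32_OperatingSystem
    # 5.0 = 2000, 5.1 = XP, 5.2 = 2003, 6.0 = Vista/2008, 6.1 = Windows 7/2008 R2
    $osVersion = [version]$os.Version
    $depPolicy = $os.DataExecutionPrevention_SupportPolicy
    $depNames  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

    # System-wide DEP covers IE only under AlwaysOn or OptOut (the server default).
    # Under OptIn (the client default) IE 6/7 must be opted in individually,
    # which is what Microsoft's Fix-It from the advisory does.
    $depCoversIe = ($depPolicy -eq 1) -or ($depPolicy -eq 3)

    switch ($ieVersion.Major) {
        { $_ -ge 8 } {
            if ($osVersion.Major -ge 6) { $status = 'DEP and ASLR protected' }
            else                        { $status = 'DEP protected (on XP this requires SP3)' }
        }
        7 {
            if ($osVersion -ge [version]'6.0') { $status = 'Protected by Protected Mode' }
            elseif ($depCoversIe)              { $status = 'DEP protected' }
            else { $status = 'exploitable unless DEP is enabled for IE (apply the Fix-It)' }
        }
        default {
            if ($depCoversIe) { $status = 'DEP protected' }
            else              { $status = 'exploitable; upgrade the browser or apply the Fix-It' }
        }
    }

    New-Object PSObject -Property @{
        OperatingSystem = $os.Caption
        IEVersion       = $ieVersion.ToString()
        DEPPolicy       = if ($depPolicy -ne $null) { $depNames[[int]$depPolicy] } else { 'not supported' }
        Status          = $status
    }
}

Get-IeZeroDayExposure | Format-List
```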
McAfee's CTO George Kurtz just published some deeper insight into the attacks against Google. According to him a 0-day vulnerability in Internet Explorer was used. Microsoft has just issued an advisory KB979352 acknowledging the vulnerability on all versions of Internet Explorer, except IE v5.

It looks as if the Adobe Reader 0-day was not directly involved, contrary to what we had assumed so far.

We will update this post when further information comes to our attention.

Microsoft closes 2009 with its last regular patch release, adding 6 bulletins and bringing the year's total to 74. December's release is by our current standards a rather normal workload of 12 individual vulnerabilities. As expected, bulletin MS09-072 fixes the critical 0-day Internet Explorer vulnerability that was publicly disclosed just 3 weeks ago. Microsoft credits iDefense for the vulnerability, so it appears that they had been working on the issue already. Still, kudos to the team at Microsoft for the quick release. This patch is rated for immediate deployment as attackers are actively working on making the PoC into a reliable exploit. The bulletin further contains an additional 4 vulnerabilities, with 3 affecting Internet Explorer 8, including on Windows 7. BTW, this is the only bulletin this month that affects Windows 7 and Windows 2008 R2.

Bulletin MS09-070 deals with remote code execution on Active Directory on Windows 2003 and 2008. This is rated as Important because it requires an attacker to be authenticated. If the attacker has credentials, an exploit can be used to execute code on the Active Directory server and impact core infrastructure of corporate environments - we recommend fixing it as quickly as possible after internal testing.

MS09-073 and MS09-074 address vulnerabilities in file formats for Word/Wordpad converters and MS-Project. Both allow remote code execution when users open specifically crafted files that can be received through e-mail or downloaded from a website. Install the patches as quickly as possible and review whether extended testing is necessary in your environment.

The 2 remaining bulletins, MS09-069 and MS09-071, address the Windows operating system, one in the well-known LSASS component and the other in the Internet Authentication Service (IAS). The LSASS one is a resource-consumption DoS-only vulnerability and the IAS one only affects Windows 2008 with MSCHAP v2 enabled. The exploitability index for both is 2 and we think these patches should be installed as necessary.

The highly critical vulnerability in IE6/7 with an exposure window to exploits of over 3 weeks without the availability of a patch, should put the task of getting users off IE6/7 on the top of IT admins New Year's resolutions for 2010. They have to be migrated to a more modern browser, with the most viable options being IE8 with its well known patching mechanism or Firefox 3 with its more aggressive patching schedule.

Outside of the direct Microsoft realm, Adobe will release an update for a critical Flash vulnerability that we recommend installing right away.

A mere 10 days after acknowledging the SMB flaw in Windows 7, the Microsoft Security Response Center (MSRC) released a new security advisory for a new critical 0-day in Internet Explorer 6 and 7 as KB977981. A proof of concept for the 0-day was published on bugtraq on Friday, but it is not fully reliable against all combinations of browsers and OSs. Attackers are currently working on improvements to the exploit and we are expecting to see new versions soon.

The advisory proposes several work-arounds, but all of them result in restricted usability of the browser. As Internet Explorer 8 (and IE5....) is not affected, for consumers the best option is to upgrade to IE8 or alternatively switch to another product. For enterprise customers, IDS/IPS vendors and secure web gateways are able to deliver a degree of protection against the known exploits.

Qualys tracks this new 0-day under QID 90570

October 2009's Microsoft Patch Tuesday is a massive release with 13 advisories covering 34 vulnerabilities. 2 advisories address last month's 0-day vulnerabilities - SMBv2 and FTP for IIS - in a very quick turn-around. However, another 6 vulnerabilities are tagged as having information disclosed publicly before today's patch release. Of the total set of vulnerabilities a full 22 are of critical severity and should be addressed as quickly as possible. A large selection of software is affected: all versions of Windows (including Windows 7), Windows Media Player, Office and also Silverlight - Microsoft's new rich media development tool. Internet Explorer also receives an update for 2 critical vulnerabilities - one of them disclosed at the Black Hat security conference.

MS09-054 is a fix for critical vulnerabilities in all versions of Internet Explorer and, interestingly, can also affect non-Microsoft software - namely Firefox, the browser from Mozilla. The Microsoft .NET runtime installs a plug-in into Firefox that allows XAML Browser Applications (XBAP) to be launched through Firefox and serves as a conduit to the vulnerable component of Windows.

The biggest set of vulnerabilities this month is addressed by MS09-062, which fixes 8 flaws in the GDI+ graphics library. This library is widely used in applications as diverse as Microsoft Office, Visual Studio development tools, SQL Server and even Forefront Security Client.

Another set of 2 vulnerabilities disclosed at Black Hat (video presentation here and here - worth watching) is addressed by MS09-056. It provides a fix to the CryptoAPI library and the much talked about "Null prefix certificate" which allows for the impersonation of an arbitrary SSL certificate by embedding a NULL character at the right spot in the certificate request. Earlier this month a certificate was leaked to the full disclosure mailing list that impersonated www.paypal.com. The vulnerability is rated only as "important", because it does not allow the attacker to take over the machine, but it can be used to steal the user's credentials to any web site.

Important: Adobe released their patch for Adobe Reader, the popular PDF viewer. Adobe Reader versions 7, 8 and 9 are vulnerable on all versions of Windows and Mac OS X. Adobe had acknowledged the existence of exploits focused on v9 and Windows last week. This is a critical update that should be applied as soon as possible.

This month Microsoft released 5 critical advisories, addressing a total of 8 vulnerabilities. The focus is on the Windows operating system family and all versions are affected. The notable exception is Windows 7, which is a pleasant surprise and most likely an outcome of the additional security measures implemented in this latest version of Windows.

MS09-045 and MS09-047 are client-side vulnerabilities indirectly affecting Internet Explorer and Windows Media Player. They require user actions for a successful exploit, but attackers have the necessary tools in place to entice users to visit infected web pages and open malicious media files. MS09-048 is a "classical" network vulnerability of a type that we have not seen in a while: it is located in the TCP/IP network stack of Windows 2008 and Vista and can be exploited through the network; however, Microsoft rates the exploitation difficulty as high. MS09-049 is a very interesting attack on the WLAN auto-configuration service of Vista and Windows 2008; it requires a malicious access point to be in Wi-Fi range, which limits the number of machines that can be attacked at any given time. We recommend that customers focus on MS09-045 and MS09-047 due to the high likelihood of exploits.

As previously announced Microsoft did not address the IIS FTP 0-day vulnerability that was made public last week. In addition yesterday a security researcher disclosed a vulnerability in the file sharing protocol (SMB2) of Vista, 2008 and potentially Windows 7. We expect Microsoft to monitor the extent of exploitation of these 2 new vulnerabilities and continue to provide guidance for workarounds.

Update: Microsoft has acknowledged the SMB2 vulnerability and provided a workaround in advisory 975497, suggesting that the SMB2 protocol be disabled; machines would then fall back to the older SMB protocol for file sharing.
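One way to apply (and later revert) that SMB2-disable workaround from PowerShell. This is an added example, not from the original post or from Microsoft's advisory; the registry value it uses is assumed from the published workaround and should be confirmed against the advisory text before use.

```powershell
# Added example (not from the original post): disable or re-enable SMB2 on the
# server side. Assumption, not stated on this page: the workaround is the Smb2
# DWORD under LanmanServer\Parameters (0 = disabled, 1 = enabled). Run elevated;
# the Server service is restarted, which briefly drops active file-share sessions.
param([switch]$Revert)

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$desired   = if ($Revert) { 1 } else { 0 }

$current = (Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue).Smb2
if ($null -eq $current) { Write-Host 'Smb2 value not set (defaults to enabled).' }
else                    { Write-Host "Current Smb2 value: $current" }

if ($current -eq $desired) {
    Write-Host 'Already in the requested state; nothing to do.'
    return
}

Set-ItemProperty -Path $paramsKey -Name Smb2 -Value $desired -Type DWord

# The change only takes effect once the Server service (and its dependents) restart.
Restart-Service -Name LanmanServer -Force

$now = (Get-ItemProperty -Path $paramsKey).Smb2
if ($now -eq 0) { Write-Host 'SMB2 disabled; clients will fall back to SMB1 for file sharing.' }
else            { Write-Host 'SMB2 re-enabled.' }
```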

As announced last week Microsoft today released 2 bulletins, one addressing Internet Explorer (MS09-034) and the other addressing the ATL component of Visual Studio (MS09-035). The release outside of their normal patch window means that exploits for this vulnerability have been spotted in the wild and IT administrators should treat the fixes as high priority.

The main attack vector that the current exploit is using is browsing with Internet Explorer. An end-user browsing the Internet with a vulnerable version of IE can get their system taken over simply by viewing a website that hosts malicious tables or ATL objects. To increase their reach, attackers have been using web application vulnerabilities to put these types of exploits on common, non-malicious sites that end-users would not suspect. Once the system is infected, the attacker can add it to their botnet or use it to attack other machines inside the network where the system is hosted. This second mode of use of an infected computer is increasingly common and can lead to indirect exploitation of systems within corporate networks that do not even have external connectivity or a browser installed. Ryan Smith will present on the issue at BlackHat in Las Vegas tomorrow and has a small preview up on his site...
This has been an exciting week in the security space: first Adobe and now Microsoft have announced that they will deliver out-of-band patches next week.

Both vulnerabilities are rated critical and are found in very common software components: all versions of IE (6, 7 and 8) are vulnerable, while Adobe says that updates will be shipped for Flash 9 and 10 and also Adobe Reader 9. IT administrators should prepare for a quick turnaround.
Microsoft's July Security Bulletin does not have any surprises, due to the intense pre-release activity around the 3 zero-day advisories that came out in the last 6 weeks. Microsoft had already announced that they would address 2 advisories with patches MS09-028 and MS09-032 for DirectShow and Microsoft Video respectively. Yesterday's zero-day is left for later, and users should apply the workaround published in KB973472. The 3rd critical vulnerability addressed is MS09-029, OpenType Font Engine, which applies to all versions of Windows, Vista and 2008 included. These 3 advisories should be addressed immediately as they allow the attacker to fully control the victim's computer.

Microsoft proxy server ISA 2006 has a vulnerability rated as "important" that allows remote unauthenticated users to access the server. However, paired with knowledge of the administrator's user name, attackers can take full control of the server. As administrator usernames are often easy to guess, this vulnerability deserves special attention if IT organizations are using ISA with the RADIUS configuration. This vulnerability is covered in MS09-031. The ISA blog has some more in-depth information.

MS09-030, an advisory for the Publisher component in the MS Office 2007 suite, is rated as "important" as well, but the vulnerability can be used to take full control of the system if the victim is logged in as administrator. If an organization uses Publisher or has it installed as part of Office 2007, this should be treated as "critical" as well.

Microsoft also provided patches for their virtualization products VPC and Virtual Server on all versions (MS09-033), preventing an elevation of privilege in the guest operating system. This is classified as "important" because local access to the guest OS is required. This bulletin is interesting because the vulnerability is introduced by the fact that the OS is running under a virtual environment, which allows the user access to privileged kernel mode.

In addition we are working on the Oracle CPU patch release and are monitoring the Firefox 3.5 zero-day.

We just released our QID 110101, which detects the Microsoft Office Web Components ActiveX zero-day vulnerability that Microsoft released today as KB973472. Similar to last week's zero-day vulnerability, Microsoft is providing a workaround using their Fixit program.

The main attack vector is again Internet Explorer: a user can be infected by browsing a website that hosts the exploit, without further interaction, in a so-called "drive-by" exploit. There have been a number of sightings already, which prompted Microsoft to make this out-of-band release; for more information take a look at SANS.

QualysGuard will not raise the vulnerability if you have the described workaround applied, which inhibits the OWC10 and OWC11 classids that are susceptible to the attack. We will be enhancing the detection as more information about workarounds and patches becomes available. Due to the timing, we do not expect this vulnerability to be addressed tomorrow at Patch Tuesday.
Microsoft released advisory KB972890 yesterday for a zero-day vulnerability found by ISS, warning of an attack on an ActiveX control for Microsoft Video. The main attack vector is for the user to browse a website that has the exploit installed with Internet Explorer; further interaction is not necessary, and the attack is of the type called "drive-by". This makes the attack very dangerous, as there is very little that Internet Explorer users can do to defend themselves. Security news here and here report that thousands of websites have started serving the exploits already, which is supported by the in-depth information that we are getting from our iDefense feed, which has a long list of sites that are serving the exploits.

The described workarounds involve disabling 40+ classids in the registry, which should be scriptable by IT administrators. The Microsoft support website has a FixIt link which individual users can use to apply those changes to the registry.
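Scripting the classid workaround described here and in the Office Web Components post above, as an added PowerShell example that is not part of the original posts: it sets the Internet Explorer ActiveX "kill bit" (Compatibility Flags 0x400 under the ActiveX Compatibility key) for a list of classids and reads the flag back so the change can be verified across a fleet. The two CLSIDs used are constructed placeholders; substitute the ones listed in the Microsoft advisory. Run from an elevated prompt.

```powershell
# Added example, not from the Qualys post or Microsoft: set and verify IE ActiveX kill bits.
# Assumes an elevated prompt. CLSIDs below are placeholders, not the advisory's real values.
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400   # Compatibility Flags bit that stops IE from instantiating the control

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string[]]$Clsid)
    foreach ($id in $Clsid) {
        $key = Join-Path $KillBitRoot $id
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the bit in so any flags Microsoft already set for this control are preserved
        $new = [int]$current -bor $KillBitFlag
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-ActiveXKillBit {
    # Returns one object per CLSID with KillBit = $true when the bit is set.
    param([Parameter(Mandatory)][string[]]$Clsid)
    foreach ($id in $Clsid) {
        $key = Join-Path $KillBitRoot $id
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Clsid   = $id
            KillBit = [bool]([int]$flags -band $KillBitFlag)
        }
    }
}

# Constructed placeholder CLSIDs; replace with the advisory's list (one entry per control)
$controls = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)
Set-ActiveXKillBit -Clsid $controls
Test-ActiveXKillBit -Clsid $controls | Format-Table -AutoSize
```

On 64-bit Windows the 32-bit browser reads the same key under HKLM:\SOFTWARE\Wow6432Node, so point $KillBitRoot there as well when verifying.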

QualysGuard detects this zero-day vulnerability as QID 90510, but does not raise it if you have the described workaround applied. We will be enhancing the detection as more information about workarounds and patches becomes available.

How do you deal with ActiveX controls? Do you disable them in your default builds? Let me know by sending feedback. We will also discuss this issue on our upcoming panel at the Black Hat security conference in Las Vegas with the industry experts present.
June's Patch Tuesday is generating a major workload for IT administrators. Microsoft released their biggest number of patches in recent memory, not only for Windows systems, but also for their Mac Office suite. Adobe has patches for their Reader product for Windows, Mac and Unix, and Apple released a production version of Safari 4 for Mac OS X and Windows.

Microsoft's 10 bulletins patch a total of 31 vulnerabilities, extending to almost all of their products on both servers and workstations. Most urgent on the server side are MS09-018 for the Active Directory vulnerabilities and MS09-020 for the IIS/WebDAV vulnerabilities, as both are categorized as critical and have the highest rating (Consistent exploit code likely) in the Microsoft exploitability index. MS09-022, Windows Print Spooler, is rated critical as well, affects both servers and workstations and so has a higher exposure potential than the other server based vulnerabilities. MS09-025 brings 4 updates for the Windows base operating system kernels, and even the new Vista and 2008 versions are affected by 3 of them.

On the workstation side, beyond MS09-022 and MS09-025 we have the updates for Internet Explorer, Word, Excel and Windows Search. MS09-019 has patches for 8 IE vulnerabilities for all versions from IE5 to IE8; however, it is interesting to note that IE8 is only affected by a single vulnerability, which was recently disclosed at the CanSecWest conference in the Pwn2Own contest sponsored by TippingPoint's ZDI.

As expected, we did not see a patch for the DirectShow vulnerability acknowledged by Microsoft 10 days ago in KB971778. While they have the patch, it is still undergoing Quality Assurance and stability testing. For Macintosh users, Microsoft provided the patch for last month's disclosed vulnerabilities, MS09-017 for PowerPoint. Users of both Office 2004 and Office 2008 are advised to upgrade to fix a remote code execution issue.

As Adobe had announced previously, they also published their quarterly patches this 2nd Tuesday of the month. Currently we see that a patch has been released, but there is no further detail available as to the vulnerabilities covered.

Update: The Adobe advisory is out and it shows a total of 14 vulnerabilities. The patch covers Adobe Reader on Windows and Macintosh. Unix users will have to wait until June 16th to get their fixes.
