Patch Tuesday Plugs 19 Microsoft Security Holes

May 2007, Black Tuesday patch overview

Sans.org has a nice chart showing all of the Security Bulletins and patches released today:

http://isc.sans.org/diary.html?storyid=2769&dshield=97e5573ad925ab38c534df8302ec493e

For a discussion later with some friends, I've summarized them from the Bulletins - included below for anyone interested in the details and mitigating factors of these exploits.

regards,

-rich

=================Begin List=========================================================

Microsoft Security Bulletin MS07-023
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/Bulletin/MS07-023.mspx

A remote code execution vulnerability exists in the way Excel handles Excel files with specially crafted set font values. Such a file might be included in an e-mail attachment or hosted on a malicious Web site. An attacker could exploit the vulnerability by constructing a specially crafted Excel file that could allow remote code execution.

Such a file might be included in an e-mail attachment or hosted on a malicious Web site.

In a Web-based attack scenario, an attacker would have to host a Web site that contains an Office file that is used to attempt to exploit this vulnerability.

The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document.
==========================================================================

Microsoft Security Bulletin MS07-024
Vulnerabilities in Microsoft Word Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/Bulletin/MS07-024.mspx

A remote code execution vulnerability exists in the way Microsoft Word handles data within an array. A specially crafted file might be included as an e-mail attachment or hosted on a malicious Web site. An attacker could exploit the vulnerability by constructing a specially crafted Word file that could allow remote code execution.

A remote code execution vulnerability exists in the way Microsoft Word handles a specially crafted Word Document stream. An attacker could exploit the vulnerability by constructing a specially crafted Word file that could allow remote code execution.

A remote code execution vulnerability exists in the way Microsoft Word parses certain rich text properties within a file. Such a specially crafted file might be included as an e-mail attachment or hosted on a malicious Web site. An attacker could exploit the vulnerability by constructing a specially crafted Word file that could allow remote code execution.

In a Web-based attack scenario, an attacker would have to host a Web site that contains a Word file that is used to attempt to exploit this vulnerability.

The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document.
================================================================================

Microsoft Security Bulletin MS07-025
Vulnerability in Microsoft Office Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/Bulletin/MS07-025.mspx

A remote code execution vulnerability exists in the way Microsoft Office handles a specially crafted drawing object.

An attacker could exploit the vulnerability by constructing a specially crafted Office file containing a malformed drawing object that could allow remote code execution.

In a Web-based attack scenario, an attacker would have to host a Web site that contains an Office file that is used to attempt to exploit this vulnerability.

The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document.

Workarounds for Drawing Object Vulnerability - CVE-2007-1747:
Use Microsoft Word Viewer 2003 to open and view files. The Microsoft Word Viewer 2003 is not affected by the issue. Users can download Microsoft Word Viewer 2003 from the Microsoft Download Center.
==================================================================================

Microsoft Security Bulletin MS07-026
Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/Bulletin/MS07-026.mspx

An information disclosure vulnerability exists in Microsoft Exchange in the way that Outlook Web Access (OWA) handles script-based attachments. An attached script could spoof content, disclose information, or take any action that the user could take within the context of the OWA session.

The vulnerability could not be exploited automatically through e-mail. For an attack to be successful an attacker must e-mail a specially crafted file to a user and convince the user to open the file within an authenticated OWA session.
===================================================================================

Microsoft Security Bulletin MS07-027
Cumulative Security Update for Internet Explorer
http://www.microsoft.com/technet/security/Bulletin/MS07-027.mspx

A remote code execution vulnerability exists in the way Internet Explorer instantiates COM objects that are not intended to be instantiated in Internet Explorer. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user visited the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps reduce the number of successful attacks that exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail. However, if a user clicks on a link within an e-mail, they could still be vulnerable to this issue through the Web-based attack scenario.

Customers who are running Windows Internet Explorer 7 with default settings are therefore not at risk unless these COM objects have been activated through the ActiveX opt-in feature in the Internet Zone. Customers who are upgrading to Windows Internet Explorer 7 and have enabled these COM objects in previous versions of Internet Explorer will have them enabled in Windows Internet Explorer 7. For more information on the ActiveX Opt-in feature and how to add ActiveX controls to the pre-approved list, see the product documentation.

A remote code execution vulnerability exists in the way Internet Explorer accessing a object when it is not initiated or already deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. If a user viewed the Web page, the vulnerability could allow remote code execution.

In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability.

The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing Active Scripting from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to this issue through the Web-based attack scenario.

Workarounds for Uninitialized Memory Corruption Vulnerability - CVE-2007-0944:
Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

A remote code execution vulnerability exists in the way Internet Explorer handles a property method. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

HTML Objects Memory Corruption Vulnerabilities - CVE-2007-0946, CVE-2007-0947:

Several remote code execution vulnerabilities exist in Internet Explorer due to attempts to access uninitialized memory in certain situations. An attacker could exploit these vulnerabilities by constructing a specially crafted Web page. If a user viewed the Web page, these vulnerabilities could allow remote code execution. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system.

It cannot be ruled out that these vulnerabilities could be used in an exploit without Active Scripting. However, using Active Scripting significantly increases the chances of a successful exploit. As a result, these vulnerabilities have been given a severity rating of Critical on Windows Server 2003.

Arbitrary File Rewrite Vulnerability - CVE-2007-2221:

A remote code execution vulnerability exists in a media service component that was never supported in Internet Explorer. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user visited the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

COM objects not intended to be instantiated in Internet Explorer are not included in the default allow-list for ActiveX controls in Windows Internet Explorer 7. Customers who are running Windows Internet Explorer 7 with default settings are therefore not at risk unless these COM objects have been activated through the ActiveX opt-in feature in the Internet Zone. Customers who are upgrading to Windows Internet Explorer 7 and have enabled these COM objects in previous versions of Internet Explorer will have them enabled in Windows Internet Explorer 7. For more information on the ActiveX Opt-in feature and how to add ActiveX controls to the pre-approved list, see the product documentation.
==============================================================================

Microsoft Security Bulletin MS07-028
Vulnerability in CAPICOM Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/Bulletin/MS07-028.mspx

A remote code execution vulnerability exists in Cryptographic API Component Object Model (CAPICOM) that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.

What is CAPICOM.Certificates?
CAPICOM.Certificates is an ActiveX control that provides scripters (VBS, ASP, ASP.NET etc.) with a method for encrypting data based on secure underlying Windows CryptoAPI functionality. The CAPICOM Suite is also available for download as Platform SDK Redistributable: CAPICOM and is also part of the Windows Platform SDK and the Windows Driver Kit.

In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability.

An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to convince them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. After they click the link, they would be prompted to perform several actions. An attack could only occur after they performed these actions.

By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps reduce the number of successful attacks that exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail. However, if a user clicks on a link within an e-mail, they could still be vulnerable to this issue through the Web-based attack scenario.
==============================================================================

Microsoft Security Bulletin MS07-029
Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx

A remote code execution vulnerability exists in the Domain Name System (DNS) Server Service in all supported server versions of Windows that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.

The DNS Server Service may not be enabled by default in certain server role configurations. On Domain Controller, DNS Server, and Microsoft Small Business Server configurations the DNS Server Service is enabled by default.

===========End List==================================================================

 

Re: May 2007, Black Tuesday patch overview

Thanks Rich
So, the old rule still applies: "Don't be fooled by social engineering"

 

Well, for the most part, yes.

In a discussion yesterday with a colleague and some friends who work in institutional settings, we reviewed the topic of the MSOffice exploits, since most companies and educational institutions use this program.

The consensus was that much of the security industry emphasizes the wrong solutions:

• Keep your AV up to date
• Keep your patches up to date

All agreed this was not effective, since AV databases just can't keep current for the ever-changing exploits. And patches take time before they are released. Sans.org regularly includes the statement that AV is not effective for the onslaught of zero-day attacks. Hence, the thousands who are infected before updates and patches are released.

Another area of agreement was that the security articles announcing the latest exploit rarely give an analysis of what the exploit does. This is also true of the MS Bulletins, which regularly use the phrase, "remote code execution" but do not detail the steps of the attack. It was agreed that most System Admins they had talked with were not familiar with the specifics of the exploits, and relied on the above solutions for the most part.

Getting information from the general media is rarely helpful. A recent example was put out by at least 7 different outlets, including USA Today

Cyberspies exploit Microsoft Office
http://www.usatoday.com/tech/news/computersecurity/2007-04-22-cyberspies-microsoft-office_N.htm

It sensationalized the whole affair, nothing of any use to an IT was given, and included this helpful suggestion:

Right. That was two weeks ago and the patch is just now available.

Searching around finally found a link to the orginal article, which included the most important piece of information about the attack, conveniently omitted by the general media articles:

We agreed that most of the MSWord exploits functioned in this way. Gone are the days of hackers maliciously tampering with the system:they want to install a trojan that sets up the computer to provide information to the hacker. Taking down the computer serves no purpose.

Last year, securityfocus.com published an article showing how this type of exploit works. Part of it reads:

3. Sample mechanism of an attack

Steps to exploitation:

• Step 1: The targeted victim opens the malicious MS Word document via an email attachment or a web page.
  
• Step 2: The malicious storage component (dropper program) within the OLE Structured Storage gets executed as the Word file is opened.
  
• Step 3: The Trojan is dropped on the victim's system.
  
• Step 4: The trojan operates with a backdoor which allows the remote attacker to collect system information, access the command shell and take screen shots and store them to %System%\Capture.bmp.

Here is a graphic from the article, showing the above steps:

http://www.securityfocus.com/images/infocus/msoff5.jpg

The full article is here: http://www.securityfocus.com/infocus/1874

So what are the solutions?

It's obvious that user action is required in these exploits. All agreed that policies and procedures aren't always effective. Turnover of secretarial and clerical staff often means something slips through the cracks. Briefings on procedures include "verify attachments from colleagues before opening" and " delete messages from unknown people." Yet, the "let's-see-what-this-is click" still happens.

A write up last year of a Word exploit included:
http://www.eweek.com/article2/0,1895,1965042,00.asp

This was a suggested work-around:

Effective, but essentially cripples one of the useful tools of the workforce.

Most of the MS Bulletins emphasize user awareness, but this evidently doesn't sink in to many people.

Last year, sans.org published a very informative article with a number of solutions:

Word 0-day, recommended defenses.
http://isc.sans.org/diary.html?storyid=1347

One interesting comment:

Finally, more recent is:

Microsoft attempts to lock down Office
http://www.vnunet.com/vnunet/news/2188855/microsoft-attempts-lock-office

The article quotes Vincent Weafer, senior director of Symantec Security Response, as saying that the biggest security issue facing Office is the sheer size and ubiquity of the software. Because Office is so widespread, it will always be a target of malware authors and attackers.

He concludes,

Not very reassuring.

In all of the above literature, not one word about White List and Reboot-to-Restore solutions was mentioned. One WAG suggested that the dominance of the AV industry and the coziness between Media and Advertisers was partly responsible for this. But we dismissed this after a brief chuckle, because it does no good to criticize or point fingers. We are in the business of implementing solutions.

With White List solutions at the front line, in front of the above-mentioned solutions, you effectively prevent any intrusion of a virus or trojan executable.

From time to time, this approach is mentioned, or discussed:

https://www.wilderssecurity.com/showthread.php?t=161891

https://www.wilderssecurity.com/showthread.php?t=167806

Now, institution settings are quite different from home environments, and the solutions are more complex. In another post I listed some references discussing Enterprise products, which makes for good background reading for anyone:

https://www.wilderssecurity.com/showthread.php?t=172541
see Post #8

So, it is possible to implement solutions that permit the workforce to use their tools knowing that protection is in place, the most effective being using common sense and following the established polices/procedures of the company.

The same can be applied to home users.

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

Very good report Rich

 

Hi Lucas,

Well, I had some help! Hope it is useful.

thanks,

-rich