Security

Microsoft on Friday said it is working on a fix for a vulnerability in the Server Message Block file-sharing protocol in Windows 7 and Windows Server 2008 Release 2 that could be used to remotely crash a computer.

The software giant had said on Wednesday that it was looking at the bug, discovered by researcher Laurent Gaffié, who published proof-of-concept code on a blog.

"Microsoft is aware of public, detailed exploit code that would cause a system to stop functioning or become unreliable. If exploited, this [denial-of-service] vulnerability would not allow an attacker to take control of, or install malware on, the customer's system but could cause the affected system to stop responding until manually restarted," Dave Forstrom, group manager for public relations at Microsoft Trustworthy Computing, said in a statement. "It is important to note that the default firewall settings on Windows 7 will help block attempts to exploit this issue."

Microsoft is not aware of attacks to exploit the hole at this time, he said.

In an advisory, Microsoft criticized the way Gaffié handled the discovery.

"Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk," the advisory said. "We continue to encourage responsible disclosure of vulnerabilities."

The advisory suggests that customers block Transmission Control Protocol, or TCP, ports 139 and 445 at the firewall, as a workaround until a patch is ready.

Microsoft said on Wednesday it is looking into a report of a vulnerability in Windows 7 and Server 2008 Release 2 that could be used by an attacker to remotely crash the computer.

The company is investigating claims of a "possible denial-of-service vulnerability in Windows Server Message Block (SMB)," the Microsoft spokesperson said, adding that the company was unaware of any attacks trying to exploit the hole.

The bug triggers an infinite loop on the Server Message Block (SMB) protocol used for sharing files in Windows, researcher Laurent Gaffié wrote in a posting on the Full-Disclosure mailing list and on a blog.

"Whatever your firewall is set to, you can get remotely smashed via IE or even via some broadcasting NBNS [NetBIOS Naming Service] tricks," Gaffié wrote.

Gaffié also posted proof-of-concept code for the "Windows 7, Server 2008R2 Remote Kernel Crash."

On Tuesday, Microsoft issued six patches to fix 15 vulnerabilities, including a critical hole in the Windows kernel, as part of November's Patch Tuesday.

Microsoft on Tuesday issued six security bulletins fixing 15 vulnerabilities, including a critical patch for holes in the Windows kernel and other Windows and Office components that could allow an attacker to take control of a computer.

The critical bulletin affecting the Kernel-Mode Drivers was publicly disclosed and could be used to create a Web page with malware designed to exploit the hole on systems that visit the page, Microsoft said in a blog posting.

"MS09-065, a bug in the Windows kernel, is this month's most serious issue," said Andrew Storms, director of security operations at nCircle. "The vulnerability allows for remote code execution, and the attack code can be embedded inside MS Office files or be hosted on websites. Simply browsing an infected website will compromise unsuspecting users -- not great for all the holiday shoppers looking to get a jump on their shopping. The novelty value of this bug is likely to attract many researchers. A lot of people will try to be the first to publicly post exploit code."

The two other critical bulletins fix holes in Web Services on Devices API and in License Logging Server. Two bulletins ranked "important" fix holes that pose risk of remote code execution if a user opened a maliciously crafted Excel or Word file.

"It is interesting that a new service that helps with the 'user experience' can cause so much harm," said Jason Miller, data and security team leader at Shavlik Technologies. "The WSDAPI service allows users to easily find devices such as printers and cameras on their network. This vulnerability is also not publicly known at this time."

Software affected by the patches includes Windows 2000, XP, Server 2003, Vista, Server 2008, Office XP, Office 2003, 2007 Microsoft Office System, Office 2004 for Mac, and Office 2008 for Mac, according to the bulletin.

Meanwhile, the Microsoft Malware Protection Center team added two rogue antivirus families to the Malicious Software Removal Tool -- Win32/FakeVimes, which calls itself "Windows System Defender" and "Windows Enterprise Suite," and Win32/PrivacyCenter, which calls itself "Safety Center."

(Credit: Microsoft)

Microsoft launched its new Forefront Protection 2010 antimalware for Exchange on Monday.

The company also announced at the TechEd Europe conference in Berlin the availability of Forefront Online Protection for Exchange designed for enterprise customers who want Microsoft to host the security solution.

Forefront Protection 2010 for Exchange incorporates malware engines from Microsoft and various partners, providing 38 times faster malware detection and decreasing spam to the point where only one out of 250,000 spam messages gets through, said Joel Sider, senior project manager for Microsoft's Infrastructure division.

Integration with Exchange provides the ability to scan messages and documents simultaneously, while built-in information protection with Active Directory rights management services give users and IT administrators more control over what e-mail and documents can do and who can receive them, he said.

The announcements were made in conjunction with the scheduled launch this week of Exchange 2010, the new version of Microsoft's e-mail and communications server.

Meanwhile, Microsoft said last month it was delaying the release of its Forefront Endpoint Protection 2010 for Windows desktops until the second half of next year.

The company will be rolling out over the next year all the pieces of its Forefront Protection Suite, formerly code-named "Stirling."

Update at 10:09 a.m. PST with comments from Microsoft.

Microsoft said on Thursday it will issue six patches next week for 15 vulnerabilities, including three critical bulletins affecting Windows and two important Office-related bulletins.

Affected software includes Windows 2000, XP, Server 2003, Vista, Server 2008, Office XP, Office 2003, 2007 Microsoft Office System, Office 2004 for Mac, and Office 2008 for Mac, the company said in an advisory.

November's Patch Tuesday is a contrast to the record number of fixes issued last month--13 bulletins for 34 vulnerabilities.

Updated 2:52 p.m. PST to correct that there will be six patches fixing 15 vulnerabilities.

Scammers are targeting social networks with phishing scams and relying more heavily on worms and Trojans to attack computers, according to security trend reports to be released Monday by Microsoft and McAfee.

Phishing attacks saw a big spike in May and June, primarily because of campaigns targeting social-networking sites, according to Microsoft's report covering the first half of 2009. Gaming sites, portals, and Web sites of banks and retailers were also popular targets for phishing attacks, the report said.

Trojans top the list of threats to computer security, according to Microsoft's latest Security Intelligence Report.

(Credit: Microsoft)

Trojans, including rogue security software, remained the most prevalent category of threats, while Microsoft statistics show that worms rose from fifth place in the second half of last year to become the second most prevalent category, led by Conficker and followed by Taterf, which targets multiplayer online role-playing games.

During the first half of the year, Microsoft detected and cleaned rogue security software--which displays false antivirus warnings to trick people into paying for software they don't need--from 13.4 million computers. That was down from 16.8 million computers in the second half of last year.

Most of the drive-by download pages are hosted on legitimate Web sites that have been compromised by attackers through intrusion or malicious code posted to a poorly secured Web form, such as a blog comment field. The Trojan Downloaders & Droppers category was the type of malware most often delivered in drive-by attacks, according to Microsoft.

The number of total unique vulnerability disclosures across the industry was down sharply from a year ago. While browser vulnerabilities increased slightly, application vulnerabilities dropped and operating system holes were flat, Microsoft said.

Microsoft software accounted for 6 of the top 10 browser-based holes attacked on Windows XP computers, compared with only one on Vista computers. Of the top 10 browser-based holes exploited on computers running Vista, 2 targeted Adobe Reader and the most significant one targeted Adobe Flash Player. In the third spot was an exploit aimed at Internet Explorer.

Infection rates for Windows Vista were significantly lower than Windows XP, while the rate for Windows Server 2008 was less than Server 2003.

Microsoft released 27 security bulletins in the first half of the year, addressing 85 individual vulnerabilities. Of those, 11 were exploited within the first 30 days after the release of the security bulletin.

As far as computer security consciousness, the U.S. is in the middle, according to George Stathakopoulos, general manager of Microsoft's Trustworthy Computing Group. Japan is at or near the top of the list and Germany is high up too, he said.

"We are average," he added. "We are not one of the cleanest countries, we are dead on in the middle."

McAfee's report showed the U.S. as the top country when it comes to the number of compromised computers that are zombies used in botnets to do things like send spam, followed by China and Brazil. The U.S. also is the top distributor of spam and has the most servers hosting malware, McAfee said.

Spam comprises 92 percent of all e-mail. It jumped 24 percent from a year ago, McAfee said.

Microsoft on Wednesday said it is fixing a bug in Bing that allowed spammers to bypass spam filters and distribute malicious links.

Researchers at Webroot Software discovered a spam campaign earlier this week that used the search engine's own redirection mechanism and a link-shrinking technique to send people to spam Web pages, according to a post on the Webroot threat blog.

The problem is with how Bing formats links in RSS feeds. The redirect from Bing to the spam site is not obfuscated, allowing scammers to append anything to the end of the Bing redirect URL and thus trick spam filters, said Andrew Brandt, a threat researcher at Webroot.

In the specific case, Webroot examined an RSS feed in Bing with a link that bounced through MySpace's link shrinker and landed on the spam Web page that looked like a news site customized to the user's geolocation and which offered vague work-from-home jobs.

Asked for comment, a Microsoft representative said late on Wednesday: "We were testing new features to improve the search experience for our customers, and during our testing, we found a bug that was causing this issue. We are taking immediate action and expect a fix in the next 48 hours."

Meanwhile, a MySpace representative had this to say when asked for comment: "The security of our users is a top priority for MySpace. With thousands of link-shortening systems available on the Internet, similar to MySpace's MSPLinks, it is critical that sites like Bing employ security measures such as the prevention of URL redirection."

Tuesday was the biggest Patch Tuesday ever as Microsoft released 13 bulletins for 34 vulnerabilities. But just because Microsoft issues patches, does that mean that users should apply them? Yes, says Ben Greenbaum, senior research manager for Symantec Security.

Greenbaum said that these patches impacted many Microsoft products, including Windows 7 that isn't even out yet.

Microsoft released a record number of 13 bulletins for 34 vulnerabilities on Patch Tuesday--and the first critical update for Windows 7--as well as fixes for zero-day flaws involving Server Message Block (SMB) and Internet Information Services (IIS).

The most severe of the three SMB flaws, which were first reported last month, could allow an attacker to take control of a computer remotely by sending a specially crafted SMB packet to a computer running the Server service. Exploit code for one of the SMB holes has been posted to the Web, Microsoft said.

Windows 7 is affected by two critical patches intended to mend vulnerabilities that could allow remote code execution if a malicious Web page were viewed, one part of a cumulative security update for Internet Explorer and the other in .Net Framework and Silverlight.

The official release date for Windows 7 is October 22, but the new operating system has been available to some large businesses with volume licenses since the summer. The code was finalized in July.

Other critical patches in the security bulletin for October fix a vulnerability in Windows Media Runtime that could be exploited if a user opened a malicious media file or received malicious streaming content from a Web site or application, and if a specially crafted ASF (Advanced Systems Format) file is played using Windows Media Player 6.4.

Among the critical updates: a cumulative security update of ActiveX Kill Bits that is being exploited and that affects ActiveX controls compiled using Active Template Library (ATL); and another patch resolving several vulnerabilities in ATL ActiveX Controls that could allow remote code execution if a user loaded a malicious component or control. ActiveX and ATLs were the subject of an emergency patch Microsoft released in July.

The final critical bulletin fixes a hole in Windows GDI+ (Graphics Device Interface) that could allow an attacker to take control of a computer if the user viewed a malicious image file using affected software or browsed a malicious Web page.

"Microsoft has repeatedly had to fix problems related to the Graphics Device Interface in Windows, and vulnerabilities in the component have been exploited broadly in the past. We can expect that security researchers will be looking to reverse-engineer today's patches, which may very well lead to exploits being created," said Dave Marcus, director of security research and communications at McAfee Labs.

Related "For the Record" podcast, with Symantec's Ben Greenbaum
Listen now: Download today's podcast

Nine of the vulnerabilities were previously disclosed, which meant that attackers had time to come up with so-called "zero-day" exploits before the patches were available, Marcus noted.

The most alarming vulnerability in the mix is the SMB flaw, which was introduced by the patch for a different vulnerability, according to Josh Phillips, virus researcher at Kaspersky Lab.

Andrew Storms, director of security operations at nCircle, said the bug that is likely to have the biggest impact will be the critical one that affects Windows Media Runtime and involves a speech codec bug that has limited exploits in the wild. "This is a typical file-parsing issue and similar to vulnerabilities that have allowed attackers to create drive-by attacks that infect unsuspecting video viewers," he said.

Meanwhile, the critical SMB vulnerability is relatively difficult to exploit given default firewall conditions, but the IIS bugs are easy to exploit, Storms added.

"The sheer volume of the bulletins and patches is extreme," said Jason Miller, senior data team leader for Shavlik Technologies. "This is really going to affect administrators. It's going to be very challenging because of the time and research that's going to be needed" to patch systems.

Also released were five bulletins rated "important" to fix vulnerabilities in IIS, for which exploit code has been publicly released and for which there have been limited attacks, along with Windows CryptoAPI, Windows Indexing Service, Windows Kernel, and Local Security Authority Subsystem Service.

The update for Windows CryptoAPI relates to flaws in the way domain names are verified on the Internet, which could allow attackers to impersonate a site and steal information from unsuspecting Web surfers. The holes were revealed by researchers Dan Kaminsky and Moxie Marlinspike at Defcon in August.

Affected software includes Windows 7; Windows 2000; Windows XP; Windows Vista; Server 2003 and 2008; Office XP, 2003, and 2007; Microsoft Office System; SQL Server 2000 and 2005; Silverlight; Visual Studio .Net 2003; Visual Studio 2005 and 2008; Visual FoxPro 8.0 and 9.0; Microsoft Report Viewer 2005 and 2008; Forefront Client Security 1.0; and Office software including Visio, Project, Word Viewer, and Works.

The installation also removes the Win/FakeScanti Trojan, which displays fake malware warnings and then asks computer users to pay for fake antivirus software.

(For more information and analysis from Symantec, listen to my colleague Larry Magid's podcast.)

Update: This story was updated at 2:15 p.m. PDT with additional comment and at 11:47 a.m. PDT with more details and reaction from experts.