
Security

Read all 'security patches' posts in Security
September 8, 2009 6:03 PM PDT

Microsoft: Windows 7 not affected by latest flaw

by Ina Fried

Microsoft issued a formal security advisory late Tuesday on a reported zero-day flaw in Windows Vista and Windows Server 2008. However, the software maker also said that the flaw does not affect the final version of Windows 7, contrary to earlier reports.

"Microsoft is investigating new public reports of a possible vulnerability in Microsoft Server Message Block (SMB) implementation," Microsoft said in the advisory. "We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time."

The flaw could allow an attacker to gain control of a system, although Microsoft said that "most attempts to exploit this vulnerability will cause an affected system to stop responding and restart."

The software maker said it is working with security software partners to provide information that can be used to create protections. Once its investigation is wrapped up, Microsoft said it will take action, which could include releasing a patch during its next monthly cycle or doing an "out-of-band" release, if necessary. Tuesday was Microsoft's monthly release for patches, which included five critical Windows updates addressing eight vulnerabilities.

The software maker said the latest issue affects the "release candidate" version of Windows 7, but not the final version that was completed in July. Also, the recently completed Windows Server 2008 R2 is not vulnerable, Microsoft said, nor are the earlier Windows XP and Windows 2000 operating systems.

Microsoft is already dealing with a separate, still unpatched flaw reported last week. Attacks have already been seen based on that vulnerability. Microsoft has taken issue with the fact that that flaw, like the latest one, was reported publicly as opposed to being privately disclosed to Microsoft, giving the company time to patch it.

Originally posted at Beyond Binary
September 8, 2009 10:24 AM PDT

Microsoft issues critical Windows patches

by Ina Fried

Microsoft on Tuesday issued five critical Windows-related updates as part of its monthly Patch Tuesday release.

While the issues affect different versions of Windows differently, Microsoft said none of the issues apply to the final version of Windows 7, which Microsoft wrapped up in July.

The five bulletins address eight vulnerabilities. According to Symantec Security Response research manager Ben Greenbaum, the two vulnerabilities most likely to be used by attackers involve the way Windows handles ASF and MP3 media files. "We've seen similar exploits in the past and all a user would have to do is visit a compromised Web site hosting one of these malicious files, which could be an MP3, WMA or WMV file, and they could become infected."

McAfee Avert Labs director Dave Marcus said that two of the flaws, in particular, relate to serious security vulnerabilities in the networking components of Windows Vista, Windows Server 2008 and Windows Server 2003 that could allow malicious software to spread from one PC to another.

"These vulnerabilities are the most likely to be exploited by malicious code and are two of the best worm candidates that we've seen since Conficker," Marcus said in a statement. "That said, all of today's security bulletins address vulnerabilities that could allow an attacker to take complete control of a vulnerable PC."

In addition, Microsoft said it is re-releasing a bulletin from last month to address an additional control found to be vulnerable to an issue with the Microsoft Active Template Library.

Greenbaum noted that Microsoft has yet to issue a patch for a zero-day flaw in Internet Information Services that was made public last week. "Until a patch for this is issued, as a temporary workaround we suggest IT administrators using IIS 5.0 and 6.0 turn off anonymous write access immediately," Greenbaum said. "We also recommend using a firewall and restricting access to creating directories. Those using IIS 7.0 with FTP Service version 6.0 installed should upgrade to FTP Service version 7.5."

There are already some attacks being seen based on that flaw.

"While the company will not release an update this month, it will do so once it has reached an appropriate level of quality for broad distribution," Microsoft said.

Meanwhile, Microsoft said Tuesday that it is investigating another zero-day issue, this one a reported flaw in Windows Vista and Windows 7.

As for the patches Microsoft did release on Tuesday, Qualys CTO Wolfgang Kandek noted that some of the bulletins are interesting in that they either affect only newer operating systems or are more critical on later versions--the reverse of what is normally the case. Overall, he said, five Windows patches should keep IT workers busy.

"Due to the criticality of the patches and wide coverage of the operating system, this will be a busy day for IT administrators," Kandek said in an e-mail.

Originally posted at Beyond Binary
August 11, 2009 11:06 AM PDT

Office, Windows get critical patches

by Ina Fried

Microsoft on Tuesday released nine patches, five of them critical, to plug holes in Windows and other software products.

The nine patches actually relate to 19 separate vulnerabilities in Windows, the .Net Framework, Microsoft Office, Microsoft Visual Studio, Microsoft ISA Server, Microsoft BizTalk Server, and Remote Desktop Client for Mac.

Among the issues addressed is one that Microsoft warned about last month--a vulnerability related to the Office Web Components that help users put spreadsheets, charts, and other documents onto the Web. At the time, Microsoft said it was already seeing attacks based on the flaw, which affects Office XP, Office 2003, Internet Security and Acceleration Server 2004 and 2006, as well as Office Small Business Accounting 2006.

More information on that issue and the others addressed with this month's patches is available in a bulletin on Microsoft's Web site.

As is its practice, Microsoft said last week that the patches were coming.

Symantec senior research manager Ben Greenbaum noted that many of the vulnerabilities this month related to so-called ActiveX controls and added that many of the holes could be exploited just by getting a user to visit a Web page that has malicious code.

"All of the ActiveX issues patched this month could be easily exploited and can impact even the average computer user," Greenbaum said in an e-mail. "For example, any user who has Microsoft Office on their machine could be vulnerable to the Microsoft Office Web Components vulnerabilities. Similarly, every user with Windows XP SP3 or Vista could also be susceptible to one of the Remote Desktop Connection issues."

Actually, not all versions of Office are affected, as the Web components issue does not affect the latest version--Office 2007. For a list of Office programs affected, see this security bulletin.

In any case, McAfee and Lumension both noted that it continues to be a long, hard summer for IT professionals who have had to deal with a large number of regular patches and some unscheduled ones as well from Microsoft and others.

"There's no break from patching this summer," McAfee Avert Labs' Dave Marcus said in a statement. "Microsoft is playing catchup with these patches as cybercriminals have already used some of the serious vulnerabilities to commandeer vulnerable Windows computers."

Lumension analyst Paul Henry said there had been some fear that the patches would go further, addressing some kernel-level issues. But even still, he said the latest crop of patches will bring their fair share of headaches.

"After a summer of heavier-than-normal Patch Tuesdays, the last thing IT workers need is yet another large batch of patches from Microsoft," Henry said in a statement. "Unfortunately, that is exactly what we got today as Microsoft released a total of nine security updates, five of which are critical and seven of which require disruptive restarts."

Originally posted at Beyond Binary
June 18, 2009 9:26 AM PDT

Apple: iPhone OS 3.0 plugs 46 security bugs

by David Martin

Apple has issued an advisory regarding security enhancements included in the iPhone OS 3.0 release Wednesday.


Here is a synopsis of the 46 iPhone security vulnerabilities addressed by the latest operating-system update for the iPhone and iPod Touch. As may be expected, many of these security patches focus on the Web-browsing framework WebKit.

CoreGraphics Changes to CoreGraphics prevent maliciously crafted image and PDF files from causing unexpected application termination or arbitrary code execution; vulnerabilities causing the same problems in FreeType v2.3.8 were also patched.

Exchange Changes were made to prevent a user from connecting to a malicious Exchange server that could lead to the disclosure of sensitive information by adding improvements to the handling of untrusted certificate exceptions.

ImageIO Changes to ImageIO prevent the use of maliciously crafted PNG images from causing unexpected application termination or arbitrary code execution.

International Components for Unicode Changes to ICU prevent maliciously crafted content from bypassing Web site filters and resulting in cross-site scripting.

IPSec Changes to IPSec patch multiple vulnerabilities in the racoon daemon that may lead to a denial-of-service attack.

Libxml Changes to XML library Libxml patch multiple vulnerabilities in Libxml2 version 2.6.16.

Mail Changes were made to the Mail app to give users control over the loading of remote images in HTML messages. Additionally, the app was changed to prevent an application from causing an alert to appear that may be used to initiate a phone call without user interaction.

MPEG-4 Video Codec Changes to the MPEG-4 Video Codec will prevent the viewing of maliciously crafted MPEG-4 video files that may lead to an unexpected device reset.

Profiles Changes to Profiles will prohibit the installation of a configuration profile that may weaken the passcode policy defined by Exchange ActiveSync.

Safari Changes to Safari support clearing Safari's history via the Settings application; the search history is now actually removed, which prevents its disclosure to a person with physical access to the device. Additionally, a patch prevents a maliciously crafted Web site a user interacts with from triggering unexpected actions on another site, as in "clickjacking."

Telephony Changes to Telephony address a problem in which a remote attacker may cause an unexpected device reset.

WebKit Changes to Web-browsing framework WebKit were very numerous in this release, given how popular the iPhone has become for Web use. They included many fixes to prevent arbitrary code or script execution, when visiting maliciously crafted Web sites. Some of these vulnerabilities could lead to app crashes and unexpected device resets, or the disclosure of sensitive information.

Previous coverage: Security updates in iPhone OS 2.2.

Originally posted at iPhone Atlas
May 12, 2009 10:39 AM PDT

Microsoft patches critical PowerPoint hole

by Ina Fried

Microsoft on Tuesday released a patch aimed to fix a critical vulnerability in PowerPoint that had already led to exploits.

The vulnerability is listed as critical for Office 2000, but rated only as important for Office XP, Office 2003, and Office 2007. However, the hole had already formed the basis of targeted attacks, prompting Microsoft to issue a warning last month.

Although Microsoft says the hole is now patched in the Windows version of PowerPoint, the software maker said it is still working on fixes for the Mac version of Office as well as for Microsoft Works, the company's entry-level productivity suite.

"The updates for Office for Mac and Microsoft Works 8.5 and 9.0 users are still in development," Microsoft security response communications lead Christopher Budd said in a statement. "Microsoft plans to issue updates for this software when testing is complete and we can ensure high quality. We are releasing this security update on an incremental basis because of active targeted exploitation toward Windows platform users."

Without the patch, the vulnerability can be exploited by getting a person to open a PowerPoint file rigged for the attack, Microsoft has said. When the file is opened, PowerPoint will access an invalid object in memory. That then allows an attacker to remotely execute code on the system.

The fix was released as part of the company's regularly scheduled monthly Patch Tuesday.

The software maker said that with the update, the ability to open PowerPoint 4.0 file formats will be disabled by default in Microsoft Office PowerPoint 2000 and Microsoft Office PowerPoint 2002. (Microsoft has already disabled that option by default in PowerPoint 2003 Service Pack 3 and that capability does not exist in PowerPoint 2007.)

Microsoft said that the vulnerability is not rated critical for PowerPoint 2002 and later versions because they prompt a user before opening a document, meaning that the vulnerability "requires more than a single user action to complete the exploit."

Symantec said in a statement that the PowerPoint fix related largely to flaws in older file formats. "Because taking advantage of these vulnerabilities requires a user to open a maliciously crafted PowerPoint file, e-mail is likely the most probable method attackers would use to try and exploit these," said Alfred Huger, vice president of Symantec Security Response, in a statement. "Another possibility is for an attacker to lure a victim into downloading the file from a misleading or compromised Web site. At that point, the attacker would then have complete control over everything the user's account has permission to do on the system."

One security analyst warned that corporate IT staff should be paying attention not just to Microsoft, but also to a variety of security updates being issued by other software makers.

"Although Microsoft only dropped one patch for PowerPoint this month, IT administrators shouldn't get the wrong impression and breathe easy given the light load," said Lumension security analyst Paul Henry. "In addition to Microsoft, other vendors including Google, F-Secure, Adobe, HP, Symantec and Mozilla (to name a few) released a slew of patches for popular software applications."

Henry posted a list of the other updates and blogged on the subject.

"It is important to remember that historically, popular applications and files like Adobe PDF files or Word, Excel or PowerPoint files have been great vehicles for targeted attacks because those attachments are so socially acceptable and are simply expected attachments within corporate email," Henry said. "While we are relieved about the PowerPoint patch, we live in an environment where compromised applications have now become a delivery mechanism for additional downloaded and executed malware such as key-loggers and rootkits. The most effective risk mitigation, therefore, continues to be application control to prevent a compromised application from downloading and running any unauthorized software (including malware) on a user's PC."

Originally posted at Beyond Binary
March 13, 2009 6:17 PM PDT

Microsoft, researcher spar over security patch

by Elinor Mills

On Tuesday, Microsoft released a patch for a hole in Windows 2000 and Server 2003 and 2008 that could allow an attacker to redirect network traffic to a malicious site that has been set to serve as a proxy.

The feature at issue is Web Proxy Auto-Discovery, or WPAD, which lets IT managers publish a WPAD entry in the DNS. If IE or Firefox is configured to "automatically detect settings," the browser looks that name up and sends its Web traffic through the machine it points to as a proxy. Microsoft rated the vulnerability important.

This is a useful feature for corporations that want to set up their own proxy server for monitoring employee Web use and for security purposes. But it also could allow for a man-in-the-middle type of attack if an outsider were able to set the WPAD entry through a dynamic DNS update so that the traffic is diverted to a malicious IP address.

The patch solves the problem for systems with no WPAD entry in the DNS, by blocking future queries for WPAD. But for systems with a WPAD entry, the patch does nothing.

IT managers who install the patch could be given a false sense of security that any compromised systems have been fixed, said Tyler Reguly, senior security research engineer at nCircle, who contacted Microsoft and wrote a blog post about his concerns the same night Microsoft released its update.

In a blog post the following day, Reguly said a Microsoft representative told him the company chose to leave existing WPAD entries untouched because it is not possible to differentiate legitimate WPAD entries from ones loaded by an attacker.

But Microsoft could at least have included a pop-up message in that instance, warning users that the DNS has a WPAD entry, and maybe even ask if they want to keep it or block it, Reguly said.

"I understand the need to preserve functionality, but not at the cost of sweeping security issues under the rug," he wrote.

In response to the concerns, Microsoft issued a more detailed technical note on the update on Friday that said the company didn't want to impair functionality and chose not to risk breaking any administrator configurations in the possibility that the WPAD was not legitimate, even if it means an attack would continue to be effective.

"This is indeed not a scenario the security update, or any security update released by Microsoft aims to address," the Microsoft note says. "Security updates are intended to help protect the system against future exploitation, and don't aim to undo any attack that has taken place in the past."

The note then provides instructions for how an administrator can validate the IP address assigned to the WPAD entry in the DNS.
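The check Microsoft's note describes can be scripted. The following is an added example, not code from the article, from Microsoft or from nCircle: it enumerates the names a WPAD client would query for a given DNS suffix (a simplified model of Windows' suffix devolution, ignoring the DHCP option that real clients consult first), resolves each through a pluggable resolver, and flags any answer that is not an approved proxy. The suffix corp.example.com, the approved proxy 10.0.0.5, the rogue address 203.0.113.7 and the records in FAKE_ZONE are all assumptions constructed for the illustration.

```python
"""Audit DNS for WPAD (Web Proxy Auto-Discovery) entries.

Added example, not from the CNET article or Microsoft's technical note.
Assumptions: the client DNS suffix is corp.example.com, the only approved
proxy is 10.0.0.5, and the constructed FAKE_ZONE stands in for live DNS so
the audit runs offline.
"""
import socket
from typing import Callable, Dict, List, Optional

# Constructed DNS answers. The entry at the parent domain is the kind of
# record an attacker could plant with a dynamic DNS update: clients whose
# own suffix has no wpad record devolve to the parent and find this one.
FAKE_ZONE: Dict[str, str] = {
    "wpad.corp.example.com.": "10.0.0.5",   # legitimate, published by IT
    "wpad.example.com.": "203.0.113.7",     # rogue, points at an attacker proxy
}

Resolver = Callable[[str], Optional[str]]


def wpad_candidates(dns_suffix: str) -> List[str]:
    """Names a WPAD client tries, in order: wpad.<suffix>, then the suffix
    with its leftmost label removed each time (suffix devolution).  This is
    a simplified model that stops before the top-level label."""
    labels = dns_suffix.strip(".").split(".")
    names: List[str] = []
    while len(labels) >= 2:
        names.append("wpad." + ".".join(labels) + ".")
        labels = labels[1:]
    return names


def fake_resolver(name: str) -> Optional[str]:
    """Offline resolver over the constructed zone."""
    return FAKE_ZONE.get(name)


def live_resolver(name: str) -> Optional[str]:
    """Lookup through the system resolver (needs network; not used offline)."""
    try:
        return socket.gethostbyname(name.rstrip("."))
    except socket.gaierror:
        return None


def audit_wpad(dns_suffix: str, approved_proxies: set,
               resolve: Resolver = fake_resolver) -> List[dict]:
    """Resolve every candidate name and classify the answer.

    'absent'     - no record; the case the patch protects by blocking queries
    'ok'         - the record points at an approved proxy
    'UNEXPECTED' - a record nobody in IT published; investigate it"""
    findings = []
    for name in wpad_candidates(dns_suffix):
        ip = resolve(name)
        if ip is None:
            status = "absent"
        elif ip in approved_proxies:
            status = "ok"
        else:
            status = "UNEXPECTED"
        findings.append({"name": name, "ip": ip, "status": status})
    return findings


def rogue_entries(findings: List[dict]) -> List[str]:
    """Names whose WPAD answer is not an approved proxy."""
    return [f["name"] for f in findings if f["status"] == "UNEXPECTED"]


if __name__ == "__main__":
    for f in audit_wpad("corp.example.com", {"10.0.0.5"}):
        print(f"{f['status']:10} {f['name']:28} {f['ip']}")
```

Run it with live_resolver for every suffix in the clients' search list, and run it on a schedule rather than once: as the article notes, the patch leaves existing entries alone, and a dynamic update can recreate a rogue record after a one-time cleanup.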

In a telephone interview with CNET News late on Friday, Reguly remained disappointed with how Microsoft implemented its fix for the problem.

"They could have done things to mitigate the fact that they chose function over security," he said. "They also could have modified DNS so you couldn't do dynamic updates with WPAD."

March 10, 2009 10:41 AM PDT

Microsoft plugs remote execution, spoofing holes in Windows

by Elinor Mills

Updated 11:15 a.m. PST with more information, security expert comments.

Microsoft on Tuesday issued patches for critical holes in all supported versions of Windows that could allow an attacker to take over a system by executing code remotely if the user viewed a maliciously crafted image file.

The patch for Windows 2000, XP, Vista, Server 2003, and Server 2008, plugs a vulnerability (MS09-006) that affects images created with the Enhanced MetaFile (EMF) or Windows MetaFile (WMF) display formats, according to Microsoft's advisory.

"An attacker can send you an e-mail with an infected image in it or you can go to a Web site with an infected image or get it elsewhere, from a thumbdrive," said Wolfgang Kandek, chief technology officer of Qualys, which helps companies with security risk and compliance.

Attackers can also disguise .WMF and .EMF files as other image file types, such as .JPG, in order to sneak them past cautious users, said Alfred Huger, vice president of development at Symantec Security Response.
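The disguise Huger describes works because the renderer trusts the bytes, not the extension, so a scanner has to do the same. The following is an added example, not code from Symantec, Qualys or Microsoft: it recognizes the WMF and EMF headers (the placeable-WMF key 0x9AC6CDD7, the standard WMF header fields, and the "EMF " signature at offset 40 of an enhanced-metafile header), compares the result with what the file name claims, and flags metafiles that arrive under another image extension. The sample byte strings are constructed headers padded with zeros, not real files.

```python
"""Detect WMF/EMF metafiles hiding behind another image extension.

Added example, not from the CNET article or any vendor cited in it.
The sample byte strings below are constructed, not real files.
"""
import os
import struct
from typing import Dict, Optional

PLACEABLE_WMF_KEY = 0x9AC6CDD7   # first 4 bytes of a placeable WMF (D7 CD C6 9A on disk)
EMF_SIGNATURE = 0x464D4520       # 'EMF ' stored at offset 40 of an enhanced-metafile header

EXTENSION_CLAIMS: Dict[str, str] = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".wmf": "wmf", ".emf": "emf",
}


def sniff_image(data: bytes) -> Optional[str]:
    """Identify an image by its header bytes, the way a rendering library
    would; return None for anything unrecognized."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_WMF_KEY:
        return "wmf"
    if len(data) >= 44:
        record_type = struct.unpack("<I", data[:4])[0]
        signature = struct.unpack("<I", data[40:44])[0]
        if record_type == 1 and signature == EMF_SIGNATURE:   # EMR_HEADER + 'EMF '
            return "emf"
    if len(data) >= 6:
        mt_type, header_size, version = struct.unpack("<HHH", data[:6])
        if mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "wmf"       # standard (non-placeable) WMF header
    return None


def check_file(name: str, data: bytes) -> dict:
    """Compare the extension's claim with the content; a metafile under a
    non-metafile extension is exactly the disguise attackers use."""
    claimed = EXTENSION_CLAIMS.get(os.path.splitext(name)[1].lower())
    actual = sniff_image(data)
    disguised = actual in ("wmf", "emf") and claimed not in ("wmf", "emf")
    return {"name": name, "claimed": claimed, "actual": actual,
            "disguised_metafile": disguised}


# Constructed samples: headers only, padded with zeros.
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 60
PLACEABLE_WMF = struct.pack("<I", PLACEABLE_WMF_KEY) + b"\x00" * 60
STANDARD_WMF = struct.pack("<HHH", 2, 9, 0x0300) + b"\x00" * 58
EMF = (struct.pack("<II", 1, 108) + b"\x00" * 32
       + struct.pack("<I", EMF_SIGNATURE) + b"\x00" * 64)

SAMPLES: Dict[str, bytes] = {
    "holiday.jpg": REAL_JPEG,
    "holiday2.jpg": PLACEABLE_WMF,   # WMF renamed to .jpg
    "logo.gif": STANDARD_WMF,        # non-placeable WMF renamed to .gif
    "chart.jpeg": EMF,               # EMF renamed to .jpeg
    "diagram.emf": EMF,              # honest EMF, not flagged
}


def scan(samples: Dict[str, bytes]) -> list:
    """Check every (name, bytes) pair and return the per-file verdicts."""
    return [check_file(n, d) for n, d in samples.items()]


if __name__ == "__main__":
    for r in scan(SAMPLES):
        flag = "DISGUISED" if r["disguised_metafile"] else "ok"
        print(f"{flag:10} {r['name']:14} claims={r['claimed']} actual={r['actual']}")
```

The same sniffing belongs at the mail gateway and the Web proxy, which is where Kandek's three delivery paths (e-mail, Web site, removable media) can still be filtered before a user's image viewer ever sees the bytes.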

Also released on Patch Tuesday were two updates rated "important" that affect the same systems and close holes that could be used by an attacker to masquerade as someone else in a spoofing attack.

One of the important patches, which affects Windows 2000, Server 2003, and Server 2008, resolves two privately reported vulnerabilities and two publicly disclosed vulnerabilities in Windows DNS server and Windows WINS (Windows Internet Name Server). The holes could allow an attacker to redirect network traffic intended for systems on the Internet to a malicious site, according to the advisory.

The second important patch, which affects all supported versions of Windows, (MS09-007) resolves a vulnerability in the Secure Channel security package in Windows. It could allow an attacker to gain access to the certificate used by the end user for authentication. Customers are affected only when the public key component of the certificate used has been accessed by some other means, Microsoft said.

Kandek of Qualys said the risk is minimized by the fact that not many corporations seem to use the technology involved much.

Microsoft has yet to provide a fix for a security vulnerability in Excel from last month, for which there have been zero-day exploits, nor for a zero-day WordPad vulnerability from December.

March 5, 2009 1:00 PM PST

Microsoft to release three security updates Tuesday

by Elinor Mills

Microsoft said Thursday it will release three security updates on this coming Patch Tuesday, including one that is rated "critical" and could allow an attacker to take over the computer.

The critical update affects Windows 2000, XP, Vista and Server 2003 and 2008, the company said in an advisory.

The other two updates are rated "important" and could be used for spoofing, in which an attacker is able to masquerade as someone else. One of the patches affects all supported versions of Windows and the second affects Windows 2000, Server 2003, and Server 2008.

Missing from the security updates is a fix for a security vulnerability in Excel, for which there have been zero-day exploits.

February 10, 2009 11:49 AM PST

Microsoft patches four critical IE, Exchange holes

by Elinor Mills
Updated at 12:30 p.m. PST with nCircle comment.

Microsoft on Tuesday released security updates that fix four critical vulnerabilities in Internet Explorer and Exchange Server that could allow an attacker to take control of an affected computer remotely.

Microsoft Security Bulletin MS09-002 plugs two critical holes in IE that could allow remote code execution if an IE user views a Web page that has malicious code, according to Microsoft's notification.

"Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," the bulletin said.

Security Bulletin MS09-003 fixes two critical vulnerabilities in Exchange Server. One could allow for remote code execution if a maliciously crafted TNEF (Transport Neutral Encapsulation Format) message is sent to an Exchange Server and could allow an attacker to take complete control of the system with Exchange Server service account privileges. The second hole could allow for a denial of service attack if a maliciously crafted MAPI (Messaging Application Programming Interface) command is sent to an Exchange Server.

Security Bulletin MS09-004 fixes an important remote code execution vulnerability in SQL Server that could be exploited if untrusted users access an affected system or if a SQL injection attack occurs. The vulnerability was discovered in December.

And Security Bulletin MS09-005 closes three important vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a maliciously crafted Visio file. An attacker could then steal data and make changes to accounts with full user rights.

The updates affect Internet Explorer 7, Windows XP Professional Edition, Windows Vista, Exchange 2000 Server, Exchange Server 2003 and 2007, SQL Server 2000 and 2005 and Office Visio 2002, 2003 and 2007.

Andrew Storms, director of security operations for security firm nCircle, predicted that while there were no known exploits for the Exchange vulnerability, attackers were likely working on them.

"All kinds of highly confidential and proprietary information pass through an Exchange server every day," he said in a statement. "Gaining control over it and its content would be a goldmine to any cybercriminal."

Meanwhile, the IE update is less critical because it requires action on the part of the user, Storms added.

As it always does, Microsoft had provided advance notification last week that it would have four security updates on Patch Tuesday.


February 5, 2009 1:46 PM PST

Microsoft to release four security patches on Tuesday

by Elinor Mills
Microsoft will be releasing four security updates on Tuesday, including two that are critical affecting Windows, Internet Explorer, and Microsoft Exchange Server, the company said on Thursday.

The critical updates affect Windows Internet Explorer 7, Windows XP Professional Edition, Windows Vista, Microsoft Exchange 2000 Server, Exchange Server 2003 and Exchange Server 2007, according to the alert.

Two other updates rated important affect SQL Server 2000, SQL Server 2005 and Office. The vulnerabilities could allow for an attacker to remotely execute code on an unpatched system.

Microsoft will release the security updates on Patch Tuesday, the second Tuesday of the month. The company provides advance notification for customers to alert them as to the software affected but keeps the details vague to prevent exploits from being developed.
