Microsoft Patch Tuesday: February 2007
<p>Anybody remember when RTF files were just innocent little things? They were like the big brother of the .txt file, or .txt v2, if you will. Just characters on a screen, but some of them might be in different fonts or colors or sizes, with maybe the occasional clipart. Who would have guessed they would turn out to be the most hostile files on the Internet this month? "When RTFs Go Bad!…" Okay, perhaps I’m exaggerating, but this month Microsoft is patching no fewer than three vulnerabilities, in separate components, that can be exploited via malicious RTF files containing OLE objects.</p>
<p>Several of this month’s patches address issues that have been exploited already in limited-distribution, targeted attacks. The combination of target-specific social engineering and privately held vulnerability information is becoming more and more widely adopted by attackers with political and industrial motivations. While the "new breed" of cybercriminals wants to cast as wide a net as possible, we cannot forget that there are also still those who have specific targets and goals in mind.</p>
<p>In addition to those client-side vulnerabilities, we have a number of other client-side issues resolved this month, as well as two local privilege escalation issues, and one vulnerability that could be client-side or fully remote, depending on the vector chosen by the attacker. This last one is actually our highest-urgency patched Microsoft vulnerability this month, and the only one that can be exploited remotely with no user interaction.</p>
<p>The overwhelming majority of this month’s patches being "client-side" got me thinking. Anecdotally, we all know that Microsoft has been patching more and more client-side issues lately. I had to wonder, though, how many more? How rapid has this rise been, and when did it start? Luckily, I have the Symantec/SecurityFocus Vulnerability Database handy, and I decided to do some digging.</p>
<p>I should point out that the figures below illustrate patched vulnerabilities, not patches per se. If fixing one vulnerability requires four patches, one for each affected platform, then that counts as one. If one patch addresses three vulnerabilities, then that counts as three. Additionally, just to avoid bickering later, for this experiment "client-side" means "requiring that a user be present and take some action, be that clicking on a URL, opening an attachment, or otherwise." I rather arbitrarily chose to start the count on New Year’s Day 2004.</p>
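<p>To make the counting rules above concrete, here is an added example (not part of the original post) that applies them: vulnerabilities are deduplicated across per-platform patches, a multi-vulnerability patch counts once per vulnerability, and the client-side share per quarter is what figure 2 plots. The bulletin IDs, vulnerability IDs and dates in <code>SAMPLE_PATCHES</code> are constructed sample data, not records from the Symantec/SecurityFocus database.</p>

```python
"""Count patched vulnerabilities per quarter and the client-side share.

Added example, not part of the original Symantec post. Counting rules follow
the post: one vulnerability fixed by several per-platform patches counts once;
one patch fixing several vulnerabilities counts once per vulnerability;
"client-side" means a user must be present and act (click a URL, open a file).
"""
from collections import defaultdict
from datetime import date

# Constructed sample records (IDs and dates invented for illustration):
# (patch id, vulnerability id, release date, client-side?)
SAMPLE_PATCHES = [
    ("P-0", "V-099", date(2003, 12, 9), True),    # before the 2004-01-01 cut-off
    ("P-1", "V-100", date(2004, 1, 13), False),   # one vuln, one patch
    ("P-2", "V-101", date(2004, 2, 10), True),    # one vuln, four platform patches
    ("P-3", "V-101", date(2004, 2, 10), True),
    ("P-4", "V-101", date(2004, 2, 10), True),
    ("P-5", "V-101", date(2004, 2, 10), True),
    ("P-6", "V-102", date(2004, 4, 13), True),    # one patch, three vulns
    ("P-6", "V-103", date(2004, 4, 13), True),
    ("P-6", "V-104", date(2004, 4, 13), False),
]


def quarter_of(d):
    """Return a 'YYYY-Qn' label for a date."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def count_by_quarter(records, start=date(2004, 1, 1)):
    """Return {quarter: (total, client_side)}, counting vulnerabilities, not patches.

    A vulnerability is attributed to the quarter of its earliest patch, so
    later re-releases for other platforms never count it again.
    """
    first_seen = {}  # vulnerability id -> (earliest release date, client-side flag)
    for _patch, vuln, released, client in records:
        if released < start:
            continue
        if vuln not in first_seen or released < first_seen[vuln][0]:
            first_seen[vuln] = (released, client)
    counts = defaultdict(lambda: [0, 0])
    for released, client in first_seen.values():
        bucket = counts[quarter_of(released)]
        bucket[0] += 1
        if client:
            bucket[1] += 1
    return {q: tuple(v) for q, v in sorted(counts.items())}


def client_side_share(counts):
    """Return {quarter: client-side percentage}, the quantity plotted in figure 2."""
    return {q: round(100.0 * client / total, 1)
            for q, (total, client) in counts.items() if total}


if __name__ == "__main__":
    by_quarter = count_by_quarter(SAMPLE_PATCHES)
    share = client_side_share(by_quarter)
    for q, (total, client) in by_quarter.items():
        print(f"{q}: {total} vulnerabilities, {client} client-side ({share[q]}%)")
```

<p>Run on the sample records this yields two vulnerabilities in 2004-Q1 (one client-side) and three in 2004-Q2 (two client-side); the four platform patches for V-101 collapse to a single count, and the 2003 record is dropped by the cut-off.</p>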
<p><img alt="MSpatch1.jpg" src="http://www.symantec.com/enterprise/security_response/weblog/upload/2007/02/MSpatch1.jpg" width="305" height="361" /></p>
<p><strong>Figure 1: All patched Microsoft vulnerabilities</strong></p>
<p>It might look like we’re getting off easy this quarter, but remember we’re only two thirds of the way through it! You can also see that the bulk of the area, especially in 2006, is made up of client-side fixes. To make this clearer, I regraphed it as a percentage (figure 2). </p>
<p><img alt="MSpatch2.jpg" src="http://www.symantec.com/enterprise/security_response/weblog/upload/2007/02/MSpatch2.jpg" width="370" height="433" /></p>
<p><strong>Figure 2: Client-side vulnerabilities as percentage of all Microsoft vulnerabilities patched</strong></p>
<p>So there you have it: a marked increase in the attention being paid by Microsoft to client-side vulnerabilities. Most practitioners already knew this, and therefore I didn’t think it was worthy of a blog entry on its own, but seeing the actual numbers does make an interesting tangent from the monthly patch list.</p>
<p>And now, on with our regularly scheduled program, starting with this month’s only (even potentially) truly remotely exploitable vulnerability…</p>
<p><br />
<strong><a href="http://www.microsoft.com/technet/security/Bulletin/MS07-010.mspx">MS07-010</a>; <a href="http://support.microsoft.com/kb/932135">KB932135</a>: Vulnerability in Microsoft AntiVirus Engine Could Allow Remote Code Execution </strong></p>
<p><strong>• Microsoft AntiVirus Engine Remote Code Execution Vulnerability</strong></p>
<p><a href="http://www.securityfocus.com/bid/22479">BID 22479</a>; CVE-2006-5270 (Symantec Urgency Rating: 8.9/10; MS Rating: Critical)<br />
This vulnerability could allow a remote attacker to send a malicious PDF file that will execute attacker-supplied code at the privilege level of the application that includes the engine. Potentially affected applications are: Windows Live OneCare, Microsoft Antigen 9.x, Microsoft Windows Defender, Microsoft ForeFront Security for Microsoft Exchange Server 1.x, and Microsoft ForeFront Security for SharePoint Server 1.x.</p>
<p>The PDF could arrive via any number of means including but not limited to email, P2P file transfer, Web downloads etc. In the event of exploitation via an email gateway scanner, no user interaction would be required.</p>
<p><br />
<strong> <a href="http://www.microsoft.com/technet/security/Bulletin/MS07-014.mspx">MS07-014</a>; <a href="http://support.microsoft.com/kb/929434">KB929434</a> : Vulnerabilities in Microsoft Word Could Allow Remote Code Execution</strong></p>
<p>This patch addresses six distinct vulnerabilities in Word versions from 2000 to the present. The first three of these vulnerabilities have seen active exploitation already in the wild.</p>
<p><strong>• Microsoft Word Malformed String Vulnerability</strong></p>
<p><a href="http://www.securityfocus.com/bid/21451">BID 21451</a>; CVE-2006-5994 (Symantec Urgency Rating: 8.5/10; MS Rating: Critical)<br />
This is the vulnerability that was exploited by <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2006-121311-5725-99">Trojan.Mdropper.T</a> in December of 2006 and first alluded to by Microsoft in an <a href="http://www.microsoft.com/technet/security/advisory/929433.mspx">advisory released December 5</a>. The exploit file was used to drop a keylogger on compromised systems.</p>
<p><strong>• Microsoft Word 2000 Unspecified Code Execution Vulnerability</strong></p>
<p><a href="http://www.securityfocus.com/bid/22225">BID 22225</a>; CVE-2007-0515 (Symantec Urgency Rating: 8.5/10; MS Rating: Critical)<br />
Hostile functions in Word documents can execute arbitrary code. Exploitation of this issue was first observed in the second half of January, as <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2007-011813-0435-99&tabid=1">Trojan.Mdropper.W</a>, which was seen dropping a combination of back doors and downloaders. For a detailed explanation and a video of the exploitation, please see this <a href="http://www.symantec.com/enterprise/security_response/weblog/2007/01/watch_the_exploit_a_targeted_a.html">blog entry</a>. </p>
<p><strong>• Microsoft Word Malformed Data Structures Vulnerability</strong></p>
<p><a href="http://www.securityfocus.com/bid/21518">BID 21518</a>; CVE-2006-6456 (Symantec Urgency Rating: 8.5/10; MS Rating: Important)<br />
This vulnerability was also exploited in the wild to drop additional malcode onto victims' computers, this time by <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2007-013010-5422-99">Trojan.Mdropper.X.</a> The payloads of this exploit also tended to be back doors and keylogger programs.</p>
<p><strong>• Microsoft Word Code Execution Vulnerability</strong></p>
<p><a href="http://www.securityfocus.com/bid/21589">BID 21589</a>; CVE-2006-6561 (Symantec Urgency Rating: 8.5/10; MS Rating: Important)<br />
Exploits for this vulnerability are publicly available.</p>
<p><strong>• Microsoft Word Macro Permissions Bypass Arbitrary Code Execution Vulnerability</strong></p>
<p><a href="http://www.securityfocus.com/bid/22477">BID 22477</a>; CVE-2007-0208 (Symantec Urgency Rating: 8.5/10; MS Rating: Important)<br />
This vulnerability allows hostile macros in Word documents to bypass Microsoft's security checking. Successful exploitation of this issue could allow a hostile macro to execute arbitrary code.</p>
<p><strong>• Microsoft Word Malformed Drawing Object Arbitrary Code Execution Vulnerability</strong></p>
<p><a href="http://www.securityfocus.com/bid/22482">BID 22482</a>; CVE-2007-0209 (Symantec Urgency Rating: 8.5/10; MS Rating: Critical)<br />
The code that handles drawing objects in Word files can be exploited to run attacker-supplied code.</p>
<p> <br />
<strong><a href="http://www.microsoft.com/technet/security/Bulletin/MS07-015.mspx">MS07-015</a>; <a href="http://support.microsoft.com/kb/932554">KB932554</a>: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution</strong></p>
<p>This update addresses two vulnerabilities in Office, and replaces MS06-062 as well.</p>
<p><strong>• Microsoft PowerPoint Record Improper Memory Access Remote Code Execution Vulnerability</strong></p>
<p><a href="http://www.securityfocus.com/bid/20325">BID 20325</a>; CVE-2006-3887 (Symantec Urgency Rating: 7.1/10; MS Rating: Critical)<br />
This update addresses the same vulnerability that was originally addressed by MS06-058. After further post-release investigation, Microsoft determined that the original patches did not adequately block all potential exploitation vectors.</p>
<p><strong>• Microsoft Office Malformed String Remote Code Execution Vulnerability</strong></p>
<p><a href="http://www.securityfocus.com/bid/22383">BID 22383</a>; CVE-2007-0671 (Symantec Urgency Rating: 8.9/10; MS Rating: Critical)<br />
This vulnerability was first discovered through its use by <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2007-020717-0252-99">Trojan.Mdropper.Y</a> in targeted attacks earlier in February. At the time, Microsoft released <a href="http://www.microsoft.com/technet/security/advisory/932553.mspx">Advisory 932553</a>; patches are now available.</p>
<p><br />
<strong><a href="http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx">MS07-016</a>; <a href="http://support.microsoft.com/kb/928090">KB928090</a>: Cumulative Security Update for Internet Explorer </strong></p>
<p>This cumulative update resolves three previously unpatched vulnerabilities in IE 5.01 through IE 6.0, and two in IE 7.0 when it is configured with non-default allowed COM object types. This patch also replaces MS06-072 from last year.</p>
<p><strong>• Microsoft Internet Explorer IMJPCKSI COM Object Instantiation Memory Corruption Vulnerability</strong></p>
<p><a href="http://www.securityfocus.com/bid/22486">BID 22486</a>; CVE-2006-4697 (Symantec Urgency Rating: 7.1/10; MS Rating: Critical/Low)<br />
Instantiation of certain COM objects can lead to the execution of arbitrary code when viewing a hostile Web site. While IE 7.0 can be exploited in this manner, the affected COM objects are not on its default allow list. However, users can add them, in which case exploitation could occur in the same fashion as with prior versions. Because of this, Microsoft has rated this vulnerability ‘Important’ for IE7 on XP SP2, ‘Low’ for IE7 on Server 2003 SP1 (Enhanced Security Configuration may mitigate it on this platform), but ‘Critical’ for all other affected systems. In any case, IE7 on Vista is not affected.</p>
<p><strong>• Microsoft Internet Explorer COM Object Instantiation Variant Memory Corruption Vulnerability</strong></p>
<p><a href="http://www.securityfocus.com/bid/22504">BID 22504</a>; CVE-2007-0219 (Symantec Urgency Rating: 7.1/10; MS Rating: Critical)<br />
This is a very similar issue to the previously described vulnerability but affects a number of COM object types.</p>
<p><strong>• Microsoft Internet Explorer FTP Server Response Parsing Memory Corruption Vulnerability</strong></p>
<p><a href="http://www.securityfocus.com/bid/22489">BID 22489</a>; CVE-2007-0217 (Symantec Urgency Rating: 7.1/10; MS Rating: Critical)<br />
The FTP client built into IE versions 5.01 to 6.0 can be compromised by a hostile FTP server, leading to arbitrary code execution in the security context of the current user.</p>
<p><br />
<strong><a href="http://www.microsoft.com/technet/security/Bulletin/MS07-009.mspx">MS07-009</a>; <a href="http://support.microsoft.com/kb/927779">KB927779</a>: Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution</strong></p>
<p><strong>• Microsoft Internet Explorer ADODB.Connection Execute Memory Corruption Vulnerability</strong></p>
<p><a href="http://www.securityfocus.com/bid/20704">BID 20704</a>; CVE-2006-5559 (Symantec Urgency Rating: 7.0/10; MS Rating: Critical)<br />
This buffer overflow vulnerability was initially disclosed in October 2006, and proof-of-concept code has been available since then. While this was initially published as an IE vulnerability, IE is merely an exploit vector; the flaw is in the MDAC software itself.</p>
<p><br />
<strong><a href="http://www.microsoft.com/technet/security/Bulletin/MS07-008.mspx">MS07-008</a>; <a href="http://support.microsoft.com/kb/928843">KB928843</a>: Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution </strong></p>
<p><strong>• Microsoft HTML Help ActiveX Control Vulnerability</strong></p>
<p><a href="http://www.securityfocus.com/bid/22478">BID 22478</a>; CVE-2007-0214 (Symantec Urgency Rating: 7.1/10; MS Rating: Critical/Moderate)<br />
The ActiveX control that handles HTML Help fails to validate supplied parameters, which can allow attacker-supplied code to be executed. While this is rated Critical by Microsoft for Windows 2000 and XP, it is only rated Moderate for Server 2003 due to the potential mitigation provided by the Enhanced Security Configuration setting.</p>
<p><br />
<strong><a href="http://www.microsoft.com/technet/security/Bulletin/MS07-005.mspx">MS07-005</a>; <a href="http://support.microsoft.com/kb/923723">KB923723</a>: Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution</strong></p>
<p><strong>• Microsoft Step-by-Step Interactive Training Buffer Overflow Vulnerability</strong></p>
<p><a href="http://www.securityfocus.com/bid/22484">BID 22484</a>; CVE-2006-3448 (Symantec Urgency Rating: 7.1/10; MS Rating: Important)<br />
This client-side vulnerability can be exploited when a user opens a malicious bookmark link file (.cbo, .cbl, or .cbm).</p>
<p><br />
<strong><a href="http://www.microsoft.com/technet/security/Bulletin/MS07-013.mspx">MS07-013</a>; <a href="http://support.microsoft.com/kb/918118">KB918118</a>: Vulnerability in Microsoft RichEdit Could Allow Remote Code Execution</strong></p>
<p>This patch addresses one vulnerability, which affects the RichEdit component used in Windows, Office, and WordPad. </p>
<p><strong>• Microsoft Office And Microsoft Windows RichEdit Component Remote Code Execution Vulnerability</strong></p>
<p><a href="http://www.securityfocus.com/bid/21876">BID 21876</a>; CVE-2007-0032 (Symantec Urgency Rating: 7.1/10; MS Rating: Important)<br />
An RTF file can contain a malicious OLE object that will exploit this vulnerability. A user on the target system would have to open the file and attempt to interact with the OLE object.</p>
<p><br />
<strong><a href="http://www.microsoft.com/technet/security/Bulletin/MS07-011.mspx">MS07-011</a>; <a href="http://support.microsoft.com/kb/926436">KB926436</a>: Vulnerability in Microsoft OLE Dialog Could Allow Remote Code Execution </strong></p>
<p><strong>• Microsoft Windows OLE Dialog Remote Code Execution Vulnerability</strong></p>
<p><a href="http://www.securityfocus.com/bid/22483">BID 22483</a>; CVE-2007-0026 (Symantec Urgency Rating: 7.1/10; MS Rating: Important)<br />
This is another way that an RTF file containing a hostile OLE object can compromise a system when the file is opened and the object is manipulated by the user. </p>
<p><br />
<strong><a href="http://www.microsoft.com/technet/security/Bulletin/MS07-012.mspx">MS07-012</a>; <a href="http://support.microsoft.com/kb/924667">KB924667</a>: Vulnerability in Microsoft MFC Could Allow Remote Code Execution</strong></p>
<p><strong>• Microsoft Windows and Microsoft Visual Studio .NET MFC Remote Code Execution Vulnerability</strong></p>
<p><a href="http://www.securityfocus.com/bid/22476">BID 22476</a>; CVE-2007-0025 (Symantec Urgency Rating: 7.1/10; MS Rating: Important)<br />
This is yet another vulnerability that allows a malicious OLE object in an RTF file to run attacker-supplied code in the context of the local user.</p>
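<p>MS07-013, MS07-011 and MS07-012 all share the same delivery vehicle: an RTF file whose <code>{\object ...}</code> group carries an OLE object in <code>\objdata</code>. The following is an added example, not code from the original post or from Microsoft, of what a mail-gateway triage script can do with that structure: pull each embedded object out of the RTF, decode the hex payload, and parse the OLE 1.0 embedded-object header (OLEVersion, FormatID, ClassName, TopicName, ItemName, NativeDataSize, NativeData, with length-prefixed ANSI strings) to see what the object actually is, rather than trusting the <code>\objclass</code> label. The two RTF documents at the bottom are constructed for the example and carry only structural markers, no exploit; the mismatch between the declared class and the header's class name in the suspect sample is this script's own heuristic, not something the bulletins describe.</p>

```python
r"""Flag RTF documents that embed OLE objects and report what each object claims to be.

Added example, not code from the original Symantec post or from Microsoft.
Parses {\object ...}/\objdata groups and the OLE 1.0 embedded object layout;
the sample documents at the bottom are constructed and carry no payload.
"""
import re
import struct

OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file signature
OLE1_FORMAT_EMBEDDED = 2                             # FormatID of an embedded object


def _rtf_groups(rtf, control):
    """Yield every brace-balanced RTF group that starts with '{' + control."""
    start = 0
    while (idx := rtf.find("{" + control, start)) >= 0:
        depth = 0
        for i in range(idx, len(rtf)):
            depth += (rtf[i] == "{") - (rtf[i] == "}")
            if depth == 0:
                yield rtf[idx:i + 1]
                start = i + 1
                break
        else:
            return  # unbalanced braces: stop instead of looping forever


def _lp_ansi(buf, off):
    """Read a LengthPrefixedAnsiString (LE length incl. NUL); return (text, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if n > len(buf) - off:
        raise ValueError("string length exceeds data")
    return buf[off:off + n].rstrip(b"\x00").decode("latin-1"), off + n


def parse_ole1_object(data):
    """Parse the OLE 1.0 ObjectHeader and, for FormatID 2, the EmbeddedObject body."""
    if len(data) < 8:
        raise ValueError("too short for ObjectHeader")
    version, fmt = struct.unpack_from("<II", data, 0)
    class_name, off = _lp_ansi(data, 8)
    topic_name, off = _lp_ansi(data, off)
    item_name, off = _lp_ansi(data, off)
    info = {"ole_version": version, "format_id": fmt, "class_name": class_name,
            "topic_name": topic_name, "item_name": item_name,
            "native_size": None, "is_cfb": False}
    if fmt == OLE1_FORMAT_EMBEDDED:
        if off + 4 > len(data):
            raise ValueError("truncated NativeDataSize")
        (size,) = struct.unpack_from("<I", data, off)
        native = data[off + 4:off + 4 + size]
        if len(native) < size:
            raise ValueError("NativeData shorter than declared size")
        info["native_size"] = size
        info["is_cfb"] = native.startswith(OLE_CFB_MAGIC)  # native data is an OLE2 document
    return info


def scan_rtf(rtf):
    """One finding per embedded object: declared class, payload size, parsed header or error."""
    findings = []
    for group in _rtf_groups(rtf, "\\object"):
        m = re.search(r"\\objclass\s*([^}]*)}", group)
        declared = m.group(1).strip() if m else ""
        m = re.search(r"\\objdata\s*([0-9A-Fa-f\s]*)", group)
        hexdata = re.sub(r"\s+", "", m.group(1)) if m else ""
        finding = {"declared_class": declared, "objdata_bytes": len(hexdata) // 2,
                   "header": None, "error": None}
        try:
            finding["header"] = parse_ole1_object(bytes.fromhex(hexdata))
        except ValueError as exc:  # odd hex, short data, bad lengths
            finding["error"] = str(exc)
        findings.append(finding)
    return findings


# --- constructed samples (structural markers only, no real payload) ---------------
def _lp(text):
    raw = text.encode("ascii") + b"\x00"
    return struct.pack("<I", len(raw)) + raw


def build_ole1_embedded(class_name, native):
    """Assemble a minimal OLE 1.0 embedded object around arbitrary native bytes."""
    return (struct.pack("<II", 0x0501, OLE1_FORMAT_EMBEDDED) + _lp(class_name)
            + _lp("") + _lp("") + struct.pack("<I", len(native)) + native)


CLEAN_RTF = r"{\rtf1\ansi Just characters on a screen.\par}"
SUSPECT_RTF = (r"{\rtf1\ansi Quarterly report attached.\par"
               r"{\object\objemb{\*\objclass Word.Document.8}\objw1440\objh720"
               r"{\*\objdata " + build_ole1_embedded("Package", OLE_CFB_MAGIC + b"\x00" * 24).hex()
               + r"}{\result {\pict\wmetafile8 0102}}}}")

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN_RTF), ("suspect", SUSPECT_RTF)):
        for f in scan_rtf(doc):
            hdr = f["header"] or {}
            print(name, f["declared_class"], "->", hdr.get("class_name"),
                  "cfb:", hdr.get("is_cfb"), f["error"])
```

<p>On the suspect sample the declared <code>\objclass</code> says Word.Document.8 while the OLE header names the Package class and wraps an OLE2 compound file; either fact alone is enough for a gateway to quarantine the message for a closer look, and a parse error on <code>\objdata</code> is worth treating the same way, since the Windows code paths patched this month are the ones that would otherwise be handed that malformed data.</p>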
<p><br />
<strong><a href="http://www.microsoft.com/technet/security/Bulletin/MS07-006.mspx">MS07-006</a>; <a href="http://support.microsoft.com/kb/928255">KB928255</a>: Vulnerability in Windows Shell Could Allow Elevation of Privilege</strong></p>
<p><strong>• Microsoft Windows Shell Hardware Detection Service Privilege Escalation Vulnerability</strong></p>
<p><a href="http://www.securityfocus.com/bid/22481">BID 22481</a>; CVE-2007-0211 (Symantec Urgency Rating: 6.6/10; MS Rating: Important)<br />
This privilege escalation vulnerability can only be leveraged by users who already have valid login credentials on the target computer. Via exploitation of this vulnerability, such users can obtain SYSTEM privileges. This could potentially be combined with other vulnerabilities to escalate the privilege level obtained by a remote attacker.</p>
<p><br />
<strong><a href="http://www.microsoft.com/technet/security/Bulletin/MS07-007.mspx">MS07-007</a>; <a href="http://support.microsoft.com/kb/927802">KB927802</a>: Vulnerability in Windows Image Acquisition Service Could Allow Elevation of Privilege</strong></p>
<p><strong>• Microsoft Windows Image Acquisition Service Privilege Escalation Vulnerability</strong></p>
<p><a href="http://www.securityfocus.com/bid/22499">BID 22499</a>; CVE-2007-0210 (Symantec Urgency Rating: 6.6/10; MS Rating: Important)<br />
This is another local privilege escalation vulnerability on XP SP2. The code that manages communications with imaging devices (scanners, cameras) can be manipulated to grant SYSTEM privilege. This could also theoretically be paired with any number of client-side vulnerabilities to give a remote attacker full access to the target system.</p>
http://www.symantec.com/enterprise/security_response/weblog/2007/02/microsoft_patch_tuesday_februa.html
Tue, 13 Feb 2007 15:00:00 -0800