Microsoft Patch Tuesday

[Symantec]

Microsoft Patch Tuesday
<p>Hello, and welcome to this month’s blog on the Microsoft patch releases. September is a light month, with only 4 releases, each resolving one issue. </p>

<p>Which is the most critical of these vulnerabilities? Well, it depends on who you ask. Microsoft lists the issue in the Agent ActiveX control as the only ‘Critical’ update this month, however our calculations have resulted in a higher urgency rating for the MSN / Live Messenger issue. Both vulnerabilities grant a remote attacker the ability to run arbitrary code on the target machine if the target user performs a specific action (clicks on a link or accepts an incoming message). Microsoft may have rated the ActiveX issue higher because a non-vulnerable upgrade to Messenger has been available for some time. However, we rate the issue in MSN Messenger/Live Messenger higher, due to the availability of public proof-of-concept code known to work on at least one platform. From the perspective of an affected user, the knowledge that they could have upgraded some time ago may not be much solace. </p>

<p>We have seen an upswing in the number of browser plug-in vulnerabilities in the last six months, and ActiveX is certainly no exception – in fact, vulnerabilities in ActiveX components are at the forefront of this continuing trend, with an increasing rate of discovery that surpasses all other plug-in technologies combined. Expect to see more patches of this nature throughout the remainder of the year.</p>

<p>Microsoft’s summary of the September release can be found here: <a href="http://www.microsoft.com/technet/security/bulletin/ms07-sep.mspx">http://www.microsoft.com/technet/security/bulletin/ms07-sep.mspx</a></p>

<p><br />
<strong>1. Vulnerability in MSN Messenger and Live Messenger Could Allow Remote Code Execution (KB924099)</strong></p>

<p>CVE-2007-2931 (BID 25461) <br />
Microsoft MSN Messenger Video Conversation Buffer Overflow Vulnerability<br />
(MS Rating: Important / Symantec Urgency Rating: 8.6/10)</p>

<p>This is a remote buffer overflow vulnerability affecting MSN Messenger and Windows Live Messenger. This issue occurs during a video conversation because the application doesn’t properly check the ‘chunk_index’ of an incoming packet, resulting in a heap-based overflow. A public exploit for the Chinese version of Windows 2000 is available.</p>

<p>Affects: MSN Messenger 6.2, 7.0, and 7.5, as well as Windows Live Messenger 8.0. Windows Live Messenger 8.1, available for Vista and XP since late January 2007, is not affected by this.</p>

<p><br />
<strong>2. Vulnerability in Agent Could Allow Remote Code Execution (938827)</strong></p>

<p>CVE-2007-3040 (BID 25566)<br />
Microsoft Agent Malformed URL Remote Code Execution Vulnerability <br />
(MS Rating: Critical / Symantec Urgency Rating 7.1/10)</p>

<p>This is a remote code execution vulnerability in the Microsoft Agent ActiveX control. An attacker would need to trick a victim into visiting a malicious web page. A successful attack will result in the execution of attacker supplied code in the context of the currently logged in user.</p>

<p>Affects: Microsoft Windows 2000</p>

<p><br />
<strong>3. Vulnerability in Windows UNIX Services Could Allow Elevation of Privilege (939778)</strong></p>

<p>CVE-2007-3036 (BID 25620)<br />
Microsoft Windows Services for Unix Local Privilege Escalation Vulnerability<br />
(MS Rating: Important / Symantec Urgency Rating 6.6/10)</p>

<p>This is a privilege escalation vulnerability affecting Windows UNIX Services. This is a local issue and occurs due to improper handling of setuid files. A local attacker could exploit this issue to elevate privileges on the vulnerable computer. The privilege level is not specified, but is assumed to be at the administrative level.</p>

<p>Affects: Services for UNIX 3.0, and 3.5, and Subsystem for UNIX based applications running on Windows 2000, Windows Server 2003, and Windows Vista.</p>

<p>Note: These applications are not installed by default on any of the operating systems.</p>

<p><br />
<strong>4. Vulnerability in Crystal Reports Could Allow Remote Code Execution (941522)</strong></p>

<p>CVE-2006-6133 (BID 21261) <br />
Business Objects Crystal Reports XI Professional File Handling Buffer Overflow Vulnerability <br />
(MS Rating: Important / Symantec Urgency Rating 6.7/10)</p>

<p>This is a remote buffer-overflow vulnerability affecting Crystal Reports. Specifically, the application doesn’t properly handle malformed .rpt files. A remote attacker could exploit this issue to execute arbitrary code in the context of the victim running the affected application.</p>

<p>Crystal Reports is a third-party application from Business Objects. Microsoft redistributes a version of Crystal Reports in Visual Studio.</p>

<p>This vulnerability was originally disclosed in Crystal Reports in November 2006, and exploit code was released publicly in January 2007.</p>

<p>Affects: Visual Studio .NET 2002, .NET 2003, and 2005</p>

<p><br />
More information on these and other vulnerabilities are available at Symantec’s free <a href="http://www.securityfocus.com/">SecurityFocus</a> portal and to our customers through the DeepSight Threat Management System.</p>

<p><br />
</p>
http://www.symantec.com/enterprise/security_response/weblog/2007/09/microsoft_patch_tuesday.html
http://www.symantec.com/enterprise/security_response/weblog/2007/09/microsoft_patch_tuesday.html
Tue, 11 Sep 2007 12:10:50 -0800