Aurora Report: Around The Horn vol.1,83

MS09-016 - Important: Vulnerabilities in Microsoft ISA Server and Forefront Threat Management Gateway (Medium Business Edition) Could Cause Denial of Service (961759) - Version:1.0

Severity Rating: Important - Revision Note: Bulletin published.Summary: This security update resolves a privately reported vulnerability and a publicly disclosed vulnerability in Microsoft Internet Security and Acceleration (ISA) Server and Microsoft Forefront Threat Management Gateway (TMG), Medium Business Edition (MBE).

MS09-015 – Moderate: Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426) - Version:1.0

Severity Rating: Moderate - Revision Note: Bulletin published.Summary: This security update resolves a publicly disclosed vulnerability in the Windows SearchPath function that could allow elevation of privilege if a user downloaded a specially crafted file to a specific location, then opened an application that could load the file under certain circumstances.

MS09-014 - Critical: Cumulative Security Update for Internet Explorer (963027) - Version:1.0

Severity Rating: Critical - Revision Note: Bulletin published.Summary: This security update resolves four privately reported vulnerabilities and two publicly disclosed vulnerabilities in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer or if a user connects to an attacker's server by way of the HTTP protocol. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS09-013 - Critical: Vulnerabilities in Windows HTTP Services Could Allow Remote Code Execution (960803) - Version:1.0

Severity Rating: Critical - Revision Note: Bulletin published.Summary: This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft Windows HTTP Services (WinHTTP). The most severe vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS09-012 - Important: Vulnerabilities in Windows Could Allow Elevation of Privilege (959454) - Version:1.0

Severity Rating: Important - Revision Note: Bulletin published.Summary: This security update resolves four publicly disclosed vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker is allowed to log on to the system and then run a specially crafted application. The attacker must be able to run code on the local machine in order to exploit this vulnerability. An attacker who successfully exploited any of these vulnerabilities could take complete control over the affected system.

MS09-011 – Critical: Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (961373) - Version:1.0

Severity Rating: Critical - Revision Note: Bulletin published.Summary: This security update resolves a privately reported vulnerability in Microsoft DirectX. The vulnerability could allow remote code execution if user opened a specially crafted MJPEG file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS09-010 - Critical: Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution (960477) - Version:1.0

Severity Rating: Critical - Revision Note: Bulletin published.Summary: This security update resolves two publicly disclosed vulnerabilities and two privately reported vulnerabilities in Microsoft WordPad and Microsoft Office text converters. The vulnerabilities could allow remote code execution if a specially crafted file is opened in WordPad or Microsoft Office Word. Do not open Microsoft Office, RTF, Write, or WordPerfect files from untrusted sources using affected versions of WordPad or Microsoft Office Word.

MS09-009 - Critical: Vulnerabilities in Microsoft Office Excel Could Cause Remote Code Execution (968557) - Version:1.0

Severity Rating: Critical - Revision Note: Bulletin published.Summary: This security update resolves a privately reported and a publicly disclosed vulnerability. The vulnerabilities could allow remote code execution if the user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft security updates for April 2009

Learn about and download the latest computer security updates for March 2009. Read tips on protecting your computer by using anti-spyware and anti-spam programs.

April 2009 Monthly Bulletin Release

By MSRCTEAM

April is here and is turning out to be a typical, busy month, if one can call it that. In general, when we have a large release, the number of updates ranges from 7-12. With this in mind, we released eight security updates this month: 5 rated as Critical, 2 rated as Important, and one rated as Moderate.

MS09-009

This bulletin addresses two remote code execution vulnerabilities in Microsoft Excel. An attacker could exploit the vulnerability by sending a user a malformed Microsoft Excel file. Upon opening the file code can run in the context of the logged on user. We are aware of public exploits of these vulnerabilities. There are effective mitigations noted in the bulletin that are temporary measures until you test and deploy the updates.

A rating of Critical has only been assigned to Microsoft Office Excel 2000. The other applicable versions are rated as Important. If the Office Document Open Confirmation Tool has been downloaded and installed on a system with Microsoft Office Excel 2000, the user will first be prompted with a dialog box. This functionality is already built in to newer versions of Microsoft Office.

MS09-010

This bulletin addresses four remote code execution vulnerabilities in Microsoft WordPad and Microsoft Office text converters. An attacker could exploit the vulnerability by sending a user a malformed file. Upon opening the file code can run in the context of the logged on user. We are aware of public exploits of these vulnerabilities. There are effective mitigations noted in the bulletin that are temporary measures until you test and deploy the updates.

A rating of Critical has only been assigned to Microsoft Office Word 2000 Service Pack 3. The other applicable versions are rated as Important. If the Office Document Open Confirmation Tool has been downloaded and installed on a system with Office Word 2000 Service Pack 3, the user will first be prompted with a dialog box. This functionality is built in to newer versions of Microsoft Office. There are effective mitigations noted in the bulletin that are temporary measures until you test and deploy the updates. One of the mitigations is blogged about in greater detail than the bulletin. You can find this information on the Security Defense & Research blog.

The last thing I will mention is the fact that the Microsoft Security Intelligence Report Volume 6 provides insights into document file formats vulnerabilities and common exploitation techniques.

MS09-011

This bulletin addresses privately reported remote code execution vulnerability in Microsoft DirectX and is rated as Critical. An attacker could exploit this vulnerability by sending a malformed MJPEG file to a user of a system. If a user opened the file, code execution of the attacker’s choice would run in the context of the logged in user. Unregistering the quartz.dll or disabling the decoding of MJPEG content in Quartz.dll is a temporary measure that can be used while testing and deploying the update. Please see the bulletin to understand impact of the workarounds as they affect functionality.

MS09-012

This bulletin addresses several elevation of privilege vulnerabilities in Microsoft Windows and is rated as Important. The elevation of privilege vulnerabilities are commonly known as Token Kidnapping and was first described in Microsoft Security Advisory 951306. A supplemental blog will be posted here as well as a technical deep dive on the Security and Research Defense blog. It can be found here: http://blogs.technet.com/srd/

MS09-013

Microsoft Windows HTTP Services (WinHTTP) contains three vulnerabilities, two of which could allow for remote code execution running in the context of the logged on user. The bulletin is rated as Critical. WinHTTP is a technology within itself. As such, Internet Explorer does not use WinHTTP services.

MS09-014

Internet Explorer contains several remote code execution vulnerabilities and is rated as Critical. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer or if a user connects to an attacker's server by way of the HTTP protocol. This security update also addresses a vulnerability first described in Microsoft Security Advisory 953818. As you will see, MS09-015 also addresses this Advisory. Details as to why can be found in both bulletins.

MS09-015

This bulletin addresses a vulnerability in SearchPath which could allow for an elevation of privilege and is rated as Moderate. It’s worth mentioning here that this security update addresses the issue detailed in Advisory 953818: “Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform”. Among other information in the bulletin I want to note that we added a new api as a defense in depth measure. It is called SetSearchPathMode. This new API allows for a per-process mode when using the SearchPath function to locate files. This allows applications to force the current directory to be searched after the application and system locations. This defense in depth measure is not enabled by default. Please see the bulletin for additional information.

MS09-016

This bulletin address vulnerabilities in Microsoft ISA Server and Forefront Threat Management Gateway (Medium Business Edition) and is rated as Important. These vulnerabilities could allow denial of service if an attacker sends specially crafted network packages to the affected system, or information disclosure or spoofing if a user clicks on a malicious URL or visits a Web site that contains content controlled by the attacker.

There are several mitigating factors noted in bulletin; one of which I will note here regarding the cross-site scripting (XSS) vulnerability. ISA Server 2006 and Forefront TMG MBE deployments that do not have any Web publishing rules are not vulnerable by default. If ISA Server 2006 or Forefront TMG MBE is installed in a traditional firewall role and is not publishing any internal Web sites to the Internet, the vulnerable Web Filter will not be exposed (the port will be blocked).

My colleague Jonathan, in the MSRC, is providing guidance as it relates to suggestions for prioritization of the security updates. This information can be found at the Security Research & Defense blog site.

As a postscript to this posting I want to share some thoughts with you regarding the advisories.

Of the eight updates, five address vulnerabilities that Microsoft has issued security advisories for:

· Excel vulnerability: Security Advisory 968272 was released Feb. 24, 2009,

· WordPad: Security Advisory 960906 was released Dec. 9 2008, more related information can be found at Security Research & Defense blog.

· CarpetBombing: Security Advisory 953818 was released May 30, 2008, more related information can be found at Security Research & Defense blog

· Token Kidnapping: Security Advisory 951306 was released April 17, 2008, more related information can be found at Security Research & Defense blog.

The question becomes, why does it take so long for Microsoft to release a security update?

When we here at Microsoft are asked this question: our answer is “we want to get this right.” Or to put it another way, we are constantly asking ourselves during any given release cycle “are we doing the right thing for our customers?” If as a result of any given investigation, we find a variant of a vulnerability we are fixing; do we dig deeper to make sure we cover all our bases, or do we just fix what we can see and ship the update because of external pressures? “Are we doing the right thing for our customers?”

If we find, at the 11^th hour, an application compatibility issue that breaks third party software, do we ship anyway because we don’t want to get bad press? “Are we doing the right thing for our customers”?

Do we spread out the release of open advisories so no one notices, but not ship them when ready? “Are we doing the right thing for our customer?”

I will say that we will do the right thing for our customers; we will dig deeper; we will hold a low quality update; and we will release an update when it is ready for broad distribution; no sooner or no later.

*Postings are provided "AS IS" with no warranties, and confers no rights.*

April 14: Updated to include hyperlinks for bulletins

Token Kidnapping

By MSRCTEAM

Hello everyone,

As you can see from the April 2009 release summary, we addressed the Token Kidnapping issue with bulletin MS09-012. This issue allowed an attacker to gain full control of a server if the attacker can first run malicious code on the server as a lesser privileged user.

This issue was originally presented by Cesar Cerrudo in March of 2008 at Hack in the Box (Dubai) 2008. In April of 2008, we released an advisory to inform customers of actions they could take to protect themselves. We also updated the advisory in October of 2008, alerting customers to the availability of proof-of-concept code that demonstrates how to attack systems using token kidnapping techniques. Today we’ve released an update that protects from these issues without having to deploy workarounds. This release has been a long time in the making, so I wanted to take a moment and provide some insight into what it took to resolve this issue for customers.

First, what is Token Kidnapping? This is an elevation of privilege vulnerability that could allow an attacker to go from authenticated user to LocalSystem privileges. An attacker can escalate their privileges on a system if they can control the SeImpersonatePrivilege token. An attacker would need to be executing code in the context of a Windows service to use this exploit. For a more detailed look at the issue, refer to the SRD blog found here.

This case presented some interesting challenges in preparing the update to address the issue. First, there are two updates included in this bulletin. The first update addresses service isolation, while the second addresses processes running as service accounts. In order to secure these items, we took the work we did in Windows Vista to provide additional service hardening and implemented it in older operating systems like Windows XP, and Windows Server 2003. These changes are low-level and deeply engrained in the OS. When making these types of changes, many of the applications that have been written in the 5 to 10 years since the OS was released could be impacted as we are changing infrastructure. Typically, we only change code to this degree in a service pack release to ensure it receives the proper level of testing.

However, given the security risk, and even though we provided workarounds, we wanted to secure customers automatically. So we made the changes, and then did extensive testing to ensure this update is high-quality and did not impact existing implementations. For this bulletin, we ran over 600,000 different test scenarios, with over 6,000 variations tested in one configuration alone. We also needed to ensure we were not breaking 3^rd-party applications by introducing this change. As a result, 2,500 application compatibility tests were also run. In addition to this testing, we selected over 1,000 systems within Microsoft to test the update before we released, and some key customers signed NDAs to do even more testing in their lab environments to make sure we didn’t break Line-of-Business application scenarios. One thing we did notice is that some 3^rd-party applications may need to be updated to receive the same security benefits provides by this update. To facilitate this, the update also provides an infrastructure to 3^rd-parties to isolate and secure their services. In Windows XP and Windows Server 2003, all processes running under the context of a single account will have full control over each other. This update provides 3^rd-parties the ability to isolate and secure their services that hold SYSTEM token and run under the NetworkService or LocalService accounts. For more information on the usage of this registry key, see Microsoft Knowledge Base Article 956572.

While this update took some time to complete, our hope is that the majority of customers are protected either through the guidance we released a year ago or the update we released today. It is never an easy process to bring infrastructure from a newer OS to an older OS, but we considered this an important enough issue to do so. As you would expect, it wasn’t always an easy road, so I would like to thank all of the folks internally and externally that helped bring this update to the worldwide community. Specifically, I’d like to thank the following people who were key contributors in bringing this update to the world:

Cesar Cerrudo, Argeniss Information Security
Bruce Dang, MSRC Engineering
Nick Finco, MSRC Engineering
Anoop KV, Windows Serviceability
Vikas Mittal, Windows Serviceability

And special thanks go out to all of the many developers and testers who help made this release possible.

Thanks,

Dustin

MSRC

Links to related articles:

Service isolation explanation, SRD blog entry, Jonathan Ness, October, 2008

Token Kidnapping in Windows, Nazim’s IIS Security Blog, Nazim Lala, October, 2008

Security Bulletin Overview Video – April 2009

By MSRCTEAM on video

Hi Everyone,

Jerry Bryant again. Here is the overview video for the April 2009 bulletins. Please join us tomorrow at 11:00 am PDT (UTC –7) for our bulletin webcast where we will cover this months updates in more detail and try to answer all of your bulletin related questions.

More viewing options:

Thanks!

Jerry Bryant

Improving the Management of Information Security in Canadian Government Departments

Category: Management & Leadership

Paper Added: April 13, 2009

April Black Tuesday Overview, (Tue, Apr 14th)

Overview of the April 2009 Microsoft patches and their status. # ...(more)...

Oracle quarterly patches, (Tue, Apr 14th)

Oracle also released their quarterly load of patches today. In total 43 vulnerabilities were fixed ...(more)...

VMware exploits - just how bad is it ?, (Tue, Apr 14th)

When Tony reported on the release of new VMware patches on April 4th, we didn't immediately spot tha ...(more)...

Twitter worm copycats, (Mon, Apr 13th)

Yesterday Patrick wrote about a Twitter worm exploiting an XSS vulnerability in Twitter's profile pa ...(more)...

Micrsoft Patch Tuesday Plugs Security Holes as Hackers Circle (E-Week Security)

Report: China, Russia Top Sources of Power Grid Probes (SecurityFix Blog)

A few pennies for your thoughts and credit card (AP) (Yahoo Security)

Amazon.com Disputes Hacker's Confession (E-Week Security)

Tweenbots (Schneier blog)

US Power Grid Infiltrated (April 8 & 9, 2009)

US national security officials said that the computer networks of the country's electrical grid and other utilities have been infiltrated and seeded with tools that could potentially be used to disrupt communications, electricity, and other elements of the country's critical infrastructure.......

Pentagon Spent US $100 Million to Repair Damage From Cyber Incidents (April 7, 2009)

The Pentagon has spent more than US $100 million to mitigate cyber attacks and computer network issues in the last six months.......

Proposed Legislation Would Prohibit SMS Spam (April 6 & 8, 2009)

US Senators Olympia Snowe (R-Maine) and Bill Nelson (D-Florida) have introduced legislation that would expand the Can Spam Act to include unsolicited SMS (Short Message Service) messages.......

Eleven Face Charges in NZ Bank Online Theft (April 9, 2009)

Eleven people are facing charges in New Zealand for allegedly stealing money from online bank accounts.......

Microsoft to Release Eight Security Bulletins on April 14 (April 9, 2009)

According to Microsoft's Security Bulletin Advance Notification, the company will release eight security bulletins on Tuesday, April 14.......

Stolen Laptop Contains Commercial Driver's License Holder Data (April 7, 2009)

A laptop computer stolen from a state office building in Kapolei, Oahu, Hawaii contains personally identifiable information of nearly 1,900 state commercial driver's license holders.......

Conficker Update Spreads Through P2P Network (April 9, 2009)

The Conficker worm appears to be updating itself through a P2P network, placing an as-yet unknown payload on infected machines.......

Microsoft Security Intelligence Report (April 8, 2009)

Microsoft's Security Intelligence Report, which covers events in the second half of 2008, says that scareware, programs that lead users to believe their machines are infected with malware and urge them to buy phony anti-virus software, has emerged as a significant threat.......

FBI Seizes Texas Data Centers' Equipment in Investigation (April 7, 2009)

The FBI seized servers and other equipment from two Texas data centers.......

Penetration Testing Summit

Where else can you find the best speakers from other hacker conferences all at one program:
HD Moore on the future of Metasploit; Joshua Wright on evolving wireless attacks; Jeremiah Grossman on the Top Ten Web Hacking Techniques; Robert "rSnake" Hansen on web app vulnerabilities; Paul Asadoorian on late-breaking pen test techniques; Larry Pesce on using document metadata in pen tests; Jason Ostrum on VoIP pen testing; Ed Skoudis on secrets of pen testing?

IE 7 and 8 Default Security Leaves Intranets At Risk

Researcher shows how default security settings in Internet Explorer can backfire on intranets

Twitter Battered By Powerful Worm Attacks - Mikeyy

By Darknet on XSS

We’ve written about Twitter quite a few times now, with it’s click-jacking vulnerability, twitter phishing attacks and various other issues. It’s no surprise it’s being targeted though as it’s now the 3rd biggest social network after Facebook and Myspace. Within a relatively short time period it’s overtaken...

Watcher - Passive Analysis Tool For HTTP Web Applications

By Darknet on web-application-security

Watcher is a run time passive-analysis tool for HTTP-based Web applications. Watcher provides pen-testers hot-spot detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing. It looks for issues related to mashups, user-controlled payloads, cookies, comments, HTTP headers, SSL, Flash, Silverlight, referrer...