Vulnerability in Microsoft
This month Microsoft released six bulletins that repair a total of 11 vulnerabilities. None of these bulletins resolves the three current Microsoft denial-of-service zero-day vulnerabilities. Both eEye's Blink® Professional and Blink® Personal client security software with anti-virus protected systems against these zero-day exploits prior to their discovery. Unlike other host protection or anti-virus-only products, Blink does not require updated signatures or updated rule sets to provide protection.
Patch Precedence
Of the six patches this month, five fix flaws that could be exploited over the Internet to execute arbitrary code. The flaws with the highest impact and the highest potential for exploitation have been marked appropriately. Depending on the operating systems and applications in use on your network, identify which of your systems are vulnerable to attack for each patch, and use standard patch precedence processes to build the patch rollout plan for your network.
As always, eEye suggests that users roll out these patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please check tomorrow's Vulnerability Expert Forum.
This Month's Bulletins
Critical
MS07-036 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
MS07-039 - Vulnerability in Windows Active Directory Could Allow Remote Code Execution
MS07-040 - Vulnerabilities in .NET Framework Could Allow Remote Code Execution
Important
MS07-037 - Vulnerability in Microsoft Office Publisher 2007 Could Allow Remote Code Execution
MS07-041 - Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution
Moderate
MS07-038 - Vulnerability in Windows Vista Firewall Could Allow Information Disclosure
Bulletin Summary
MS07-036 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (936542)
http://www.microsoft.com/technet/security/bulletin/MS07-036.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: High
Description
This patch fixes three vulnerabilities within Excel. All of the vulnerabilities allow for remote code execution as the logged in user.
CVE-2007-1756 - Calculation Error Vulnerability
A remote code execution vulnerability exists in the way Excel handles malformed Excel files. An attacker could exploit the vulnerability by sending a malformed file which could be included as an e-mail attachment, or hosted on a malicious or compromised Web site.
CVE-2007-3029 - Worksheet Memory Corruption Vulnerability
A remote code execution vulnerability exists in the way Excel handles malformed Excel files. An attacker could exploit the vulnerability by sending a malformed file which could be included as an e-mail attachment, or hosted on a malicious or compromised Web site.
CVE-2007-3030 - Workbook Memory Corruption Vulnerability
A remote code execution vulnerability exists in the way Excel handles malformed Excel files. An attacker could exploit the vulnerability by sending a malformed file which could be included as an e-mail attachment, or hosted on a malicious or compromised Web site.
The exploitation of these vulnerabilities requires user interaction by opening a malicious Excel file. This file could be delivered any number of ways including e-mail or a website. Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.
Recommendations
Although exploit code for these vulnerabilities has not been released, eEye Research suggests that vulnerable hosts be patched for these vulnerabilities as soon as possible.
--------------------------------------------------------------------------------
MS07-037 Vulnerability in Microsoft Office Publisher 2007 Could Allow Remote Code Execution (936548)
http://www.microsoft.com/technet/security/bulletin/MS07-037.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: High
Description
This patch fixes one vulnerability within Publisher 2007. This vulnerability may allow for a remote attacker to execute arbitrary code as the logged in user. This vulnerability represents the first Office 2007 vulnerability and only affects Office 2007.
CVE-2007-1754 - Publisher Invalid Memory Reference Vulnerability
A remote code execution vulnerability exists in the way Publisher does not adequately clear out memory resources when writing application data from disk to memory. An attacker could exploit the vulnerability by constructing a specially crafted Publisher (.pub) page. When a user views the .pub page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
The exploitation of this vulnerability requires user interaction by opening a malicious .pub file. This file could be delivered any number of ways including e-mail or a website. Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.
Recommendations
Although exploit code for these vulnerabilities has not been released, eEye Research suggests that vulnerable hosts be patched for these vulnerabilities as soon as possible.
Resources
eEye Vulnerability Advisory - Microsoft Publisher 2007 Arbitrary Pointer Dereference
--------------------------------------------------------------------------------
MS07-038 Vulnerability in Windows Vista Firewall Could Allow Information Disclosure (935807)
http://www.microsoft.com/technet/security/bulletin/MS07-038.mspx
Microsoft Severity Rating: Moderate
eEye Severity Rating: Low
Description
This patch fixes one vulnerability within Windows Vista. This vulnerability allows a remote anonymous attacker to gain system information for a remote Vista host over the network regardless of firewall rules.
CVE-2007-3038 - Windows Vista Firewall Blocking Rule Information Disclosure Vulnerability
There is an information disclosure vulnerability in Windows Vista that could allow a remote anonymous attacker to send inbound network traffic to the affected system. It would be possible for the attacker to gain information about the system over the network.
The exploitation of this vulnerability requires user interaction by clicking a link containing a Teredo network address. This would then divulge the Teredo network address to the attacker, allowing them to bypass the local Windows Vista firewall.
Recommendations
Patch Prioritization: Lowest Impact
Considering the low severity of this vulnerability, and the low install base of Windows Vista, this is designated as the lowest severity vulnerability for July.
--------------------------------------------------------------------------------
MS07-039 Vulnerability in Windows Active Directory Could Allow Remote Code Execution (926122)
http://www.microsoft.com/technet/security/bulletin/MS07-039.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: High
Description
This patch fixes two vulnerabilities within Active Directory. One of the vulnerabilities causes a denial of service, while the other vulnerability allows for remote code execution as SYSTEM.
CVE-2007-0040 - Windows Active Directory Remote Code Execution Vulnerability
A remote code execution vulnerability exists in the way that Active Directory validates a LDAP request. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
This vulnerability affects both Windows 2000 and Windows 2003 with Active Directory enabled.
CVE-2007-3028 - Windows Active Directory Denial of Service Vulnerability
A denial of service vulnerability exists in the way that Microsoft Active Directory validates a client-sent LDAP request. An attacker could exploit the vulnerability by sending a specially crafted LDAP request to a server running Active Directory. An attacker who successfully exploited this vulnerability could cause the server to temporarily stop responding. This vulnerability only affects Windows 2000.
The exploitation of these vulnerabilities requires no user interaction. However, on Windows Server 2003, exploitation requires valid credentials, which mitigates some of the risk. Windows 2000 Active Directory servers are vulnerable anonymously.
Recommendations
Patch Prioritization: Highest Impact
CVE-2007-0040 represents the most potent vulnerability patched this month. Although no exploit code has been released publicly, binary-diffing techniques can help to identify the vulnerable code and begin the exploit development process. Furthermore, although this vulnerability does require valid credentials to be used on Windows Server 2003, if an attacker has access to a workstation (either by having legitimate credentials to the workstation or using a client-side vulnerability to gain access) he or she may then launch this attack against the domain controller with the workstation's logged-in user credentials, similar in method to the DNS Zero-Day.
--------------------------------------------------------------------------------
MS07-040 Vulnerabilities in .NET Framework Could Allow Remote Code Execution (931212)
http://www.microsoft.com/technet/security/bulletin/MS07-040.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: High
Description
This patch fixes three vulnerabilities within the .NET Framework. Two of these vulnerabilities are client-side vulnerabilities affecting workstations, while the other vulnerability affects webservers and could lead to the download of any Web page on the server.
CVE-2007-0041 - .NET PE Loader Vulnerability
A remote code execution vulnerability exists in .NET Framework that could allow an attacker who successfully exploited this vulnerability to make changes to the system with the permissions of the logged-on user. If a user is logged in with administrative user rights, an attacker could take complete control of the affected system.
CVE-2007-0042 - ASP.NET Null Byte Termination Vulnerability
An information disclosure vulnerability exists in .NET Framework that could allow an attacker who successfully exploited this vulnerability to bypass the security features of an ASP.NET Web site to download the contents of any Web page. The exploitation of this vulnerability is dependent upon ASP.NET code.
CVE-2007-0043 - .NET JIT Compiler Vulnerability
A remote code execution vulnerability exists in .NET Framework Just In Time Compiler that could allow an attacker who successfully exploited this vulnerability to make changes to the system with the permissions of the logged-on user.
The exploitation of the two client-side vulnerabilities requires user interaction by visiting a website or following a hyperlink. For some vulnerabilities, execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.
Recommendations
Patch Prioritization: Second Highest Impact
The two client-side vulnerabilities (CVE-2007-0041 and CVE-2007-0043) are quite serious client-side attacks. Although exploit code has not been released for either of these vulnerabilities, the patch should be applied as soon as possible to affected systems. Regarding CVE-2007-0042, ASP.NET developers are advised to patch their affected webservers or to modify their code to compare values obtained from Internet-accessible sources against a white-list to ensure that only known queries are being processed.
Resources
MSDN Article - ASP.NET Best Practices
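The white-list check recommended above for CVE-2007-0042, sketched as an added C# example; it is not eEye's or Microsoft's code, and the class, method and page names are hypothetical. It refuses any value containing a NUL or other control character and serves only names that match the list exactly.

```csharp
using System;

// Added example; class, method and page names are hypothetical.
public static class PageRequestValidator
{
    // The only pages this handler will ever serve (constructed sample names).
    private static readonly string[] AllowedPages =
        { "home.aspx", "products.aspx", "contact.aspx" };

    // Returns true and sets canonicalName only when raw is a known page.
    public static bool TryResolve(string raw, out string canonicalName)
    {
        canonicalName = null;
        if (string.IsNullOrEmpty(raw) || raw.Length > 64)
            return false;

        // Managed strings may contain NUL while NUL-terminated native APIs
        // stop at it, so refuse NUL and all other control characters outright.
        foreach (char c in raw)
            if (char.IsControl(c))
                return false;

        // Exact match only: no prefix, suffix or pattern matching.
        foreach (string page in AllowedPages)
        {
            if (string.Equals(page, raw, StringComparison.OrdinalIgnoreCase))
            {
                canonicalName = page; // use the stored name, never the raw input
                return true;
            }
        }
        return false;
    }

    public static void Main()
    {
        // Constructed sample inputs: two known pages and three unknown values.
        string[] samples =
            { "home.aspx", "HOME.ASPX", "home.aspx\0.txt", "web.config", "../admin.aspx" };
        foreach (string s in samples)
        {
            string name;
            bool ok = TryResolve(s, out name);
            Console.WriteLine("{0,-18} -> {1}",
                s.Replace("\0", "\\0"), ok ? "serve " + name : "reject");
        }
    }
}
```

Downstream code should use the returned `canonicalName`, not the original request value, when building a file path or query.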
--------------------------------------------------------------------------------
MS07-041 Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution (939373)
http://www.microsoft.com/technet/security/bulletin/MS07-041.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Medium
Description
This patch fixes one vulnerability within IIS 5.1 on Windows XP. This vulnerability allows for anonymous remote system compromise via TCP/80, a normally accessible port across firewalls. This vulnerability was originally disclosed as a denial-of-service in 2005, but was released as a patch this month because of new privately disclosed information to Microsoft proving the exploitability of this vulnerability.
CVE-2005-4360 - IIS Memory Request Vulnerability
There is a remote code execution vulnerability in Internet Information Services (IIS) 5.1 on Windows XP Professional Service Pack 2 that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. An attacker could exploit the vulnerability by sending specially crafted URL requests to a Web page hosted by Internet Information Services.
The exploitation of this vulnerability requires no user interaction and is exploitable within IIS 5.1 which is only available on Windows XP Service Pack 2.
Recommendations
Although a proof-of-concept has been available for some time, there has been no proof-of-concept released publicly that shows the possibility for code execution. Additionally, since most production web servers will be using Windows Server 2000 or 2003 and not Windows XP, the impact of this vulnerability is minimal.