Microsoft’s May Security Bulletin contains a single advisory for PowerPoint in Microsoft Office (MS09-017). It addresses 14 distinct vulnerabilities, including the 0-day vulnerability that was identified at the beginning of April 2009. While the vulnerabilities rank only as important on most versions of Microsoft Office, they are all categorized as "remote code execution" and have a low exploitability index, meaning exploits are relatively easy to write and can be expected to be used soon in attacks.
One of the workarounds mentioned for CVE-2009-0556, the 0-day vulnerability patched in this advisory, is installing MOICE (KB937696). MOICE stands for "Microsoft Office Isolated Conversion Environment," a toolset that sanitizes Office documents opened through browsing and email by removing potentially dangerous code. It has been available since May 2007 and is cited as a workaround in eight of Microsoft’s 78 advisories in 2008. MOICE is an interesting tool for reducing the risk posed by the increasing number of file format vulnerabilities. Its limitation is that it only works with Office 2003 and 2007; Office 2000 and Office XP are not supported.
In addition to the Microsoft patches, both Adobe and Apple released their equivalent of "Patch Tuesday" advisories. Adobe fixed a recent critical 0-day vulnerability in their Acrobat and Reader product lines. Compared to their February patch for a known 0-day, this time around they reacted much faster and published patches for Windows, Mac OS X and Unix simultaneously. Adobe software is widely installed, and according to statistics from F-Secure, PDF-based file exploits are on the rise: 49% for the first 4 months of 2009 compared to 28% in 2008.
Verizon Business published their annual data breach report for 2008 in mid-April 2009. It is excellent reading and has a wealth of interesting data on 90 forensic investigations covering a total of 285 million compromised records. Verizon states (pg. 18) that roughly 4 out of 10 attacks are executed through poorly secured Remote Access and System Management Applications. This refers to applications such as Windows RDP, Citrix, VNC and PC Anywhere, but also telnet and SSH. Attackers scan for these applications on the internet and log in using default or easily guessable passwords. Once on the machine they install malware (e.g. a backdoor and a sniffing application), if necessary using a local exploit to become administrator or root. The malware can then capture data on the network such as credit card numbers, search for profitable data on local and remote drives and databases, and monitor keystrokes for usernames and passwords. At BlackHat US 2008 there was a PCI session where a restaurant owner told the story of his breach, and it sounded very similar (PC Anywhere, user: POS, password: POS).
Companies can address this scenario by scanning their entire perimeter IP range and reporting on the Remote Access applications found. Any of the available scanning tools should be able to do this. In QualysGuard, QID 42017 "Remote System Mgmt Application detected" can be used to generate a list of all machines that have a Remote Access application enabled. Currently QID 42017 scans for Windows RDP, Citrix, VNC, PC Anywhere, telnet, SSH and radmin on standard and non-standard ports. So launch a scan on your perimeter and report on QID 42017 to see if there are any unexpected instances.
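To turn this advice into a repeatable check, here is an added example (not Qualys code and not the detection logic behind QID 42017) that reads the opening bytes a service sends, classifies it as one of the remote-management protocols named above, and reports every instance that is not on an approved list. The signatures, the RDP probe, the host addresses and the sample banners are constructed for illustration; real scanners use far richer fingerprints.

```python
import socket

# Plain X.224 Connection Request (TPKT + X.224 CR). An RDP server answers it with a
# Connection Confirm (0xD0); SSH, VNC and telnet servers speak first and need no probe.
RDP_PROBE = bytes.fromhex("0300000b06e00000000000")


def classify_banner(data: bytes) -> str:
    """Name the protocol from the first bytes a service sends (or replies with)."""
    if data.startswith(b"SSH-"):
        return "ssh"
    if data.startswith(b"RFB "):                      # VNC: "RFB 003.008\n"
        return "vnc"
    if data[:1] == b"\xff" and data[1:2] in (b"\xfb", b"\xfc", b"\xfd", b"\xfe"):
        return "telnet"                                # IAC WILL/WONT/DO/DONT negotiation
    if data[:2] == b"\x03\x00" and data[5:6] == b"\xd0":
        return "rdp"                                   # TPKT + X.224 Connection Confirm
    return "unknown"


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect, send the RDP probe on 3389 only, and read what the service sends first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if port == 3389:
            s.sendall(RDP_PROBE)
        try:
            return s.recv(64)
        except socket.timeout:
            return b""                                 # silent service, e.g. HTTP/TLS


def unexpected_services(observed: dict, approved: set) -> list:
    """observed: {(host, port): banner}; approved: sanctioned (host, port) endpoints.
    Returns sorted 'host:port proto' lines for remote-management services not approved."""
    findings = []
    for (host, port), banner in observed.items():
        proto = classify_banner(banner)
        if proto != "unknown" and (host, port) not in approved:
            findings.append(f"{host}:{port} {proto}")
    return sorted(findings)


# Constructed sample: banners as a perimeter scan of five hosts might return.
SAMPLE = {
    ("192.0.2.10", 22): b"SSH-2.0-OpenSSH_5.1\r\n",
    ("192.0.2.11", 5900): b"RFB 003.008\n",
    ("192.0.2.12", 23): b"\xff\xfd\x18\xff\xfd\x20",
    ("192.0.2.13", 3389): bytes.fromhex("0300000b06d00000123400"),
    ("192.0.2.14", 443): b"",
}
APPROVED = {("192.0.2.10", 22)}   # the one jump host that is meant to be reachable

if __name__ == "__main__":
    for line in unexpected_services(SAMPLE, APPROVED):
        print("UNEXPECTED", line)
```

Replace SAMPLE with `{(h, p): grab_banner(h, p) for h, p in targets}` to run it against your own perimeter ranges.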
For information about the setup steps for the scan or report and how to further drill down on the information using the QualysGuard Asset Search Portal, please contact your TAM or Qualys Support.