As announced last week Microsoft today released 2 bulletins, one addressing Internet Explorer (MS09-034) and the other addressing the ATL component of Visual Studio (MS09-035). The release outside of their normal patch window means that exploits for this vulnerability have been spotted in the wild and IT administrators should treat the fixes as high priority.
The main attack vector that the current exploit is using is browsing with Internet Explorer. An end-user browsing the Internet with a vulnerable version of IE can get their system taken over simply by looking at a websites that have malicious tables or ATL objects. To increase their reach, attackers have been using web application vulnerabilities to put these type of exploits on common, non-malicious sites, that end-users would not suspect of. Once infected the attacker can add the system to their botnet or use it to attack other machines inside the network where the system is hosted. This second mode of use of an infected computer is increasingly common and can lead to indirect exploitation of systems within corporate networks that do not even have external connectivity or a browser installed.
Ryan Smith will present on the issue at BlackHat in Las Vegas tomorrow and has a small preview up on his site….
This has been an exciting week in the security space, first Adobe and and now Microsoft have announced that they will deliver out-of-band patches next week:
- Adobe: has a problem in the Flash component and there are known instances of attacks in the wild using PDF documents as an entry point (these were detected first) and also word of the standard drive-by variety.
- Microsoft: will address a problem on Tuesday with a patch for Visual Studio and Internet Explorer
Both vulnerabilities are rated critical and are found in very common software components – all versions of IE (6,7 and 8) are vulnerable, while Adobe says that updates will be shipped for Flash 9 and 10 and also Adobe Reader 9. IT administrators should prepare for a quick turnaround.
Microsoft’s July Security Bulletin does not have any surprises due to the intense pre-release activity around the 3 zero-day advisories that came out in the last 6 weeks. Microsoft had already announced that they would address 2 advisories with patches MS09-028 and MS09-032 for DirectShow and Microsoft Video respectively. Yesterday’s zero-day is left for later and users should apply the work-around published in KB973472. The 3rd critical vulnerability addressed is MS09-029 OpenType Font Engine which applies to all versions of Windows, Vista and 2008 included.These 3 advisories should be addressed immediately as they allow the attacker to fully control the victim’s computer.
Microsoft proxy server ISA 2006 has a vulnerability rated as "important" that allows remote unauthenticated users to access the server. However paired with a knowledge of the administrators user name attackers can take full control of the server. As administrator usernames are often easy to guess this vulnerability deserves special attention, if IT organizations are using ISA with the Radius configuration. This vulnerability is covered in MS09-031. The ISA blog has some more in depth information.
MS09-030 is an advisory for the Publisher component in the MS Office 2007 suite is rated as "important" as well, but can be used to take full control of the system if the victim is logged in as administrator. If an organization uses Publisher or has it installed as part of Office 2007, this should be treated as "critical" as well.
Microsoft also provided patches for their virtualization product VPC and Virtual Server on all versions (MS09-033) preventing an elevation of privilege in the guest operating system. This is classified as "important" because local access to the guest OS is required. This bulletin is interesting because this vulnerability is introduced by the fact that the OS is running under a virtual environment and allows the user to access to privileged kernel mode.
We just released our QID 110101 which detects the Microsoft Office Web Components ActiveX zero-day vulnerability that Microsoft released today as KB973472. Similar to last weeks zero-day vulnerability Microsoft is providing a workaround using their Fixit program.
The main attack vector is again Internet Explorer, a user can be infected by browsing a website that hosts the exploit without further interaction with a so called "drive-by" exploit. There have been a number of sightings already, which have prompted Microsoft for this out-of-band release – for more information take a look at SANS.
QualysGuard will not raise the vulnerability if you have the described workaround applied which inhibits the OWC10 and OWC11 classids that are susceptible to the attack. We will be enhancing the detection as more information about workarounds and patches becomes available. Due to the timing we do not expect this vulnerability to be addressed tomorrow at Patch Tuesday.
I am delighted to present the Laws 2.0 research at Black Hat and with new data that compares the progress of patching across multiple critical industries. The focus on this talk will be on zero-days vulnerabilities and how organizations deal with them. I will discuss this topic with a panel of leading CISOs and security experts that includes Richard Bejtlich from General Electric, Ed Bellis from Orbitz, Paul Griffiths from Goldman Sachs, Kris Herrin from Heartland Payment Systems and Mark Weatherford from the State of CA. Please join us if you are attending Black Hat USA 2009. I am personally looking forward to the event and participating in all the Black Hat discussions and festivities. More details about this talk here.
Microsoft released advisory KB972890 yesterday for a zero-day vulnerability found by ISS, warning of an attack on an ActiveX control for Microsoft Video. The main attack vector is for the user to browse a website that has the exploit installed with Internet Explorer- further interaction is not necessary, the attack is of the type called "drive-by". This makes the attack very dangerous as there is very little that Internet Explorer users can do to defend themselves. Security news here and here report that thousands of websites have started serving the exploits already, which is supported by the in-depth information that we are getting from our iDefense feed which has a long list of sites that are serving the exploits.
The described work arounds involve disabling 40+ classids in the registry, which should be scriptable by IT administrators. The Microsoft support website has a FixIt link which individual users can use to apply those changes to the registry.
QualysGuard detects this zero-day vulnerability as QID 90510, but does not raise it if you have the described workaround applied. We will be enhancing the detection as more information about workarounds and patches becomes available.
How do you deal with ActiveX controls, do you disable them in your default builds ? Let me know by sending feedback. We also will discuss this issue on our upcoming panel at the Black Hat security conference in Las Vegas with the present industry experts.