Qualys Blog

Critical 0-day Flaw in Internet Explorer 6 and 7

A mere 10 days after acknowledging the SMB flaw in Windows 7, the Microsoft Security Response Center (MSRC) released a new security advisory for a new critical 0-day in Internet Explorer 6 and 7 as KB977981. A proof of concept for the 0-day was published on Bugtraq on Friday, but it is not fully reliable against all combinations of browsers and OSs. Attackers are currently working on improvements to the exploit and we are expecting to see new versions soon.

The advisory proposes several workarounds, but all of them restrict the usability of the browser. As Internet Explorer 8 (and IE5…) is not affected, the best option for consumers is to upgrade to IE8 or alternatively to switch to another product. For enterprise customers, IDS/IPS vendors and secure web gateways are able to deliver a degree of protection against the known exploits.

Qualys tracks this new 0-day under QID 90570.


Non-critical 0-day For Windows 7 Disclosed

A new 0-day flaw in Microsoft’s SMB protocol implementation in Windows 7 and 2008/R2 was published by Laurent Gaffié on Wednesday of last week, one day after Microsoft’s November Patch Tuesday. Microsoft acknowledged the flaw on Friday as KB977544.

The exploit involves tricking an end user into clicking a link to a server with a malicious configuration, which causes the machine to become unresponsive and require a reboot. The flaw is unrelated to the recent SMBv2 problem (MS09-050). The recommended workaround at the moment is to use a firewall to block outgoing traffic on the ports used by SMB (139 and 445). This type of egress filtering is already considered a best practice, but such a configuration involves additional work and I doubt that it is consistently implemented.
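The egress-filtering workaround described above, written out as Windows Firewall rules. This is an added example, not code from the original post or from Microsoft; the rule names are arbitrary, and it assumes the built-in `netsh advfirewall` interface of Windows Vista/7/2008 run from an elevated command prompt.

```batch
@echo off
REM Block outbound SMB so that a user who is tricked into clicking a link to a
REM hostile server cannot open an SMB session to it.
REM   TCP 139 = NetBIOS session service (SMB over NetBIOS)
REM   TCP 445 = SMB directly over TCP
REM Rule names below are placeholders chosen for this example.

netsh advfirewall firewall add rule name="Block outbound SMB (TCP 139)" ^
    dir=out action=block protocol=TCP remoteport=139 profile=any enable=yes

netsh advfirewall firewall add rule name="Block outbound SMB (TCP 445)" ^
    dir=out action=block protocol=TCP remoteport=445 profile=any enable=yes

REM Verify that both rules were created and are enabled.
netsh advfirewall firewall show rule name="Block outbound SMB (TCP 139)"
netsh advfirewall firewall show rule name="Block outbound SMB (TCP 445)"

REM Caveat: on a domain-joined machine these rules also cut off internal file
REM shares and SYSVOL/NETLOGON access to domain controllers. Scope the rules
REM (e.g. profile=public) rather than adding an allow rule: in Windows Firewall
REM an explicit block rule wins over an allow rule for the same traffic.
```

The same filter can be applied at the network perimeter instead, which is where the "egress filtering" best practice is usually enforced; the host rules above are the option for machines that leave the corporate network.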

However, the vulnerability is not very "useful" as it involves user interaction and "only" locks up the target machine. A typical attacker who goes through the work of tricking users into clicking a link will use an exploit that gives him control of the target machine after execution. For Microsoft, the vulnerability is a trigger to review and improve the part of the SDL process that did not catch the flaw.

Laurent is doing excellent security research work here on Windows 7, just as he did 2 months ago, but the discussion on "full" vs. "responsible" disclosure will certainly be revived by his post. While we do not know the exact details of Laurent’s exchange with Microsoft, we believe that "responsible disclosure" is the more productive mechanism to improve Internet security by fostering collaboration.


Patch Tuesday Bottomline – November 2009

Today Microsoft released 6 security updates that address 15 individual vulnerabilities. Three updates are rated critical and the other 3 are rated important. Here is a recap of today’s advisories:

  • MS09-065 is rated Critical due to the EOT (Embedded OpenType font) vulnerability, which lets an attacker execute arbitrary commands on the victim’s computer. This can be achieved by enticing the victim to visit a web page with malicious EOT fonts or to open an e-mail that contains malicious content. A proof of concept that crashes the application has been publicly disclosed. All Windows operating systems except Windows 7 and Windows 2008 R2 are affected.
    We can expect working exploits soon, and this is the most critical vulnerability to address. For users who cannot patch immediately, Microsoft has also provided workarounds in a detailed blog post, including instructions on how to roll them out automatically with GPOs.
  • MS09-063 and MS09-064 are critical as well, as they allow a remote unauthenticated attacker to achieve remote code execution by sending malicious packets to the affected systems. MS09-063 is limited to attacks from the local subnet.
  • MS09-067 and MS09-068 affect Microsoft Excel and Word. They are standard file format issues that affect consumers and enterprise users alike.
  • Three of the six advisories (MS09-063, MS09-064 and MS09-066) concern services with open listening ports, which can be targeted by network-based attacks.

The newer OS versions, Windows 7 and Windows 2008 R2, were not affected by any of the bulletins released today, a good indication of the progress Microsoft has made in securing the base operating system.

In a similar way, the security features included in the new Office 2010 would have prevented both MS09-067 and MS09-068. We saw a demo of these features the other day at BlueHat, and the strict sandboxing imposed on files received through e-mail or Internet download should take care of 2 of the main attack vectors for this type of exploit.