Qualys Blog


Microsoft Advisory on client side XSS – 2501696

Today Microsoft published Security Advisory 2501696 describing a vulnerability (CVE-2011-0096) in the MHTML handler present on all versions of Windows. The vulnerability allows the execution of an XSS attack from a webpage viewed through Internet Explorer.

The XSS attack can be used to run JavaScript code on the user’s Internet Explorer instance, which gives the attacker a way to get at information stored in the browser and a mechanism to trick users into installing unwanted code through social engineering.

Advisory 2501696 describes a workaround that disables scripting inside the MHTML handler by setting the corresponding keys in the Windows registry. We expect the release of a FixIt to automate the application of the workaround for security-conscious end users.

The vulnerability was originally disclosed on the WooYun website. The same site disclosed in December a vulnerability in the CSS handler of Internet Explorer, known as "css.css" (CVE-2010-3971). That vulnerability has been acknowledged by Microsoft, and Security Advisory 2488013 includes a workaround and a FixIt link to apply it.

While the vulnerability is located in a Windows component, Internet Explorer is the only known attack vector. Firefox and Chrome are not affected in their default configuration, as they do not support MHTML without the installation of specific add-on modules.

Microsoft’s SRD blog has a detailed description of the attack and provides HTML files for local testing.

Patch Tuesday Bottomline – January 2011

Microsoft's January 2011 Patch Tuesday represents a slow start to 2011 as far as the number of patches goes. But while there are only two bulletins, there are a number of additional open and documented security issues that IT admins should be aware of.

MS11-002 is the more important of the two bulletins. It addresses a critically rated vulnerability in the MDAC OS component, affects all versions of the Windows operating system and can be triggered by browsing to a malicious website. We recommend patching immediately.

MS11-001 provides a patch for a DLL-preloading issue in the Windows Backup Tool. It is rated important and only applies to Windows Vista. While DLL preloading is an old systemic issue in Windows and many other operating systems, it gained new attention in August of last year, when many vulnerable applications were identified. Secunia maintains a list of Microsoft and 3rd party applications that have been shown to be vulnerable to DLL preloading attacks. The list has over 200 vulnerable programs at http://secunia.com/advisories/windows_insecure_library_loading/ and includes the Vista Backup vulnerability that is being fixed today (SA41122). Given the scope of the DLL preloading vulnerabilities, we highly recommend implementing the workaround that Microsoft describes in Security Advisory 2269637 and KB2264107, which neutralizes the most common attack vectors at the operating system level.
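As an added example (not part of the original post), the following PowerShell audits and optionally applies the system-wide DLL search-order hardening described in Security Advisory 2269637 / KB2264107. It assumes the KB2264107 update is installed (without it the `CWDIllegalInDllSearch` value is ignored) and that it is run from an elevated prompt.

```powershell
# Added example, not from the Qualys post: audit (and optionally set) the
# system-wide DLL preloading workaround from Security Advisory 2269637 /
# KB2264107. Assumption: the KB2264107 update is installed; otherwise the
# CWDIllegalInDllSearch value has no effect. Run from an elevated PowerShell.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ValueName = 'CWDIllegalInDllSearch'

# REG_DWORD is returned by Get-ItemProperty as a signed Int32, so 0xFFFFFFFF
# reads back as -1; reinterpret the same 32 bits as unsigned before comparing.
function ConvertTo-UInt32 ([int32]$Signed) {
    [BitConverter]::ToUInt32([BitConverter]::GetBytes($Signed), 0)
}
function ConvertTo-Int32 ([uint32]$Unsigned) {
    [BitConverter]::ToInt32([BitConverter]::GetBytes($Unsigned), 0)
}

# Values documented in KB2264107
function Get-CwdDllSearchMeaning ([uint32]$Value) {
    switch ($Value) {
        ([uint32]::MaxValue) { 'current working directory removed from the DLL search order (strictest)' }
        2 { 'DLL load from CWD blocked when CWD is a remote (WebDAV or UNC) folder' }
        1 { 'DLL load from CWD blocked when CWD is a WebDAV folder' }
        0 { 'default behaviour, no protection' }
        default { 'unrecognised value 0x{0:X8}' -f $Value }
    }
}

function Get-CwdDllSearchSetting {
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Value = $null; Meaning = 'value not set, default behaviour' }
    }
    $v = ConvertTo-UInt32 $item.$ValueName
    [pscustomobject]@{ Present = $true; Value = ('0x{0:X8}' -f $v); Meaning = (Get-CwdDllSearchMeaning $v) }
}

# Default applies the strictest setting (CWD removed). Value 2 is the usual
# compromise where applications legitimately load DLLs from their working directory.
function Set-CwdDllSearchSetting ([uint32]$Value = [uint32]::MaxValue) {
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Type DWord -Value (ConvertTo-Int32 $Value)
    Get-CwdDllSearchSetting
}

# Audit only; call Set-CwdDllSearchSetting to apply the workaround.
Get-CwdDllSearchSetting | Format-List
```

Per-application overrides live under Image File Execution Options as described in KB2264107; the script above only covers the machine-wide value.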

Microsoft has acknowledged five additional security issues of varying severity. The most important vulnerability, known as "css.css", affects all versions of Internet Explorer and is rated critical. The exploit code is public and targeted attacks have been observed. Microsoft has recommended in Security Advisory 2488013 using the Enhanced Mitigation Experience Toolkit (EMET) to protect Internet Explorer against this flaw. EMET is a separate download and installation and requires manual follow-up configuration steps. We recommend installing EMET if you have technical end-users that can follow the necessary configuration steps.

A more scalable workaround for the problem has been introduced today. Microsoft is using the Windows Application Compatibility Toolkit in a unique and creative way to apply a hotpatch to the vulnerable component "mshtml.dll" and to prevent the recursive loading of CSS stylesheets, which is the root cause of the vulnerability. The workaround is delivered as an MSI file, which makes it easily installable with automated tools. To our knowledge this is the first time that Microsoft has used this Toolkit for security enhancements, and we believe it is an interesting new way to deliver temporary security fixes to Windows users. More information on the hotpatch mechanism can be found at Microsoft's SRD blog.

Let us know what you think of this new mechanism and if you will deploy this workaround. E-mail us at wkandek@qualys.com

Patch Tuesday – Preview for January 2011 – Update 2

Update 2
Microsoft published their worksheet for the risk assessment of the current advisories and the open 0-days on their SRD blog. The "css.css" IE vulnerability is ranked highest, then the current Windows Explorer "thumbnail", but it also lists the DoS vulnerability in the FTP service of IIS, cross_fuzz and WMI ActiveX. Good information for anybody involved in security, patching and mitigation.

Update 1
Microsoft is working on some helpful guidelines for the risk assessment of the current advisories and the open 0-days. Their highest priority is the Internet Explorer "css.css" issue (KB2488013), for which the suggested workaround is using EMET. The Windows Explorer "thumbnail" issue can be addressed by setting the permissions on the DLL in question, which is easy to do and has only a very limited usability impact (instead of displaying thumbnails of image files, Explorer will only show generic icons). It is also automated in the FixIt link in the advisory itself and can be easily scripted by IT admins – recommended. Microsoft continues to work on reproducing the "cross_fuzz" vulnerability, but believes that it would be difficult to use in a real-world exploit.

January 2011's Patch Tuesday will be low volume. Microsoft announced 2 Bulletins: MS11-001 and MS11-002, the first rated important and only affecting Windows Vista, while the second is rated critical and affects all versions of Windows, including Windows 7 and 2008R2.

But there is also potential for further updates this month, as Microsoft has acknowledged 2 open 0-days. One was confirmed just yesterday on Jan 5th in Security Advisory 2490606 (a vulnerability in the Windows Graphics Rendering Engine) and the other on Dec 22nd in Security Advisory 2488013, a vulnerability affecting Internet Explorer. Both flaws are reportedly used in targeted attacks, and users should look at the mitigation steps outlined in the advisories. KB2490606 has a Microsoft Fixit button that home users and small businesses can use to implement the mitigation instructions.

The security community is discussing 2 additional vulnerabilities in Internet Explorer, and proof-of-concept code exists. We expect Microsoft to acknowledge them soon. The SANS ISC has an overview that lists the open issues. We will keep this blog updated as new developments occur.