Tuesday, April 10, 2007

Microsoft's April Patch Tuesday

Today is again Microsoft Patch Tuesday, the day on which Microsoft announces patches to a series of vulnerabilities and security researchers scramble to learn as much as possible about the vulnerabilities.

Today Microsoft released 5 advisories that impact all of their operating systems. Of highest concern are those that can be exploited remotely, and of these, there were three. Here's the summary:

  • MS07-018 -- Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution

    Microsoft's Content Management Server, which allows users to "quickly deploy scalable, reliable and dynamic personalized e-business web sites," can be compromised via a "crafted HTTP request." Users of MCMS are advised to make their sites Read Only until they apply the related patch.

  • MS07-019 -- Vulnerability in Universal Plug and Play Could Allow Remote Code Execution

    Universal Plug and Play is a technology intended to make it easy for computers and devices to interact with limited manual configuration. It's frequently used to configure port forwarding on routers, and peer-to-peer networking of PCs.

    This bug affects all versions of Microsoft Windows XP through Service Pack 2. The built-in firewall on XP SP2 will restrict attacks to the local network segment. A properly configured firewall between the vulnerable computer and the Internet will stop attacks exploiting this vulnerability. To make sure your firewall prevents these attacks, check your settings and see if UDP port 1900 and TCP port 2869 are blocked.

    Update: although Microsoft's advisory says only XP is affected, reports are coming in saying that Windows 2000 is affected as well.

  • MS07-020 -- Vulnerability in Microsoft Agent Could Allow Remote Code Execution

    Remember that annoying animated paper clip that used to show up when you opened a Microsoft Office document? That's the Microsoft Agent and its still around. It can be used by any application or web site to provide an interactive question and answer dialog. Unfortunately, it can also be used by a malicious website to run arbitrary code on a user's system.

    Internet Explorer 7 is not affected. All operating systems with Internet Explorer 6 or below are vulnerable. To workaround the vulnerability, disable the Microsoft User Agent by following the instructions in the advisory. Or install the patch or update to IE 7.

  • MS07-021 -- Vulnerabilities in CSRSS Could Allow Remote Code Execution

    CSRSS is the Windows Client/Server Run-time Subsystem (winsrv.dll). It's a core part of the operating system on all versions of Windows from 2000 through Vista. This vulnerability has had exploits in the wild since December 2006. Luckily, most of the exploits for this are local privilege escalation exploits, meaning that a piece of malicious software can use this vulnerability to gain full control of a system. However, Microsoft says that there are remote exploitation vectors that are exploitable by malicious websites. Although more details on this attack vector are net yet public, it is likely that it won't be long before we see code that remotely exploits this vulnerability. We'll keep an eye out for this.

    Also in this advisory are another local privilege escalation and a denial of service involving the Client/Server Run-time subsystem.

  • It should be mentioned that the recent MS07-017 advisory (the ANI file format vulnerability) was supposed to be announced today, but was announced and released a week early due to widespread exploitation.

Bottom line: it's time to update your Windows machines using Windows Update or Microsoft Update. And make sure your intrusion prevention, firewall, and anti-virus products are up-to-date.

Note from the sponsor: a combination of eSoft's Firewall, Intrusion Prevention, and Gateway Anti-Virus products will protect customers from remote exploitation of the vulnerabilities announced today.

No comments: