Tuesday, May 8, 2007

Microsoft's May Patch Tuesday

Today is again Microsoft Patch Tuesday, the day on which Microsoft announces patches to a series of vulnerabilities and security researchers scramble to learn as much as possible about the vulnerabilities.

Of the announced issues, here are the ones you should be most concerned about:
  • MS07-024 and MS07-025 -- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

    4 vulnerabilities affecting mostly Microsoft Word, but also all other applications in the Office suite could be used to compromise your computer if you were to open a malicious Office document. Important to note is that Microsoft Word Viewer and Microsoft Office on the Mac are also vulnerable. It almost goes without saying that you should never open office documents from untrusted sources. And remember, those e-mail forwards from your good friend didn't start with your friend and should be looked at with just as much suspicion as if they came from a total stranger.

  • MS07-026 -- Vulnerabilities in Exchange Server Could Allow Remote Code Execution
    If you run Exchange Server to handle your mail, you need to update it now. There are four separate issues including two Denial of Service (specially crafted e-mail will cause the mail server service to hang or quit), one "information leakage" and one remote code execution.

    The first concern is the remote code execution. This vulnerability relates to malformed MIME-encoded attachments.

    We aren't aware of any exploits at this time and details are still scarce, but that could change very quickly.

    The second concern is the "information leakage." E-mails sent with attached HTML files can cause problems for people using Outlook Web Access -- Microsoft's web-based e-mail reader. Essentially, a malicious script could be run in a trusted context and used to steal login credentials, e-mails, and more. This is a cross-site scripting vulnerability and has been shown in similar cases to be a pretty serious breach of security even though it doesn't allow remote code execution.

  • MS07-027 and MS07-028 -- Internet Explorer Multiple (Six) Remote Code Execution Vulnerabilities

    This is the bread and butter of these Patch Tuesdays: Internet Explorer issues. And despite IE7's enhanced security, it is vulnerable to most of these issues as well. As usual, ActiveX objects are the culprit. Microsoft wanted to allow website designers to be able to write full Windows applications and have them run inside Internet Explorer to create a "rich" web experience. Unfortunately, in doing this, Microsoft made two mistakes: every software component on Microsoft systems can be accessed by a web site. This means that software that wasn't intended to be run in Internet Explorer can be and in many of these cases there are exploitable bugs in the software.

    The usual way to deal with this is to explicitly disable specific ActiveX objects by using their "kill bits." Microsoft has a Knowledge Base article with instructions. Also, you can use the Group Policy Editor to set the kill bits on your entire domain. Here are the recommended "kills" from this batch up updates:

    CLSIDDLLComments
    D4FE6227-1288-11D0-9097-00AA004254A0msdauth.dllWindows Media component
    BE4191FB-59EF-4825-AEFC-109727951E42chtskdic.dll 
    17E3A1C3-EA8A-4970-AF29-7F54610B1D4CCAPICOMProvides encryption capabilities to programmers.
    FBAB033B-CDD0-4C5E-81AB-AEA575CD1338CAPICOM 


    Note that there are vulnerabilities being patched here that cannot be addressed by setting these kill bits, so your best bet is to upgrade as soon as possible. But still create policies in the Group Policy Editor in case an unpatched machine finds its way onto your network.

  • MS07-029 -- Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

    We first mentioned this flaw -- and the exploits circulating in the wild -- on April 13th. The flaw has received a lot of press, but isn't a concern for most people. Only Microsoft-based DNS servers running on the Internet without any kind of firewall on them or between them and the Internet are susceptible to an external attack. And if a worm taking advantage of this exploit got into a local network, it would likely not be able to compromise more than one machine. Despite that disclaimer, its a serious bug that could allow someone to take full control of one of your servers, so this patch is here none too soon. For mitigation details, see our post from above referenced post.


Bottom line: it's time to update your Windows machines using Windows Update or Microsoft Update. And as always, make sure your intrusion prevention, firewall, and anti-virus products are up-to-date.

Note from the sponsor: a combination of eSoft's Firewall, Intrusion Prevention, and Gateway Anti-Virus products will protect customers from all known exploits of today's announced vulnerabilities.