Thursday, July 12, 2007

Patch Tuesday and Browser 0-days

After a small pause, Threat Center Live is back. We've been very busy at Threat Center building up our honeypots, honeymonkeys, and other systems for finding live malware and exploits in the wild. We've also been busy tracking down and writing signatures for a variety of vulnerabilities. Here's a rundown of the latest news:

The first (as far as I am aware) cross *browser* exploit has been discovered. It affects Windows machines with both Internet Explorer and Firefox installed and uses a trick to cause Internet Explorer (and presumably Outlook, Outlook Express, and other programs that use the same engine as IE) to launch firefox and pass arbitrary javascript code to it in a trusted context -- meaning that applications can be launched without any user interaction. There are some good demonstrations of the exploit here and here, and with these examples I think we can expect malicious exploits as early as today. Note that this is a vulnerability with firefox, but it can only be exploited if someone is using IE despite having firefox installed.

Next in the security roundup from the last couple of days is Microsoft's July Patch Tuesday. This is the first patch tuesday in quite awhile in which there were no fixes for Internet Explorer, Outlook, or Outlook Express. However, our series of patches for Microsoft Office products remains uninterrupted. Here's the breakdown of what you need to know:

  • MS07-036 -- Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution

    3 vulnerabilities in Excel can allow a malicious Excel file to execute arbitrary code. Although no proof-of-concept exploits have been released to the public, the eSoft Threat Prevention Team was able to reconstruct an exploit from the information in Microsoft's advisory. We believe this is a serious threat. As always, do not open unsolicited file attachments and keep your antivirus signatures up-to-date. eSoft products have zero day protection for this vulnerability when and if exploits start to circulate.

  • MS07-037 -- Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution

    Malformed Microsoft Publisher files opened with Publisher 2007 can cause arbitrary code to be executed on a host computer. We recommend blocking .pub files at the gateway to protect against this threat.

  • MS07-038 -- Vulnerability in Windows Vista Firewall Could Allow Information Disclosure
    It appears that this vulnerability could allow an attacker to see what services are running on a machine even if those services are firewalled. The vulnerability involves the encapsulation of IPv6 packets inside IPv4 packets. This kind of traffic cannot be blocked at the firewall as it is legitimate traffic. If you don't use IPv6, then you should follow the directions in Microsoft's advisory to disable Teredo. They offer three different ways to block this traffic, the easiest of which is to use the Vista Firewall to block Teredo packets in and out of a machine.

  • MS07-039 -- Vulnerability in Windows Active Directory Could Allow Remote Code Execution

    Few organizations will allow LDAP access to their Active Directory service through the firewall, so this threat shouldn't be too large for most installations. However, there's always those organizations with non-standard setups and the insider threat. At this point we don't have enough information to give this a full analysis. No public exploits exist.

  • MS07-040 -- Vulnerabilities in .NET Framework Could Allow Remote Code Execution

    This is in fact three vulnerabilities. Most intrusion prevention systems should have protected against the null-byte vulnerability already in a more generic form. The other two vulnerabilities are a bit more ambiguous as to what programs are vulnerable and how they could be exploited. We're keeping a close eye on this one as a variety of applications use the .NET framework and this could impact many of them.

  • MS07-041 -- Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution

    This is in fact a rehash of an older known vulnerability in IIS 5.1 on WinXP SP2. It was previously thought to be only a denial of service issue. Many intrusion prevention systems likely already catch attempts to exploit this vulnerability. The exploit is a specially crafted URL, but as the affected software is very outdated there are probably very few vulnerable installations and therefore a low likelihood of someone developing a working exploit that does more than denial of service.

As usual, follow best security practices and patch your systems as soon as possible.

Note from the sponsor: eSoft's Intrusion Prevention and Gateway AntiVirus Softpaks provide protection against all known exploits of the above vulnerabilities and for some of the vlnerabilities, all theoretical exploit vectors.

No comments: