The official corporate security response blog
@MSFTSecResponse
Adrian here again. Just wanted to post real quickly to let you know we’re looking into new public proof of concept code around a possible vulnerability in Microsoft Windows. So far we’re not aware of any attacks attempting to use the vulnerability or of any customer impact, but we wanted to let everyone know we’re investigating.
What we know at the moment is that the vulnerability can be attacked through Internet Explorer and requires user interaction on the page before the attack can occur. As always, customers who believe they are affected can contact Product Support Services. You can contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY), and international customers can use any method found at this location: http://support.microsoft.com/security.
-Adrian
*This posting is provided "AS IS" with no warranties, and confers no rights.*
Hey everyone, this is Adrian Stone here and up until recently I was the newest member of the MSRC. I wanted to use my first post to let everyone know that we have updated MS06-025 complete with updated binaries for the affected platforms.
As many of you may know, there were some issues identified after the initial release affecting some users who required the use of legacy dial-up connections that use a terminal window, or dial-up scripting, or used scripts to change device configuration parameters. Additional details are covered in the bulletin.
I want to thank everyone out there for working with our folks in Product Support Services, as well as for the feedback we received at the MSRC indicating that there may have been an issue. I definitely want to thank everyone even more for their patience while the guys over in Windows Sustained Engineering have been living and breathing RRAS for the last week getting it all sorted out.
On what I hope is the last time I hear "Hey Adrian, what is RRAS anyway and what does this update address?": RASMAN is the service affected by the update, and it belongs to RRAS, the technology. It seems that this has been the question I have been hearing for about the last week.
Well, that’s all for now folks, and I can say that this has been one of the more interesting releases that I have been a part of since joining the MSRC. Now I am definitely ready to move on to next month's update cycle.
- Adrian
We've had several questions regarding some recent issues that have affected Microsoft Excel over the last week. So, I thought I'd take a minute to review each, what the security impact could be for each issue, and what we're doing to resolve the issues.
We’re currently investigating three issues that have mentioned Microsoft Excel. The first one involves a vulnerability in Microsoft Excel itself. This issue has been assigned vulnerability identifier CVE-2006-3059. (The vulnerability identifiers are included within all of our security bulletins and security advisories and are a great way to help differentiate issues.) We released Security Advisory 921365 on Monday that has a full overview of this vulnerability, along with mitigations and workarounds. A couple of key points: customers using Excel 2002 (included with Office XP) or Excel 2003 (included with Office 2003) will be warned before opening the attachment from an e-mail or a Web page, so remain careful when opening unsolicited files. Also, in the advisory there are instructions on how to modify the Access Control List (ACL) of a registry key that can block exploitation on Excel 2003. We've reached out to our partners in the MSRA and are sharing generic detection information for the vulnerability itself. The Office product team is currently testing updates that resolve the issue, and we expect to have it ready for release on or before July 11th.
Another issue was reported early this week that we discussed in the following post: http://blogs.technet.com/msrc/archive/2006/06/20/437826.aspx. This vulnerability has been assigned vulnerability identifier CVE-2006-3086. The vulnerability is in a Windows component, Hlink.dll; however, it affects customers that open a specially crafted Office document and then click on a hyperlink within that document. Customers using Office XP or Office 2003 will get the same prompts as with CVE-2006-3059 when opening documents, so once again, being cautious when opening Office documents helps here as well. However, in our testing of the public posting we've seen that after the document is opened, for an attack to be successful, a user would still need to click on a link within that document and will be given a second prompt asking if the user does in fact intend on navigating to that destination. While the dialog doesn’t present a security-specific warning, the destination will include attack code, and does not look like a legitimate destination. So some social engineering would be required to make this attack successful. However, the fact that social engineering is required hasn’t stopped us from working quickly. We’re currently testing a fix for this issue and are investigating workarounds for customers.
The third was reported on Tuesday and that issue involves a method that allows an ActiveX control to be loaded within an Office document. The public posting on this has an example that involves an Excel document, so some folks may confuse this with the two issues above. This behavior is by design and by itself does not represent a security risk to customers. However, an attacker could use this functionality to automatically load a vulnerable ActiveX control already present on a user's system through an Office document. It is important to note that this is not a vulnerability and recent versions of Office respect the "Killbit" functionality of Windows that prevents vulnerable ActiveX controls from loading once they have received a kill bit through a Microsoft Security Bulletin. We're not aware of any vulnerable ActiveX controls that could allow remote code execution in this context or of attempts to use this method of attack or of customer impact at this time. We will continue to investigate the public reports to help provide additional guidance for customers as necessary.
--Mike
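As an added example (not code from the MSRC post above), here is a PowerShell check for whether an ActiveX control's CLSID carries the kill bit Mike refers to. It assumes the documented mechanism: the kill bit is the 0x400 flag in the `Compatibility Flags` DWORD under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}` (Microsoft KB 240797), with 32-bit controls on 64-bit Windows also registered under `Wow6432Node`. The CLSID in the usage line is a placeholder, not a real control.

```powershell
# Added example, not code from the MSRC post. Reads and sets the Internet
# Explorer kill-bit registry entry for a CLSID (per Microsoft KB 240797): the
# kill bit is the 0x400 flag in the 'Compatibility Flags' DWORD under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# On 64-bit Windows, 32-bit controls are registered under Wow6432Node as well.

$KillBitFlag = 0x400

function Get-KillBitPaths {
    # Both registry views; the Wow6432Node path only exists on 64-bit Windows.
    param([Parameter(Mandatory = $true)][string]$Clsid)
    @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
}

function Test-KillBit {
    # Returns $true when the kill bit is set in at least one registry view.
    param([Parameter(Mandatory = $true)][string]$Clsid)
    foreach ($path in Get-KillBitPaths -Clsid $Clsid) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $flags = (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags -and (($flags -band $KillBitFlag) -eq $KillBitFlag)) {
            return $true
        }
    }
    return $false
}

function Set-KillBit {
    # Sets the kill bit while preserving any other Compatibility Flags bits.
    # Writes to HKLM, so this needs an elevated (administrator) session.
    # Only touches a registry view whose 'ActiveX Compatibility' parent key
    # already exists, so a 32-bit machine never gets a bogus Wow6432Node key.
    param([Parameter(Mandatory = $true)][string]$Clsid)
    foreach ($path in Get-KillBitPaths -Clsid $Clsid) {
        $parent = Split-Path -Path $path -Parent
        if (-not (Test-Path -LiteralPath $parent)) { continue }
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        $flags = (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags) { $flags = 0 }
        New-ItemProperty -LiteralPath $path -Name 'Compatibility Flags' -PropertyType DWord `
            -Value ($flags -bor $KillBitFlag) -Force | Out-Null
    }
}

# Usage (the CLSID is a placeholder for illustration, not a real control):
$clsid = '{00000000-0000-0000-0000-000000000000}'
if (Test-KillBit -Clsid $clsid) { "Kill bit set for $clsid" } else { "Kill bit NOT set for $clsid" }
```

`Test-KillBit` is read-only and safe to run anywhere; `Set-KillBit` is the step a bulletin's kill-bit update performs, and the post's point is that a control blocked this way is also refused by recent Office versions when a document tries to load it.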
Hi everyone, Stephen Toulouse here. We've seen that detailed exploit code has been published on the Internet for the vulnerability addressed by Microsoft security bulletin MS06-025. So, per the usual when something like this happens so quickly after release, we wanted to highlight that fact and let you know that we're not currently aware of any active attacks utilizing this exploit code at this time. But the MSRC is monitoring this situation to keep customers informed and to provide customer guidance as necessary.
We have confirmed that the exploit code does not affect users who have installed the update detailed in MS06-025 on their computers. So we continue to recommend that customers apply that update. In addition, we've posted a security advisory regarding this issue to provide additional guidance. The security advisory can be found at the following location:
We'll certainly keep an eye out on this issue and keep you posted if we see anything further.
S.
Hi everyone, Stephen Toulouse here. Just posting a brief note about two quick things regarding the blog.
When we originally set it up we used my user account and it's been our communal account for making posts. Unfortunately every post showed up as from "stepto". That's fixed now and posts will show up as being from "msrcteam".
Also we've added support for pingbacks and trackbacks!
Hi everyone Christopher Budd here.
I wanted to give you some information about the recent posting of a proof of concept Perl script that claims to demonstrate a vulnerability in Excel's processing of long links. As soon as we received these reports we immediately began an investigation into the posting. I wanted to let you know the information we have based on that investigation.
First, I want to be clear that this is proof of concept code and not an attack. We’re not aware of any attacks based on this code, based on our work with our Microsoft Security Response Alliance partners.
Second, our investigation so far has shown that while the posting claims this is a vulnerability in Excel, it actually is a vulnerability in hlink.dll, which is a Windows component that handles operations involving hyperlinks. Any attempt to exploit this vulnerability would require convincing a user to open a specially-crafted Excel document. The user would then also have to locate and click on a specially-crafted long link in that document. We have not found any way to attempt to exploit this vulnerability that involves simply opening a document: a user must locate and click a hyperlink in the document.
As a reminder, it’s important to make sure that you only accept and open files from a trusted source, as well as be careful what websites you visit.
It’s early into our investigation but we have our teams working hard on it. Once it’s complete, we’ll take the appropriate action to protect our customers based on our findings.
We’ll be closely monitoring the situation with our Microsoft Security Response Alliance partners for any changes. And, as always, we’ll provide updates through our blog as we have more information.
Christopher
Hi everyone, Mike Reavey here. Just wanted to let you know we have posted our mitigations and workarounds researched throughout the weekend in the form of a security advisory. It can be found here:
Hi everyone. Stephen Toulouse here. As we do every month, after release the Customer Support Service Group, the MSRC, and the affected product groups all monitor uptake of the updates and keep a sharp eye out for any issues that might be causing problems. There were 12 updates this month and of course we’ve been watching closely for signs of problems. So far there’ve been no issues with the vast majority of the updates, but one issue we are tracking has to do with MS06-025, very specifically related to dial-up users that use dial-up scripting, a very old piece of functionality not widely in use anymore. (Users using dial-up for Internet or Remote Access Services who do not use dial-up scripting or terminal windows are unaffected. Users who use Virtual Private Network (VPN) connections are also not affected by this at all, as dial-up scripting is not used in VPN connections.)
We’re going to be making an update to KB article 911280 listing the known issues for the MS06-025 bulletin so people are aware of the issue. The Knowledge Base article can be viewed at the following location:
We’ll keep you posted as always with how things are going with the release should we spot any other niche problems.
Hey everyone, Mike Reavey here again. We’re headed into the weekend and I wanted to check in and provide you with some more information about the Excel issue we are investigating. As of right now it’s still just a single customer impacted. But I want to reiterate that all of our various protection tools detect this malware and remove it.
The MSRC, together with the SWI team, has identified some workarounds that help stop the attack. However, we’re concerned that they might have an impact on the usability of Excel. Based on some of the customer feedback regarding the recent Word workarounds, we want to take the extra time to fully vet our guidance.
Of course, the Excel team is hard at work putting together the plan for an update as well. We’re working on an advisory through the weekend and will post it as soon as we are confident in the protection steps.
- Mike
Hi everyone, Mike Reavey here. We've received a single report from a customer being impacted by an attack using a new vulnerability in Microsoft Excel.
Here's what we know: In order for this attack to be carried out, a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker. (Note that opening it out of email will prompt you to be careful about opening the attachment.) So remember to be very careful opening unsolicited attachments from both known and unknown sources.
We’ve activated our security response process and we have added detection to the Windows Live Safety Center today for up-to-date removal of malicious software that attempts to exploit the vulnerability. The Windows Live Safety Center is located at the following website:
http://safety.live.com
We’re also actively sharing that information with our Microsoft Security Response Alliance partners so that their detection can be up to date to detect and remove attacks. We’ve got the Office team engaged of course and they are hard at work investigating the vulnerability.
As always, customers who believe they are affected can contact Product Support Services. You can contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY), and international customers can use any method found at this location: http://support.microsoft.com/security.
We’ll post more information here on the blog as we get it.
-Mike