The official corporate security response blog

  • MSRC

    Information About Public Postings Related to MS06-035

    Hey everyone, this is Adrian Stone from the MSRC and I wanted to take a moment to clarify some recent reports about a vulnerability that was not addressed in this month's MS06-035 security update. As soon as we heard about the posting, we initiated our Software Security Incident Response Process to investigate. We now have a good understanding of the issue and we are conducting a thorough investigation into this area of code to make sure we can deliver a security update that is complete and meets our quality bar. Here's what we've found so far:

    * While this appears to have been found after the release of MS06-035, this does not affect the same code path, functionality or vulnerability that was addressed by the update.

    * Unlike some of the current speculation that we have observed, the current PoC is limited to a denial of service that would cause the target host to blue screen. At this time we have not identified any possibilities with this issue that could allow remote code execution.

    * We have not observed or received any reports of the PoC being used to actively attack systems.

    Some reports have said that the workarounds we detailed in MS06-035 would apply to this issue, and those are accurate. Specifically: block unsolicited inbound traffic, and block ports 135-139 and 445 from untrusted networks.

    We in the MSRC are working in conjunction with our hard working partners looking at the issue to determine next steps. We will continue to monitor the situation and if need be we will update the Blog with any breaking news right here.

    I hope this clears things up with some of the details regarding the PoC posting and its relation to MS06-035.

    If you think you are being attacked or impacted by the DoS we definitely want to encourage you to contact Product Support Services. You can contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1866-PCSAFETY) and international customers by using any method found at this location: http://support.microsoft.com/security.

    Thanks,

    -Adrian

    *This posting is provided "AS IS" with no warranties, and confers no rights.*
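    The workaround above (block unsolicited inbound traffic to 135-139 and 445 from untrusted networks) expressed as host-firewall rules, added here as an editor's example and not taken from the MSRC post. It assumes a Windows version with the NetSecurity PowerShell module (Windows 8 / Server 2012 or later; the 2006-era equivalent would have been netsh firewall), an elevated session, and a rule name of the editor's choosing. The rules are scoped to the Public profile because the post's advice is about untrusted networks: blocking 139/445 on the Domain or Private profile would break file sharing, Group Policy and most remote management.

```powershell
# Added example (not from the MSRC post): host-firewall rules implementing the
# MS06-035 workaround of blocking unsolicited inbound traffic to 135-139 and 445
# from untrusted networks. Assumes Windows 8 / Server 2012+ (NetSecurity module)
# and an elevated PowerShell session. Rule name below is an assumption.

$ports = @('135-139', '445')   # RPC endpoint mapper, NetBIOS name/datagram/session, SMB
$name  = 'Block inbound RPC/NetBIOS/SMB from untrusted networks'   # assumed rule name

function Add-UntrustedSmbBlockRule {
    # One rule per transport: 137/138 are UDP, 135/139/445 are TCP.
    foreach ($proto in 'TCP', 'UDP') {
        $display = "$name ($proto)"
        # Public profile only: blocking these ports on Domain/Private breaks
        # file sharing, Group Policy processing and remote management.
        if (-not (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $display `
                -Direction Inbound -Protocol $proto -LocalPort $ports `
                -Action Block -Profile Public -Enabled True | Out-Null
        }
    }
}

function Test-UntrustedSmbBlockRule {
    # Returns $true only if both rules exist, are enabled, block, and cover
    # every port range listed in $ports; use this in a compliance check.
    $ok = $true
    foreach ($proto in 'TCP', 'UDP') {
        $rule = Get-NetFirewallRule -DisplayName "$name ($proto)" -ErrorAction SilentlyContinue
        if (-not $rule -or $rule.Enabled -ne 'True' -or $rule.Action -ne 'Block') {
            $ok = $false
            continue
        }
        $filter = $rule | Get-NetFirewallPortFilter
        foreach ($p in $ports) {
            if ($filter.LocalPort -notcontains $p) { $ok = $false }
        }
    }
    return $ok
}

Add-UntrustedSmbBlockRule
if (Test-UntrustedSmbBlockRule) {
    'Workaround rules present and enabled on the Public profile.'
} else {
    'Workaround rules missing or incomplete.'
}
```

The host firewall is the second line here; the perimeter filter the post has in mind is the one that stops the traffic before it reaches the host. Running Test-UntrustedSmbBlockRule on its own is useful for confirming that a rule pushed by policy actually landed on a machine, which is the same "verify the mitigation took" discipline the MS06-034 re-detection advice further down the page asks for.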

  • MSRC

    An update on MS06-034 issues

    What’s that?  A post from Craig Gehre, and it’s not release day?   Yes, it is me again. As most of you know, we monitor the post release environment very carefully to make sure that all the deployment tools are working as intended and people are able to get the updates.  I wanted to note that last night we fixed a couple of issues from last week's release that we had been tracking.  They weren’t widespread, but as some admins out there may have noticed, we released a new wsusscan.cab late last night.  The two issues we fixed are related to MS06-034.   

    One issue was that even though you installed the update you could still be getting it reoffered to you via Windows Update, Microsoft Update, Automatic Update, or WSUS.  In some cases we were detecting on a file you may not even have on your system.  This has been resolved.


    The second issue was that if you were running Windows Server 2003 SP1 you may not have been re-offered the update after an unknowingly failed install.  If you installed the update while IIS was using the file “ASP.dll”, the package may appear to install correctly, but it did not. KB917537 has more info on this.


    Both of these issues were addressed last night. Because the second issue might have involved a silent failure, we recommend all Windows 2003 SP1 users rerun detection on these systems to make sure that their systems have updated properly.


    BTW, two weeks to BlackHat.  Will you be there?

    -Craig

    *This posting is provided "AS IS" with no warranties, and confers no rights.*


  • MSRC

    Advisory posted on the PowerPoint Vulnerability

    Stepto here again.  We've just posted the advisory on the PowerPoint vulnerability.  It can be found here:

    http://www.microsoft.com/technet/security/advisory/922970.mspx

    S.

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Information on the recent PowerPoint vulnerability.

    Stepto here.  We’ve been made aware of a vulnerability affecting PowerPoint that we wanted to let you know about, that appears to be involved in very targeted attacks.

    Like most of the recent Office vulnerabilities we’ve seen, a user must first open a malicious document that is sent as an email attachment or otherwise provided to them by an attacker.  (Again, like the recently addressed issues, opening the malicious file out of email in the recent versions of PowerPoint will prompt you to be careful about opening the attachment; it won’t trigger the attack automatically.)

    So remember to be very careful opening unsolicited attachments from both known and unknown sources.

    We’ve activated our security response process and we have added detection to the Windows Live Safety Center for up-to-date removal of malicious software we’ve seen that attempts to exploit the vulnerability.  The Windows Live Safety Center is located at the following website: 

    http://safety.live.com

    We’ve kept the Office team engaged on a state of high alert over the past couple of months for vulnerabilities relating to Office.  Right now they are working on an update to address the issue.  We’ll be documenting this through the weekend in the form of a security advisory and will post it as soon as we are confident in the protection steps (we’re targeting Monday morning).

    S.

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Information for SUS 1.0 Users about Tuesday's Release

    I wanted to let you know of another issue that has popped up.  We received reports a few hours ago that users of SUS 1.0 were not being offered security updates for Windows 2003 for the bulletins we just released yesterday.  We just pushed the fix for this issue live.  That means that all SUS 1.0 users will want to re-sync to get the latest SUS 1.0 cabs.  

    This isn’t related to the WSUS issues yesterday, nor is there action needed for those of you using WSUS or SMS.  Again, all the teams involved will be looking into how this happened.  I don’t enjoy being the bearer of bad news but definitely thought you all should know that this is happening. 

    Craig

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Follow-up Information on Today's Release

    Two blog entries in one day.  Not what I intended, honest. 


    Those of you that use SMS or WSUS have probably been struggling with the download of WSUSscan.cab.  The reason for the delay is that we had problems in our virus scanning labs right before the cab gets pushed live. The issue was resolved and the new cab for the July security release is now live.  If you pulled down WSUSscan.cab before 6:30 PM PDT you will want to resync and get the latest cab file. Otherwise you will not be detecting and deploying the latest July releases.

    We are looking at how to prevent this in the future, as we understand it really is frustrating to deal with.  In a future blog posting I hope to outline to you all the pieces of a security release and why, when one piece fails, other parts do not.  It can be a bit confusing at times, especially when you see some items live and others not.  Christopher Budd likens it to a space shuttle launch, where many parallel processes are going all at the same time.


    -Craig

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    July 2006 security update release.

    Today we released 7 new security bulletins.   We had some publishing issues pop up this morning that I think you should be aware of.  The below items went live a bit later than the normal 10AM-ish time.  We are working on getting these items live and you should start seeing them soon.

    • MSSecure.CAB for MBSA 1.2 for ENU DEU FRN and JPN versions
    • SMS 1.2 MSSecure.cab for ENU DEU FRN AND JPN versions
    • July 11, 2006 Enterprise Update Scan Tool (standalone version)
    • July 11, 2006 Enterprise Update Scan Tool (SMS version)

    BTW this is Craig Gehre of the MSRC.  Soooo not wanting to do the “Craig here, etc. etc.” thing: I need to work on my opening lines.


    Bulletins released today:

    • MS06-033 applies to Microsoft Windows and is rated important.
    • MS06-034 applies to Microsoft Windows and is rated important.
    • MS06-035 applies to Microsoft Windows and is rated critical.
    • MS06-036 applies to Microsoft Windows and is rated critical.
    • MS06-037 applies to Microsoft Office and is rated critical for earlier versions and important for more recent versions.
    • MS06-038 applies to Microsoft Office and is rated critical for earlier versions and important for more recent versions.
    • MS06-039 applies to Microsoft Office and is rated critical for earlier versions and important for more recent versions.

    Don't forget to tune into the monthly technical webcast tomorrow at 11am Pacific Time with Christopher Budd and Mike Reavey discussing this month's updates.

    -Craig

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Information about claims about unchecked boundary condition vulnerability in Word

    Hello, this is Mike Reavey.

    I wanted to take a moment and pass on some information about a claim that was posted late Friday about a possible unchecked boundary condition vulnerability in Microsoft Word. The claim was that this could enable an attacker to execute malicious code by convincing a user to open a malformed Word document.

    As soon as we saw the claim, we initiated our Security Incident Response Process to investigate.  Our teams have worked on this investigation over the weekend and we’ve been able to determine that the claim is not accurate:  while the Word application will exit unexpectedly, this is not a remotely exploitable vulnerability in Microsoft Word.

    As always, we encourage anyone who thinks they’ve found a vulnerability in a Microsoft product to contact us directly in the MSRC at secure@microsoft.com so that we can work with you to investigate what you’ve found and take steps to help protect customers.

    Thanks.

    Mike

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    July 2006 Advanced Notification

    Hello,

    This is Christopher Budd.

    It’s the Thursday before the second Tuesday of the month, and that means we’ve posted our Advanced Notification for the July 2006 Microsoft Monthly Security Bulletin Release.

    Next Tuesday, on July 11, 2006 at approximately 10:00 am PT we are slated to release seven new security bulletins:

            Four Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical.

            Three Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical.

    All of these updates will be detectable using the Microsoft Baseline Security Analyzer or the Enterprise Scan Tool and some of these updates will require a restart.

    We will also be making our regular monthly update to the Microsoft Windows Malicious Software Removal Tool.

    We’ll have our regularly scheduled technical webcast on Wednesday, July 12th 2006 at 11:00 am PT. You can register for it here:

    http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032301379&EventCategory=4&culture=en-US&CountryCode=US

    Thanks.

    Christopher


    *This posting is provided "AS IS" with no warranties, and confers no rights.*
