The official corporate security response blog
Hey folks - Mike Reavey here, I wanted to follow up on our Security Advisory we released on Tuesday about the re-release of MS06-042 for IE 6.0 SP1 customers.
We've resolved the issues that delayed the re-release and have released the revised update.
The revised update fully resolves the security vulnerability we discussed in the Advisory. We also have resolved the issues that we discovered prior to the planned release on Tuesday.
We are now urging IE 6.0 SP1 customers to go ahead and deploy this revised update as soon as possible.
Now that the revised update is out, I wanted to address something that’s really been concerning customers and some confusion regarding the nature of the issue we discovered and whether it warranted holding the release.
It’s important to note that the security vulnerability introduced by MS06-042 was only on Internet Explorer 6.0 SP1. A large number of our customers running Internet Explorer 6.0 SP1 are running it on Windows 2000, as that is the most current version of Internet Explorer for that platform. Those customers rely heavily on deployment tools such as the Microsoft Baseline Security Analyzer (MBSA) and the Inventory Tool for Microsoft Updates (ITMU). The problem we discovered late in testing was related to a background technology used by those deployment technologies.
That would have meant that a significant portion of customers would have been unable to deploy the update if we had tried to release it on August 22nd as originally stated. This is very important. Because while some customers still using Internet Explorer 6.0 SP1 do utilize other detection and deployment technologies, a large portion still rely on the deployment technologies like MBSA and the ITMU due to their support of older products and infrastructures. Because this directly affects the ability of those customers most affected by the re-release to protect themselves, we delayed the release to successfully address this issue so that all customers could protect themselves fully.
We simply cannot leave those customers behind on a security release. We feel this was the right call to make, and it was not an easy one. However, we worked around the clock and were able to address the issue and re-release quickly.
Mike
*This posting is provided "AS IS" with no warranties, and confers no rights.*
Hi, Scott here from the MSRC operations team. I just wanted to drop a few lines to clarify the recent buzz/activity on a PowerPoint zero day that occurred over the weekend.
Our investigation has proven thus far that customers who are up to date with Office security updates are NOT affected. Meaning this is NOT a zero day. Malware in the malicious .ppt leverages a previously fixed vulnerability in Microsoft Office to drop the payload.
To be attacked and become infected requires a user to open the malicious .ppt file on a system that doesn’t have the latest Office security updates.
As always we recommend customers treat .ppt files (for that matter any Office file) from unknown or untrusted sources as suspicious, keep your AntiVirus sigs up to date and very importantly deploy security updates.
I hope this helps to clarify the current situation on the reported PowerPoint issue!
BTW - If you think you have been impacted by the Malware we definitely encourage you to contact Product Support Services. You can contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1866-PCSAFETY) and international customers by using any method found at this location: http://support.microsoft.com/security.
Thanks
Scott
Hi everyone, Stephen Toulouse here. We wanted to provide you with information about the MS06-042 re-release that was scheduled to occur today. As posted on August 15th, we noted we would be re-releasing MS06-042 today to address a crashing issue that could occur if you are using HTTP 1.1 in combination with Internet Explorer 6.0 SP1. Late last night we discovered an issue that led us to the difficult but necessary decision to not release this update today. Providing the update in its current state would have resulted in customers being unable to deploy the update. Once that issue is resolved we will of course release the update.
The far more difficult problem revolves around the nature of the crash itself. Shortly after the release of MS06-042, independent security researchers responsibly disclosed to us the fact that they had discovered the crash was exploitable. We worked with them responsibly during the creation of the update. As soon as we knew we would have to halt the re-release, we informed the third party researchers. Due to the fact we did not want to communicate the existence of the exploitability of the crash prior to an update being available, we also began the process of holding our communication on the issue so that attackers would not have clear public information available that the current problem was exploitable.
This was another difficult decision on our part. There was no intent here to misrepresent the issue as not being exploitable. Oftentimes, however, we find ourselves in the position of having to strike a balance between providing information equally to users who would use the information to protect themselves, and attackers who, history has proven, will immediately use the information for criminal purposes. In this case, we felt that, due to the fact the platform and specific vector of the crash was known, publicly disclosing that it was an exploitable security vulnerability prior to our being able to provide customers with an update to address it would have breached our position on responsible disclosure and would have put customers at increased risk.
Unfortunately, one of the security researchers who reported this to us disagreed with our decision to hold communications and has publicly pointed out the exploitability of the specific crash and the affected platform. Up until now, we have not seen any attacks using this vulnerability, nor have we seen broad awareness of this vulnerability. Since the exploitability of this is public now however, there is certainly increased risk of attack. We have issued a security advisory detailing workarounds and mitigations for the vulnerability while we have our teams working at full speed to resolve the quality issue and release the update as soon as it meets our quality bar.
The Internet Explorer team, as part of our original intended communications on this event, had worked up a blog entry on what they learned from the incident and what processes have changed. Now that the issue is public, while we are working to provide the update, they have made that posting available here.
To be clear, this issue does not impact other versions of Internet Explorer, such as Internet Explorer on Windows XP SP2 or Internet Explorer on Windows Server 2003 or Windows Server 2003 SP1. As always, we will be using the blog and our security advisory to keep you up to date if we now see attacks as the result of the public information.
S.
[EDIT: Changed title from "Canceled" to "Postponed" since we will indeed be re-releasing the update in the future]
Hey folks - Mike Reavey here, we've made an update to MS06-042 to let customers know of an issue they might see after applying the update to Internet Explorer 6 Service Pack 1 systems. The issue is limited to IE6SP1 only, and then only when visiting a website that uses HTTP 1.1 and compression. Since MS06-042 resolves a number of security vulnerabilities we recommend customers continue to deploy the update, but we do plan to revise *only* the IE6SP1 update and re-release the bulletin with more information by August 22nd for all IE6SP1 customers. As a reminder, Known Issues relating to security updates are tracked in the main Knowledge Base article for each bulletin, in this case Knowledge Base Article 918899. Within this article there's more information on how to get a hotfix that helps customers avoid this issue, as well as workarounds.
So I am back to give what I hope is the last update on the recent MS06-040 exploit. By the way, this is Adrian Stone again. As many of you know from the recent posts, and recent Advisory publication we have been working all weekend to stay on top of the Win32/Graweg issue so I thought it would be a good idea to update you with the current status as various enterprises and organizations around the world have come online.
We have been seeing activity related to Graweg taper off. From our analysis and our work with our partners in the MSRA we still believe that this has been a relatively contained issue that has only affected Windows 2000. However we are in no way underplaying the severity of the vulnerability addressed in MS06-040: we continue to urge customers to deploy and test the update with a heightened sense of urgency.
It also looks like the message to download and install the update has been heard loud and clear, as we see customers continuing to download and deploy the MS06-040 update. Speaking of downloading updates, I also want to clarify some questions I have heard lately regarding why some customers have seen MS06-040 downloaded or installed while some of the other updates have not appeared yet during the same interval. With Windows Update we have the ability to prioritize updates in order to ensure that we are providing the broadest customer distribution possible for a particular update or set of updates given the relative threat. Prioritizing of the updates is done taking into account the threats identified with each individual release. As we have seen, and as has been identified by others, the threat presented by the vulnerability addressed in MS06-040 prompted us to do everything possible to ensure that customers received the update with the highest possible priority. This is normal behavior, and if you have not seen the rest of this month's updates yet on your computer, rest assured they are coming and this is perfectly normal. If you want to read more about how Windows Update works feel free to check out this article: http://www.microsoft.com/technet/updatemanagement/windowsupdate/default.mspx
We've also made a minor update to the MS06-040 security bulletin today to add additional information about what the impact might be of blocking ports 139 and 445 within a corporate environment, as well as a pointer to documentation of a known issue affecting some applications that copy very large chunks of memory after the update is applied. In working with our support personnel, this is only affecting a small set of customers and no changes are planned to the updates included in MS06-040 - so customers are still recommended to apply that update as soon as possible.
Rest assured we will keep monitoring the situation and if we identify any new threats affecting MS06-040 we will announce it here on the blog and of course give authoritative guidance on the current Advisory that is published.
Thanks,
-A
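The post above points to the bulletin's new guidance on blocking ports 139 and 445 as a network-level mitigation. Administrators who apply that block usually want to confirm it is actually in effect from outside the protected segment. The following is an added example, not code from the MSRC or from Microsoft: a small reachability check for the two SMB/NetBIOS ports. The target addresses are constructed placeholders in the documentation range, and the connector is injectable so the logic can be exercised without network access.

```python
"""Check whether TCP ports 139 and 445 accept connections on a set of hosts.

Added example (not MSRC's own code). Verifies that a block on the SMB/NetBIOS
ports, the mitigation the MS06-040 bulletin update discusses, is in effect
from the vantage point where the script runs. Target hosts below are
constructed placeholders (TEST-NET-1), not real systems.
"""
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Ports the bulletin discusses blocking: NetBIOS session (139) and SMB over TCP (445).
SMB_PORTS = (139, 445)


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a full TCP handshake to host:port completes within timeout.

    A refused, filtered or timed-out connection all count as 'not reachable';
    for a block check that is the outcome we want to see.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(hosts: Iterable[str],
                ports: Iterable[int] = SMB_PORTS,
                connect: Callable[[str, int], bool] = tcp_connect
                ) -> Dict[Tuple[str, int], bool]:
    """Map (host, port) -> reachable for every host/port combination.

    'connect' is injectable so the result handling can be tested offline
    with a fake connector instead of real sockets.
    """
    port_list = list(ports)
    return {(h, p): connect(h, p) for h in hosts for p in port_list}


def exposed(results: Dict[Tuple[str, int], bool]) -> List[Tuple[str, int]]:
    """Return the (host, port) pairs that accepted a connection, i.e. the
    combinations where the port block is NOT in effect."""
    return sorted(key for key, reachable in results.items() if reachable)


if __name__ == "__main__":
    # Constructed sample targets; replace with hosts you are authorised to probe.
    targets = ["192.0.2.10", "192.0.2.11"]
    res = check_ports(targets)
    for (h, p), ok in sorted(res.items()):
        print(f"{h}:{p} {'OPEN (not blocked)' if ok else 'blocked/unreachable'}")
    if exposed(res):
        print("WARNING: SMB/NetBIOS ports reachable on:", exposed(res))
```

Run it from a host on the far side of the boundary that is supposed to enforce the block (for example, from an Internet-facing vantage point or from an untrusted VLAN); a result of "blocked/unreachable" from inside the same LAN segment proves nothing about the perimeter filter.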
Hey everyone, it’s Adrian. Wanted to drop in and let you know where we are in our investigation of Win32/Graweg. As I’m sure you’ve seen by now on our AV partner sites, this is rated as a low threat and doesn’t at this time replicate automatically from machine to machine. So its impact in terms of infection base appears to be extremely small. We’ve updated the security advisory related to MS06-040. What we know right now is that the attack affects specifically Windows 2000 computers that have not applied the MS06-040 update. Thus far we have not seen this attack impacting any other versions. We urge everyone to apply the update however, and should the situation change we will post more information and guidance as it becomes available.
-Adrian
Stepto here. It’s a late, late Saturday night. We’ve been made aware of a recent SANS Internet Storm Center diary post several hours ago regarding an active exploit on MS06-040. We wanted to let you know what we’ve been doing about the situation and what we know. Our AV teams have labeled this Win32/Graweg.A and Win32/Graweg.B and have added detection to http://safety.live.com already as well as our various other offerings such as Windows OneCare.
So far, this appears to be an extremely targeted attack, very much unlike what we have seen in the past with recent internet-wide worms. In fact, our initial investigation reveals this isn’t a worm in the “autospreading” classic sense, and it appears to target Windows 2000.
Very few customers appear to be impacted, and we want to stress that if you have the MS06-040 update installed you are not affected.
While all that could change based on the actions of the criminals, it’s important to scope the situation and take the opportunity to stress that everyone should apply this update.
We’ll be working through the night on this of course. I want to say it again: It’s critical that everyone certainly deploy MS06-040 across their systems ASAP. But also I want to stress our initial indicators are not showing an internet-wide impact or some type of efficient automated attack. We’ll update the blog and our other communication on this should we see that happen. Right now, we are gathering information that we will provide to law enforcement as needed, and are sharing information with all of our Microsoft Security Response Alliance partners.
One last thing. You’ve heard me say it a lot, but it bears repeating:
Customers who believe they have been attacked should contact their local FBI office or report their situation to http://www.ic3.gov/. Customers outside the U.S. should contact the national law enforcement agency in their country. Customers who believe they are affected can contact Product Support Services. Contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1866-PCSAFETY) and international customers by using any method found at this location: http://support.microsoft.com/security.
Hey folks - Mike Reavey here, providing you with a quick update on MS06-040. This morning we released Security Advisory 922437 because we're aware of exploit code that has been published on the Internet for the vulnerability that is addressed by Microsoft security bulletin MS06-040. We've verified that this exploit code can allow remote code to execute on Windows 2000 and Windows XP Service Pack 1 only. In its current state, this code does not affect Windows XP Service Pack 2, Windows Server 2003, or Windows Server 2003 Service Pack 1. Also, we've verified that this exploit code does not affect customers who have installed the MS06-040 update on their systems.
We continue to recommend that customers apply the updates to the affected products by enabling the Automatic Updates feature in Windows, or using their deployment infrastructure in their enterprise or small business and restart their systems.
As a reminder, Microsoft is aware of very limited, targeted attacks that exploited the vulnerability prior to the release of the update, but we're not currently seeing broad attacks that use this newly posted exploit code or of additional customer impact at this time. However, we continue to actively monitor this situation with our Microsoft Security Response Alliance partners and will keep customers informed and provide customer guidance as necessary.
Hi Christopher Budd here,
We're into the second day of our August 2006 release and I wanted to check back and let folks know how things are going with this release.
It's been about 30 hours since we posted the security updates and I'm happy to be able to say we've had well over 100 million downloads of the update for MS06-040 (that's nearly 3.5 million per hour!!). So our thanks to everyone for working hard and helping us get this out to protect their systems.
We're also seeing good progress and downloads on the other updates this month, including MS06-048, the update that addresses the PowerPoint issue we originally issued Microsoft Security Advisory 922970 about.
While we were aware of very, very limited exploitation of the vulnerability addressed by MS06-040 at the time of bulletin release yesterday we have not seen signs of widespread malicious activity so far. But, be assured that, like we always do, we've got our Emergency Response process teams watching for any possible malicious activity along with our partners in the MSRA. If we see anything, we'll respond as quickly as possible and work to provide customers with guidance and assistance. And of course, like we did with Sasser and Zotob, should a malicious attack occur, our teams are ready to assist our partners in law enforcement with their investigations.
I thought you all might want an idea of how things are looking from our side and we'll let you know of any important information around this issue.
And finally, I wanted to thank everyone for joining us for today's webcast. And, a reminder that you can get this on-demand starting tomorrow, so if you missed today's broadcast, you can still listen to it and get information from all the great questions.
Thanks again!
Christopher