The official corporate security response blog

  • MSRC

    Two new and one updated advisory discussing PoC and exploits

    Lennart Wistrand here. This week we’ve seen proof of concept code posted for a Windows Shell vulnerability. We have also seen limited exploits of a previously publicly disclosed vulnerability in DirectAnimation as well as limited exploits of a PowerPoint vulnerability.

    We’ve made the Windows Shell advisory available to advise customers of this public PoC. The advisory calls out mitigating factors and workarounds and does also touch upon our plans around releasing a security update that addresses this. The advisory can be found here.

    We’ve also made a small update to the DirectAnimation advisory to call out that we have seen very limited attacks occur. That advisory can be found here.

    Finally, we’ve published a PowerPoint advisory as well regarding limited attacks using specially crafted PowerPoint files.

    In each case, user interaction is required for a successful exploit to occur and our Safe Browsing guidance applies. Reading e-mail using Outlook or Outlook Express can, in and of itself, not put you at risk but if you click on a link in an e-mail from an untrusted source you could be at risk. Keep your anti-virus software up to date and use caution when browsing. Please refer to the advisories for a more in-depth discussion of this.

    We are working overtime to help get all of you more secure and we do continue to encourage security researchers to work with us towards resolutions to vulnerabilities that are discovered.

    -Lennart

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Update on today's out of band release

    Hi everyone, Scott here to tell you about today’s out of band release.  Everything should be available at this point.

    With this particular vulnerability, the biggest concern we had was around risk.  This one affected many different platforms in many scenarios that are considered by customers to be common usage.  While the attacks we saw were very limited, our decision to go out of band on this release was really around the risk in combination with the attacks.  Through some really top notch effort by all our testing teams, we were able to reach our quality bar far sooner than we originally anticipated.  Yesterday we really became confident in our final checklists that we could release it and so we have done so.  Please be sure you check out the security bulletin for all the information about this update:

    http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx

    One thing to note, we recommend that you undo any of the previously recommended workarounds involving VGX.DLL before applying this update.  Information on how to undo those workarounds is detailed in the bulletin.  This is very important because if you do not revoke the VGX.DLL changes, the update could fail to install or deploy.

    Lastly as Craig mentioned earlier, we’ve also re-released MS06-049 today.  This bulletin was re-released to address a niche issue involving data corruption in combination with NTFS compression for Windows 2000 customers.  The original update protected against the vulnerability, but we wanted to make sure we were addressing the compression issue for customers.

    Thanks
    Scott

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    MS06-055 release.

    Hey everyone, Craig Gehre here.  We’re in the process of releasing out of band update MS06-055 to address the VML issue.  At the moment, Windows Update, Microsoft Update, and Autoupdate are live.  We’re in the process of publishing the bulletin, associated packages, and updated content for WSUS, MBSA 1.2.1, EST, and MBSA 2.0 to the Microsoft download center and normal locations and those should be up shortly.  Until that time the links might not work in the bulletin until the packages appear on the download center. The WSUSscan.cab for SMS and MBSA 2.0 users is also in process and will be published soon. We’ll provide a follow-on blog post shortly once we get everything up.

    We're also re-releasing MS06-049 for Windows 2000 users and will have that information up shortly as well.

    -Craig

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    A quick entry on the VML issue.

    Hi everyone, Scott Deacon here again. Wanted to update you on what we’ve seen to date with the VML issue.  Attacks remain limited.  There’s been some confusion about that, that somehow attacks are dramatic and widespread.  We’re just not seeing that from our data, and our Microsoft Security Response Alliance partners aren’t seeing that at all either.  Of course, that could change at any moment, and regardless of how many people are being attacked, we have been working non-stop on an update to help protect from this vulnerability. We’ve made some progress in our testing pass for the update and are now evaluating releasing this outside the monthly cycle, as we do any time customers are under threat and we believe we can issue an update that meets our quality bar for widespread deployment.  So right now we're looking at where we hit that quality bar and if that occurs prior to the monthly cycle then we will release.

    That last bit is important because we were made aware this morning of a third party “update” for this issue.  We think it’s great that there are people out there working to help protect our customers.  But as we’ve always said, we cannot endorse third party updates.  As a best practice, customers should obtain security updates and guidance from the original software vendor.  That’s because we carefully review and test security updates and workarounds to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. 

    The MSRC cannot provide any similar assurance for third party security updates or mitigations. 

    But like I said the good news here is that around 24-48 hours ago we began to see we have the possibility of going out of band here and we will keep you posted as we go.  The primary driver here is quality and protecting customers, not adherence to the monthly schedule.

    [EDIT: Scott here, the above paragraph seems to be confusing some people.  During each engineering process, especially for an update regarding an issue that is being exploited, we evaluate where we are in the testing on a constant basis.  We’ve become more confident in the past couple of days in our ability to do an out of band release, that’s all.]

    Thanks
    Scott

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Microsoft Security Advisory (925568) Posted.

    Morning, Scott here from the MSRC Operations team again, I wanted to let everyone know that we have just posted Microsoft Security Advisory (925568).

    You can read more in the advisory, but after working with the folks from the X-Force team at ISS, we confirmed new public reports of a vulnerability in the Microsoft Windows implementation of Vector Markup Language (VML). Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user's system. We also want you to know that we’re aware that this vulnerability is being actively exploited. Thus far the attacks appear targeted and very limited.  We’ve actually been working on an update that addresses this vulnerability and our goal is to have it ready for the October release, or before if we see widespread attacks.

    You can find the advisory here: http://www.microsoft.com/technet/security/advisory/925568.mspx which contains a set of workarounds that customers can implement to protect themselves.  We’ve also been adding detection to our various offerings.  Customers can also visit Windows Live OneCare Safety Scanner and are encouraged to use the Full Service Scan option to check for and remove malicious software that takes advantage of this vulnerability. Also, Windows Live OneCare users whose current status is green are already protected from known malware that uses this vulnerability to attempt to attack systems.

    As always if you think you have been impacted by this issue we definitely encourage you to contact Product Support Services. You can contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1866-PCSAFETY) and international customers by using any method found at this location: http://support.microsoft.com/security

    Thanks
    Scott

     *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Known Issue Documented for MS06-049

    Hey everyone, this is Adrian Stone and I wanted to let you know about a very limited issue that some Windows 2000 customers are experiencing after the installation of MS06-049.  We just became aware of this issue due to customer reports earlier this week, and have been verifying the reports and understanding the root cause of the issue for the past two days.

    If you have installed MS06-049 on an NTFS formatted drive and enabled NTFS compression on individual folders, there is the potential for data corruption. This issue can occur when the system that is using NTFS file system compression has compressed files that are larger than 4 kilobytes and the files are either updated or created. The result is that the data becomes corrupted and unreadable and appears corrupted when read back. In the short term you can disable NTFS compression and the data integrity will not be affected and your system will still remain protected from the vulnerability after having installed MS06-049.

    Since MS06-049 addressed a security issue on Windows 2000 only, no other platforms are affected by the NTFS compression issue.

    We've followed our standard procedure for documenting known issues by noting this in Microsoft Knowledge Base Article 920958, updating the MS06-049 Bulletin to notify our customers of the potential impact, and writing this blog entry.

    In the near term we are working on a re-release for this update and will be revising and reissuing the MS06-049 files as soon as it is ready and has completed enough testing to ensure its quality.  We will release it as soon as it is ready; we will not specifically wait for the October 10 Tuesday security release.  The update will apply to all Windows 2000 systems and will automatically be distributed over Windows Update, Automatic Updates and WSUS.

    If you have run into this issue please contact the Product Support Services team so that we can continue to get solid data regarding this and channel it back into our investigation of the issue. As always you can contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1866-PCSAFETY) and international customers by using any method found at this location: http://support.microsoft.com/security.

    I will keep you posted and let you know our progress as more information becomes available regarding the re-release or any additional info on this right here on the blog.

    Thanks,

    -A

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

    Updated to correct the date for the October 2006 release.

  • MSRC

    Microsoft Security Advisory (925444) Posted

    Hello,

    This is Christopher Budd.

    Very quickly, I wanted to let you know that we’ve just posted Microsoft Security Advisory (925444).

    This Advisory talks about how we are also aware of proof of concept code published publicly affecting Microsoft DirectAnimation Path ActiveX control, which is included in Daxctle.ocx. This vulnerability may allow an attacker to execute code on a user’s machine by convincing them to visit a malicious website using Internet Explorer. We are not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time.

    The Security Advisory details some things customers can do to protect themselves while we’re investigating this issue.

    You can find the Advisory here:  http://www.microsoft.com/technet/security/advisory/925444.mspx

    Thank you.

    Christopher

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    September 2006 Monthly Bulletin Release

    Hello,

    This is Christopher Budd.  I wanted to take a moment to let you know that we've posted our security bulletins for September 2006.  Specifically, this month, we're releasing:

    • MS06-052 applies to Microsoft Windows and is rated Important
    • MS06-053 applies to Microsoft Windows and is rated as Moderate
    • MS06-054 applies to Microsoft Office and is rated as Critical for earlier versions and Important for more recent versions.

    We also re-released:

    • MS06-040 for Windows Server 2003 and Windows XP Professional x64 editions only. This is to address issues with programs that request large blocks of contiguous memory identified in Microsoft Knowledge Base Article 924054.
    • MS06-042 for IE 5.01 SP4, IE 6.0 SP1, and IE 6 on Windows Server 2003.  This is to address the Long URL Buffer Overflow Vulnerability. Tony Chor with the IE team has posted information on this re-release on their weblog here.

    Both re-releases will be provided through the same channels as the original releases and customers who are using products affected by the re-releases should apply the new updates.

    Finally, today, we’ve published two security advisories:

    Finally, a reminder that tomorrow, as we do each month, we will be hosting a webcast to go over this month's release and take your questions.  The webcast will be at 11 AM Pacific Time and then later available on-demand.  You can register for it here.

    Thanks,

    Christopher

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    September 2006 Advance Notification

    Hello,

    This is Christopher Budd.

    I wanted to go ahead and let people know that we’ve posted our Advance Notification for September 2006 Microsoft Monthly Security Bulletin Release.

    Next Tuesday, on September 12, 2006 at approximately 10:00 am PT we are slated to release three new security bulletins:

    • Two Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Important.
    • One Microsoft Security Bulletin affecting Microsoft Office. The highest Maximum Severity rating for these is Critical.

    All of these updates will be detectable using the Microsoft Baseline Security Analyzer and some of these updates will require a restart.

    We will also be making our regular monthly update to the Microsoft Windows Malicious Software Removal Tool.

    We’ll have our regularly scheduled technical webcast on Wednesday, September 13th 2006 at 11:00 am PT. You can register for it here:

    http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032305653&EventCategory=4&culture=en-US&CountryCode=US

    Thanks.

    Christopher

    *This posting is provided "AS IS" with no warranties, and confers no rights.*
