The official corporate security response blog
@MSFTSecResponse
Hello,
This is Christopher Budd. We’ve gotten some questions from customers about a new public claim of a spoofing vulnerability affecting IE 7. Because Microsoft had previously determined that this actually isn’t a security vulnerability, there has been some confusion over these new reports. So, I wanted to take a moment and explain what’s going on here to help people understand the issue.
The newly reported issue is actually a repeat of an issue reported in 2004. This report highlighted that IE and other browsers are designed to allow sites to load pages in browser windows from other sites. This is actually an important design consideration for many websites, especially line-of-business sites, that re-use windows to provide a consistent customer experience. However, an example of how this could be used to mislead users would be for an untrusted site to pop-up a browser window over a trusted site. To make this compelling, the pop-up window would be created without an address-bar. The combination of these events could then be used to add untrusted content to legitimate-looking pop-up windows in a phishing or spoofing attack.
Like we always do, we investigated that claim thoroughly in 2004. We found that in all cases, for this to represent a threat for phishing or spoofing attacks, a user would have to decide to trust the authenticity of the page without verifying the page’s address (because there was no address bar) and without verifying an SSL connection (like we recommend on our website). In other words, the scenario requires that you intentionally not use the security features specifically put in place to help protect against phishing and spoofing attacks. Because of that, we said in 2004 that this issue doesn’t represent a security vulnerability as we have defined it on our website.
Now, that said, we take all reports seriously even when they’re not security vulnerabilities. In this case, we did look at the scenario in question and asked ourselves what we could do to help improve our anti-phishing and anti-spoofing features so that customers can better protect themselves. We decided that one thing we could do was to add a feature to IE 7 where it always shows the actual URL of the web page, even in pop-up windows. So we added a pop-up window address bar, enabling users to more accurately make a trust decision.
In fact, there is a test page as part of this claim and if you look at the page using IE7 you can see the actual URL of the page in the pop-up window.
The key thing is that what we said about the issue in 2004 still applies: that you should never decide to trust a web page without first verifying both the address of the web page and an SSL connection.
I hope this helps to explain and clarify the issue.
Thank you.
Christopher
*This posting is provided "AS IS" with no warranties, and confers no rights.*
Hi everyone, Scott here from the MSRC operations team with a real quick update. I wanted to let everyone know that we are fully aware of the recent Proof of Concept (POC) code posting regarding ADODB.Connection.
We have initiated our Software Security Incident Response Process to investigate this issue. Once we have completed the investigation and understand if there is a threat to customers we will take the appropriate action to protect and provide guidance – as required. As always we are working with our MSRA partners to monitor and secure the ecosystem.
I'll do my best to keep everyone up to date as the investigation progresses.
Cheers
Scott.
This is Christopher Budd. I wanted to take a moment and let people know some information about a new public report about a possible vulnerability in Internet Explorer we’ve received today. As soon as we learned of the report we started an investigation into the issue and we have some information we can share on this.
First, this is an issue with how URLs are displayed in the address bar. Specifically, we’ve seen that this occurs in a pop-up window after a user clicks a specially formed link on an untrusted website or in an untrusted e-mail.
Now, while the full URL is actually present in the address bar, the left part of the URL is not initially displayed. But, you can see the full URL if you either click in the browser window or in the address bar and then scroll within the address bar.
We’re not aware of any attacks that are attempting to use this, but as always we will continue to monitor the situation throughout our investigation.
Now, our general guidance as far as things you can do to help protect yourself against phishing attacks can help protect here. Specifically that you should never enter personal information into a website unless you’ve verified the server’s name by using SSL. We talk about this on our website here.
The other thing I wanted to mention is that in IE 7, the Microsoft Phishing Filter can help protect should any phishing sites attempt to exploit this issue in a couple of ways.
First, the Phishing Filter’s browser-based heuristics can help to protect you. These heuristics analyze Web pages in real time and then can warn you about suspicious characteristics if it finds any on the page. If someone attempts to use this issue in a phishing site, the Phishing Filter’s heuristics may detect that site as such and warn you.
Another way the Phishing Filter can help protect you is through our online service. If a site that attempts to exploit this issue is reported to us and confirmed to be a phishing site, we will add it to the Microsoft Phishing Filter’s online service and it will be flagged as a phishing site when viewed in IE7.
The Microsoft Phishing Filter online service is designed to allow us to update it fairly quickly with information as sites are reported and confirmed by us. As sites are added to the online service, this information is made available to all users running IE7 which provides protections broadly to customers quickly.
If you’re new to the Microsoft Phishing Filter, (like I am), it might be good to know how you can report a site that you believe is a phishing site. You can report a site you suspect as a phishing site in the IE7 tools menu under Phishing Filter by clicking on “report this website.” You can also report a site that is flagged as suspicious you believe is a phishing site by clicking the “report this website” link in the IE7 warning badge.
Note too that you’ll need to be sure to “opt-in” to use the Phishing Filter.
We do have this issue under investigation and as always, once we complete our investigation we’ll take appropriate steps to protect our customers.
I hope this helps to clarify things.
Thanks.
Hi, this is Christopher Budd.
We’ve gotten some questions here today about public reports claiming there’s a new vulnerability in Internet Explorer 7. This is an issue that we have under investigation and so we have some technical information we can share about the issue.
These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all. Rather, it is in a different Windows component, specifically a component in Outlook Express. While these reports use Internet Explorer as a vector, the vulnerability itself is in Outlook Express.
While we are aware that the issue has been publicly disclosed, we’re not aware of it being used in any attacks against customers.
We do have this under investigation and are monitoring the situation closely and we’ll take appropriate action to protect our customers once we’ve completed the investigation.
I hope that helps to clarify.
¡Hola everyone! Ben Richeson here. I just want to take a quick moment here to introduce myself as one of the newest members of the MSRC as well as to post (my first blog entry!) about an update to MS06-061.
Today, MS06-061 has been re-released to re-offer a revised version of the security update to customers with Windows 2000 Service Pack 4 only. While the original version of MS06-061 for Windows 2000 did fully protect against the vulnerabilities discussed in the bulletin, it did not correctly set the kill bit for Microsoft XML Parser 2.6. The revised version we released today protects against all the vulnerabilities discussed in MS06-061 and correctly sets the kill bit for Microsoft XML Parser 2.6. We are recommending all Windows 2000 customers go ahead and deploy this revised version. All other customers need take no action with this re-release.
Also, additional information has been included in the security bulletin for customers wishing to remove the security update for Microsoft XML Core Services 4.0 and Microsoft XML Core Services 6.0.
Thanks,
-Ben
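As an added example (not from Ben's post and not Microsoft's own tooling): a PowerShell check of whether the ActiveX kill bit is actually set for a given CLSID, which is the thing the original Windows 2000 package got wrong for MSXML 2.6. A kill bit is the 0x400 bit of the "Compatibility Flags" DWORD under the ActiveX Compatibility registry key; the function reads both the native and the Wow6432Node view so it also works on 64-bit systems. The CLSID in the usage line is a placeholder, because the post does not give the MSXML 2.6 class identifier; take the real one from the MS06-061 bulletin.

```powershell
# Added example, not from the MSRC post. Checks whether the ActiveX kill bit
# (0x400 in "Compatibility Flags") is set for a CLSID under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# The CLSID passed at the bottom is a PLACEHOLDER, not the MSXML 2.6 class id.

function Test-KillBit {
    param(
        [Parameter(Mandatory = $true)][string]$Clsid
    )
    $killBitFlag = 0x400
    # Native view plus the 32-bit view on 64-bit Windows; on Windows 2000 the
    # Wow6432Node key simply does not exist and is reported as missing.
    $bases = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )
    foreach ($base in $bases) {
        $key   = Join-Path $base $Clsid
        $flags = $null
        if (Test-Path -Path $key) {
            $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        [pscustomobject]@{
            Clsid       = $Clsid
            RegistryKey = $key
            KeyExists   = (Test-Path -Path $key)
            Flags       = $flags
            # A missing key or missing value means no kill bit at all.
            KillBitSet  = ($null -ne $flags) -and (($flags -band $killBitFlag) -eq $killBitFlag)
        }
    }
}

# Usage: replace the placeholder GUID with the CLSID named in the bulletin.
Test-KillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

If KillBitSet comes back $false after the revised update is installed, the machine did not get the corrected package; the same function can be pointed at any CLSID an advisory tells you to kill-bit, which makes it a convenient post-deployment verification step.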
Hey everyone, this is Alexandra Huft.
I wanted to let you know that we’ve been made aware of proof of concept code published publicly affecting Microsoft Office 2003 PowerPoint. We are currently investigating this report. The reported proof of concept may allow an attacker to execute code on a user’s machine by convincing them to open a specially-crafted PowerPoint file. We are not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time.
As part of our investigation, we are working with our MSRA partners to monitor and secure the ecosystem.
Alexandra
Hey everyone, Craig Gehre here. We’re in the process of releasing our October 2006 Security Bulletins and I wanted to go ahead and update you on it.
We're releasing ten new Security Bulletins this month:
MS06-056 addresses a vulnerability in Microsoft Windows and has a maximum severity rating of Moderate.
MS06-057 addresses a vulnerability in Microsoft Windows and has a maximum severity rating of Critical.
MS06-058 addresses a vulnerability in Microsoft Office and has a maximum severity rating of Critical for earlier versions of Office and a maximum severity rating of Important for more recent versions of Office.
MS06-059 addresses a vulnerability in Microsoft Office and has a maximum severity rating of Critical for earlier versions of Office and a maximum severity rating of Important for more recent versions of Office.
MS06-060 addresses a vulnerability in Microsoft Office and has a maximum severity rating of Critical for earlier versions of Office and a maximum severity rating of Important for more recent versions of Office.
MS06-061 addresses a vulnerability in Microsoft Windows and has a maximum severity rating of Critical.
MS06-062 addresses a vulnerability in Microsoft Office and has a maximum severity rating of Critical for earlier versions of Office and a maximum severity rating of Important for more recent versions of Office.
MS06-063 addresses a vulnerability in Microsoft Windows and has a maximum severity rating of Important.
MS06-064 addresses a vulnerability in Microsoft Windows and has a maximum severity rating of Low.
MS06-065 addresses a vulnerability in Microsoft Windows and has a maximum severity rating of Moderate.
Also, I wanted to give you a heads up on a delay in our release process.
Due to some network issues experienced on the Microsoft Update platform, the October security updates released today are not yet currently available via:
To be clear, it’s a delay due to the networking for these systems: there are no issues with the security updates themselves. Also, this issue doesn’t affect customers using Software Update Services (SUS), Windows Update v4 or Office Update.
Those of you affected by this delay who want to deploy the updates immediately can go ahead and download and deploy these updates manually by visiting http://www.microsoft.com/technet/security for the list of bulletins released today and then downloading the updates directly from the links in the bulletin.
Technical teams are engaged and have been working around the clock to resolve this problem and we anticipate that updates will be made available via the Microsoft Update platform by end of today October 10th.
We will post an update when the situation has been resolved and the updates are again available via this distribution channel.
-Craig
Craig again. I wanted to let you know that our teams have resolved the network issues with Microsoft Update. You should start seeing content replicated out to Microsoft Update, Automatic Updates, Windows Server Update Services (WSUS), and Windows Update v6.
This is Christopher Budd.
It’s the Thursday before the second Tuesday and so I wanted to go ahead and let people know that we’ve posted our Advance Notification for October 2006 Microsoft Monthly Security Bulletin Release.
Next Tuesday, on October 10, 2006 at approximately 10:00 am PT we are slated to release eleven new security bulletins:
We will also be making our regular monthly update to the Microsoft Windows Malicious Software Removal Tool.
We’ll have our regularly scheduled technical webcast on Wednesday, October 11th 2006 at 11:00 am PT. You can register for it here:
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032308775&EventCategory=4&culture=en-US&CountryCode=US