The official corporate security response blog
Hello,
This is Christopher Budd. I wanted to follow up our posting on the November 2006 Monthly Bulletin release to let folks know that MS06-071 has been made available for SUS 1.0. Those of you who are SUS 1.0 administrators should begin to see those updates show up for your approval.
Thanks.
Christopher
*This posting is provided "AS IS" with no warranties, and confers no rights.*
This is Adrian Stone. I wanted to let you know that we just posted Microsoft Security Advisory (928604). Microsoft is aware of public proof of concept code targeting the vulnerability addressed by security update MS06-070. At this time Microsoft has not seen any indications of active exploitation of the vulnerability.
We're tracking this issue through our Software Security Incident Response Process and there is information in the advisory with steps that customers can take to help protect themselves.
As always, we'll continue to monitor the situation and provide updates to the advisory should the situation change or we become aware of new information.
Cheers,
Adrian
Hey folks - Mike Reavey here. I wanted to let you know we’ve released our security bulletins for the month of November 2006 here today.
We’re releasing six new security bulletins today:
· Microsoft Windows (MS06-066)
    · maximum severity rating of Important
    · vulnerabilities could allow an attacker to remotely take complete control of an affected system.
· Microsoft Windows (MS06-067)
    · maximum severity rating of Critical
· Microsoft Windows (MS06-068)
· Microsoft Windows (MS06-069)
· Microsoft Windows (MS06-070)
· Microsoft XML Core Services (MS06-071)
Regarding MS06-071, I wanted to call out a couple of things. This update addresses an issue we first discussed in Microsoft Security Advisory (927892).
First, with this month’s release, Microsoft has changed the servicing model for Microsoft XML Core Services to include Windows Update in addition to Microsoft Update. This means that customers will now be able to obtain security updates for Microsoft XML Core Services through Windows Update and Software Update Services (SUS) in addition to Microsoft Update and Windows Software Update Services (WSUS).
Now, because this update is on Windows Update for distribution, we don’t want customers to be confused and think this is a vulnerability in any version of Windows: the vulnerability is actually in Microsoft XML Core Services, not in Windows.
But we’ve gone ahead and put this update on Windows Update to give the broadest possible coverage to protect customers for this issue and any possible future issues in Microsoft XML Core Services.
The other thing I want to mention about MS06-071 is information for our SUS 1.0 customers. Our goal every month is to release all updates through all our deployment channels simultaneously. While we were able to move quickly to release this update, we were not able to complete the work required to make it available through Software Update Services 1.0 today. The update is available through all other channels, and Software Update Services customers can obtain this update directly from the Download Center or through WSUS. We are working to make this update available through SUS as quickly as possible and expect to release it with the next SUS 1.0 update.
One final bit of SUS information: we had announced that SUS 1.0 would be retired on December 6, 2006. In response to customer feedback, and to provide customers with additional time to migrate off Software Update Services (SUS) 1.0, we’ve gone ahead and announced an extension to the end of support date to Tuesday, July 10, 2007. So we want to encourage anyone still running SUS 1.0 to migrate to Windows Server Update Services (WSUS) before July 2007. There’s information on WSUS here: http://www.microsoft.com/updateservices.
Finally, like we do every month, we’ll be holding our monthly Security Bulletin webcast, where we’ll go over the month’s release and answer your questions on the air. You can register for this month’s webcast here: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032313212&EventCategory=4&culture=en-US&CountryCode=US
Mike
Hi everyone. Brian and Jonathan, software security engineers from the SWI team here. Alexandra Huft from the MSRC team asked us to write a guest blog entry giving an update into the technical investigation of the PowerPoint 2003 proof-of-concept code published a few weeks ago which was previously blogged about here (http://blogs.technet.com/msrc/archive/2006/10/12/poc-published-for-ms-office-2003-powerpoint.aspx).
The short story is that this issue turned out to not be exploitable for remote code execution. It was a PowerPoint crashing bug, not a PowerPoint security vulnerability. The PowerPoint team has developed a fix for this bug and it will go into the next available ship vehicle for PowerPoint. The longer story is below.
The document produced by the published perl script generates a malformed PPT file. The file includes a container object with a 'position' value that is larger than the corresponding container's record length. So, when parsing this container, PowerPoint attempts to use this attacker-supplied position value to find a node in a list but the position is out of the list's bounds. The function that should be returning a legitimate object for later use by PowerPoint instead returns NULL due to the out-of-bounds position value. This return value is not checked for a NULL value before the address is operated on as an object. The reference of this NULL object pointer is what causes the exception.
Here's what that sequence of events looks like from an assembly level:
```
0:000> u 3001cdbc
POWERPNT+0x1cdbc:
3001cdbc e8dfdfffff      call    POWERPNT+0x1ada0 (3001ada0)   <---- This function returns NULL & the return value is not checked
3001cdc1 8b7610          mov     esi,dword ptr [esi+10h]
3001cdc4 2b7514          sub     esi,dword ptr [ebp+14h]
3001cdc7 8bf8            mov     edi,eax                       <--- eax is NULL
3001cdc9 8d45e0          lea     eax,[ebp-20h]
3001cdcc 8bcf            mov     ecx,edi                       <--- ecx is NULL
3001cdce 50              push    eax
3001cdcf e8e8e1ffff      call    POWERPNT+0x1afbc (3001afbc)   <---- call into the function that will cause the NULL deref
3001cdd4 3b7d18          cmp     edi,dword ptr [ebp+18h]
3001cdd7 0f848fddffff    je      POWERPNT+0x1ab6c (3001ab6c)

0:000> u 3001afbc
POWERPNT+0x1afbc:
3001afbc 8b01            mov     eax,dword ptr [ecx]           <--- This is the actual instruction that causes the exception

0:000> lmvm powerpnt
start    end        module name
30000000 3061d000   POWERPNT   (export symbols)       POWERPNT.EXE
    Loaded symbol image file: POWERPNT.EXE
    Image path: c:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
    Image name: POWERPNT.EXE
    Timestamp:        Tue Sep 26 17:15:28 2006 (4519C2A0)
    CheckSum:         00624FE1
    ImageSize:        0061D000
    File version:     11.0.8110.0
    Product version:  11.0.8110.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0000.04e4
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft Office 2003
    InternalName:     POWERPNT
    OriginalFilename: POWERPNT.EXE
    ProductVersion:   11.0.8110
    FileVersion:      11.0.8110
    FileDescription:  Microsoft Office PowerPoint
    LegalCopyright:   Copyright © 1987-2003 Microsoft Corporation. All rights reserved.
```
We hope these additional details clear up any questions our customers may have had about why the MSRC does not consider this a product security vulnerability.
Thanks,
Brian and Jonathan
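The pattern described in the post above, reduced to a small C sketch. This is an added example, not code from the post or from PowerPoint; the `container`, `node`, `find_node` and `read_value_*` names and the sample data are hypothetical. It shows the lookup that returns NULL for an out-of-bounds position, the caller that uses the result unchecked, and a caller that rejects the malformed record instead.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical container of child nodes; names are illustrative only. */
struct node { uint32_t value; };
struct container { struct node *nodes; uint32_t count; };

enum parse_status { PARSE_OK = 0, PARSE_MALFORMED = -1 };

/* Lookup as described in the post: an out-of-bounds position yields NULL. */
struct node *find_node(const struct container *c, uint32_t position)
{
    if (c == NULL || position >= c->count)
        return NULL;
    return &c->nodes[position];
}

/* Unchecked caller (the crashing pattern): the result is used as an object
 * without a NULL test. With a position taken from a malformed file this
 * reads through address 0, the equivalent of "mov eax,dword ptr [ecx]"
 * with ecx == NULL. */
uint32_t read_value_unchecked(const struct container *c, uint32_t position)
{
    struct node *n = find_node(c, position);
    return n->value;
}

/* Checked caller: a failed lookup is reported as a parse error and the
 * output is left untouched, so the parser can abandon the record. */
enum parse_status read_value_checked(const struct container *c,
                                     uint32_t position, uint32_t *out)
{
    struct node *n = find_node(c, position);
    if (n == NULL || out == NULL)
        return PARSE_MALFORMED;
    *out = n->value;
    return PARSE_OK;
}

int main(void)
{
    struct node nodes[3] = { {10}, {20}, {30} };   /* constructed sample data */
    struct container c = { nodes, 3 };
    uint32_t v = 0;
    /* Position 7 lies outside the 3-node container, as in the malformed file. */
    int rejected = read_value_checked(&c, 7, &v) == PARSE_MALFORMED;
    int accepted = read_value_checked(&c, 1, &v) == PARSE_OK && v == 20;
    return (rejected && accepted) ? 0 : 1;
}
```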
This is Christopher Budd, program manager here at the MSRC. It's the Thursday before the second Tuesday and so I wanted to go ahead and let people know that we've posted our Advance Notification for November 2006 Microsoft Monthly Security Bulletin Release. Next Tuesday, on Nov. 14, 2006 at approximately 10:00 am PT we are slated to release six new security bulletins:
We will also be making our regular monthly update to the Microsoft Windows Malicious Software Removal Tool. We'll have our regularly scheduled technical webcast on Wednesday, Nov. 15, 2006 at 11:00 am PT. You can register for it here:
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032313212&EventCategory=4&culture=en-US&CountryCode=US
Ben Richeson here. I wanted to let you know that we just posted Microsoft Security Advisory (927892) about our investigation of public reports of a vulnerability in the XMLHTTP 4.0 ActiveX Control, part of Microsoft XML Core Services 4.0 on Windows. We are aware of limited attacks that are attempting to use the reported vulnerability.
-Ben
Christopher Budd here. Very quickly, I wanted to let people know that we just posted Microsoft Security Advisory (927709) that talks about public proof of concept code published on an issue in the WMI Object Broker ActiveX control. We are aware of the possibility of limited attacks that are attempting to use the reported vulnerability.
We're tracking this issue through our Software Security Incident Response Process and we have information in the advisory as far as steps customers can take to protect themselves.