The official corporate security response blog
Hi everyone,
As usual, the holiday season is a busy time for everyone, including those of us here in the MSRC. I hope that everyone has finished their holiday shopping so they can enjoy the long weekend. This is Mike Reavey, by the way, in case anyone was wondering.
Aside from discussing the holidays, the reason I am dropping in on the blog is that right now we are closely monitoring developments related to a public posting of proof-of-concept code targeting an issue with the Client Server Run-Time Subsystem. The PoC reportedly allows for local elevation of privilege on Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2 and Windows Vista. Initial indications are that in order for the attack to be successful, the attacker must already have authenticated access to the target system. Of course, these are preliminary findings, and we have activated our emergency response process involving a multitude of folks who are investigating the issue in depth to determine the full scope and potential impact to Microsoft’s customers. Currently we have not observed any public exploitation or attack activity regarding this issue. While I know this is a vulnerability that impacts Windows Vista, I still have every confidence that Windows Vista is our most secure platform to date. As always, we here at the MSRC encourage everyone to enable a firewall, apply all security updates and install anti-virus and anti-spyware software.
Regardless of it being the holiday season, the MSRC will be monitoring overall threat conditions for this and any other issue reported to us. If we do see anything that we believe puts Microsoft customers at risk, or significant new developments, we will update everyone through our standard mechanisms, including this blog and, if need be, an Advisory with additional details.
Happy Holidays,
Mike
*This posting is provided "AS IS" with no warranties, and confers no rights.*
We wanted to follow up with Office for Mac users on what to do if you installed the pre-release security updates released on Tuesday. Because the Office for Mac update that was erroneously released had additional, non-security fixes, the Office for Mac team would like to distribute a new update to its customers that includes all the fixes unrelated to security. We are planning to release the new update by the end of next week.
Customers who downloaded the pre-release security update for Office for Mac on Tuesday should install this new update when it is released. This new update will remove the pre-release version and install the fully tested application fixes; we suggest that all Office for Mac users download the new update.
We are sorry for any confusion this may have caused.
Thanks,
Mike
Hey everyone, Alexandra Huft here. I wanted to try and summarize/clarify for everyone the three current Word Zero-Day issues that have been reported to Microsoft.
First, I wanted everyone to know that we’re actively investigating and monitoring all of these issues through our Software Security Incident Response Process and we are working on developing and testing security updates for the three issues, which we’ll release as part of our release process once they’ve reached an appropriate level of quality.
1. CVE-2006-5994 – This issue is discussed in Microsoft Security Advisory 929433. Our ongoing monitoring indicates that this is subject to very limited and targeted attacks.
2. CVE-2006-6456 – This issue is discussed in our blog posting from December 10. Our ongoing monitoring indicates that this also is currently subject to very limited and targeted attacks. Our investigation so far indicates that this issue affects Word 2000, Word 2002, Word 2003 and Word Viewer 2003.
3. CVE-2006-6561 – This is a new issue. At this time we’re aware only of proof-of-concept code; we’re not aware of any attacks. Our initial investigation indicates that this issue affects Word 2000, Word 2002 and Word Viewer 2003.
The guidance, as far as steps that customers can take to protect themselves, that we’ve provided in Microsoft Security Advisory 929433 applies to all three issues. Our teams are continuing their research to find additional workarounds and if we have new information we’ll post that updated information in the advisory.
If you think you may have been impacted by this issue, we definitely encourage you to contact Product Support Services. Customers in North America can contact Product Support Services at no charge for help with security update issues or viruses using the PC Safety line (1866-PCSAFETY); international customers can use any of the methods found at this location: http://support.microsoft.com/security
Hope the information above helps to clarify the situation for everyone.
Alexandra
We’ve seen some questions from customers about some security updates for Office for Mac that were posted briefly today without any corresponding security bulletins.
I wanted to let you know that these weren’t security updates related to this month’s release or the two Word issues we’ve written about in Security Advisory 929433 and on our weblog: those investigations are still underway and we’ll release updates for those issues once we’ve met the appropriate quality bar. The updates posted in error were pre-release binaries that had been staged internally as part of our testing for an upcoming release. Due to human error, they were accidentally published to the public websites before our full testing release process was complete.
As soon as we discovered the error, we moved quickly to address it and remove the pre-release binaries from our public sites.
Once our investigation into this issue is complete and we have security updates that meet our quality bar for release, we’ll release those final security updates for all products affected along with a security bulletin. We’re also taking steps to ensure a mistake like this doesn’t happen again.
We recommend that anyone who may have installed these pre-release updates uninstall them.
I’m sorry for any confusion this might have caused.
Thanks.
Hello, this is Christopher Budd.
I wanted to let you know that as part of our standard monthly bulletin release process we’ve released our security bulletins for December 2006.
· Microsoft Windows (MS06-072)
    · maximum severity rating of Critical
    · vulnerabilities could allow an attacker to remotely take complete control of an affected system
· Microsoft Visual Studio 2005 (MS06-073)
· Microsoft Windows (MS06-074)
    · maximum severity rating of Important
· Microsoft Windows (MS06-075)
· Microsoft Windows (MS06-076)
· Microsoft Windows (MS06-077)
· Microsoft Windows (MS06-078)
I do want to note that we added a seventh update as part of this release since we published the Advanced Notification last Thursday. We added MS06-078, which addresses two vulnerabilities in Windows Media Format, one of which we discussed in a posting last Thursday.
Finally, a reminder that we’ll be doing our regular monthly Security Bulletin webcast on Wednesday, December 13, 2006 at 11:00 AM Pacific Time (US & Canada).
You can sign up for it here: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032317233&EventCategory=4&culture=en-US&CountryCode=US
Christopher
Hi All,
Scott Deacon here. Well, a busy week extends into a busy weekend for the MSRC!
We are investigating reports of another new vulnerability in Microsoft Word. Initial investigation has shown that this is a different issue from the one reported in Microsoft Security Advisory 929433.
Our initial investigation has discovered that Word 2000, Word 2002, Word 2003 and the Word Viewer 2003 are affected, but Word 2007 is NOT affected by the vulnerability.
From the initial reports and investigation we can confirm that the vulnerability is being exploited on a very, very limited and targeted basis.
We're tracking this issue through our Software Security Incident Response Process and as always, we'll continue to monitor the situation and provide updates should the situation change or we become aware of new information.
Have a good weekend all!
Scott
Updated: After further investigation, we have found that Word 2000 is affected by this vulnerability and have updated the posting accordingly.
Hi, this is Christopher Budd.
We’ve gotten some questions from customers about what we mean when we say we’re aware of “very limited, targeted attacks” in a security advisory. I wanted to take a moment and help give some clarity.
When we talk about “very limited, targeted attacks” we specifically mean this in contrast to attacks that affect a broad number of customers randomly. Unlike these broad, random attacks, very limited, targeted attacks are carried out against a very small number of customers (sometimes even only one or two) and are carried out in a very deliberate fashion against a specific organization or organizations.
Where the goal of these broad, random attacks is large in scope, the goal of these very limited, targeted attacks is generally to introduce malicious software onto the systems of the specific organizations that have been targeted. For example, in investigating the issue covered by Microsoft Security Advisory 929433, which we just issued, part of our investigation showed that the attacks were specifically attempting to introduce malicious software rather than propagate themselves to additional customers. As part of our Software Security Incident Response Process (SSIRP), we have provided information about this malicious software to our AV partners through partner programs such as those in the Microsoft Security Response Alliance (MSRA) so that they can build signatures to detect the malicious software. The Windows Live OneCare Safety Scanner also contains signatures for this malicious software.
One of our goals when we issue a security advisory is to give you information to help you understand the risks posed by an issue. One thing we know that customers want to know about is what the scope of an attack is. Through our work with partners, with customers, and internal investigations, we’re sometimes able to tell if an attack is a broad, random attack, or if it’s a very limited, targeted attack. When we’re able to do this, we include it in our security advisory as another piece of information to help you understand what’s going on, so you can make better informed risk assessments.
I hope this helps to clarify the statement. Of course, whether an attack is broad or limited, we still treat every issue as a priority, and our teams continue to actively investigate this issue.
Hey everyone, this is Alexandra Huft.
I wanted to let you know that we’re aware of publicly published proof-of-concept code affecting the Windows Media ASX file format. We are currently investigating this report. We are not currently aware of attempts to exploit this vulnerability.
The ASX file format is an XML-based media file format which is processed by Windows Media Player. An attacker could construct a malformed ASX file and use it to cause Media Player to overrun a heap-allocated buffer, potentially leading to remote code execution.
We are also investigating other attack vectors to reach the same vulnerable code.
As part of our investigation, we are working with our MSRA partners to monitor and secure the ecosystem.
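Because the post describes the risk as a malformed ASX file whose contents overrun a heap-allocated buffer, a defender's first practical question is how to triage ASX files arriving by mail or download before they reach a media player. The script below is an added example written for this page, not Microsoft's code and not the PoC: it treats an ASX file as XML and flags any attribute or text value longer than a constructed threshold, and it also flags files that do not parse cleanly (real ASX handling in Windows Media Player is more lenient than a strict XML parser, so the "malformed" verdict means "worth a closer look", not "certainly hostile"). The threshold, the sample playlists and the host name are all constructed for the example.

```python
"""
Triage heuristic for ASX playlist files (added example, not Microsoft's code).

Assumptions (not from the advisory): the ASX file is treated as XML, and any
attribute or text value longer than MAX_FIELD_LEN is flagged for review, as is
a file that does not parse at all. MAX_FIELD_LEN is an arbitrary constructed value.
"""
import xml.etree.ElementTree as ET

MAX_FIELD_LEN = 256  # constructed threshold: longer fields deserve a second look


def triage_asx(data: bytes, max_len: int = MAX_FIELD_LEN) -> dict:
    """Classify ASX content for quarantine review.

    Returns a dict with:
      parsed     - True if the XML parsed cleanly
      suspicious - list of (element tag, attribute name or '#text', length)
                   for every field longer than max_len
      verdict    - 'ok', 'oversized-field', or 'malformed'
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Not well-formed XML: cannot inspect fields, so surface it for review.
        return {"parsed": False, "suspicious": [], "verdict": "malformed"}

    hits = []
    for elem in root.iter():
        # Attribute values (for example an overlong href) are the usual carrier.
        for name, value in elem.attrib.items():
            if len(value) > max_len:
                hits.append((elem.tag, name, len(value)))
        # Element text (titles, authors) is checked the same way.
        text = (elem.text or "").strip()
        if len(text) > max_len:
            hits.append((elem.tag, "#text", len(text)))

    verdict = "oversized-field" if hits else "ok"
    return {"parsed": True, "suspicious": hits, "verdict": verdict}


# Constructed sample inputs for a stand-alone run (not real playlists).
BENIGN_ASX = b"""<asx version="3.0">
  <title>Sample playlist</title>
  <entry>
    <title>Track one</title>
    <ref href="http://media.example.invalid/one.wma"/>
  </entry>
</asx>"""

# Same layout, but the href is padded far beyond any plausible URL length.
OVERSIZED_ASX = (
    b'<asx version="3.0"><entry><ref href="http://media.example.invalid/'
    + b"A" * 4096
    + b'"/></entry></asx>'
)

# An unclosed <ref> element followed by </asx> is not well-formed XML.
MALFORMED_ASX = b'<asx version="3.0"><entry><ref href="x"></asx>'


if __name__ == "__main__":
    samples = (("benign", BENIGN_ASX), ("oversized", OVERSIZED_ASX), ("malformed", MALFORMED_ASX))
    for label, blob in samples:
        print(label, triage_asx(blob))
```

The function returns a structured result rather than printing, so it can sit behind a mail-gateway or endpoint scanning hook and the threshold can be tuned per environment; nothing in it depends on the details of the vulnerable code, which the post does not disclose.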
Hello,
This is Christopher Budd and I'm posting here today to let you know that we've posted our Advanced Notification for the December 2006 Microsoft Monthly Security Bulletin Release.
Next Tuesday, on December 12, 2006 at approximately 10:00 am PT we are slated to release six new security bulletins:
We will also be making our regular monthly update to the Microsoft Windows Malicious Software Removal Tool.
And a reminder that we'll have our regularly scheduled technical webcast on Wednesday, December 13, 2006 at 11:00 am PT. You can register for it here:
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032317233&EventCategory=4&culture=en-US&CountryCode=US
I wanted to let people know that we just posted Microsoft Security Advisory (929433) which involves Microsoft Word. We are currently investigating a report of a proof of concept which may allow an attacker to execute code on a user’s machine by convincing them to open a specially-crafted Word document. We are aware of limited attacks attempting to use the vulnerability reported.
I will keep everyone up to date as new or additional information becomes available.