The official corporate security response blog

  • MSRC

    Two Advisories on Non-Security Updates

    Hello everyone,

     

    This is Christopher Budd. I wanted to let you know we’ve just posted a couple of Security Advisories related to important updates.

     

    We often use Security Advisories to let you know when we’re aware of security incidents that can affect customers.  We also use Security Advisories to let you know about important information that can relate to your overall security. In this case, we’re letting you know about two non-security updates that we think it’s important for you to review.

     

    The first advisory is Microsoft Security Advisory (927891). This advisory is to let you know about an update to the Windows Installer, sometimes called the MSI installer. This update applies to currently supported versions of Windows except Windows Vista. The update addresses an issue you may experience where systems may become unresponsive when Windows Update or Microsoft Update is scanning them. This update is being released through Windows Update, Microsoft Update and Automatic Updates. I want to note that this update will install correctly even if you’re experiencing this issue. However, the issue may prevent you from installing other updates (including security updates) until you apply this new update, so we encourage customers to apply this right away.

     

    The second advisory is Microsoft Security Advisory (937696). This advisory announces the availability of the Microsoft Office Isolated Conversion Environment (MOICE) feature. It also lets you know more widely of the ability to restrict opening or saving types of files in Microsoft Office 2003 and the 2007 Microsoft Office system (called "file block" by some).  In the 2007 Microsoft Office system, this capability is part of the 2007 Office System Administrative Templates. For Office 2003, this capability is included in MS07-023 for Excel, MS07-024 for Word, and non-security update 933669 for PowerPoint.

     

    My colleague David LeBlanc first mentioned MOICE a couple of weeks ago. MOICE provides new security mitigation technologies designed to convert specific Microsoft Office file types.  Additionally, the ability to restrict opening or saving types of files provides a mechanism that can control and block specific Microsoft Office file types. Taken together, both of these are designed to make it easier for customers to protect themselves from Microsoft Office files that may contain malicious software, such as unsolicited Microsoft Office files received from unknown or known sources.  To help you understand more of what MOICE and the ability to restrict opening or saving types of files do, I’ve asked my colleague Jonathan to go into some more technical detail below.

     

    We encourage you to review both advisories and deploy the updates and tools as appropriate.

     

    Thanks.

     

    Christopher

     

    More Information on MOICE and Restricting Opening or Saving Types of Files

     

    Hi everyone.  Jonathan from the SWI team here.  David LeBlanc, one of the architects of the MOICE tool, wrote a great intro to the tool that you can find here.  As David mentioned, the 2007 Office system’s new “Metro” file format received lots of additional security testing time and is more resilient by design to file format-based attacks.  The code in the Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats which parses legacy documents to convert them to the new format has been through this same rigorous security testing cycle as the 2007 Office system.  Bottom line, the new stuff is much safer.  And now with the MOICE tool, those of you who have not yet upgraded to the 2007 release can take advantage of these enhancements today.

     

    The MOICE tool works to help protect you from malicious Office documents by capturing the legacy file format associations and diverting file open requests to this new process.  First, it converts the document to the new Office Open XML format.  It then converts back to the legacy binary format before handing off to the regular Office application to open the document.  As David discussed in detail, this conversion happens in an isolated, low-rights environment which helps protect against attempts to exploit the conversion. 

     

    MOICE captures the file associations for the following file types:

    ·         .doc (Word document)

    ·         .xls (Excel spreadsheet)

    ·         .xlt (Excel Template)

    ·         .xla (Excel Addin)

    ·         .ppt (PowerPoint document)

    ·         .pot (PowerPoint Template)

    ·         .pps (PowerPoint slideshow)

     

    Because a malicious user could try to bypass this conversion by renaming his malicious evil.doc file to evil.rtf, it’s also important to block other file types not handled by MOICE that Office still opens.  That’s where the restricting open and saving types of files comes in: to block RTF and other file types not in the list above.  The combination of MOICE + restricting opening or saving types of files helps to ensure that all files in the legacy binary file format go through this isolated conversion process before regular Office operates on them.

     

    I’m looking forward to David’s blog series on the technology behind the isolated conversion process.  I have heard him talk about it and it is really impressive. 

     

    Thanks

     

    Jonathan

    *This posting is provided "AS IS" with no warranties, and confers no rights.* 
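Added example, not part of the original post and not a Microsoft tool: a defender-side triage script for the rename case described above. It compares each file's extension with its leading bytes and reports legacy binary (OLE2) content that sits under an extension outside the MOICE list. The function names, verdict labels and sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Header of the OLE2 compound file container used by the legacy binary
# Office formats (.doc, .xls, .ppt and their templates).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
RTF_MAGIC = b"{\\rtf"

# Extensions whose file associations MOICE captures, as listed in the post.
MOICE_EXTENSIONS = {".doc", ".xls", ".xlt", ".xla", ".ppt", ".pot", ".pps"}


def sniff(head: bytes) -> str:
    """Identify the container from the first bytes, ignoring the file name."""
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    if head.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def classify(path: str) -> str:
    """Compare what the extension claims with what the content actually is."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        kind = sniff(fh.read(8))
    if kind == "ole2":
        # Legacy binary content under an extension MOICE does not capture
        # would not be routed through the isolated converter.
        if ext in MOICE_EXTENSIONS:
            return "moice-handled"
        return "legacy-binary-outside-moice"
    if ext in MOICE_EXTENSIONS:
        return "extension-content-mismatch"
    return "not-legacy-binary"


def scan(root: str) -> dict:
    """Walk a directory tree and return {relative path: verdict}."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            findings[os.path.relpath(full, root)] = classify(full)
    return findings


def demo() -> dict:
    """Scan constructed sample files (headers only, no real documents)."""
    samples = {
        "report.doc": OLE2_MAGIC + bytes(24),
        "renamed.rtf": OLE2_MAGIC + bytes(24),   # binary content, RTF name
        "notes.rtf": b"{\\rtf1\\ansi constructed sample}",
        "budget.xls": b"{\\rtf1\\ansi constructed sample}",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan(root)


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{name:12} {verdict}")
```

The OLE2 container is also used by non-Office formats such as .msi, so a `legacy-binary-outside-moice` verdict is a lead for review rather than proof of a renamed Office document.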

  • MSRC

    New Detection Logic for May 8th Office 2007 Updates

    Hello there,

     

    Since this is my first post, I suppose a quick introduction is in order.  I am Mark Griesi, a member of the Security Response Communications Team.  My role on the team is much the same as my colleague Christopher Budd, who I know you are all familiar with. 

     

    I wanted to let you know that we have updated the detection logic for the May 8th Security and Non-Security Updates for Office 2007, with the exception of the Junk Mail Filter update.  In some cases, the original detection logic may not have offered the updates or the updates may not have been installed successfully on systems running Windows Vista.  The changes to the detection logic only pertain to MS07-023 and MS07-025. MS07-024 did not require an update since it doesn’t affect Office 2007. 

     

    It’s important to note that there has been no change to the actual binaries in the updates themselves.  If you have already successfully installed the updates using Microsoft Update, you will not be offered the update again.  The updates will also be available through WSUS and SMS/ITMU.  If you're an administrator of one of those systems, you will see new versions of the updates and will need to approve them.  Approving these new updates should have no impact on machines that have already installed the previous updates successfully.

     

    So for those of you out there, such as myself, who are running Office 2007 on Windows Vista, please go ahead and install these updates if they are offered to you. 

     

    Please take a look at the Knowledge Base articles KB934233 and KB934873 for more details on this issue.

     

    Until next time,

     

    Mark Griesi

     

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Update to KB Article 931768

    Hello everyone, this is Christopher Budd.

     

    I wanted to let people know that as part of our regular process, we’ve made an update to the Master KB article for MS07-027, 931768.

     

    Specifically, we’ve added an entry pointing to a new KB article, 937409, that discusses an issue that can occur for IE 7 customers who have changed the default locations of the “Temporary Internet Files” after they apply MS07-027.

     

    The update fully protects against the vulnerabilities detailed in the bulletin. The issue here is that after applying the update, these users may then see the File Download – Security Warning dialog box raised when starting IE. After you close the dialog, you then cannot start IE. This is because the permissions on the custom Temporary Internet Files directory are not the same as the permissions on the default Temporary Internet Files directory. The KB details two options to address this. You can either reset the Temporary Internet Files directory back to the default directory, or change the permissions on the custom directory to match those on the default Temporary Internet Files directory. The KB contains specific steps on how to do either of these.

     

    Because this occurs in a customized installation, this isn’t a widespread issue. But we did want to make people aware of it. My colleague Geoffrey Silva has written about this on the IE Team weblog here.

     

    Thanks.

     

    Christopher

     

     

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    ANS and Security Bulletin Updates

    Hello everyone,

     

    This is Mark Miller again to let you know about some additional changes we are making this month. In April, we announced changes to our blog site. This month we are announcing changes to our Advanced Notification Service (ANS) as well as some changes we are planning to make to the format of our security bulletins in June.

     

    ANS changes:

    As you know, the Thursday before Tuesday’s normal security update release, we send out an advanced notification letting you know what platforms are going to be impacted by the security updates and the maximum severity rating. The information is currently grouped and rolled up by platform (Windows, Office, etc.). This was implemented based on customer feedback that more time and information was needed to plan for testing and deployment. We’ve received positive feedback on the ANS, but customers have also told us that additional information  would be even more helpful. Based on that, we are incorporating additional detail about the upcoming security updates. We plan to implement this change with June’s ANS release on Thursday, June 7.  

     

    The new ANS is essentially a subset of the monthly bulletin summary we publish the second Tuesday of each month. As such, the ANS will now be published at the same URL used for that month’s security bulletin summary page (example below). For those not familiar with the monthly bulletin summary, it is a high level overview of the bulletins released for a given month that includes a list of bulletins, severity rating, impact, affected software, download locations for the updates, general deployment information and a single list of acknowledgements thanking those who have practiced responsible disclosure in reporting the vulnerabilities the bulletins address. Moving forward, the ANS subset will contain the following for each bulletin and not be grouped by just the platform:

    ·         Maximum Severity Rating

    ·         Impact of Vulnerability

    ·         Detection information

    ·         Affected Software

    Once the security bulletins are released on the second Tuesday of the month, the bulletin summary page will be updated with complete details. For reference, the bulletin summary for May can be found here: http://www.microsoft.com/technet/security/bulletin/ms07-may.mspx.

    The old location of the ANS will now become a simple landing page describing the service and the monthly bulletin summary page will serve as the ANS. For June, the ANS will be located here when it’s published on the 7th at 10:00 AM Pacific time: http://www.microsoft.com/technet/security/Bulletin/ms07-jun.mspx

    As always, you can subscribe to the ANS and other alerts here: http://www.microsoft.com/technet/security/bulletin/notify.mspx.

     

    Security Bulletin Design Changes:

    We’ve also spent a lot of time talking to customers about the layout of our security bulletins and how we can improve them. Customers very clearly pointed out that they were satisfied with the level of technical detail in the bulletins but needed to be able to more quickly determine the severity of the bulletin and its applicability to their environment. With that in mind, we set out to accomplish the following goals:

     

    ·         Move all applicable decision making information to the top of the page

    ·         Create a table of affected products (instead of a list) with links to the download location of the updates

    ·         Change the section titles to be more representative of the content under them

    ·         Re-arrange content to areas that make them more intuitive to find

    ·         Reduce some of the repetitive content in the bulletin

     

    Rather than try to fully describe the changes to the bulletin format, we have provided a sample of an actual bulletin (MS07-016 Cumulative Security Update for Internet Explorer (928090)) for you to preview:

    http://www.microsoft.com/technet/security/bulletin/ms07-016-example-of-new-layout.mspx

     

    We hope that these changes make your decision making process more efficient. We will continue to listen to your feedback and implement additional changes as needed.

     

    Thanks! We appreciate all the feedback!

     

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    BlueHat V5 Opens!

    Hi, Andrew Cushman, the new director of the MSRC, here.

     

    I’m thrilled to join this kickass team.  I’m excited by the chance to continue delivering industry leading security response and by the chance to more closely integrate my other responsibilities with the MSRC team.

     

    Over the past couple years I led Microsoft’s Security Outreach Initiative. I was part of a small team responsible for Microsoft’s engagement of the security research community. That team was responsible for the Security Researcher Appreciation receptions at the Black Hat conferences, for “hacker” conference sponsorship, for community outreach programs and for the internal Microsoft BlueHat security conference.

     

    And BlueHat is the reason for this blog post.  On Wednesday May 9th we kicked off the fifth BlueHat security conference with talks presented to executives and senior engineering leaders from across the company. BlueHat v5 continues on Thursday with general sessions for the engineering teams. We have a full day of content planned of interest to engineers on our newest products XBox, Mobile, Security Products, Live and Web Apps.  The agenda and speaker bios can be found here.

    http://www.microsoft.com/technet/security/bluehat/2007spring.mspx

     

    Included below is a short description of the event along with why we do this and what we learn.

     

    Additionally here’s more background on BlueHat from a couple channel9 videos from past events http://channel9.msdn.com/ShowPost.aspx?PostID=194518#194518.

     

    The BlueHat goals are two-fold

    -          Expose senior product leaders and front line engineers to the threats and attack tools and methodologies used in the real world. Take the security threat from the theoretical/intellectual level of, “I understand what a buffer overflow is”, to “OMG that’s what it’s like.”  BlueHat connects with employees at a visceral in order and *really* brings the message home. You can read about security issues and still be somewhat detached, but when someone breaks your product in front of a few hundred peers  - that’s a real catalyst for change.

    -          Expose security researchers (and the security community) to Microsoft engineers and business leaders.  In the past there’s been the perception that MS doesn’t “get” security and that we don’t really care about security or customer protection.  BlueHat gives us a chance to open up on our home turf and gives the researchers an opportunity to interact with all levels of the organization. They too get to experience first-hand that Microsoft does have smart, passionate engineers that do care about security.

     

    I’m super excited about v5. It’s a great line up of engaging speakers with fantastic content. Stay tuned, we’ll be sure to post updates on the BlueHat blog (http://blogs.technet.com/bluehat) and likely on the SDL blog (http://blogs.msdn.com/sdl/) in the week ahead.

     

     

    Andrew

    Sr. Director Security Response and Community

     

    *This posting is provided "AS IS" with no warranties, and confers no rights.* 

  • MSRC

    May 2007 Monthly Bulletin Release

    Hello everyone,

    This is Christopher Budd. I wanted to let you know that our bulletins for May 2007 have just posted. This includes the security update for the DNS issue discussed in Microsoft Security Advisory 935964.

    This month, we’re releasing three bulletins affecting Microsoft Office. These have a maximum severity of Critical for earlier versions and Important for more recent versions:

    Note that MS07-024 addresses the issue first discussed in Microsoft Security Advisory 933052.

    We are also releasing one bulletin affecting Microsoft Exchange with a maximum severity of Critical:

     Additionally, we are issuing two bulletins affecting Microsoft Windows, each with a maximum severity of Critical:

    And we are releasing one bulletin affecting Microsoft CAPICOM and BizTalk with a maximum severity of critical:

    We are also issuing an updated version of the Microsoft Windows Malicious Software Removal Tool today as well.

    A reminder that we’ll be holding our webcast tomorrow May 9, 2007 at 11 AM Pacific Time to review the bulletins and answer questions you might have on-the-air. You can register for it here:

    http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032327015&EventCategory=4&culture=en-US&CountryCode=US

    Thanks.

    Christopher

    *This posting is provided "AS IS" with no warranties, and confers no rights.* 

  • MSRC

    May 2007 Advance Notification

    Hello everyone, this is Christopher Budd.

    It’s the Thursday before May 8, 2007, the date for the May 2007 monthly security bulletin release. As we do each month on this day, we’ve posted our Advance Notification. In it, we try to provide you with information about what we’re planning to release on Tuesday to help with your planning for the release.

    This month, we’re planning to release:

    ·         Two Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.

    ·         Three Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.

    ·         One Microsoft Security Bulletin affecting Microsoft Exchange. The highest Maximum Severity rating for these is Critical. These updates will not require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.

    ·         One Microsoft Security Bulletin affecting Microsoft CAPICOM and BizTalk. The highest Maximum Severity rating for these is Critical. These updates will not require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool.

    We also have an update to the Microsoft Windows Malicious Software Removal Tool, and we are planning to release one high-priority non-security update on Windows Update and six high-priority non-security updates through Microsoft Update.

    I also wanted to follow-up on a posting I made last Friday and let everyone know that we haven’t seen any new information around attacks against the issue we discussed in Microsoft Security Advisory 935964. Also, the listing of updates slated for Tuesday does include the update we’ve been working on for this issue.

    I do want to remind everyone that the information in the Advance Notification is subject to change as we continue testing until we release on Tuesday. If anything changes or we have new information, we will let you know through the MSRC weblog.

    Finally, we will be holding our usual webcast the day after release to answer on-the-air questions you might have. This month’s webcast will be on Wednesday May 9, 2007 at 11 AM Pacific Time. It will also be available as an on-demand webcast afterwards. You can register for it here:

    http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032327015&EventCategory=4&culture=en-US&CountryCode=US

    Thanks.

    Christopher

    *This posting is provided "AS IS" with no warranties, and confers no rights.* 
