The official corporate security response blog
Hi there,
This is Mike of the MSRC,
The case of the MDB attack vector
The MSRC on Friday afternoon posted an advisory about limited, targeted attacks using JET database files, commonly referenced as file type MDB. Many of you probably remember that MDB files are on the unsafe file type list (http://support.microsoft.com/kb/925330), and are blocked from being opened by Outlook, are commonly removed from incoming email by Exchange, and trigger scary prompts similar to EXEs when clicked on with IE. So why the hubbub?
First – let me describe the attacks we’ve seen:
We have seen two malicious JET database files sent in by anti-virus companies. These files make it clear that some attackers have figured out a way to work around the mitigations built into Outlook.
These new attacks, discussed in Friday’s security advisory, use the exact same vulnerability as was posted in a November 2007 full-disclosure posting by cocoruder. In fact, very little was changed about the file compared to cocoruder’s POC file, which launched calc.exe. It uses the same column number overflow. Even as far back as March 2005, HexView posted a similar vulnerability in msjet40.dll column handling. You’ll notice that both the HexView and the cocoruder postings mention that they first submitted their samples to the MSRC, but the MSRC replied back that they would not address the issues via a security bulletin because any attempt to attack customers using these issues was heavily mitigated by the blocking mentioned earlier in this post.
So how is this new JET database file attack different from the previous JET database file issues?
Everything changed with the discovery of this new attack vector that allowed an attacker to load an MDB file via opening a Microsoft Word document. The previous guidance does not work against this new attack. The attack sequence is not the dangerous multi-step process of requiring a customer to first change their Outlook and Exchange settings from the secure default of blocking MDB files and then opening the MDB file. Instead, it could occur by having a customer save two DOC files to the hard drive and open one of them. So that’s why we alerted customers to these attacks and are re-investigating JET parsing flaws – this is a newly discovered attack vector that we didn’t know about previously.
So now what are we going to do about JET database files?
Well, a lot of this is still under investigation as part of the SSIRP process. We’re investigating whether we can ship a security update that prevents Word documents from loading MDB files without prompting. This would block this new vector and would be a great solution if we can find a way to make it work without affecting custom applications. Also, we already have a new version of msjet40.dll that fixes the known attacks. In fact, we have already shipped it in Windows Server 2003 SP2 and Windows Vista, and it is included in beta versions of Windows XP SP3. We’re investigating what it would take to release those fixes as part of the security update as a defense-in-depth change.
Even after we determine a fix plan for these issues, JET database files (filetype MDB) will remain on the unsafe filetype list because they can run code by design. MDB files opened by Access can run arbitrary VBA script code specified in the MDB file – that’s why they’re marked as unsafe and blocked by Outlook, Exchange, etc. So even if we tried to, we could not secure this file format – it will always present attackers an opportunity to run code. We currently do not plan to turn off the VBA functionality present as part of opening an MDB file, as many customers use that feature in their applications and wouldn’t apply the security update anyway. So we will continue to recommend that you never, ever open MDB files received unexpectedly.
So what should customers do in the meantime?
Well, first, I recommend you read the security advisory. There’s some solid guidance in there, for example, enterprise administrators can block JET files, even those renamed from MDB, at the gateway. We’ve even shared samples with folks in the MSRA. For end-users, we will continue to recommend that you never, ever open attachments received unexpectedly. Finally, I’d recommend that you continue to monitor this blog and the MSRC blog as we’ll update you on the results of our investigation through each of those.
Mike Reavey
*This posting is provided "AS IS" with no warranties, and confers no rights.*
Hello, Bill here,
I wanted to let you know that we have just posted Microsoft Security Advisory (950627).
This advisory contains information about a very limited, targeted attack exploiting a vulnerability in Microsoft Jet Database Engine. Our initial investigation has shown that this vulnerability affects customers using Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007 and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1.
Customers running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not vulnerable to the buffer overrun being attacked, as they include a version of the Microsoft Jet Database Engine that is not vulnerable to this issue.
We’ve activated our Software Security Incident Response Process (SSIRP) to investigate the vulnerability and have identified steps customers can take to protect themselves in the workaround section. As part of our SSIRP process, we currently have teams working to develop an update of appropriate quality for release in our regularly scheduled bulletin process or as an out-of-band update, depending on customer impact. In the meantime, we encourage customers to review the advisory and implement the workarounds.
While the attack appears to be targeted, and not widespread, we are monitoring the issue and are working with our MSRA partners to help protect customers. We will update the Advisory and this blog as new information becomes available.
Bill Sisk
Hello, this is Tim Rains.
Very quickly, I wanted to let you know that we've just re-released MS08-014 for Microsoft Office Excel 2003 Service Pack 2 and Service Pack 3 only.
The original version released on March 11, 2008 did fully protect against the security issues discussed in the bulletin. However, after release we discovered that the security update caused a calculation error in Microsoft Excel 2003 when a Real Time Data source was used in a user-created Visual Basic for Applications solution (in other words a custom-built VBA function). For additional details, please refer to KB950340.
If you're not running Microsoft Excel 2003, this re-release doesn't apply to you and you don't need to take any action.
If you are running Microsoft Excel 2003 Service Pack 2 or Service Pack 3, you should use the guidance provided in Knowledge Base article KB950340 to deploy the new update. It is being released through all the same distribution channels as the original MS08-014 security update. It is also supported by the same detection and deployment tools as the original update.
Thanks.
Tim
Bill here.
I wanted to let you know that we have updated bulletin MS08-014 to provide additional information on a newly identified issue that causes Microsoft Excel 2003 calculations to return an incorrect result when a Real Time Data source is used. The issue affects a specific scenario and may not affect you. Please see the bulletin for additional details.
Our teams are testing a fix and will release it once it meets our quality bar for broad distribution.
Cheers,
Wow! It is already the 2nd Tuesday of the month, and with it comes the announcement of some new bulletins! This is Tami Gallupe, MSRC Release Manager, and I just wanted to let you know that we just posted our March 2008 Bulletins. We released four bulletins today, all are for Office and all have a maximum severity rating of Critical. Here is a quick list of what we released:
MS08-014: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution. Note that this Excel bulletin addresses the issue highlighted in Microsoft Security Advisory (947563).
MS08-015: Vulnerability in Microsoft Outlook Could Allow Remote Code Execution
MS08-016: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
MS08-017: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution
Our team also plans to post some additional in-depth technical information about today’s release on the Security Vulnerability Research & Defense blog. It will be available this afternoon, and I think it will be worthwhile to stop by and check it out.
As always, the webcast is one of my favorite events, and I want to make sure you are aware that it starts tomorrow at 11:00 AM PST. We’ll be talking about today’s release and answering your questions on the air. Click here to register. We look forward to hearing from you tomorrow.
Thanks!
Tami
Hello, Bill here.
I wanted to let you know that we just posted our Advance Notification for next week’s bulletin release which will occur on Tuesday, March 11, 2008 around 10 a.m. Pacific Standard Time.
It is important to remember that while the information posted below is intended to help with your planning, because it is preliminary information, it is subject to change.
As part of our regularly scheduled bulletin release, we’re currently planning to release:
· Four Microsoft Security Bulletins rated Critical. These updates may require a restart and will be detectable using the Microsoft Baseline Security Analyzer.
As we do each month, the Microsoft Windows Malicious Software Removal Tool will be updated.
Finally, we are planning to release three high-priority, non-security updates on Windows Update and Windows Server Update Services (WSUS) as well as two high-priority, non-security updates on Microsoft Update and Windows Server Update Services (WSUS).
As always, we’ll be holding the March edition of the monthly security bulletin webcast on Wednesday, March 12, 2008 at 11 a.m., Pacific Standard Time. We will review this month’s release and take your questions live on-air with answers from our panel of experts. As a friendly reminder, if you can’t make the live webcast, you can listen to it on-demand as well.
You can register for the webcast here:
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032357217&Culture=en-US
Thanks,