Hi everyone. This is Maarten Van Horenbeeck. I just joined the Microsoft Security Response Center a few months ago, and am the program manager working on the issue described in Microsoft Security Advisory (961509), which we just released.

Earlier today, two researchers presented at a security conference on a novel way of implementing collision attacks on digital certificates signed using the MD5 algorithm. Attacks on MD5 have been known for some time, but were never considered to be very practical. This type of attack allows the generation of additional digital certificates with different content, but the same digital signature as an original certificate. While the presentation today didn’t release details that could be used for active attacks, we know that customers might have questions about this issue.

This is not a vulnerability in our products, it is in fact an issue that affects the industry as a whole. To reach out to our customers and provide guidance, we decided to release security advisory 961509 to help customers assess the risk posed by this new find. Over Christmas, Microsoft has also been working with several certificate authorities to make them aware of the issue and encourage them to move to more robust technologies. We hope this advisory helps address some of your concerns.

My colleague Damian Hasse at the Microsoft Security Response Center Engineering has compiled an overview of the techniques that you can consider to defend against any future exploitation on the Security Vulnerability Research and Defense (SVRD) blog. They review the effectiveness of techniques and tools such as Extended Validation certificates and certificate revocation checking in more depth.

Cheers,

Maarten

*This posting is provided "AS IS" with no warranties, and confers no rights*”

Happy holidays to everyone. While it’s been a snowy holiday season for us in the Pacific Northwest (some of us are still snowed in), the MSRC never closes and we are always working to help keep customers safe.

In that vein, we’ve received some questions about a vulnerability report that was initially posted late on Christmas eve.  When we saw it we set our teams to work over the holidays to investigate it. They’ve wrapped up their investigation and since we’ve gotten questions on it, I wanted to pass along what we’ve found.

If you haven’t seen it, there was a report about a possible issue affecting all versions of Microsoft Windows Media player.  The security researcher making the initial report didn’t contact us or work with us directly but instead posted the report along with proof of concept code to a public mailing list. After that report, other organizations picked the report up and claimed that the issue was a code execution vulnerability in Windows Media Player.

Those claims are false. We’ve found no possibility for code execution in this issue. Yes, the proof of concept code does trigger a crash of Windows Media player, but the application can be restarted right away and doesn’t affect the rest of the system. My colleague, Jonathan Ness has gone through with more of the technical details here.

Unfortunately, the researcher chose not to come to us with this initial report. If he had, we would’ve done the exact same investigation we just completed. When we were done, we would have let them know what we found, asked him if he thinks we might have missed something, continued the investigation if there was more information and ultimately closed the case if we didn’t find a vulnerability. This is how we handle all of the cases we investigate with responsible researchers every year. And even when people choose not to report issues responsibly, we do the same thing: launch an investigation to fully research the claims and take action to appropriately address any and all issues that we find in that investigation. While we don’t normally talk publically about issues that aren’t vulnerabilities, we’ve gotten enough questions about this that it seemed a good chance to both answer those questions and explain some more of how we do things in the MSRC.

For this particular case, we actually found this issue as part of our ongoing code maintenance and actually it’s already addressed in Windows Server 2003 SP2 and will be addressed in other versions in the future. And we hope that the researcher will work with us directly the next time he thinks he found an issue. We always say that every new case with a security researcher starts the relationship off fresh: we’re happy to work with anyone who reports an issue to us responsibly, regardless of past issues.

Thanks,

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Hello, Bill here,

I want to provide you with a quick update regarding our recently released security advisory.

In the advisory we provide a workaround to help customers protect themselves from attackers trying to exploit this vulnerability.  Customers have told us that it’s helpful when we provide information and guidance on how to automate the deployment of workarounds, so we have taken this a step further and worked with the SQL Engineering Team to providing Enterprise and Business Users a script that applies the workaround on all running instances of SQL Server on the local computer. Essentially, the script iterates through the running instances of SQL Server and denies execute permissions on sp_replwritetovarbin to “public” on all the affected versions. You can find additional information on this script and how to use it in Knowledge Base Article 961040.

I also want to bring to your attention an entry that was posted yesterday, and updated today, at the Security Vulnerability Research & Defense blog. The blog covers a number of technical details related to this vulnerability to help customers better understand the risks, mitigations, and attack surface of the vulnerability and how attackers might use it.

Lastly, I wanted to note that we are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) programs to provide information that they can use to provide broader protections to customers.

Bill Sisk

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Hello, Bill here,

I wanted to let you know that we have just posted Microsoft Security Advisory (961040).

This advisory contains information regarding public reports of a vulnerability in SQL Server that could allow for remote code execution. We are aware that exploit code has been published on the Internet; however, we are not aware of any attacks attempting to use the reported vulnerability.

To successfully exploit this vulnerability an attacker must be local, or remote, authenticated user on the system.  However, if an attacker has already compromised a web server via SQL injection, they could exploit this vulnerability as an unauthenticated user.

It’s important to note that systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 SP3 and Microsoft SQL Server 2008 are not affected by this issue.  Also, because, by default, Microsoft SQL Server Desktop Engine 2000 (MSDE 2000) and SQL Server 2005 Express do not allow remote connections, attackers would have to already have local access to machines running MSDE 2000 and SQL Server 2005 Express to exploit this vulnerability.

The advisory contains workarounds that customers can use to help protect themselves. Our investigation of this exploit code has verified that it does not affect systems that apply the workarounds listed in the advisory.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

We will continue to monitor the situation and post updates to the advisory and the MSRC Blog as we become aware of any important new information. In the meantime, we encourage customers to review the advisory and implement the workarounds.

Bill Sisk

Hello, Mike here,

Today we released security update MS08-078, protecting customers from active attacks against Internet Explorer.   This update will be applied automatically to hundreds of millions of customers through automatic updates over the next few days.  And, for our enterprise customers - with multiple systems within their networks – this update can be deployed through all standard security update management systems including, SCCM, SMS, WSUS, and Windows Update as of 10AM PST today. 

As with all security updates from Microsoft, we have verified that this update meets the quality, deployment and application compatibility criteria. It is a high-quality update, ready for broad release, and we encourage customers to test and deploy this update as quickly as possible.  

Given the extremely short fix timeline and the attention on this issue I wanted to share some of the work going on behind the scenes as we readied this update for release.

In addition to these workarounds, we were able to share detailed information with our partners in the Microsoft Active Protections Program (MAPP) and Microsoft Security Response Alliance (MSRA), allowing protections to be created for over 24 different security partners' products. This is further validation of our commitment to ‘community based defense’ and means customers that hadn’t yet applied the workarounds, and maybe weren’t even using Microsoft products, were also protected from known attacks.

Along with this information sharing, we also continually monitored the threat environment, noting when the attacks began to change in nature and scope.  In fact, the folks in our MMPC published a detailed blogs both last Thursday and over the weekend discussing this changing threat environment to ensure customers were aware of the evolving risk.

And early yesterday we gave our worldwide customers a heads-up that an update was planned for release this morning. 

Finally, after rigorous development and testing, we released the update to customers.  Some customers that follow us closely, might know that saying “the update” is a bit misleading, as it is actually over 300 distinct updates for over six versions of Internet Explorer that apply to over 50 different languages.  And despite this huge number of distinct updates, they’re all being offered to customers automatically, regardless of their specific Internet Explorer configuration.

Even with that, the release Emergency Response process isn’t over.  There is additional support to customers and additional refinement of our product development efforts. The MSRC and development teams will incorporate learning back into the Security Development Lifecycle.  And The MSRC and our Customer Support teams are standing by ready to assist. There are two special webcasts today, open to anyone, and are standing by ready to answer questions, and you may register by clicking on the links below: 

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Hi this is Christopher Budd,

We’ve just published our Advance Notification for an out-of-band security bulletin release. We plan to release the security update tomorrow, Dec. 17, 2008 to address the vulnerability we’ve discussed in Microsoft Security Advisory 961051. Our target time, as always, is 10:00 a.m. Pacific Time. We’ll be holding two special webcasts to give you details and take your questions.

·        December 17, 2008 1:00 PM Pacific Time

·        December 18,2008 11:00 AM Pacific Time

A reminder that this information is subject to change and that when we do release this security bulletin, we’ll let you know through the MSRC weblog.

Thanks,

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Hi this is Christopher Budd,

I wanted to give you a quick update on a couple of new things today related to Microsoft Security Advisory 961051.

We’ve made another revision to the advisory today. Our research teams are working around the clock to help identify better, more effective workarounds to give customers more options to evaluate and we’ve updated the advisory with the latest information from their research.

We’ve also posted some additional details and information on the Security Vulnerability Research and Defense blog. This includes a Vista-specific workaround as well as additional information to help your analysis of the different workaround options.

Based on customer questions, we’ve made changes in the advisory to help make clearer that each of the multiple workarounds outlined provides effective protections against the known attacks. Applying any one of these workarounds by themselves effective, however, we are providing multiple workarounds in the advisory to give you as many options to evaluate for your organization as possible.

That said, the recommendation that we made yesterday still holds: evaluate applying a combination of workarounds that both sets the Internet Explorer security settings to High and blocks access to OLEDB32.dll. We have outlined three different options for blocking access to OLEDB32.dll: any one of them is sufficient to use in combination with setting the Internet Explorer security settings to High to provide protections. Our research has shown that this combination provides the most effective protections against the current attacks and possible future attacks.

Our work continues around developing a security update as well as our ongoing monitoring of the threat environment. Our teams are continuing their research into workarounds and as we confirm new information, we will continue to post updates in the security advisory or the MSRC weblogs.

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Hello,

This is Christopher Budd,

We’ve just posted a revision to Microsoft Security Advisory (961051) with the latest information from our ongoing work around this issue.

While the known attacks are only targeting Internet Explorer 7, we have found that the underlying vulnerability affects all currently supported versions of Internet Explorer. We have updated the advisory to include this information.

We’ve also added additional workarounds to the advisory and updated our guidance to recommend that you evaluate implementing two of the workarounds together for the most effective protection. Specifically, we’re recommending both setting the Internet zone security setting to High and using ACLs to disable Ole32db.dll. Our research so far has shown that these two steps together provide the most effective protections for this issue.

Our latest information is that there are still limited attacks seeking to load malicious software on vulnerable systems. My colleagues over in the Microsoft Malware Protection Center (MMPC) have posted information about some of the malicious software they’ve detected in these attacks. We have also seen some trending that may indicate attempts to utilize SQL injection attacks against Websites to load attack code on those websites. If you’re a website operator, you might want to review Microsoft Security Advisory (954462) which provides information on tools you can use to analyze your Website’s code to help protect against SQL Injection attacks.

We are continuing our work on this issue including the development of a security update. We are also continuing our ongoing work with partners in the Microsoft Active Protections Program (MAPP) and Microsoft Security Response Alliance (MSRA) to provide information that they can use to provide additional protections for customers.

Most importantly, we will continue to provide updated information as we have it through our Advisory and the MSRC weblog.

Thanks.

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Hello, Bill here,

I wanted to let you know that we have just posted Microsoft Security Advisory (961051). This advisory contains information regarding new attacks against a new vulnerability in Internet Explorer.

At this time, we are aware of limited attacks attempting to use the reported vulnerability, but we will continue to track this issue. 

The advisory contains workarounds that customers can use to help protect themselves. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release or out-of-cycle, if necessary.

We will continue to monitor the situation via our ongoing Software Security Incident Response Process (SSIRP) and post updates to the advisory and the MSRC blog as we become aware of any important new information. In addition, we are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) programs to provide information that they can use to provide broader protections to customers.

In the meantime, we encourage customers to review the advisory and implement the workarounds.

Bill Sisk

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Hi,

This is Christopher Budd. I wanted to let you know that we’ve just released our security bulletins for December. The new bulletins for this month are:

·        MS08-070: Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349) which is rated “Critical”

·        MS08-071: Vulnerabilities in GDI Could Allow Remote Code Execution (956802) which is rated “Critical”

·        MS08-072: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (957173) which is rated “Critical”

·        MS08-073: Cumulative Security Update for Internet Explorer (958215) which is rated “Critical”

·        MS08-074: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070) which is rated “Critical”

·        MS08-075: Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349) which is rated “Critical”

·        MS08-076: Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807) which is rated “Important”

·        MS08-077: Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175) which is rated “Important”

In addition, today we’ve published Microsoft Security Advisory 960906 regarding new reports of a vulnerability in the Wordpad Converter for Word 97 files affecting Windows 2000 SP4, Windows XP SP2 and Windows Server 2003 SP1 and SP2. We are aware of very limited and targeted attacks seeking to exploit this vulnerability. The advisory details workarounds that you can evaluate while we develop a security update for this issue.

As we do each month, our colleagues over at the Security Vulnerability Research and Defense blog have more information and details on today’s security updates including MS08-076 that addresses a vulnerability similar to what we addressed with MS08-068. In my posting last month about MS08-068 I noted how we’ve been doing a lot of work to address the difficult issues around the SMBRelay attack. This new bulletin is borne out of that same ongoing effort andthat work is still going on: there are other related issues we’re still working on. You can expect to see more updates in the future out of this ongoing project.

This month the Windows Malicious Software Removal Tool is adding detection for two new families: Win32/FakeXPA and Win32/Yektel. Our colleagues over at the Microsoft Malware Protection Center (MMPC) have posted information on these new families on their blog.

Finally, please join us tomorrow for our monthly TechNet webcast where we review this month’s security bulletins and, most importantly, answer your questions about this month’s release. You can register for the webcast here.

Thanks.

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights*