The official corporate security response blog

  • MSRC

    Changes in Windows to Meet Changes in Threat Landscape

    Customers have heard us say over the years that the threat environment is an ever-evolving one. That means that one of our jobs in working to keep customers safe is to continually monitor the threat environment and make changes to adapt to it.

     

    Today, we’re announcing modifications in Windows that adapt to recent changes in the threat environment. Specifically, we’re changing the behavior of AutoPlay so that it will no longer enable an AutoRun task for devices that are not removable optical media (CD/DVD). The AutoRun task will still be enabled for optical media such as CD-ROMs. There are more details on the change over at the Windows 7 blog as well as at the Security Research and Defense (SRD) blog.

     

    The reason we’re making this change is that we’ve seen an increase, since the start of 2009, in malicious software abusing the current default AutoRun settings to propagate through removable media like USB devices. The best-known malicious software abusing AutoRun is Conficker, but it’s not alone in that regard: there is other malicious software that abuses this feature. You can get more details on this change and others in the threat environment from the Microsoft Malware Protection Center’s blog.

     

    Because we’ve seen such a marked increase in malicious software abusing AutoRun to propagate, we’ve decided that it makes sense to adjust the balance between security and usability around removable media. We’ve tried to be very measured in this adjustment to maximize both customer convenience and protection. Since non-writable media such as CD-ROMs generally aren’t avenues for malicious software propagation (because they’re not writable), we felt it made sense to keep the current AutoPlay behavior for these devices and make this change only for generic mass storage class devices.

     

    This change will be present in the Release Candidate build of Windows 7. In addition, we are planning to release an update in the future for Windows Vista and Windows XP that will implement this new behavior.

     

     

    Thanks.

    Christopher

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Security Bulletin Webcast Questions and Answers - April 2009

    Hi,

     

    During this month’s webcast we were able to address 15 questions in the time allotted, but we have included the additional questions asked in this Q&A post. Most of the questions centered on MS09-013, the Windows HTTP bulletin; MS09-014, the Internet Explorer bulletin; and MS09-015, the Blended Threat bulletin. We did address additional questions regarding the other bulletins, as well as questions concerning the Product Support Lifecycle.

    Here is the link to the full Q&A so you can see all of the answers that were provided for these great questions:

    http://blogs.technet.com/msrc/pages/monthly-security-bulletin-webcast-q-a-April-2009.aspx

     

    Also, here is the link to the Q&A index page in case you want to view previous months:

    http://blogs.technet.com/msrc/pages/microsoft-security-bulletin-webcast-q-a-index-page.aspx

     

    As always, customers experiencing issues installing any of the updates this month should contact our Customer Service and Support group:

     

    Customers in the U.S. and Canada can receive technical support from Microsoft Customer Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

     

    International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

     

    Thanks!

     

    Al Brown

     

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    April 2009 Security Bulletin Webcast Video

    Hello again,

    This is Jerry Bryant letting you know that we have published the security bulletin webcast video. As you know, on Tuesday we published a quick overview of the 8 bulletins we released that day. Yesterday we conducted a live, public webcast, where we went into more detail on each bulletin. The recording from that webcast is embedded below. Usually we include the questions and answers portion along with this, but this month we will point you to the transcript, which should be published here by tomorrow.


    As always, we encourage you to register for and attend our monthly bulletin webcasts by going to http://www.microsoft.com/technet/security/current.aspx where you will find the registration links and other valuable security update information.

    Thanks!

    Jerry Bryant

    *Postings are provided "AS IS" with no warranties, and confer no rights.*

  • MSRC

    April 2009 Monthly Bulletin Release

    April is here and is turning out to be a typical, busy month, if one can call it that. In general, when we have a large release, the number of updates ranges from 7 to 12. With this in mind, we released eight security updates this month: five rated as Critical, two rated as Important, and one rated as Moderate.

     

    MS09-009

     

    This bulletin addresses two remote code execution vulnerabilities in Microsoft Excel. An attacker could exploit the vulnerability by sending a user a malformed Microsoft Excel file. Upon opening the file, code could run in the context of the logged-on user. We are aware of public exploits of these vulnerabilities. There are effective mitigations noted in the bulletin that are temporary measures until you test and deploy the updates.

     

    A rating of Critical has only been assigned to Microsoft Office Excel 2000. The other applicable versions are rated as Important. If the Office Document Open Confirmation Tool has been downloaded and installed on a system with Microsoft Office Excel 2000, the user will first be prompted with a dialog box. This functionality is already built into newer versions of Microsoft Office.

     

     

    MS09-010

     

    This bulletin addresses four remote code execution vulnerabilities in Microsoft WordPad and the Microsoft Office text converters. An attacker could exploit the vulnerability by sending a user a malformed file. Upon opening the file, code could run in the context of the logged-on user. We are aware of public exploits of these vulnerabilities. There are effective mitigations noted in the bulletin that are temporary measures until you test and deploy the updates.

     

    A rating of Critical has only been assigned to Microsoft Office Word 2000 Service Pack 3. The other applicable versions are rated as Important. If the Office Document Open Confirmation Tool has been downloaded and installed on a system with Office Word 2000 Service Pack 3, the user will first be prompted with a dialog box. This functionality is built into newer versions of Microsoft Office. There are effective mitigations noted in the bulletin that are temporary measures until you test and deploy the updates. One of the mitigations is blogged about in greater detail than in the bulletin. You can find this information on the Security Research & Defense blog.

     

    The last thing I will mention is that the Microsoft Security Intelligence Report Volume 6 provides insights into document file format vulnerabilities and common exploitation techniques.

     

    MS09-011

     

    This bulletin addresses a privately reported remote code execution vulnerability in Microsoft DirectX and is rated as Critical. An attacker could exploit this vulnerability by sending a malformed MJPEG file to a user of a system. If the user opened the file, code of the attacker’s choice could run in the context of the logged-on user. Unregistering quartz.dll or disabling the decoding of MJPEG content in quartz.dll is a temporary measure that can be used while testing and deploying the update. Please see the bulletin to understand the impact of the workarounds, as they affect functionality.

     

     

    MS09-012

     

    This bulletin addresses several elevation of privilege vulnerabilities in Microsoft Windows and is rated as Important. The elevation of privilege vulnerabilities are commonly known as Token Kidnapping and were first described in Microsoft Security Advisory 951306. A supplemental blog post will be posted here as well as a technical deep dive on the Security Research and Defense blog. It can be found here: http://blogs.technet.com/srd/

     

     

    MS09-013

     

    Microsoft Windows HTTP Services (WinHTTP) contains three vulnerabilities, two of which could allow remote code execution in the context of the logged-on user. The bulletin is rated as Critical. WinHTTP is a standalone component in its own right; Internet Explorer does not use WinHTTP services.

     

    MS09-014

     

    Internet Explorer contains several remote code execution vulnerabilities and is rated as Critical. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer or if a user connects to an attacker's server by way of the HTTP protocol. This security update also addresses a vulnerability first described in Microsoft Security Advisory 953818. As you will see, MS09-015 also addresses this Advisory. Details as to why can be found in both bulletins.

     

    MS09-015

     

    This bulletin addresses a vulnerability in SearchPath which could allow an elevation of privilege and is rated as Moderate. It’s worth mentioning here that this security update addresses the issue detailed in Advisory 953818: “Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform”. Among other information in the bulletin, I want to note that we added a new API as a defense-in-depth measure. It is called SetSearchPathMode. This new API allows a per-process mode when using the SearchPath function to locate files. It allows applications to force the current directory to be searched after the application and system locations. This defense-in-depth measure is not enabled by default. Please see the bulletin for additional information.
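The search-order change behind SetSearchPathMode, as an added example (not code from the bulletin or from Windows itself): a Python model of the documented SearchPath lookup order before and after safe search mode, run against a throw-away directory tree built inline. The role names, the `example.dll` and `helper.dll` file names and the scenario are constructed, and the 16-bit system directory is left out of the model.

```python
import tempfile
from pathlib import Path

# Lookup order of SearchPath(NULL, ...) before a process opts in to safe
# search mode, as documented for the API (16-bit system directory omitted):
# the current directory is consulted right after the application directory.
LEGACY_ORDER = ("app", "cwd", "system", "windows", "path")

# Order once a process has called SetSearchPathMode with
# BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE: the current directory moves behind
# the system and Windows directories, just ahead of the PATH entries.
SAFE_ORDER = ("app", "system", "windows", "cwd", "path")


def search_path(locations, filename, safe_mode=False):
    """Return the role ('app', 'cwd', ...) whose directory holds the first
    match for filename, or None.  `locations` maps each role to a directory."""
    order = SAFE_ORDER if safe_mode else LEGACY_ORDER
    for role in order:
        if (Path(locations[role]) / filename).is_file():
            return role
    return None


def resolve_scenarios():
    """Constructed scenario: the genuine copy of a DLL lives in the system
    directory, and a same-named file has been dropped into the directory
    that happens to be the process's current directory."""
    with tempfile.TemporaryDirectory() as root:
        locations = {role: Path(root) / role for role in LEGACY_ORDER}
        for directory in locations.values():
            directory.mkdir()
        name = "example.dll"  # placeholder file name, not a real component
        (locations["system"] / name).write_text("genuine copy")
        (locations["cwd"] / name).write_text("dropped copy")
        (locations["cwd"] / "cwd_only.dll").write_text("only in cwd")
        (locations["path"] / "helper.dll").write_text("only on PATH")
        return {
            # legacy order: the dropped copy shadows the genuine one
            "shadowed_legacy": search_path(locations, name),
            # safe mode: the system copy is found first
            "shadowed_safe": search_path(locations, name, safe_mode=True),
            # a file present only on PATH resolves the same way in both modes
            "path_only_legacy": search_path(locations, "helper.dll"),
            "path_only_safe": search_path(locations, "helper.dll", True),
            # safe mode still consults the current directory, just later
            "cwd_only_safe": search_path(locations, "cwd_only.dll", True),
        }


if __name__ == "__main__":
    for scenario, role in resolve_scenarios().items():
        print(f"{scenario}: resolved in {role!r}")
```

The last case is the caveat worth remembering: safe search mode demotes the current directory rather than excluding it, so a file that exists nowhere else is still picked up from there.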

     

    MS09-016

     

    This bulletin addresses vulnerabilities in Microsoft ISA Server and Forefront Threat Management Gateway (Medium Business Edition) and is rated as Important. These vulnerabilities could allow denial of service if an attacker sends specially crafted network packets to the affected system, or information disclosure or spoofing if a user clicks on a malicious URL or visits a Web site that contains content controlled by the attacker.

     

    There are several mitigating factors noted in the bulletin; one of which I will note here regarding the cross-site scripting (XSS) vulnerability. ISA Server 2006 and Forefront TMG MBE deployments that do not have any Web publishing rules are not vulnerable by default. If ISA Server 2006 or Forefront TMG MBE is installed in a traditional firewall role and is not publishing any internal Web sites to the Internet, the vulnerable Web Filter will not be exposed (the port will be blocked).

     

    My colleague Jonathan, in the MSRC, is providing guidance as it relates to suggestions for prioritization of the security updates. This information can be found at the Security Research & Defense blog site.

     

    As a postscript to this posting I want to share some thoughts with you regarding the advisories.

     

    Of the eight updates, five address vulnerabilities for which Microsoft had issued security advisories (Advisory 953818 is addressed by both MS09-014 and MS09-015):

     

     

    • Excel vulnerability: Security Advisory 968272 was released Feb. 24, 2009.
    • WordPad: Security Advisory 960906 was released Dec. 9, 2008; more related information can be found at the Security Research & Defense blog.
    • CarpetBombing: Security Advisory 953818 was released May 30, 2008; more related information can be found at the Security Research & Defense blog.
    • Token Kidnapping: Security Advisory 951306 was released April 17, 2008; more related information can be found at the Security Research & Defense blog.

     

    The question becomes, why does it take so long for Microsoft to release a security update?

     

    When we here at Microsoft are asked this question, our answer is “we want to get this right.” Or to put it another way, we are constantly asking ourselves during any given release cycle, “are we doing the right thing for our customers?” If, as a result of any given investigation, we find a variant of a vulnerability we are fixing, do we dig deeper to make sure we cover all our bases, or do we just fix what we can see and ship the update because of external pressures? “Are we doing the right thing for our customers?”

     

    If we find, at the 11th hour, an application compatibility issue that breaks third party software, do we ship anyway because we don’t want to get bad press? “Are we doing the right thing for our customers”?

     

    Do we spread out the release of open advisories so no one notices, but not ship them when ready? “Are we doing the right thing for our customer?”

     

    I will say that we will do the right thing for our customers; we will dig deeper; we will hold a low-quality update; and we will release an update when it is ready for broad distribution, no sooner and no later.

     

    *Postings are provided "AS IS" with no warranties, and confer no rights.*

    April 14: Updated to include hyperlinks for bulletins

  • MSRC

    Token Kidnapping

    Hello everyone,

     

    As you can see from the April 2009 release summary, we addressed the Token Kidnapping issue with bulletin MS09-012.  This issue allowed an attacker to gain full control of a server if the attacker can first run malicious code on the server as a lesser privileged user.

     

    This issue was originally presented by Cesar Cerrudo in March of 2008 at Hack in the Box (Dubai) 2008.  In April of 2008, we released an advisory to inform customers of actions they could take to protect themselves.  We also updated the advisory in October of 2008, alerting customers to the availability of proof-of-concept code that demonstrates how to attack systems using token kidnapping techniques. Today we’ve released an update that protects from these issues without having to deploy workarounds.  This release has been a long time in the making, so I wanted to take a moment and provide some insight into what it took to resolve this issue for customers.

     

    First, what is Token Kidnapping? This is an elevation of privilege vulnerability that could allow an attacker to go from authenticated user to LocalSystem privileges. An attacker can escalate their privileges on a system if they control a token that holds SeImpersonatePrivilege. An attacker would need to be executing code in the context of a Windows service to use this exploit. For a more detailed look at the issue, refer to the SRD blog found here.

     

    This case presented some interesting challenges in preparing the update to address the issue. First, there are two updates included in this bulletin. The first update addresses service isolation, while the second addresses processes running as service accounts. In order to secure these items, we took the work we did in Windows Vista to provide additional service hardening and implemented it in older operating systems like Windows XP and Windows Server 2003. These changes are low-level and deeply ingrained in the OS. When making these types of changes, many of the applications that have been written in the 5 to 10 years since the OS was released could be impacted, as we are changing infrastructure. Typically, we only change code to this degree in a service pack release to ensure it receives the proper level of testing.

     

    However, given the security risk, and even though we provided workarounds, we wanted to secure customers automatically. So we made the changes and then did extensive testing to ensure this update is high-quality and does not impact existing implementations. For this bulletin, we ran over 600,000 different test scenarios, with over 6,000 variations tested in one configuration alone. We also needed to ensure we were not breaking third-party applications by introducing this change. As a result, 2,500 application compatibility tests were also run. In addition to this testing, we selected over 1,000 systems within Microsoft to test the update before we released it, and some key customers signed NDAs to do even more testing in their lab environments to make sure we didn’t break line-of-business application scenarios. One thing we did notice is that some third-party applications may need to be updated to receive the same security benefits provided by this update. To facilitate this, the update also provides an infrastructure for third parties to isolate and secure their services. In Windows XP and Windows Server 2003, all processes running under the context of a single account have full control over each other. This update gives third parties the ability to isolate and secure their services that hold a SYSTEM token and run under the NetworkService or LocalService accounts. For more information on the registry key that enables this isolation, see Microsoft Knowledge Base Article 956572.

     

    While this update took some time to complete, our hope is that the majority of customers are protected either through the guidance we released a year ago or the update we released today.  It is never an easy process to bring infrastructure from a newer OS to an older OS, but we considered this an important enough issue to do so.  As you would expect, it wasn’t always an easy road, so I would like to thank all of the folks internally and externally that helped bring this update to the worldwide community.  Specifically, I’d like to thank the following people who were key contributors in bringing this update to the world:

    • Cesar Cerrudo, Argeniss Information Security
    • Bruce Dang, MSRC Engineering
    • Nick Finco, MSRC Engineering
    • Anoop KV, Windows Serviceability
    • Vikas Mittal, Windows Serviceability

     

    And special thanks go out to all of the many developers and testers who helped make this release possible.

     

    Thanks,

    Dustin

    MSRC

     

    Links to related articles:

    Service isolation explanation, SRD blog entry, Jonathan Ness, October 2008

    Token Kidnapping in Windows, Nazim’s IIS Security Blog, Nazim Lala, October, 2008

     

    *Postings are provided "AS IS" with no warranties, and confer no rights.*

  • MSRC

    Security Bulletin Overview Video – April 2009

    Hi Everyone,

    Jerry Bryant again. Here is the overview video for the April 2009 bulletins. Please join us tomorrow at 11:00 am PDT (UTC –7) for our bulletin webcast, where we will cover this month’s updates in more detail and try to answer all of your bulletin-related questions.


    Thanks!

    Jerry Bryant

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Conficker.E

     

    We’ve seen some activity in the Conficker space in the past two days and this has caused some questions from customers. Specifically, there have been reports of two possible new variants of Conficker. Our colleagues over at the Microsoft Malware Protection Center (MMPC) have done a thorough analysis of both of these and have determined that there’s really only one new variant, which they’re calling Conficker.E. Most importantly, the signatures that protect against Conficker.A are also effective at protecting against Conficker.E. The other possible new variant is only a slightly modified version of Conficker.D, and our Conficker.D signatures protect against it. Also, our virus encyclopedia entry for Conficker.D has been updated to include information about this slightly modified version.

     

    There’s more detailed information on Conficker.E on the MMPC blog and in the encyclopedia entry. But at a high level, it has similar propagation methods to Conficker.B (attempting to exploit MS08-067, attacking weak passwords on administrative shares, and spreading via removable media like USB drives). However, it also carries instructions to delete itself on May 3, 2009.

     

    The important thing is that our guidance for protecting yourself remains the same. If your systems and security software are fully updated, you don’t need to be concerned about Conficker.

     

    As always, we’re continuing our work with the Conficker Working Group and will update you as we have new, important information.

     

    Thanks.

    Christopher

    *This posting is provided "AS IS" with no warranties, and confers no rights*

  • MSRC

    April 2009 Advanced Notification

    Hello, Bill here.

    I wanted to let you know that we just posted our Advance Notification for next week’s bulletin release, scheduled for Tuesday, April 14, 2009 around 10 a.m. Pacific Daylight Time. This should help you plan for your deployment process for next week and address these vulnerabilities to protect your computing environments.

    As part of this month’s security bulletin release process, we will issue eight security bulletins – five rated ‘Critical,’ two rated ‘Important,’ and one rated ‘Moderate.’  These bulletins address vulnerabilities in Microsoft Windows, Microsoft Excel, Internet Explorer, and Microsoft ISA Server. Depending on the bulletin, a restart may be required. The updates will be detectable using the Microsoft Baseline Security Analyzer.

    As we do each month, the Microsoft Windows Malicious Software Removal Tool will be updated.

     

    We are also planning to release high-priority, non-security updates on Windows Update and Windows Server Update Services (WSUS) as well as high-priority, non-security updates on Microsoft Update and Windows Server Update Services (WSUS). For additional information, please see the “Other Information” section of the Advanced Notification.

     

    As always, we’ll be holding the April edition of the monthly security bulletin webcast on Wednesday, April 15, 2009 at 11 a.m., Pacific Daylight Time. We will review this month’s release and take your questions live on-air with answers from our panel of experts. As a friendly reminder, if you can’t make the live webcast, you can listen to it on-demand as well, at the same URL: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032395126&EventCategory=4&culture=en-US&CountryCode=US. Furthermore, we’ll also be posting the text of the questions and answers as well as a video synopsis on this page.

     

    You can register for the webcast here: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032395126&Culture=en-US

    It is important to remember that while the information posted below is intended to help with your planning, it is preliminary information and is subject to change.

    *This posting is provided "AS IS" with no warranties, and confers no rights*

    April 9 update: Changed "Pacific Standard Time" with "Pacific Daylight Time"

  • MSRC

    Microsoft Security Intelligence Report volume 6

    Hello, Bill here, 

     

    Today is the release of the Microsoft Security Intelligence Report volume 6. The report can be found here: http://www.microsoft.com/sir.

     

    A section in the report is devoted to out-of-band (OOB) releases. So, I thought I would blog a bit about these types of releases in the broader context of update management.

     

    Security update management is a security discipline in itself. It is a fundamental pillar of the security protection landscape. It comprises risk assessment, deployment planning, and cost analysis, to name a few. Efficient and cost-effective patch management relies heavily on predictability. Predictability is entirely dependent upon a software vendor’s release process. While this may be true, the threat landscape can change to the degree that predictability becomes a secondary consideration when it is outweighed by an imminent and potentially destructive threat. Understanding the nature of what drives the release of a security update is key to having a balanced patch management strategy.

     

    Over the years Microsoft has been constantly striving to improve our release process to minimize the impact of security update deployment. In the early days, we would release updates at various times of the week and/or month without a predetermined schedule. It was probably easier to predict the weather in San Antonio, Texas than it was to predict when an update would be released from Microsoft. Many years ago when in San Antonio, I remember temperatures of 40 degrees in the mornings and 80 degrees in the afternoons—in November.

     

    In subsequent years we started to release updates on a more predictable schedule. This has matured into what we have today: releasing updates on the second Tuesday of each month.

     

    Essentially, we established a significant measure of predictability. In spite of these improvements, it was predictably unpredictable when customers might be under imminent threat or active attack. Specifically, exploit code exists and is being leveraged in the wild, but no security update is yet available. Under such circumstances, we would have to expedite the release of a security update as soon as possible to protect customers from the immediate threat.

     

    These types of releases are what we call out-of-band (OOB). In other words, the updates were not released on the second Tuesday of the month; waiting for the scheduled release date would leave customers with limited recourse to protect themselves. To be sure, if Microsoft releases an OOB update, customers are at great risk of exploitation and should apply the update as soon as possible. As I noted earlier, predictability becomes a secondary consideration in light of an imminent or active threat.

     

    What is also important to note is that OOBs don’t really fit any type of pattern. In the last four years we have released eight OOBs. So it’s reasonable to average this out to two OOBs per year. But the numbers tell a different story in terms of distribution. There were two OOBs within a matter of several months in 2008. In contrast, 2004 yielded 3; 2005 yielded 0; 2006 yielded 2; and 2007 yielded 1. As you can see, the numbers are not necessarily a harbinger of things to come.

     

    Here at Microsoft we are constantly focusing on improvements that we can make to lessen the impact of security update management. While Microsoft has refined processes that lend themselves to a predictable release cycle, predictability becomes secondary to out-of-band releases when they are warranted to protect customers.

     

    While not the focus of this blog post, there are other data that factor into a patch management strategy and that fall under the rubric of vulnerability and exploit trends. This information, as well as a closer analysis of OOB releases, can be found in the newest version of the Microsoft Security Intelligence Report, volume 6. The report can be found here: http://www.microsoft.com/sir.

     

    Bill Sisk

     

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Microsoft Security Advisory 969136

    Bill here,

     

    I wanted to let you know that we have just posted Microsoft Security Advisory (969136).

     

    This advisory contains information regarding public reports of a vulnerability in Microsoft Office PowerPoint that could allow for remote code execution if a user opens a specially crafted PowerPoint file.

     

    At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability. If you suspect that you were targeted by such an attack, you can scan your computer with the Windows Live OneCare safety scanner. The malicious PPT files are detected as Exploit:Win32/Apptom.gen. Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process or an out-of-cycle security update, depending on customer needs.

     

    Products affected are Microsoft Office PowerPoint 2000 Service Pack 3, Microsoft Office PowerPoint 2002 Service Pack 3, Microsoft Office PowerPoint 2003 Service Pack 3, and Microsoft Office 2004 for Mac. Microsoft Office PowerPoint 2007 is not affected.

     

    The advisory contains guidance and workarounds that customers can use to help protect themselves. We will continue to monitor the situation and post updates to the advisory and the MSRC Blog as we become aware of any important new information.

    To better help in understanding the issue, Microsoft security experts have provided additional technical details on the Microsoft Security Research & Defense blog and the Microsoft Malware Protection Center team blog.

    We have activated our Software Security Incident Response Process (SSIRP) and we are continuing to investigate this issue. In addition, we are actively working with partners in the Microsoft Active Protections Program (MAPP) and the Microsoft Security Response Alliance (MSRA) program to provide information that they can use to provide broader protections to customers.

    Bill Sisk

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

     

    April 3rd change: added Microsoft Office 2004 for Mac as affected product
