The official corporate security response blog
@MSFTSecResponse
How to Report a Vulnerability to the MSRC
We’ve just released Microsoft Security Advisory 971778 today. This discusses a new vulnerability in Microsoft DirectShow affecting Windows 2000, Windows XP and Windows Server 2003 that is under limited attack. The advisory outlines information about the vulnerability and steps customers can take to protect themselves while we’re working on a security update to address the issue.
Our investigation has shown that the vulnerable code was removed as part of our work building Windows Vista. This means that Windows Vista and versions of Windows since Windows Vista (Windows Server 2008, Windows 7) are not vulnerable.
The vulnerability is in the QuickTime parser in Microsoft DirectShow. An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn’t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow. Also, we’ve verified that it is possible to direct calls to DirectShow specifically, even if Apple’s QuickTime (which is not vulnerable) is installed.
Our investigation has found three workarounds that you can implement to protect yourself and we’ve documented these in the security advisory. In addition, we’ve got more technical details on the workarounds and the issue over at the Security Research and Defense (SRD) blog.
Most importantly, we have found one workaround in particular that is simple and effective and protects against the vulnerability with limited impact. In fact, this particular workaround is simple enough that we’ve been able to give you a way to automatically implement the workaround with the click of a button. Our Customer Service and Support (CSS) group has a new capability called “Fix it” that can automatically apply simple solutions to your system. We’ve gone ahead and built a “Fix it” that implements the “Disable the parsing of QuickTime content in quartz.dll” registry change workaround. We have also built a "Fix it" that will undo the workaround automatically.
To automatically implement the workaround, go to the KB article for the advisory. In the KB article, there’s a section titled “Fix it for me”. Click on the “Fix this problem” button under "Enable Workaround" in that section. You will then be offered an installer package from the Microsoft website. After you’ve confirmed that you trust the source of this package, run it on your system. The package will automatically set the appropriate registry keys on your system to implement the workaround. When you want to undo the workaround, click on the "Fix this problem" button under "Disable Workaround" in the same section.
We’re also sharing information about this vulnerability and the limited attacks that we’ve seen with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) program to provide information that they can use to provide broader protections to customers.
As always, we’ll continue monitoring the situation and providing more information through the security advisory and the MSRC weblog.
Thanks
Christopher
*This posting is provided "AS IS" with no warranties, and confers no rights*
I wanted to let you know that we have just posted Microsoft Security Advisory (971492).
This advisory contains information regarding public reports of a vulnerability in Microsoft Internet Information Services (IIS) that could allow Elevation of Privilege. Products affected are IIS 5.0, IIS 5.1, and IIS 6.0. The advisory contains guidance and workarounds that customers can use to help protect themselves. We will continue to monitor the situation and post updates to the advisory and the MSRC Blog as we become aware of any important new information.
At this time, we are not aware of any known attacks that attempt to use this vulnerability.
An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication.
Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
To better help understand the issue, Microsoft security experts have provided additional technical details on the Microsoft Security Research & Defense blog.
We have activated our Software Security Incident Response Process (SSIRP) and we are continuing to investigate this issue. In addition, we are actively working with partners in the Microsoft Active Protections Program (MAPP) and the Microsoft Security Response Alliance (MSRA) program to provide information that they can use to provide broader protections to customers.
Christopher Budd
*This posting is provided "AS IS" with no warranties, and confers no rights.*
In the May 2009 security bulletin webcast, we addressed several questions relating to MS09-017 in addition to questions about WSUS and MBSA. For those questions that came in after we concluded the webcast, we have provided answers in the published Q&A which you can find here: http://blogs.technet.com/msrc/pages/monthly-security-bulletin-webcast-q-a-May-2009.aspx
Also, here is the link to the Q&A index page in case you want to view previous months: http://blogs.technet.com/msrc/pages/microsoft-security-bulletin-webcast-q-a-index-page.aspx
Here is the video of the session that includes our detailed look at the bulletin and the live questions and answers session:
As always, customers experiencing issues installing any of the updates this month should contact our Customer Service and Support group:
Customers in the U.S. and Canada can receive technical support from Microsoft Customer Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.
Please join us for our next live webcast on June 10, 2009 at 11:00 am PDT (UTC –7). Follow this link to pre-register: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032395225
Hope to see you then!
Jerry Bryant
Summary of Microsoft’s monthly security bulletin release for May 2009.
Today we released one security bulletin, MS09-017, affecting our PowerPoint products. This update addresses several vulnerabilities including the issue described in Microsoft Security Advisory 969136. In that advisory, we noted that we were aware of limited, targeted attacks.
The security of our customers is important to us and due to these active attacks, we have released the updates for one product line (all versions of Microsoft Office for Windows) so that the majority of our customers can protect their systems. We are able to do this because the updates were ready within the predictable release cycle for the entire product line. Updates for the additional products (Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, Open XML File Format Converter for Mac, Microsoft Works 8.5 and Microsoft Works 9.0) will be released when testing is complete and we can ensure high quality. When ready, we will revise the bulletin and notify customers.
Risk and Impact
To help with risk assessment and impact analysis, Microsoft provides detailed information in the vulnerability information section of the bulletin as well as the Exploitability Index. The aggregate severity of the bulletin is critical and we give it a 1 on the Exploitability Index which means consistent exploit code is likely (and indeed already in the wild for one vulnerability in this update). Of the 14 vulnerabilities being addressed, there are some things to note:
Mitigations and Workarounds
For mitigations and workarounds, I will simply reiterate the information previously stated in the Security Research & Defense blog:
There are a couple workarounds you can apply in your environment to protect yourself from potential attacks. If your environment has mostly already migrated to using PPTX, you can temporarily disable the binary file format in your organization using the FileBlock registry configuration described in the MS09-017 security bulletin. Alternatively, you can temporarily force all legacy PowerPoint files to open in the Microsoft Isolated Conversion Environment (MOICE). The steps to enable MOICE are listed in the MS09-017 security bulletin.
More Information
In the following 8 minute video, I sit down with Adrian Stone from the MSRC to cover this release in a little more detail:
As always, our friends in the MSRC have provided further analysis in the Security Research and Defense blog so have a look at that and if you have questions, please join us for our regular live webcast tomorrow (Wednesday May 13, 2009) at 11:00 am PDT (UTC –7). Click HERE to register.
On the malware front, the Microsoft Malware Protection Center (MMPC) has added two new items to the Malicious Software Removal Tool (MSRT): Win32/Winwebsec and Win32/FakePowav.B. Customers can download the Malicious Software Removal Tool (MSRT) here. Additional details can also be found on the Microsoft Malware Protection Center blog.
Support
Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.
Thanks,
Summary of the May 2009 Advance Notification for the 5/12/2009 security bulletin release.
Today we are letting customers know that next week we will be releasing one security bulletin affecting Microsoft Office PowerPoint with an aggregate severity rating of critical. Customers should review the Advance Notification and prepare appropriately for deployment.
The update should not require a restart unless the updated files are in use at the time they are installed. Customers can also detect systems requiring the update using the Microsoft Baseline Security Analyzer. Note that since this is an Office related update, it will not be available via Windows Update but will be available through the Microsoft Update service.
We are also planning to release at least one high priority, non-security update and additional detections to the Microsoft Windows Malicious Software Removal Tool.
After the bulletin is released, look for additional information on both this blog and the Security Research and Defense blog. If you have questions or would like more information about this month’s release, please plan to attend our regularly scheduled security bulletin webcast on Wednesday, May 13, 2009, at 11:00 am PDT (UTC –7). Click HERE to register.
As always, this preliminary information is subject to change.
Thanks!