Today, we’re releasing guidance and security updates to help better protect customers from responsibly reported security vulnerabilities discovered in the Microsoft Active Template Library (ATL). 

Because libraries function as building blocks that can be used to build software, vulnerabilities in software libraries can be complex issues and benefit from what we call community based defense – broad collaboration and action from Microsoft, the security community and industry. Because of this, in addition to the updates and guidance we’re releasing today, we’ve been actively engaged with the industry through programs like the Microsoft Active Protections Program (MAPP), Microsoft Security Vulnerability Research (MSVR) and working with organizations such as Industry Consortium for the Advancement of Security on the Internet (ICASI) to provide a broad, industry-wide response to help better protect customers. While this is a complex issue, we believe a broad, industry-wide response can help minimize the impact to customers.

The vulnerability that we addressed with Microsoft Security Bulletin MS09-032 was a result of this issue. While that issue was attacked before a security update was released, that is the only known attack that we’re aware of against an issue related to vulnerabilities in the ATL. However, we are releasing our guidance and updates outside of our regular monthly release cycle because our updates are of appropriate quality for broad distribution, we are aware of one attack which was addressed through MS09-032, and we believe that there is a greater risk to customer safety from broader disclosure of this issue if we wait until our next scheduled release on August 11, 2009.

We have focused our efforts on this issue around two main fronts:

1.       Helping developers to identify and address instances where the ATL vulnerability manifests in their controls or components

2.       Mitigating the impact of future attacks on customers

Some of the steps that we’re taking to help developers include:

1.       Releasing MS09-035 for Visual Studio which provides an updated copy of the ATL that developers can use to build new controls and components if needed.  It is important to note that not all controls built using the vulnerable versions of the ATL are vulnerable – this will depend on decisions the developer made when building the control or component.

2.       Posting a special developer resource page with detailed information on how developers can identify if their control or component is exploitable using the vulnerabilities in the ATL

3.       Working with ICASI who is partnering with Verizon Business to offer customers a no-charge service that will scan developers’ controls and components and provide initial indications if the control or component is vulnerable and what potential next steps customers or developers should take to modify the control.

4.       Working with vendors responsible for widely used controls and components through our Microsoft Security Vulnerability Research to help them identify and address instances where the ATL vulnerability manifests in their controls or components.

5.       Reiterating our commitment to third party developers to set “killbits” for their ActiveX controls on request in a Microsoft Update.

Some of the steps we’re taking to mitigate the impact of future attacks on customers include:

1.       Releasing MS09-034 for Internet Explorer. While Internet Explorer is not itself vulnerable to the ATL issue, the IE team has built a defense-in-depth change that can help protect against attempts to attack controls or components containing the ATL vulnerabilities. More detailed information on how this works is provided at the Security Research and Defense blog. This update also addresses an issue where attackers can attempt to bypass the “killbit” protections in IE. Finally, this update also addresses three unrelated, responsibly disclosed vulnerabilities.

2.       Providing information to our MAPP partners to help ensure security protection providers have key technical information to help them build protections for customers more quickly.

3.       Committing to set “killbits” in a Microsoft Update for vulnerable third-party ActiveX controls identified as vulnerable or under attack when no vendor can be identified.

Home Users and IT Pros should go ahead deploy the IE update, MS09-034 so they can benefit from the protections it introduces. Additionally, Internet Explorer 8 provides additional security enhancements that can further lessen the impact of this issue. There’s more details on that at the IE blog. Also, enabling automatic updates for third-party software (where available) may help you get the latest updates for those products.

Developers should take the same steps as home users and IT Pros but should also review the information we’ve provided to help you determine if the ATL vulnerability manifests in your component or control. Additionally, you should consider using the service offered by ICASI who is partnering with Verizon Business to identify any components or controls that are vulnerable.

Because we know folks will have additional questions, we’ve posted additional information on our security blogs. Our colleagues at the Security Research and Defense blog have several posts related to this that Jonathan Ness points to in his overview post. Michael Howard over at the SDL blog has one going into some more detail around the actual underlying issue. Katie Moussouris and Adrian Stone talk about MSVR’s work with other vendors on this issue over at the Ecostrat blog. And, finally, Ryan Smith, Mark Dowd and David Dewey, the security researchers who brought this issue to us, discuss their work on the issue with us over at the BlueHat blog.

Our worldwide security teams have been mobilized working around the clock to deliver these protections to customers and we will be continuing to watch the threat landscape closely. We will work closely with our partners in the industry and notify customers with any new information about this situation through our security advisory and the MSRC weblog.

Thanks.

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Today Adrian Stone and I conducted the security bulletin webcast for June covering the six bulletins we released yesterday and Security Advisory 973472 (vulnerability in Office Web Components).

There were several questions about MS09-028 and MS09-032. These security updates addressed two open security advisories (971778 and 972890 respectively). One common question was “if I installed the Fix it workaround in the advisory, do I need to uninstall it before installing the update in the bulletin?”. The answer to that question is no, you can install the security update right on top of the Fix it workaround.

Another area where we were asked for clarification was if the cumulative security update of ActiveX Kill Bits contained the kill bit for the OWC advisory (973472). Good question. The kill bit provided in the advisory is not part of MS09-032. The issue discussed in the advisory is still under investigation and when that is complete, we will take appropriate action to protect customers. Meanwhile, we encourage all customers to evaluate and apply the workaround as quickly as possible.

With that, here is the complete list of questions and answers and I invite you to view the video below from today’s webcast.

More viewing and listening options: Windows Media Video (WMV) Windows Media Audio (WMA) Large Preview Image (PNG) Small Preview Image (PNG) iPod Video (MP4) MP3 Audio Streaming WMV (512kbps) Zune Video (WMV)

Please join us August 12th for our next regularly scheduled webcast following the August bulletin release where we will again have a room full of subject matter experts to answer all of your questions.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Summary of Microsoft’s monthly security bulletin release for July 2009.

This month we are releasing six bulletins. Three of those affect Windows and are rated Critical. All three of those also have an Exploitability Index rating of “1” which means that we believe that consistent exploit code in the wild is highly likely within the first 30 days. In fact, as we discussed in the advance notification blog post last week, two of those are under active attack and were discussed in security advisories which are being replaced with the release of these bulletins.

The remaining three bulletins are all rated Important and affect Microsoft Office Publisher, Microsoft ISA Server, and both Virtual PC and Virtual Server. The first two also have Exploitability Index ratings of “1” so please consider this while doing your risk assessment.

In total, we are addressing nine vulnerabilities this month. All of these vulnerabilities have an Exploitability Index rating of “1” except for the single vuln being addressed in the Virtual PC bulletin, MS09-033 which is rated a “2”.

In the video below, Adrian Stone and I provide a little more discussion on risk and impact concerning this month’s bulletins and Security Advisory 973472 which we released yesterday, July 13, 2009, for Office Web Components:

More viewing and listening options: Windows Media Video (WMV) Windows Media Audio (WMA) Large Preview Image (PNG) Small Preview Image (PNG) iPod Video (MP4) MP3 Audio Streaming WMV (512kbps) Zune Video (WMV)

We invite you to attend our regular monthly webcast tomorrow where we will go in to detail on each bulletin and address your questions with the help of a room full of subject matter experts. Please also check the Security Research and Defense blog for additional technical information on these updates. 

Webcast info: Wednesday, July 15, 2009, at 11:00 a.m. PDT (UTC –7). Click HERE to register.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

Hi Everyone,

This is Dave Forstrom, group manager for our security response communications team.  We have just posted Microsoft Security Advisory 973472, which highlights a vulnerability in Microsoft Office Web Components. Specifically, the vulnerability exists in the Spreadsheet ActiveX control and while we’ve only seen limited attacks, if exploited successfully, an attacker could gain the same user rights as the local user.

Products affected are Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 3, Microsoft Office XP Web Components Service Pack 3, Microsoft Office Web Components 2003 Service Pack 3, Microsoft Office 2003 Web Components for the  2007 Microsoft Office system Service Pack 1, Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3, Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3, Microsoft Internet Security and Acceleration Server 2006, Internet Security and Acceleration Server 2006 Supportability Update, Microsoft Internet Security and Acceleration Server 2006 Service Pack 1, Microsoft Office Small Business Accounting 2006.

We’re currently investigating the issue as part of our Software Security Incident Response Process (SSIRP) and working to develop a security update.  This update will be released once it reaches an appropriate level of quality for broad distribution.

Additionally, we are actively working with partners in our Microsoft Active Protections Program (MAPP) as well as the Microsoft Security Response Alliance (MSRA) to share information that they can use to provide broader protections to customers.

Although the Microsoft Office Web Components ActiveX control has been deprecated for some time now, we still recommend customers implement the workarounds as provided in the Advisory. This can be done either manually, using the instructions in the Workaround section, or automatically, using the solution found in Microsoft Knowledge Base Article 973472.

For more technical details on the Advisory, please see what our colleagues have written over on the Security Research & Defense blog.

As always, be sure to check back here on the MSRC blog or in the Advisory for any additional information or updates that develop.

Thanks,

Dave

*This posting is provided "AS IS" with no warranties, and confers no rights*

Hi everyone, Mike Reavey here.

You’ve probably seen in Jerry’s Advance Notification posting today announcing that we’re on track to release an update to address the issue discussed in Microsoft Security Advisory 972890.

We’ve gotten some questions from customers about when we got the first report of this vulnerability and how long the investigation has taken relative to the outbreak of attacks against this vulnerability.

Before I go into the details, the key thing I want customers to understand is that this is an issue that was responsibly reported to us and we have been driving in our standard process towards a security update. While in the middle of that process, attackers found this same vulnerability and began attacks against it. We were far enough in the process that we could provide information that customers can use to protect themselves in the interim while we complete that investigation and deliver a security update that you can deploy broadly with confidence. Like Jerry said, we’re targeting next Tuesday to release this update.  

In terms of timeline, we received the original report from Ryan Smith and Alex Wheeler with IBM ISS X-Force in the early Spring of 2008. The CVE number assigned to this, CVE-2008-0015, can make it look older but that’s because IBM (like Microsoft) gets CVE numbers in large blocks and assigned them sequentially to issues.

Once we got the report, we started an investigation and confirmed that this ActiveX control that ships with Windows did expose an exploitable vulnerability that could be exploited by malicious websites.

We always aim to be thorough in our investigations.  For any issue that is reported to us, we strive to address not only the vulnerabilities brought to us but also to find any similar or related issues to ensure the update provides as comprehensive security as possible. And once we confirmed that issue we expanded our investigation to be thorough.

In the case of this particular issue, part of our investigation showed other interfaces were vulnerable, in this ActiveX Control, not only the one seen used in attacks.

Another thing our investigation showed is that there was no known use for these interfaces in Internet Explorer. In fact, as part of our security work on Vista, these interfaces had been disabled in Internet Explorer.

Based on that, our engineering teams felt the best approach to protect customers would be to prevent these any interfaces with no know use in Internet Explorer (45 in total), from loading in Internet Explorer in earlier versions of Windows.

However, disabling or removing functionality is a more radical step than updating code to address an unchecked buffer, for example. When we disable or remove functionality, we have to engage in even more research and testing than usual, to ensure that we can take this step and not cause more harm than good by inadvertently “breaking” applications. For something like this, we have to ensure not only our applications but also major third-party applications are not hurt by this. Otherwise, if our update “breaks” a major application, customers won’t deploy the update but the bad guys will have information about the vulnerability that they can use to attack it.

We were far enough along in our process that we felt comfortable taking this information from our investigation and giving it to customers so they could take immediate action to protect themselves while we finish our security update. To make it even easier for customers to protect themselves, we also implemented the “FixIt” that automatically implements the killbits.

Customers who have already implemented the killbits manually or through the FixIt workaround won’t need to implement next week’s security update, though we recommend that you apply the update to ensure that reporting accurately shows that the systems are fully protected.

We’re on track to release the security update next Tuesday. But if you haven’t implemented the killbits already, we recommend that you go ahead and do that to protect yourself against the attacks.

I hope this helps answer any questions you might have.

Thanks.

Mike

*This posting is provided "AS IS" with no warranties, and confers no rights*

Advance Notification for the July 2009 Security Bulletin Release

Our Advance Notification was published today and indicates that next Tuesday, July 14 at 10:00 a.m. PDT (UTC -8), we will be releasing a total of 6 security bulletins consisting of:

·          Three Critical updates affecting Windows.

·          One Important update affecting Publisher.

·          One Important update affecting Internet Security and Acceleration (ISA) Server.

·          One Important update affecting Virtual PC and Virtual Server.

I want to provide some clarity on two of the pending Windows updates mentioned. First, we will be addressing the issue discussed in Security Advisory 971778 concerning a vulnerability in DirectShow. As noted in the advisory, we are aware of limited active attacks and we have been working aggressively to get a quality update shipped to customers.

Second, our engineering teams have been working around the clock to produce an update for the issue discussed in Security Advisory 972890 (vulnerability in the Microsoft Video ActiveX Control) and we believe that they will be able to release an update of appropriate quality for broad distribution that protects against the attacks we detailed in the advisory and in an MSRC blog post by Christopher Budd. In the mean time, we encourage customers to continue to enable the workaround by running the “Microsoft Fix it” solution in the associated knowledge base article (KB972890).

As you know, this information may change between now and next Tuesday. We will do our best to keep you updated if it does.

Some notes on restart requirements: One of the three updates for Windows will require a restart, the others may if the DLL being updated is in use. This goes for the Publisher update as well. To reduce your chances of requiring a restart, please see Knowledge Base article 887012. Both the ISA Server and Virtual PC/Virtual Server updates require restarts. Note however that the Virtual PC/Virtual Server update will not prompt you so you should factor a manual restart in to your deployment plans as soon as possible.

On release day, look for additional information on both this blog and the Security Research and Defense blog.  If you have questions or would like more information about this month’s release, please plan to attend our regularly scheduled security bulletin webcast on Wednesday, July 15, 2009, at 11:00 a.m. PDT (UTC –7). Click HERE to register.  

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

I wanted to let you know that we have just posted Microsoft Security Advisory 972890 that discusses new, limited attacks against a Microsoft Video ActiveX Control affecting Windows XP and Windows Server 2003.

Specifically, we’re aware of a code execution vulnerability within this control that can enable an attacker to run code as the logged-on user if they browse to a malicious site.

We have an investigation into this issue under way as part of our Software Security Incident Response Process (SSIRP) and are working to develop a security update to address the issue.

In the meantime, our investigation has shown that there are no by-design uses for this ActiveX Control within Internet Explorer.  Therefore, we’re recommending that all customers go ahead and implement the workaround outlined in the Security Advisory: setting all killbits associated with this particular control. While Windows Vista and Windows Server 2008 customers are not affected by this vulnerability, we are recommending that they also set these killbits as a defense-in-depth measure. Once that killbit is set, any attempt by malicious websites to exploit the vulnerability would not succeed.

As we did with Microsoft Security Advisory 971778, we are providing a way to automatically implement the workaround. Once again, go to the KB article for the advisory and follow the instructions under “Fix It For Me”.

My colleagues have posted some more details in the Security Research and Defense blog as well.

We are also actively working with partners in the Microsoft Active Protections Program (MAPP) and the Microsoft Security Response Alliance (MSRA) program to provide information that they can use to provide broader protections to customers.

As always, we’ll provide more information as we have it through our advisory, the MSRC weblog or both.

Thanks

 Christopher Budd

*This posting is provided "AS IS" with no warranties, and confers no rights*