The official corporate security response blog

  • MSRC

    Results of Investigation into Holiday IIS Claim

    We’ve completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS.

    What we have seen is that there is an inconsistency, in IIS 6 only, in how it handles semicolons in URLs. It’s this inconsistency that the claims have focused on, saying it enables an attacker to bypass content filtering software to upload and execute code on an IIS server.

    The key in this is the last point: for the scenario to work, the IIS server must already be configured to allow both “write” and “execute” privileges on the same directory. This is not the default configuration for IIS and is contrary to all of our published best practices. Quite simply, an IIS server configured in this manner is inherently vulnerable to attack.

    Customers who are using IIS 6.0 in the default configuration or following our recommended best practices don’t need to worry about this issue. If, however, you are running IIS in a configuration that allows both “write” and “execute” privileges on the same directory, as this scenario requires, you should review our best practices and make changes to better secure your system from the threats that configuration can enable. Once again, here’s a list of best practices resources:

    · IIS 6.0 Security Best Practices

    · Securing Sites with Web Site Permissions

    · IIS 6.0 Operations Guide

    · Improving Web Application Security: Threats and Countermeasures

    The IIS folks are evaluating a change to bring the behavior of IIS 6.0 in line with the other versions. In the meantime, they’ve put more information up about this on their weblog.

    I hope this helps answer any questions.

    Happy Holidays and Happy New Year.

    Christopher

    *This posting is provided "AS IS" with no warranties, and confers no rights*
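    As an added example (not code from the MSRC post above), here is why an upload filter that validates only the final extension is defeated by the semicolon behaviour the post refers to, beside a stricter check. It assumes the publicly reported IIS 6.0 behaviour, which the post itself does not spell out: the handler for a request is selected from the part of the file name before the first semicolon, so a name like shell.asp;.jpg is processed by the ASP handler. The function names, the extension lists and the `iis6_effective_name` model are this example’s own constructions, and nothing in it talks to a real IIS server.

```python
"""Added example (not from the MSRC post): an upload filter that trusts only the
last extension, beside a stricter one, measured against a model of the IIS 6.0
semicolon behaviour.

Assumption (not spelled out in the post): IIS 6.0 selects the handler from the
part of the file name before the first ';', so "shell.asp;.jpg" runs as ASP.
iis6_effective_name() models that in Python; nothing here talks to IIS.
"""
import os
import re

ALLOWED_IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png"}

# Server-side extensions a smuggled upload would aim for (a representative
# subset chosen for this example, not an exhaustive list of IIS script maps).
EXECUTABLE_EXTENSIONS = {".asp", ".aspx", ".asa", ".cer", ".cdx", ".ashx", ".asmx"}


def iis6_effective_name(filename: str) -> str:
    """Model of the reported IIS 6.0 behaviour (assumption, see docstring):
    everything from the first ';' on plays no part in handler selection."""
    return filename.split(";", 1)[0]


def naive_filter(filename: str) -> bool:
    """Weak check: looks only at the last extension of the submitted name."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_IMAGE_EXTENSIONS


def strict_filter(filename: str) -> bool:
    """Hardened check: allow-list the whole name, not just its last extension.

    The pattern permits one base name and exactly one short extension from a
    small character set, which excludes ';', ':', NUL, path separators and
    every other character a server or filesystem might treat as a terminator.
    """
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}", filename):
        return False
    if os.path.splitext(filename)[1].lower() not in ALLOWED_IMAGE_EXTENSIONS:
        return False
    # Belt and braces: the pattern already forces a single extension, but if it
    # is ever relaxed, no executable extension may appear anywhere in the name.
    components = [("." + part).lower() for part in filename.split(".")[1:]]
    return not any(c in EXECUTABLE_EXTENSIONS for c in components)


def would_execute_on_iis6(filename: str) -> bool:
    """True if the modelled IIS 6.0 would hand this name to a script handler."""
    ext = os.path.splitext(iis6_effective_name(filename))[1].lower()
    return ext in EXECUTABLE_EXTENSIONS


def stored_name(filename: str, token: str) -> str:
    """Store the upload under a server-generated name: the client controls only
    the validated extension. Callers supply `token` (e.g. secrets.token_hex())."""
    if not strict_filter(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    return token + os.path.splitext(filename)[1].lower()


def evaluate(filename: str) -> dict:
    """Summarise how each filter and the IIS 6.0 model treat one file name."""
    return {
        "naive_accepts": naive_filter(filename),
        "strict_accepts": strict_filter(filename),
        "executes_on_iis6": would_execute_on_iis6(filename),
    }


if __name__ == "__main__":
    for name in ["photo.jpg", "shell.asp;.jpg", "shell.asp.jpg", "notes.asp"]:
        print(f"{name:18} {evaluate(name)}")
```

    The strict check is defence in depth; the post’s own remediation point stands on its own: with no directory that is both writable and executable, a smuggled .asp file cannot run however it is named. Storing uploads under a server-generated name, as `stored_name` does, removes the client’s control over the stored path entirely.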

  • MSRC

    New Reports of a Vulnerability in IIS

    Hi everyone,

    On Dec. 23 we were made aware of a new claim of a vulnerability in Internet Information Services (IIS). We are still investigating this issue and are not aware of any active attacks, but wanted to let customers know that our initial assessment shows that the IIS web server must be in a non-default, unsafe configuration in order to be vulnerable. An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions, which does not align with best practices or guidance Microsoft provides for secure server configuration. Customers using out-of-the-box configurations and who follow security best practices are at reduced risk of being impacted by issues like this.

    Once we’re done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.

    This vulnerability was not responsibly disclosed to Microsoft and may put customers at risk. We continue to encourage responsible disclosure of vulnerabilities as we believe reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

    I want to close by providing some resources and best practices for securely configuring IIS servers:

    IIS 6.0 Security Best Practices
    http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx

    Securing Sites with Web Site Permissions
    http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx

    IIS 6.0 Operations Guide
    http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx

    Improving Web Application Security: Threats and Countermeasures
    http://msdn.microsoft.com/en-us/library/ms994921.aspx

    Thanks,

    Jerry Bryant

    *This posting is provided "AS IS" with no warranties, and confers no rights*
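    Both posts above locate the real weakness in a directory that carries both write and execute permissions. As an added example (not code from either post), the following Python audits an IIS 6.0 metabase for exactly that combination. It assumes the Windows Server 2003 layout, in which MetaBase.xml (normally %windir%\system32\inetsrv\MetaBase.xml) stores permissions as an AccessFlags attribute holding names such as AccessRead | AccessWrite | AccessScript; the sample document is constructed for the example. It also treats AccessScript (“Scripts only”) like AccessExecute, since script maps are what run ASP pages; that is this example’s reading, not wording from the posts.

```python
"""Added example (not from the MSRC posts): find IIS 6.0 locations whose
metabase access flags combine write with execute or script permissions.

Assumptions: MetaBase.xml (normally %windir%\\system32\\inetsrv\\MetaBase.xml
on Windows Server 2003) stores permissions as an AccessFlags attribute holding
names such as "AccessRead | AccessWrite | AccessScript". The sample below is
constructed for this example, not copied from a real server.
"""
import xml.etree.ElementTree as ET

SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT"
    AccessFlags="AccessRead | AccessScript"
    Path="C:\\Inetpub\\wwwroot">
</IIsWebVirtualDir>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/uploads"
    AccessFlags="AccessRead | AccessWrite | AccessScript"
    Path="D:\\data\\uploads">
</IIsWebVirtualDir>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/cgi"
    AccessFlags="AccessRead | AccessWrite | AccessExecute"
    Path="D:\\data\\cgi">
</IIsWebVirtualDir>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/images"
    AccessFlags="AccessRead"
    Path="D:\\data\\images">
</IIsWebVirtualDir>
</MBProperty>
</configuration>
"""

WRITE = "AccessWrite"
# AccessExecute is "Scripts and Executables"; AccessScript is "Scripts only".
# Both let IIS run server-side code (ASP through its script map), so both are
# treated as execute here. That is this example's reading, not the posts' words.
EXECUTE_LIKE = {"AccessExecute", "AccessScript"}


def parse_access_flags(value: str) -> set:
    """'AccessRead | AccessWrite' -> {'AccessRead', 'AccessWrite'}"""
    return {flag.strip() for flag in value.split("|") if flag.strip()}


def find_write_and_execute(metabase_xml: str) -> list:
    """Return (Location, Path, sorted flags) for every node that is writable
    and also executable or scriptable."""
    root = ET.fromstring(metabase_xml)
    findings = []
    # Iterate every element regardless of namespace or tag: IIsWebVirtualDir,
    # IIsWebDirectory and IIsWebFile nodes can all carry AccessFlags.
    for elem in root.iter():
        raw = elem.get("AccessFlags")
        if raw is None:
            continue
        flags = parse_access_flags(raw)
        if WRITE in flags and flags & EXECUTE_LIKE:
            findings.append((elem.get("Location"), elem.get("Path"), sorted(flags)))
    return findings


def remediated_flags(flags: set) -> set:
    """Keep the directory writable (an upload folder needs that) but strip the
    execute/script bits, which is the separation the posts' guidance calls for."""
    return set(flags) - EXECUTE_LIKE


if __name__ == "__main__":
    for location, path, flags in find_write_and_execute(SAMPLE_METABASE):
        print(f"{location}  ({path}): {' | '.join(flags)}")
        print(f"    suggested: {' | '.join(sorted(remediated_flags(set(flags))))}")
```

    Run against a real server’s MetaBase.xml, anything the function reports is a directory where a file an attacker can write is also a file IIS will run, which is the configuration both posts describe as inherently vulnerable; the web content itself should stay read-only, and a writable upload location should have neither AccessScript nor AccessExecute.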

  • MSRC

    December 2009 Security Bulletin Webcast

    Hello again. This is Jerry Bryant letting you know that the questions and answers from the December 2009 security bulletin webcast have now been posted here.

    There is one question that I wanted to provide a little more information on, and that references reports of KB973917 causing problems with Internet Information Services (IIS) 6.0 running on Windows Server 2003 SP2. There are scenarios where the system can be in a state where the correct core IIS .dll files are not in place. This may be the case if SP2 did not install correctly or if IIS 6.0 was installed on the system from a Windows Server 2003 Gold or SP1 CD after SP2 was installed. KB2009746 has more information on this and on how to resolve the issue, which is essentially to reinstall SP2 to get the right binaries on the machine.

    To be clear, KB973917 references a non-security update that implements Extended Protection for Authentication in IIS. This is part of our overall work to address credential relaying attacks on Integrated Windows Authentication as described in Security Advisory 974926 that we released on Tuesday. The updates in question are not addressing vulnerabilities and I just wanted to clarify that point. To learn more about this work, please read the advisory and also this excellent blog post by Maarten Van Horenbeeck from the MSRC: http://blogs.technet.com/srd/archive/2009/12/08/extended-protection-for-authentication.aspx.

    At this time, our Customer Service and Support group is not reporting any major issues with this month’s bulletins. If you do experience any issues obtaining or installing security updates, please visit https://consumersecuritysupport.microsoft.com for some great troubleshooting tips as well as various support options. You can also call 1-866-PCSafety (1-866-727-2338) in the US. For more regional contact numbers, please visit http://support.microsoft.com.

    The video below is from the webcast where Adrian Stone and I went into detail on each bulletin. As we have been saying, MS09-072 should have the highest priority this month, especially for users of IE 6 and IE 7.


    Our next webcast is scheduled for January 13 at 11:00 a.m. PST (UTC -8). Click HERE to register now.

    Thank you!

    Jerry Bryant

    *This posting is provided "AS IS" with no warranties, and confers no rights*

  • MSRC

    December 2009 Security Bulletin Release

    Summary of Microsoft’s Security Bulletin Release for December 2009

    As noted in our Advance Notification (ANS) last Thursday, for the December bulletin release we issued six security bulletins addressing 12 vulnerabilities. Affected products include Windows, Internet Explorer (IE) and Microsoft Office products.

    In the ANS, we also noted that the bulletin for IE (MS09-072) is at the top of our deployment priority list this month. As you can see from our Severity and Exploitability Index slide (also referred to as the Risk and Impact slide), MS09-072 is the only bulletin this month that has both a Critical severity rating and our maximum Exploitability Index rating of 1. Of note, each of the five vulnerabilities addressed in this bulletin is Critical and each also has an Exploitability Index rating of 1. One of the vulnerabilities was the subject of Security Advisory 977981 due to public disclosure and affects IE 6 and IE 7, so customers running those versions should install this update as soon as possible.

    The update for Active Directory Federation Services, MS09-070, is lower on the deployment list even though it has an Exploitability Index of 1. This is because an attacker would have to have valid logon credentials for the affected server in order to carry out an attack, which gives this a severity rating of Important. The second Critical bulletin affecting Windows, MS09-071, is also lower in our deployment priority, as indicated in the slide below. This is mainly due to an Exploitability Index rating of 2, which means that we do not expect to see reliable exploit code for the critical vulnerability within the first 30 days from bulletin release.

    To follow up on something I mentioned in the ANS blog post, here is the promised table that maps the bulletin IDs to the numbered bulletins from the ANS document, which customers have asked us for:

    Bulletin ID   Maps to bulletin number in the ANS
    MS09-069      Bulletin 5
    MS09-070      Bulletin 6
    MS09-071      Bulletin 1
    MS09-072      Bulletin 4
    MS09-073      Bulletin 2
    MS09-074      Bulletin 3

    This month we also released two new advisories. The first one, 954157, concerns a Defense in Depth (DiD) update for the Indeo Codec. This update will go out through the Automatic Update system and applies to Windows XP and Windows Server 2003. The update blocks the codec from being used in IE and Windows Media Player in the Internet Zone and offers similar attack surface reduction to that built in to Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. For those not running any applications that use the Indeo Codec, you can unregister it to reduce overall attack surface, which we recommend as a best practice; this gives the exact same attack surface reduction as on Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2.

    The other advisory, 974926, is the summary advisory for the work we have done around Extended Protection for Authentication. My colleague, MSRC program manager Maarten Van Horenbeeck, has written an extensive post on this subject on our Security Research & Defense blog.

    Finally, we re-released MS08-037 for Windows 2000 SP4 systems. This is an Important-class update addressing an issue that could allow spoofing. All Windows 2000 SP4 users should re-install the update to be fully protected from this issue.

    As we do every month, Adrian Stone and I provide a quick overview of today’s updates in the video below.


    We also encourage all customers to join us tomorrow for our live webcast, where we will go into detail on all of these bulletins and answer your questions while on the air. Registration information:

    Date: Wednesday Dec. 9
    Time: 11:00 a.m. PST (UTC -8)
    Registration and event link: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032407802

    Thank you!

    Jerry Bryant


    *This posting is provided "AS IS" with no warranties, and confers no rights*

  • MSRC

    December 2009 Bulletin Release Advance Notification

    Advance Notification for the December 2009 Security Bulletin Release

    For December we are planning to release six new security bulletins addressing 12 vulnerabilities in Windows, Internet Explorer (IE) and Microsoft Office products. Three of the bulletins have a maximum severity rating of Critical and three have a maximum severity rating of Important. To help customers plan for their deployment of these updates, I want to specifically call out that they touch all supported versions of Windows and IE. On the Office side, the bulletins impact Project, Word and Works 8.5. All of the updates for Windows will require a restart so please plan accordingly.

    We want to make customers aware that we will be addressing the vulnerability discussed in Security Advisory 977981 in the IE bulletin on Tuesday. We know that customers are concerned about this issue and we are also aware that Proof of Concept (PoC) code is available publicly.

    Here is a preview of the guidance we will be releasing with the bulletins on Tuesday: The IE update maps to bulletin number 4 in the ANS and will be at the top of our deployment priority list. The other critical update affecting Windows (bulletin number 1) will have a lower Exploitability Index rating, so while the impact is higher with a critical severity rating, the lower risk will drop the deployment priority down a little. The final critical update, affecting Microsoft Project (bulletin number 3), is only Critical for Project 2000; for the other affected versions it is rated Important. That, coupled with a lower Exploitability Index, will also drive it down on the deployment priority list. Customers have asked us to map the numbered bulletins in the ANS to the final bulletin IDs after release, so we will be doing that in the blog post here on Tuesday.

    We are targeting the release of these bulletins for next Tuesday Dec. 8 at 10:00 a.m. PST (UTC -8). We will post more guidance at that time both here on the MSRC blog and on the Security Research & Defense (SRD) blog. Our guidance will include risk and impact information, our deployment priority list and deeper technical information on the bulletins from the SRD team. Until then, please review the ANS page here.

    Also next Wednesday please join Adrian Stone and myself as we host a live webcast where we go into detail on each bulletin and answer all of your questions live, with the help of a room full of subject matter experts on these updates. Here is the event information:

    Date: Wednesday Dec. 9
    Time: 11:00 a.m. PST (UTC -8)
    Registration and event link:
    http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032407802

    I hope you can join us then!

    Jerry Bryant

    *This posting is provided "AS IS" with no warranties, and confers no rights*


  • MSRC

    Reports of Issues with November Security Updates

    We’ve received questions about public reports that customers might be experiencing system issues with the November Security Updates (which some are referring to as “Black Screen” issues). We’ve investigated these reports and found that our November Security Updates are not making changes to the system that these reports say are responsible for these issues.

    While these reports weren’t brought to us directly, from our research into them, it appears they’re saying that our security updates are making permission changes in the registry to the Shell value under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key.

    We’ve conducted a comprehensive review of the November Security Updates, the Windows Malicious Software Removal Tool, and the non-security updates we released through Windows Update in November. That investigation has shown that none of these updates make any changes to the permissions in the registry. Thus, we don’t believe the updates are related to the “black screen” behavior described in these reports.

    We’ve also checked with our worldwide Customer Service and Support organization, and they’ve told us they’re not seeing “black screen” behavior as a broad customer issue. Because these reports were not brought to us directly, it’s impossible to know conclusively what might be causing a “black screen” in those limited instances where customers have seen it. However, we do know that “black screen” behavior is associated with some malware families such as Daonol.

    This underscores the importance of our guidance to customers to contact our Customer Service and Support group any time they think they’re affected by malware or are experiencing issues with security updates. This enables us to determine what might be happening and take steps to help customers by documenting new malware families in our MMPC malware encyclopedia or documenting known issues in our security bulletins and the supporting Knowledge Base articles.

    I hope this helps to clarify,

    Christopher

    *Postings are provided "AS IS" with no warranties, and confer no rights.*
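    As an added example (not code from the post above), the following Python checks an exported copy of the Winlogon key for a modified Shell value, the setting the “black screen” reports pointed at. Assumptions: the input is the text of a Regedit or `reg export` .reg file; the expected default Shell on the affected Windows versions is Explorer.exe stored as REG_SZ; and the sample export, including the appended c:\x.exe entry and its REG_EXPAND_SZ encoding, is constructed for the example rather than taken from a real machine or attributed to any specific malware family.

```python
"""Added example (not from the MSRC post): detect a tampered Winlogon Shell
value in a .reg export, the indicator the "black screen" reports pointed at.

Assumptions: input is a Regedit / `reg export` .reg file as text (the sample
below is constructed, not from a real machine or a specific malware family).
The expected default on the affected Windows versions is Shell = "Explorer.exe",
stored as REG_SZ.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"

# Constructed sample: Shell has been rewritten as a REG_EXPAND_SZ (hex(2),
# UTF-16LE) that starts a second program, c:\x.exe, alongside Explorer.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Shell"=hex(2):45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,\
  00,65,00,2c,00,63,00,3a,00,5c,00,78,00,2e,00,65,00,78,00,65,00,00,00
"""


def _unescape(s: str) -> str:
    """Undo .reg string escaping for quotes and backslashes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: (type, data)}} for a .reg export.

    Handles "name"="string" (REG_SZ) and "name"=hex(2):... (REG_EXPAND_SZ)
    entries, including the backslash line continuations Regedit emits; other
    value types are kept raw under the type "OTHER".
    """
    # A trailing backslash continues the value onto the next (indented) line.
    joined = re.sub(r"\\\r?\n\s*", "", text)
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue
        name, raw = _unescape(m.group(1)), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = ("REG_SZ", _unescape(raw[1:-1]))
        elif raw.lower().startswith("hex(2):"):
            octets = bytes(int(b, 16) for b in raw[7:].split(",") if b)
            keys[current][name] = ("REG_EXPAND_SZ", octets.decode("utf-16-le").rstrip("\x00"))
        else:
            keys[current][name] = ("OTHER", raw)
    return keys


def check_shell(keys: dict) -> dict:
    """Compare the HKLM Winlogon Shell value with the expected default.

    Shell may be a comma-separated list of programs; Explorer should be the
    only entry, so any other entry is an extra program started at logon. A
    type other than REG_SZ is also flagged, since the default is a plain string.
    """
    values = keys.get(WINLOGON_KEY, {})
    if "Shell" not in values:
        return {"present": False, "ok": False, "type": None, "value": None, "extra": []}
    vtype, data = values["Shell"]
    entries = [e.strip() for e in data.split(",") if e.strip()]
    extra = [e for e in entries if e.lower() != EXPECTED_SHELL]
    ok = vtype == "REG_SZ" and entries and not extra
    return {"present": True, "ok": bool(ok), "type": vtype, "value": data, "extra": extra}


if __name__ == "__main__":
    result = check_shell(parse_reg_export(SAMPLE_REG))
    print("Shell value:", result["value"], f"({result['type']})")
    print("OK" if result["ok"] else f"SUSPICIOUS, extra entries: {result['extra']}")
```

    Exporting the key (`reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`) and running this check before and after installing a month’s updates is a cheap way to test a claim like the one in the post against your own systems rather than against second-hand reports; a Shell that is anything other than a REG_SZ reading Explorer.exe is worth handing to the support and malware-protection teams the post points to.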
