The official corporate security response blog

  • MSRC

    January 2010 Out-of-Band Security Bulletin Webcast

    Hello everyone,

    Yesterday Adrian Stone from the Microsoft Security Response Center (MSRC) and I hosted a live webcast to discuss Security Bulletin MS10-002 and Security Advisory 979682 in more detail with customers.

    Below is the video of that presentation and you can find the question & answer transcript here. We spent over an hour answering customer questions during the webcast. They were all good. Below the video, I am including a set of links to resources we referred to during the presentation.

    Thanks to all who attended!

    Resources:

    Blogs

    Bulletins, Advisories, Notifications & Newsletters

    Security Centers

    Other Resources

    Jerry Bryant
    Senior Security Communications Manager Lead

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Bulletin MS10-002 Released

    Hello,

    Today we released Security Bulletin MS10-002 out-of-band to address vulnerabilities in Internet Explorer. All customers using currently supported versions of Windows and Internet Explorer should apply this update as soon as possible. Once applied, customers are protected against the known attacks that have been widely publicized. For customers using automatic updates, this update will automatically be applied once it is released.

    I also wanted to clarify some information that we included in our update to Security Advisory 979352 yesterday. We let customers know that there are other applications that may use mshtml.dll as a rendering engine and if those applications allow active scripting, they can be used as an attack vector. Customers who install today’s update are NOT vulnerable and are protected from all known attack vectors. These applications are NOT vulnerable and no security updates are needed for them. Installing today’s Internet Explorer update addresses the vulnerability across all applications.

    As we noted in our blog post yesterday, this Internet Explorer security update was already planned for release in February. When the attack discussed in Security Advisory 979352 was first brought to our attention on Jan 11, we quickly released an advisory for customers three days later. As part of that investigation, we also determined that the vulnerability was the same as a vulnerability responsibly reported to us and confirmed in early September.

    For a detailed review of today’s bulletin, please join Adrian Stone and me today for a live webcast where we will try to answer your questions in real time. Registration information:

    Date: Thursday Jan 21
    Time: 1:00 p.m. PST (UTC -8)
    Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032440627

    Hope to see you there!

    Jerry Bryant

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Security Advisory 979682 Released

    Today we released Security Advisory 979682 to address an Elevation of Privilege (EoP) vulnerability in the Windows kernel, affecting all currently supported versions of 32-bit Windows. 64-bit versions of Windows, including Windows Server 2008 R2, are not affected. The advisory provides customers with actionable guidance to help with protections against exploit of this vulnerability.

    To exploit this vulnerability, an attacker must already have valid logon credentials and be able to log on to a system locally, meaning they must already have an account on the system. An attacker could then elevate their privileges to the administrative level and run programs of their choice on the system.

    To help mitigate exploit of this vulnerability, customers who do not require NT Virtual DOS Mode (NTVDM) or support for 16-bit applications can disable the NTVDM subsystem. Information on this workaround can be found in the Advisory.

    We are not currently aware of any active attacks against this vulnerability and believe risk to customers, at this time, is limited. We continue to recommend customers review the mitigations and workarounds detailed in the Security Advisory.

    We are also working with our Microsoft Active Protections Program (MAPP) partners to help provide broader protections for customers.

    Our teams are continuing to work on an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out-of-band.

    The Security Advisory will be updated with any new developments so if you are not already subscribed to our comprehensive alerts, please do so in order to be alerted by email when new information is added.

    We will also keep customers apprised of any additional details and updates through the MSRC Blog.

    Thanks,

    Jerry Bryant

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Advance Notification for Out-of-Band Bulletin Release

    Today we issued our Advance Notification Service (ANS) to advise customers that we will be releasing MS10-002 tomorrow, January 21st, 2010. We are planning to release the update as close to 10:00 a.m. PST (UTC -8) as possible. This is a standard cumulative update, accelerated from our regularly scheduled February release, for Internet Explorer with an aggregate severity rating of Critical. It addresses the vulnerability related to recent attacks against Google and a small subset of corporations, as well as several other vulnerabilities. Once applied, customers are protected against the known attacks that have been widely publicized. We recommend that customers install the update as soon as it is available. For customers using automatic updates, this update will automatically be applied once it is released.

    Today we also updated Security Advisory 979352 to include technical details addressing additional customer questions.

    The updated Security Advisory includes guidance in relation to reports of proof of concept (POC) code that bypasses Data Execution Prevention (DEP) and additional information on the exploitability of, and mitigations and workarounds for, Microsoft products that use mshtml.dll.

    Based on our comprehensive monitoring of the threat landscape, we continue to see only limited attacks. To date, the only successful attacks that we are aware of have been against Internet Explorer 6.

    We continue to recommend that customers update to Internet Explorer 8 to benefit from the improved security protection it offers.

    Additional Technical Details Related to Security Advisory 979352

    Data Execution Prevention (DEP) Bypass

    There is a report of a new exploit that bypasses Data Execution Prevention (DEP). We have analyzed the Proof-of-Concept (POC) exploit code and have found that Windows Vista and later versions of Windows offer more effective protections in blocking the exploit due to the improved security protection offered by Address Space Layout Randomization (ASLR).

    On Windows XP, which does not benefit from the improved security protection provided by ASLR, attacks using the DEP bypass techniques are likely to be more effective.

    The DEP bypass exploit is not, at this time, publicly available and we have not seen it used in attacks.

    Additional details on the DEP bypass exploit are provided in a Security Research and Defense Blog published today.

    Microsoft E-Mail Products That Render using mshtml.dll Protected by Default

    There have been reports that supported versions of Outlook, Outlook Express and Windows Live Mail are affected by the vulnerability in Security Advisory 979352.

    For customers using the default configuration of all supported versions of Outlook, Outlook Express and Windows Live Mail, the risk of exploit using Outlook as an attack vector is low. We are unaware of active exploit against supported versions of Outlook, Outlook Express or Windows Live.

    By default, Outlook, Outlook Express and Windows Live Mail open HTML e-mail messages in the Restricted sites zone, which helps mitigate attacks seeking to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used. Additionally, Outlook 2007 uses a different component to render HTML e-mail, removing the risk of the exploit.

    If customers have modified their default configuration to not run in Restricted sites zone, their environments will be in a less secure, more vulnerable, state.

    Other products may also use the HTML rendering engine for Internet Explorer and could expose this vulnerability.  Any successful attack would require bypassing the default security mechanisms used by each individual application. Therefore customers who use these default application configurations may have reduced risk from being exploited through additional vectors.

    Office Applications with Active Scripting Enabled Potentially Vulnerable

    We are also aware that the vulnerability can be exploited by including an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file. Customers would have to open a malicious file to be at risk of exploitation.

    To prevent exploitation, we recommend that customers disable ActiveX Controls in Microsoft Office.

    Detailed information on how to disable ActiveX Controls is included in the Security Advisory.

    To be clear, applying the update for Internet Explorer addresses the issue across all products that may use mshtml.dll. Customers should install the update to be protected.

    We continue to monitor the situation and will keep customers apprised of any changes to the situation or threat landscape through the Microsoft Security Response Center Blog.

    Please join us Thursday, January 21 at 1:00 p.m. PST (UTC -8) for a public webcast where we will present information on the bulletin and take customer questions. Registration information:

    Date: Thursday Jan 21
    Time: 1:00 p.m. PST (UTC -8)
    Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032440627

    Thanks,

    Jerry Bryant

    *This posting is provided "AS IS" with no warranties, and confers no rights*

  • MSRC

    Security Advisory 979352 – Going out of Band

    We wanted to provide a quick update on the threat landscape and announce that we will release a security update out-of-band to help protect customers from this vulnerability.

    Based on our comprehensive monitoring of the threat landscape, we continue to see very limited, and in some cases, targeted attacks. To date, the only successful attacks that we are aware of have been against Internet Explorer 6. We continue to recommend customers update to Internet Explorer 8 to benefit from the improved security protection it offers. We also recommend customers consider deploying the workarounds and mitigations provided in Security Advisory 979352.

    Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves, and the escalating threat environment, Microsoft will release a security update out-of-band for this vulnerability.

    We take the decision to go out-of-band very seriously given the impact to customers, but we believe releasing an update out-of-band is the right decision at this time. We will provide the specific timing of the release tomorrow.

    As always, we’re continuing to investigate this situation, so customers should look for the latest updates here on the Microsoft Security Response Center blog.

    Thank you,

    George Stathakopoulos
    General Manager
    Trustworthy Computing Security

    *This posting is provided "AS IS" with no warranties, and confers no rights*

  • MSRC

    Advisory 979352 Update for Monday January 18

    For today’s update we want to share some insight on the current threat landscape for Security Advisory 979352, some new resources we have published and the current status on producing a security update.

    As we’ve previously reported, attacks remain targeted to a very limited number of corporations and are only effective against Internet Explorer 6.

    We have not seen successful attacks on Internet Explorer 8. We continue to recommend customers update to Internet Explorer 8 to benefit from the improved security protection it offers.

    Additionally at this time, we have not seen any successful attacks against Internet Explorer 7. However, earlier today, we were made aware of reports that researchers have developed Proof-of-Concept (PoC) code that exploits this vulnerability on Internet Explorer 7 on Windows XP and Windows Vista. We are actively investigating, but cannot confirm, these claims.

    Today we also published a guidance page, including an online video, for home users who may be confused, or concerned, about this security vulnerability and want to know what they should do to protect themselves from the known attacks. This page is located here.

    Jonathan Ness from our Security Research & Defense team has also provided a video explaining Data Execution Prevention (DEP). While this technology offers a key mitigation against known attacks, how it works is somewhat complicated, so this video is to help people unfamiliar with DEP better understand it.

    Customers have been asking us when we will have an update available for this issue and if we will release the update out-of-band. We want to let customers know that we will release this security update as soon as the appropriate amount of testing has been completed. While we cannot yet give a date of when that will be, we will keep customers updated.

    We will continue to monitor the threat landscape, and we will provide daily updates as things develop.

    Thanks!

    Jerry Bryant

    *This posting is provided "AS IS" with no warranties, and confers no rights*

  • MSRC

    Further Insight into Security Advisory 979352 and the Threat Landscape

    Hi All,

    We wanted to provide you some insight into the vulnerability reported in Microsoft Security Advisory 979352, which is related to our ongoing investigation into the recently publicized attacks against Google and other large corporate networks. We understand that there is a lot of noise about this topic right now and we know that our customers are receiving a lot of information about this situation from a variety of sources, so we want to provide some additional insight.

    First, we will provide an update on the threat landscape – there has been a lot of speculation, so we’ll share detailed information on what Microsoft is seeing in terms of attacks across all of our monitoring systems. Second, we’ll highlight what customers should do to protect themselves. Finally, I will provide an update on the continuing work at Microsoft to respond to this situation and help protect our customers.

    In terms of the threat landscape, we are only seeing a very limited number of targeted attacks against a small subset of corporations. The attacks that we have seen to date, including public proof-of-concept exploit code, are only effective against Internet Explorer 6. Based on a rigorous analysis of multiple sources, we are not aware of any successful attacks against IE7 and IE8 at this time. This is likely due to improved security protections provided by newer versions of Internet Explorer and Windows as described in our recent Security Research and Defense Blog. In summary, we are not seeing any widespread attacks by any means, and thus far we are not seeing attacks focused on consumers.

    That said, we remain vigilant about this threat evolving and want to be sure our customers take appropriate action to protect themselves. That is why we continue to recommend that customers using IE6 or IE7 upgrade to IE8 as soon as possible to benefit from the improved security protections it offers. Customers who are using Windows XP SP2 should be sure to both upgrade to IE8 and enable Data Execution Prevention (DEP), or upgrade to Windows XP SP3 which enables DEP by default, as soon as possible. Additionally customers should consider implementing the workarounds and mitigations provided in the Security Advisory.

    Additionally, even though we are only seeing limited targeted attacks today, we know that can change at any time. That is why through our Software Security Incident Response Plan (SSIRP), we actively monitor the threat landscape through our broad telemetry systems, including the Microsoft Malware Protection Center (MMPC), our Customer Service and Support group, and through our partners in the Microsoft Active Protection Program (MAPP) and the Microsoft Security Response Alliance (MSRA).

    We want to assure you that we have teams working around the clock worldwide to develop a security update of appropriate quality for broad distribution to address this vulnerability.

    We will continue to monitor this situation. Should we see any change in the threat landscape, we will update you as soon as possible, or otherwise provide you with daily updates here at the MSRC blog.

    Thank you,

    George Stathakopoulos
    General Manager
    Trustworthy Computing Security

    *This posting is provided "AS IS" with no warranties, and confers no rights*

  • MSRC

    January Security Bulletin Webcast

    Hello again. To close out our January security bulletin release, we have posted the questions and answers from Wednesday’s webcast and embedded the video below. Since we only had one bulletin, the presentation was pretty short and most of the questions were concerning the Adobe Flash Player advisory we released.

    Please join us next month for our February Security Bulletin Webcast where we will again be presenting detailed information on our bulletins and taking your questions live with the help of a room full of very smart people who work hard to release these updates.

    Date: Wednesday Feb 10
    Time: 11:00 a.m. PST (UTC -8)
    Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427679

    Thanks!

    Jerry Bryant

    *This posting is provided "AS IS" with no warranties, and confers no rights*

  • MSRC

    Advisory 979352 Updated

    Hello,

    Today we updated Security Advisory 979352 to let customers know that we are aware that exploit code for the vulnerability used in recent attacks against IE 6 users has now been made public. Information on which versions of Internet Explorer are vulnerable and what customers can do to protect themselves is included in the updated Security Advisory.

    Our teams are continuing to work on an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out-of-band.

    Additionally our Security Research & Defense team has written up a blog with additional technical details on the exploit, the vulnerability, mitigations and workarounds.

    We continue to recommend customers review the information in the Advisory, implement the workarounds and mitigations, consider updating to Internet Explorer 8 which includes important protections not present in IE 6, and follow the information on our Protect Your PC website.

    Thanks,

    Jerry Bryant

    Senior Security Communications Manager Lead

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Security Advisory 979352 Released

    Based upon our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks.  Today, Microsoft issued guidance to help customers mitigate a Remote Code Execution (RCE) vulnerability in Internet Explorer.  Additionally, we are cooperating with Google and other companies, as well as authorities and other industry partners.

    Microsoft remains committed to taking the appropriate action to help protect our customers. We released Security Advisory 979352 to provide customers with actionable guidance and tools to help with protections against exploit of this vulnerability. Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time. Our teams are currently working to develop an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out of band.

    It is important to note that complex attacks targeting specific corporate networks are becoming more prevalent in the threat landscape, therefore organizations should follow defense-in-depth best practices, and deploy multiple layers of protection to improve their security posture. In addition, Protected Mode in IE 7 on Windows Vista and later significantly reduces the ability of an attacker to impact data on a user’s machine. Customers should also enable Data Execution Prevention (DEP) which helps mitigate online attacks. DEP is enabled by default in IE 8 but must be manually enabled in prior versions.

    Customers can also set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones or configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. You can find details on implementing these settings in the advisory.

    Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-727-2338 (PCSAFETY). Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov. Customers should follow the guidance in the advisory and our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software (learn more by visiting the Protect Your PC web site). International customers can find their Regional Customer Service Representative at http://support.microsoft.com/common/international.aspx.

    We are also working with our Microsoft Active Protections Program (MAPP), the Microsoft Security Response Alliance (MSRA), authorities and other industry partners to help provide broader protections for customers. Together with our partners, we will continue to monitor the threat landscape and will take action against any web sites that seek to exploit this vulnerability.

    The Security Advisory will be updated with any new developments so if you are not already subscribed to our comprehensive alerts, please do so in order to be alerted by email when new information is added.

    -Mike Reavey

    *This posting is provided "AS IS" with no warranties, and confers no rights.*
