Security Research & Defense

Information from Microsoft about vulnerabilities, mitigations and workarounds, active attacks, security research, tools and guidance

April, 2011

  • MS11-034: Addressing vulnerabilities in the win32k subsystem

    Today we released security bulletin MS11-034 to address vulnerabilities in the win32k subsystem. This update addresses externally reported issues as well as several internally found vulnerabilities that were discovered as part of our variant investigation.

    The bulletin may appear to address an alarmingly large number of issues. However, if you dig into the issues themselves, you’ll find that the 30 vulnerabilities addressed in this update really just share three separate vulnerability root causes: insufficient validation or locking of win32k objects after a user-mode callback. The security researcher who discovered these issues, Tarjei Mandt, applied the same technique to every different win32k object type. This blog post aims to outline the differences between the three vulnerability subclasses as well as cover additional details of the vulnerabilities fixed in this month's update.

    Vulnerability Classes

    The first vulnerability class pertains to the absence of locking of win32k objects. Because these objects are not locked prior to executing user-mode callbacks, they can be manipulated once control has been passed back to the user via the callback. This means an object can be modified or freed before execution returns to the kernel. Our observations indicate that memory re-use can be leveraged to gain elevation of privileges in some cases.

    The second vulnerability class pertains to the absence of validation on menu items after a user-mode callback returns, resulting in a typical use-after-free vulnerability. A malicious user could destroy a menu during the user-mode callback, causing certain kernel functions to operate on dangling pointers.

    The third vulnerability class pertains to the absence of validation of DDE conversation objects after user-mode callbacks which could result in a NULL pointer dereference. This can allow a standard user to elevate privileges or to cause a denial of service condition depending on the usage of the object after the user-mode callback. Investigation indicated that elevation of privileges was possible for at least a couple of the reported DDE vulnerabilities.
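    The following C program is an added illustration of the first two classes described above, written for this page rather than taken from win32k: a kernel-side routine hands control to a user-mode callback while it is still working on an object, and the hardened variant holds a reference across the callback and re-validates the object afterwards. Every name in it (ui_object, lock_object, use_object_unlocked, use_object_locked, scenario) is invented, and the "reused memory" marker is a constructed value standing in for whatever ends up at a freed object's address.

```c
/*
 * Added educational model of the win32k user-mode callback hazard.
 * Not win32k code; all identifiers are invented for this example.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct ui_object {
    int  refcount;         /* kernel-side lock; while > 0 the object cannot be freed */
    bool pending_destroy;  /* user mode asked to destroy it while it was locked */
    bool freed;            /* models the object's memory having been released */
    int  payload;          /* a field the kernel reads after the callback */
} ui_object;

/* Constructed marker for "the memory was freed and something else now lives there". */
#define REUSED_MEMORY 0xDEAD

static void release_memory(ui_object *obj) {
    obj->freed = true;
    obj->payload = REUSED_MEMORY;
}

static void lock_object(ui_object *obj) { obj->refcount++; }

/* Drop the lock; a destroy that was deferred while locked completes only here. */
static void unlock_object(ui_object *obj) {
    if (--obj->refcount == 0 && obj->pending_destroy)
        release_memory(obj);
}

/* User-mode destroy request: honoured immediately unless the kernel holds a lock. */
static void destroy_object(ui_object *obj) {
    if (obj->refcount > 0) {
        obj->pending_destroy = true;
        return;
    }
    release_memory(obj);
}

/* A user-mode callback runs while the kernel is still in the middle of using obj. */
typedef void (*user_callback)(ui_object *obj);

static void benign_callback(ui_object *obj)     { (void)obj; }
static void destroying_callback(ui_object *obj) { destroy_object(obj); }

/* Vulnerable shape (classes 1 and 2): no lock across the callback and no
 * re-validation afterwards, so the kernel reads whatever now sits at obj. */
static int use_object_unlocked(ui_object *obj, user_callback cb) {
    cb(obj);               /* control returns to user mode here */
    return obj->payload;   /* dangling use if the callback destroyed obj */
}

/* Hardened shape: lock across the callback so obj cannot be freed underneath
 * us, then re-validate before touching it. Returns -1 if obj was destroyed
 * during the callback; the deferred free then happens at unlock, after use. */
static int use_object_locked(ui_object *obj, user_callback cb) {
    int result = -1;
    lock_object(obj);
    cb(obj);
    if (!obj->pending_destroy)   /* re-validate after the callback */
        result = obj->payload;
    unlock_object(obj);
    return result;
}

/* Runs one scenario on a fresh object with payload 42 and returns the value the
 * kernel path read; *freed_out (optional) reports whether the object's memory
 * had been released by the end of the scenario. */
static int scenario(bool locked, user_callback cb, bool *freed_out) {
    ui_object *obj = calloc(1, sizeof *obj);
    if (!obj) return -2;
    obj->payload = 42;
    int read = locked ? use_object_locked(obj, cb) : use_object_unlocked(obj, cb);
    if (freed_out) *freed_out = obj->freed;
    free(obj);
    return read;
}

static bool scenario_frees_object(bool locked, user_callback cb) {
    bool freed = false;
    scenario(locked, cb, &freed);
    return freed;
}

int main(void) {
    printf("unlocked + destroying callback: read %#x\n",
           scenario(false, destroying_callback, NULL));
    printf("locked   + destroying callback: read %d\n",
           scenario(true, destroying_callback, NULL));
    printf("locked   + benign callback:     read %d\n",
           scenario(true, benign_callback, NULL));
    return 0;
}
```

    The unlocked path returns the reused-memory marker: it has consumed attacker-controlled contents at the stale address, which is the memory re-use the post refers to. The locked path returns -1 instead and still lets the destroy complete, only after the kernel is done with the object. The third class (a lookup that yields NULL once the conversation object is gone) is the same pattern with a NULL check in place of the pending_destroy check.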

    Finally, we would like to clarify the exploitability of these issues. These vulnerabilities can allow a standard user to elevate privileges because arbitrary code can be executed while the CPU is running in Supervisor mode. None of the vulnerabilities we've addressed in this month's update can be triggered remotely, hence the Important severity rating. For a local attacker able to run code on a compromised system, most of the vulnerabilities fixed in this package are straightforward to exploit.

    Acknowledgement

    Thanks to Thomas Garnier in the UK Science team, Jonathan Ness, Matt Miller, and Tarjei Mandt

    - Richard van Eeden and Brian Cavenah, MSRC Engineering

  • Assessing the risk of the April security updates

    Today we released 17 security bulletins. Nine have a maximum severity rating of Critical and eight have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

    | Bulletin | Most likely attack vector | Max bulletin severity | Max exploitability index | Likely first 30 days impact | Platform mitigations and key notes |
    |---|---|---|---|---|---|
    | MS11-018 (IE) | Victim browses to a malicious webpage. | Critical | 1 | We are aware of targeted attacks leveraging both CVE-2011-0094 and CVE-2011-1345. | IE8 and IE9 not vulnerable to CVE-2011-0094. IE9 not vulnerable to CVE-2011-1345. |
    | MS11-019 (SMB Client) | Victim makes an outbound connection to a malicious SMB server which responds with a malicious SMB packet, potentially executing code on the client in ring0. | Critical | 1 | Likely to see reliable exploits developed within next 30 days for CVE-2011-0660. | Windows 7 SP1 vulnerable to CVE-2011-0660 for denial of service only. |
    | MS11-020 (SMB Server) | Attacker sends malicious network traffic to a victim running the Server service, potentially executing code in ring0. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | Many home routers and enterprise perimeter firewalls block SMB ports (139, 445). |
    | MS11-027 (IE killbits) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploits developed for one or more of these ActiveX controls. | CVE-2011-1243 affects only Windows XP users who have never used Windows Messenger. |
    | MS11-028 (.NET) | Victim browses to a malicious webpage that offers an XBAP application. Could also be used by a malicious ASP.Net application to bypass CAS restrictions. | Critical | 1 | Vulnerability itself is exploitable (hence the “1” rating). However, we do not typically see XBAP exploits in the wild. Remains to be seen if attackers will attempt to exploit this. | Silverlight not affected. |
    | MS11-032 (OpenType Font driver) | Victim using explorer.exe browses to a folder containing a malicious OTF file. Could also be used as a local elevation of privilege for an attacker already able to run code on a machine. | Critical | 1* | Likely to see reliable exploits developed within next 30 days. | Windows XP and Windows Server 2003 not vulnerable to the shell preview attack vector. |
    | MS11-029 (GDIplus.dll) | Victim opens a malicious Word document or opens a malicious EMF file. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | Office 2003 and later versions of Office are not affected. Windows 7 also not affected. |
    | MS11-031 (VBScript / JScript) | Victim browses to a malicious webpage. | Critical | 2 | Difficult to build a reliable exploit. Less likely to see this issue exploited for code execution in next 30 days. | 32-bit platforms unlikely to be exploited for code execution unless running with /3GB boot option. |
    | MS11-030 (DNS link-local name resolution) | Attacker sends a malicious link-local multicast name resolution (LLMNR) request to victims on the same local link, potentially executing code as NetworkService on nearby systems. | Critical | 2 | Difficult to build a reliable exploit. Less likely to see this issue exploited for code execution in first 30 days. | Does not affect systems using the (default) Public network profile. |
    | MS11-026 (MHTML) | Victim browses to a malicious website that steals browser cookies for other trusted websites. | Important | n/a | We are aware of public exploits that attempt to leverage CVE-2011-0096. | No direct code execution. This is an information disclosure threat. |
    | MS11-021 (Excel) | Victim opens a malicious Excel spreadsheet (XLS). | Important | 1 | Likely to see reliable exploit developed in next 30 days. | |
    | MS11-022 (PowerPoint) | Victim opens a malicious PowerPoint presentation (PPT). | Important | 1 | Likely to see reliable exploit developed in next 30 days. | |
    | MS11-023 (Excel) | Victim opens a malicious Excel spreadsheet (XLS). | Important | 1 | CVE-2011-0107 (DLL Preloading vulnerability) has been disclosed publicly. The other CVE addressed in this bulletin (CVE-2011-0977) would be more difficult to exploit for code execution. | Office 2010 not affected. |
    | MS11-033 (Wordpad converter) | Victim opens a malicious RTF, WRI, or DOC file with Wordpad. | Important | 2 | Difficult to build a reliable exploit. Less likely to see this issue exploited for code execution in first 30 days. | Windows Vista and later versions of Windows are not affected. |
    | MS11-034 (win32k.sys) | Attacker already running code on a machine elevates from a low-privileged account to SYSTEM. | Important | 1 | Likely to see an exploit released granting a local attacker SYSTEM level access. | 30 of this month’s 64 vulnerabilities are addressed in this bulletin. More information about the high vulnerability count is in this month’s SRD blog post. |
    | MS11-025 (DLL Preloading) | Victim browses to a malicious WebDAV share and launches an application by double-clicking a content file hosted on the attacker-controlled WebDAV share. | Important | 1 | Exploiting DLL preloading cases is straightforward. Therefore, exploit code is likely to appear. | |
    | MS11-024 (Fax cover sheet) | Victim opens a malicious fax cover sheet (COV, CPE). | Important | 3 | Less likely to see real-world effective exploits for this filetype due to mitigating factors. | No version of Windows will open a .cov file by default via a registered file extension (double-clicking the file). The affected component is not installed by default or is not registered. |

    In addition to the bulletins, two interesting advisories are being released today. Security advisory 2501584 describes a great protection mechanism available for Office 2003 and Office 2007 customers to download and install. The Office team’s blog post about the tool is available at http://blogs.technet.com/b/office_sustained_engineering/archive/2011/04/11/office-file-validation-general-availability-announcement.aspx.

    The second advisory, KB 2506014, hardens Windows against kernel-mode rootkits. It specifically breaks the hiding mechanism used by the current Alureon/TDL4 rootkit family. The update is available on WU and WSUS and is pushed out automatically to customers who have opted in to Automatic Updates.

    If you have any questions about these updates, please email us at switech [at] microsoft [dot] com. You can also tune into the MSRC webcast tomorrow where I’ll be answering questions on-the-air. The MSRC blog post has all the information for that.

    Update April 13: Corrected the MS11-028 bulletin severity and affected products. Also moved this bulletin up higher in priority due to this correction.

    *Update April 15: Corrected the MS11-032 bulletin exploitability due to a rating error. Also moved MS11-032 higher in priority order.

    - Jonathan Ness, MSRC Engineering

  • MS11-019 and MS11-020: April SMB Updates

    This month we released updates for the SMB client and server components (MS11-019 and MS11-020 respectively). These bulletins address three externally-reported issues, but also include fixes for several issues that Microsoft identified internally. This blog post provides background on these issues and the work done internally at Microsoft to improve SMB security.

    Finding and issuing fixes to additional security vulnerabilities is part of our standard security update process, and is covered in detail in a previous blog post via the following link: http://blogs.technet.com/b/srd/archive/2011/02/14/additional-fixes-in-microsoft-security-bulletins.aspx

    Working to enhance the security landscape, a team of people across the Windows, Windows Sustained Engineering and TWC Security groups at Microsoft spent the last year identifying new methods to improve SMB updates. Typically, SMB updates have focused on finding variants of externally-reported issues (“hacking for variations”) to help ensure a comprehensive security bulletin that would not put customers at risk once the update is reverse-engineered by attackers. In order to increase the effectiveness of this month’s SMB update, Microsoft used an even wider scope for identifying variants and increased the time and resources devoted to the update.

    What led to the wider scope?

    Over the past two years SMB has been a target for security researchers, and Microsoft released several security updates as new issues were reported. As part of each of the preceding updates, we followed our standard “hacking for variations” approach, but with a tighter timeline mandated by the need to address reported issues as quickly as possible.

    It was clear that even without additional issues being reported, there were things we could focus on and improve in terms of our internal security testing, code auditing and design reviews. As a result, we kicked off a longer-term project to identify additional security issues in the SMB code, with an eye on releasing fixes in a future security bulletin. This “SMB Security Scrub” led to the fixes included in the April bulletin release.

    What was done?

    The following initiatives were part of the SMB Security Scrub:

    • Improving our fuzzing tools, test scenarios and test tools. We performed months of fuzzing across all supported versions of Windows;
    • Reviewing code and protocol coverage to identify areas that were being missed;
    • Reviewing security code for new issues or variations of issues found through fuzzing;
    • Targeting fuzzing and fuzzing tool changes based on previous security issues and new issues identified during the code review; and
    • Performing static code analysis.

    The end result is more than 1000 lines of source code changed per version of Windows.
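    As an added illustration of the fuzz-then-fix loop the scrub describes, the C program below is written for this page and is not Microsoft's tooling: it mutates a constructed length-prefixed frame (invented here, only loosely shaped like the session framing that carries SMB), runs each mutant through a parser that trusts the declared length and through one that checks it against the bytes received, and counts how many accepted frames an oracle flags as an over-read. The frame format, parse_trusting, parse_checked, the mutator and the seed value are all assumptions of the example.

```c
/*
 * Added example: a minimal mutation-fuzz harness around a toy frame parser.
 * Not Microsoft's fuzzing tooling; format and names are invented.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEADER_LEN 3

/* Toy frame: 1-byte type, 2-byte big-endian payload length, then the payload. */
typedef struct {
    uint8_t type;
    uint16_t length;
    const uint8_t *payload;
} frame;

typedef bool (*parser_fn)(const uint8_t *buf, size_t len, frame *out);

/* Before the fix: the declared length is trusted, so a consumer that copies
 * `length` bytes from `payload` reads past the received data when the header
 * claims more than was sent. Returns false only for a truncated header. */
static bool parse_trusting(const uint8_t *buf, size_t len, frame *out) {
    if (len < HEADER_LEN) return false;
    out->type = buf[0];
    out->length = (uint16_t)((buf[1] << 8) | buf[2]);
    out->payload = buf + HEADER_LEN;
    return true;
}

/* After the fix: the declared length must fit the bytes actually received. */
static bool parse_checked(const uint8_t *buf, size_t len, frame *out) {
    if (!parse_trusting(buf, len, out)) return false;
    return (size_t)out->length <= len - HEADER_LEN;
}

/* Oracle standing in for a memory checker: would consuming this frame read
 * beyond the received bytes? Computed on sizes, so nothing is actually read. */
static bool would_over_read(const frame *f, size_t len) {
    return (size_t)f->length > len - HEADER_LEN;
}

/* Small deterministic PRNG so a finding can be reproduced from its seed. */
static uint32_t xorshift32(uint32_t *state) {
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *state = x;
}

/* Mutator: flip one random bit of one random byte. */
static void mutate(uint8_t *buf, size_t len, uint32_t *rng) {
    size_t pos = xorshift32(rng) % len;
    buf[pos] ^= (uint8_t)(1u << (xorshift32(rng) % 8));
}

/* Runs `iterations` mutants of a constructed seed frame through `parse` and
 * returns how many accepted frames the oracle flags as an over-read. */
static unsigned fuzz(parser_fn parse, unsigned iterations, uint32_t seed) {
    /* Constructed seed corpus: one valid frame, type 1, two payload bytes. */
    static const uint8_t corpus[] = { 0x01, 0x00, 0x02, 0xAA, 0xBB };
    uint8_t input[sizeof corpus];
    uint32_t rng = seed ? seed : 1u;   /* xorshift must not start at zero */
    unsigned findings = 0;

    for (unsigned i = 0; i < iterations; i++) {
        memcpy(input, corpus, sizeof corpus);
        mutate(input, sizeof input, &rng);
        frame f;
        if (parse(input, sizeof input, &f) && would_over_read(&f, sizeof input))
            findings++;
    }
    return findings;
}

int main(void) {
    printf("trusting parser: %u over-read findings in 1000 mutants\n",
           fuzz(parse_trusting, 1000, 1u));
    printf("checked parser:  %u over-read findings in 1000 mutants\n",
           fuzz(parse_checked, 1000, 1u));
    return 0;
}
```

    The same harness runs against both parsers, which is the point of re-fuzzing after a fix: the findings count for the trusting parser documents the bug class, and a zero count for the checked parser on the same seed shows the length check closes it for every mutant tried. Growing the corpus and the mutator (multi-byte edits, splices between frames) is where the "improving our fuzzing tools" work goes.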

    Given Microsoft’s commitment to improving the security landscape for its customers, this new method will continue, and the improved tools and processes identified from this ongoing research will be applied to future SMB security updates and new versions of Windows.

    Do the additional issues affect bulletin severity or deployment priority?

    The bulletin severity for both the SMB server and client bulletins is already Critical based on the externally-reported issues. As a result, the internally-found issues do not cause an increase in bulletin severity. The severity, impact and attack scenarios are covered by the externally-reported issues described in the bulletin, and therefore these issues do not affect deployment priority.

    Finally, I would like to thank everyone at Microsoft that worked on these SMB updates for their hard work!

    - Mark Wodrich, MSRC Engineering

  • MS11-018 addresses the IE8 pwn2own vulnerability

    Today Microsoft released MS11-018 addressing one of the three vulnerabilities that were used to win the Pwn2Own contest last month at CanSecWest 2011. It took three vulnerabilities to successfully compromise IE8 and meet all the requirements of the organizers.

    The vulnerability we are fixing today, a use-after-free which does not affect IE9, was the primary vulnerability used to gain code execution. A second vulnerability was used to make the exploit more reliable and a third was used to escape IE’s protected mode.

    Why was IE9 not affected?

    During the development of IE9, several security features were built in to catch as many security issues as possible early in the process. This one was found by fuzzing and was fixed by the IE team about 10 months ago. Another vulnerability, used as an information leak during the contest, was likewise found and fixed during IE9 development.

    Why did it take only a few weeks to fix this vulnerability?

    Normally, all security fixes go through an extensive phase of regression testing. This particular fix did too but since the issue had been previously tested on IE9, we were able to move forward faster with the fix.

    When is Microsoft fixing the other two vulnerabilities?

    First, it’s important to explain the other two issues:

    • The first one is a “heap address leak”. With this leak, there was no need to heap-spray large chunks of memory. Please note there is no leak of the contents of the heap, such as vtable pointers, just an address of the heap.
    • The second one is an IE protected mode bypass.

    Both are currently being evaluated and will be fixed in an upcoming release cycle, but without the vulnerability addressed by MS11-018 (the one we are fixing this month) the other two do not pose a direct threat to customers.

    - Fermin J. Serna, MSRC Engineering