Security Research & Defense

Information from Microsoft about vulnerabilities, mitigations and workarounds, active attacks, security research, tools and guidance

June, 2011

  • WebGL Considered Harmful

    The Khronos Group’s WebGL technology is a cross-platform, low-level 3D graphics API for the web. Recently, Context Information Security published two reports critical of the WebGL technology, WebGL – A New Dimension for Browser Exploitation and WebGL – More WebGL Security Flaws.

    One of the functions of MSRC Engineering is to analyze various technologies in order to understand how they can potentially affect Microsoft products and customers. As part of this charter, we recently took a look at WebGL. Our analysis has led us to conclude that Microsoft products supporting WebGL would have difficulty passing Microsoft’s Security Development Lifecycle requirements. Some key concerns include:

    • Browser support for WebGL directly exposes hardware functionality to the web in a way that we consider to be overly permissive

      The security of WebGL as a whole depends on lower levels of the system, including OEM drivers, upholding security guarantees they never really needed to worry about before. Attacks that may previously have resulted only in local elevation of privilege may now result in remote compromise. While it may be possible to mitigate these risks to some extent, the large attack surface exposed by WebGL remains a concern. We expect to see bugs that exist only on certain platforms or with certain video cards, potentially facilitating targeted attacks.

    • Browser support for WebGL places security servicing responsibility too heavily on third parties to secure the web experience

      As WebGL vulnerabilities are uncovered, they will not always manifest in the WebGL API itself. The problems may exist in the various OEM and system components delivered by IHVs. While it has been suggested that WebGL implementations may block the use of affected hardware configurations, this strategy does not seem to have been successfully put into use to address existing vulnerabilities.

      It is our belief that as configurations are blocked, increasing levels of customer disruption may occur. Without an efficient security servicing model for video card drivers (e.g., Windows Update), users may either choose to override the protection in order to use WebGL on their hardware, or remain insecure if a vulnerable configuration is not properly disabled. Users are not accustomed to ensuring they are up to date on the latest graphics card drivers, as would be required for them to have a secure web experience. In some cases where OEM graphics products are included with PCs, retail drivers are blocked from installing. OEMs often update their drivers only once per year, a reality that is just not compatible with the needs of a security update process.

    • Problematic system DoS scenarios

      Modern operating systems and graphics infrastructure were never designed to fully defend against attacker-supplied shaders and geometry. Although mitigations such as ARB_robustness and the forthcoming ARB_robustness_2 may help, they have not proven themselves capable of comprehensively addressing the DoS threat. While traditionally client-side DoS is not a high severity threat, if this problem is not addressed holistically it will be possible for any web site to freeze or reboot systems at will. This is an issue for some important usage scenarios such as in critical infrastructure.

    We believe that WebGL will likely become an ongoing source of hard-to-fix vulnerabilities. In its current form, WebGL is not a technology Microsoft can endorse from a security perspective.

    We recognize the need to provide solutions in this space; however, it is our goal that all such solutions are secure by design, secure by default, and secure in deployment.

    - MSRC Engineering

  • Assessing the risk of the June security updates

    Today we released 16 security bulletins. Nine have a maximum severity rating of Critical and seven have a maximum severity rating of Important. This release addresses several publicly disclosed vulnerabilities. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

    | Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploitability rating | Likely first 30 days impact | Platform mitigations and key notes |
    |---|---|---|---|---|---|
    | MS11-050 (IE) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | IE9 not affected by several of these issues due to attack surface reduction and advances in fuzzing during IE9 development. More detail [here]. |
    | MS11-052 (Vector Markup Language) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | IE9 not affected. Outlook preview pane not affected due to scripting requirement. |
    | MS11-043 (SMB Client) | Victim makes an outbound connection to a malicious SMB server which responds with a malicious SMB packet, potentially executing code on the client in ring0. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | Many enterprise perimeter firewalls and consumer ISPs block outbound SMB ports (139, 445), preventing internet-based attacks. |
    | MS11-042 (DFS Client) | Victim makes an outbound connection to a malicious DFS server which responds with a malicious DFS packet, potentially executing code on the client in ring0. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | Many enterprise perimeter firewalls and consumer ISPs block outbound SMB ports (139, 445), preventing internet-based attacks. |
    | MS11-038 (OLE Automation) | Victim browses to a malicious webpage that uses VBScript to load a WMF file from an SMB or WebDAV path. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | |
    | MS11-040 (Forefront TMG firewall client) | Victim running TMG client browses to a malicious webpage that initiates a DNS hostname lookup to a malicious DNS server. The malicious response is parsed by the application that initiated the request and could potentially allow code execution in that context. | Critical | 1 | Likely to see reliable exploit developed in next 30 days. | Clients for ISA Server 2004 and ISA Server 2006 are not affected. Client for TMG, Medium Business Edition is not affected. |
    | MS11-039 (.NET/Silverlight) | Victim browses to a malicious webpage that offers an XBAP application. Could also be used by a malicious ASP.Net application to bypass CAS restrictions. | Critical | 1 | Vulnerability itself is exploitable (hence the “1” rating). However, we do not typically see XBAP exploits in the wild. Remains to be seen if attackers will attempt to exploit this. | Latest version of Silverlight not affected. |
    | MS11-044 (.NET Framework) | Attack vector is application-dependent and limited to .NET applications relying on a certain kind of check to make security decisions. Read more [here] about potential attack vectors. | Critical | 2 | Likely to be difficult to build a reliable exploit, once a vulnerable application is found. | |
    | MS11-041 (OpenType Font driver) | Victim using explorer.exe browses to a folder containing a malicious OTF file. | Critical | 2 | Difficult to build a reliable exploit. | Windows XP and Windows Server 2003 not vulnerable to the shell preview attack vector. |
    | MS11-046 (AFD.sys driver) | Attacker already running code on a machine elevates from a low-privileged account to SYSTEM. | Important | 1 | Exploits known to exist already. | |
    | MS11-045 (Excel) | Victim opens a malicious Excel spreadsheet (XLS). | Important | 1 | Likely to see reliable exploit developed in next 30 days. | Excel 2010 affected by only one of the eight vulnerabilities. |
    | MS11-051 (Active Directory Certificate Server) | Victim clicks on a malicious link directing them to Active Directory Certificate Server, which initiates attacker actions on the certificate server in the context of the user clicking the link. (XSS) | Important | 1 | Likely to see reliable exploit developed in next 30 days. | |
    | MS11-037 (MHTML) | Victim browses to a malicious webpage that attempts to steal cookies belonging to a different website. (Cross-Domain Information Disclosure) | Important | 3 | No chance for direct code execution – Information Disclosure only. However, proof-of-concept code is publicly available. | |
    | MS11-048 (SMB Server) | Attacker sends a malicious SMB request which causes a denial of service on the victim workstation. | Important | 3 | No chance for direct code execution – Denial of Service only. | |
    | MS11-047 (Hyper-V) | Attacker who is local administrator on a guest OS VM can cause a resource exhaustion denial of service on the host OS. | Important | 3 | No chance for direct code execution – Denial of Service only. | |
    | MS11-049 (Visual Studio XML Editor) | Victim opens a malicious .disco file inside Visual Studio, leaking file content on the workstation to a remote attacker. | Important | 3 | No chance for direct code execution – Information Disclosure only. | |

    Please let us know (switech at microsoft dot com) if you have any questions about these updates. 

    Jonathan Ness, MSRC Engineering

  • MS11-044: JIT compiler issue in .NET Framework

    Today we have released MS11-044 to address CVE-2011-1271, a remote code execution vulnerability in the .NET Framework. Here we would like to provide more technical information about this vulnerability and why we believe this issue is unlikely to be exploited.

    The root cause of CVE-2011-1271 is a bug in the JIT compiler which would cause it to mistakenly determine that a given object is always null (or non-null) and omit certain checks as a result.

    For example:

                                         if ((value == null || value == new string[0]) == false)
    00000027  test        esi,esi               ; value == null?
    00000029  je          00000075 
    0000002b  xor         edx,edx               ; new string[0]
    0000002d  mov         ecx,6D913BD2h 
    00000032  call        FFD20BC8 
    00000037  cmp         eax,esi               ; value == new string[0]?
    00000039  je          00000075 
                    {
                        Console.WriteLine("Post-check Value is: " + value);
    0000003b  mov         ecx,dword ptr ds:[03532090h]  ; "Post-check value is: "
    00000041  xor         edx,edx               ; Wrong here.
    00000043  call        6D70B7E8              ; String.Concat()
    00000048  mov         esi,eax               ; 
    0000004a  call        6D72BE08              ; get Console.Out
    0000004f  mov         ecx,eax 
    00000051  mov         edx,esi 
    00000053  mov         eax,dword ptr [ecx] 
    00000055  call        dword ptr [eax+000000D8h]     ; Console.WriteLine()
    

    At offset 0x41, the optimizer has incorrectly concluded that value will always be null, so it directly passes a null to String.Concat().

    For CVE-2011-1271, the JIT compiler can introduce a logic flaw when running C# or IL code sequences very similar to those described above. Depending on the .NET application’s business logic, if the NULL check (or non-NULL check) is used to make a security decision, for example a check of certain credentials, and if attacker-controlled data can directly or indirectly leverage this missing logic and gain an advantage from it, then there is a possibility of remote code execution. However, we do not believe this to be a common case for the majority of deployed .NET applications.

    Special thanks to Reid Borsuk on the .NET team.
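    The following C# snippet is an added example and is not code from the MSRC post or the .NET team. It reconstructs the shape of the method behind the disassembly above (the post shows only the `if` statement and the `Console.WriteLine` call; the method name, the `object` type of `value`, and the surrounding class are assumptions) and wraps it in a self-check that a deployment could run to confirm the JIT preserves the value through the null check. On a correctly behaving runtime the concatenation includes the argument; if a JIT ever passed null the way offset 0x41 does, the returned string would lack it. Whether this exact sequence triggers the miscompile on an unpatched runtime is not something the post states.

```csharp
using System;

class NullCheckJitSelfCheck
{
    // Reconstructed (assumed) form of the method whose disassembly appears above.
    // 'value' is typed object so that the reference comparison against a fresh
    // string[] compiles; that comparison is always false, so the whole condition
    // reduces to "value != null". A correct JIT must therefore pass the real
    // object, never null, to String.Concat on the taken branch.
    static string PostCheck(object value)
    {
        if ((value == null || value == new string[0]) == false)
        {
            return "Post-check Value is: " + value;
        }
        return null;
    }

    // Self-check: feed a non-null value and confirm the concatenation saw it.
    // A miscompiled build (null handed to String.Concat) would return the
    // prefix alone, which is what a monitoring or startup test can flag.
    static bool JitPreservesValueThroughNullCheck()
    {
        const string probe = "probe-value"; // constructed sample input
        string result = PostCheck(probe);
        bool nullBranchSkipped = PostCheck(null) == null;
        return nullBranchSkipped && result == "Post-check Value is: " + probe;
    }

    static void Main()
    {
        Console.WriteLine(JitPreservesValueThroughNullCheck()
            ? "JIT preserved the value through the null check"
            : "JIT dropped the value after the null check - investigate runtime version");
    }
}
```

    The point of the check is the second branch: a security decision that depends only on "the object was non-null" has nothing left to fall back on if the compiler's inference about null-ness is wrong, which is why the post singles out null-check-based credential checks as the risky pattern and why applying MS11-044 is the actual fix.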

    Fermin Serna and Chengyun Chu, MSRC Engineering

  • MS11-050: IE9 is better

    Today, we released MS11-050, a cumulative security update for Internet Explorer to address several vulnerabilities in IE9.

    The following table lists the CVEs included in MS11-050, and whether each affects IE8 or IE9.

    | CVE | Rating | IE8 | IE9 |
    |---|---|---|---|
    | CVE-2011-1246 | Moderate | Yes | No |
    | CVE-2011-1258 | Moderate | Yes | No |
    | CVE-2011-1252 | Important | Yes | No |
    | CVE-2011-1256 | Important | Yes | No |
    | CVE-2011-1255 | Critical | Yes | No |
    | CVE-2011-1254 | Critical | Yes | No |
    | CVE-2011-1251 | Critical | Yes | No |
    | CVE-2011-1250 | Critical | Yes | Yes |
    | CVE-2011-1260 | Critical | Yes | Yes |
    | CVE-2011-1261 | Critical | Yes | Yes |
    | CVE-2011-1262 | Critical | Yes | Yes |

    As shown above, only a minor fraction of the vulnerabilities affecting IE8 (and earlier versions of the browser) still affect IE9. This is due to various factors related to security work that happened in IE8, ranging from deprecating obsolete features to improved fuzzing in IE9, and so on. For example, CVE-2011-1255 is related to HTML+TIME, which was deprecated during IE9 development.

    There are many beautiful things in IE9. Besides all these wonderful new features, we would also recommend that you update to IE9 if you can, for security. :)

    Chengyun Chu, MSRC Engineering