Security Research & Defense

Information from Microsoft about vulnerabilities, mitigations and workarounds, active attacks, security research, tools and guidance

February, 2013

  • Introducing ModSecurity IIS 2.7.2 Stable Release

    We are pleased to announce the release of a stable version of the open source web application firewall module ModSecurity IIS 2.7.2. Since the announcement of availability of the beta version in July 2012, we have been working very hard to bring the quality of the module up to enterprise-class product requirements. In addition to numerous reliability improvements, we have introduced the following changes since the first beta version was released:

    • optimized performance of request and response body handling
    • added “Include” directive, relative path and wildcard options to the configuration files
    • rewrote the installer code to avoid the .NET Framework dependency and added installation error messages to the system event log
    • integrated OWASP Core Rule Set in the MSI installer with IIS-specific configuration
    • fixed about 10 functional bugs reported by ModSecurity IIS users.

    Microsoft also recently released a TechNet article entitled "Security Best Practices to Protect Internet Facing Web Servers", which explains in detail the benefits of deploying a WAF module on a web server.

    Integrated OWASP Core Rule Set

    In version 2.7.2 of ModSecurity IIS we have included the OWASP Core Rule Set, pre-configured for the most common scenarios encountered on IIS servers. The rule set is installed into the c:\inetpub\wwwroot\owasp_crs directory, from which it can be included in any web.config file by adding:

    <ModSecurity enabled="true" configFile="owasp_crs\modsecurity_iis.conf" />

    The default configuration enables request body access, disables response body access, does not use the audit log, and sets the temporary files and data folder to c:\inetpub\temp. Users can enable or modify these and other features by uncommenting the appropriate ModSecurity directives in the modsecurity.conf or modsecurity_crs_10_setup.conf files.

    2012 Toolsmith Tool of the Year Award: ModSecurity for IIS

    Russ McRee over at HolisticInfosec held open voting in January for the 2012 Toolsmith Tool of the Year Award and ModSecurity for IIS won!

    We are glad that the Toolsmith readers found value in the IIS version of ModSecurity and we hope that it will help them to quickly mitigate emerging threats to their Microsoft IIS/ASP/.Net environments.

    Acknowledgements

    I would like to thank Nazim Lala and Ashish Kurmi from Microsoft for their help in module testing, Breno Silva and Ryan Barnett from Trustwave for continuous support of the IIS version, and Simon Kosinski for his valuable insights and suggestions.

    Greg Wroblewski, MSRC


  • EMET 3.0 support is now available for enterprise customers

    We are pleased to announce that as of today customers with access to Microsoft Services Premier and Professional Support can receive EMET-related technical assistance. This is an important step for us to better support professional and enterprise customers and answer questions related to EMET deployment, configuration, and troubleshooting. The support will be fee-based. Also, while there is support for EMET, servicing is done via version releases and there will be no hotfix support.

    EMET 3.0 is currently the only version for which support is offered through Microsoft Services Support channels.

    As we have since its inception, we will continue to provide support through the TechNet forums (http://social.technet.microsoft.com/Forums/en/emet/threads) for version 2.1 of EMET, as well as for consumers and all those who do not have a Premier or Professional contract.

    Remember to also visit our TechNet page, www.microsoft.com/emet, where you can find the latest articles, downloads and news related to EMET.

    - Gerardo Di Giacomo, MSRC

  • MS13-018: Hard to let go

    MS13-018 addresses a potential denial-of-service condition in the Windows TCP/IP stack. This vulnerability could be leveraged by an attacker in certain circumstances to exhaust a server’s non-paged pool, preventing it from making new TCP connections. The vulnerability is as follows:

    1. A Windows victim machine has a TCP/IP connection in the ESTABLISHED state to a remote attacker machine, and the Windows victim machine (not the attacker machine) sends a FIN packet to the remote attacker machine to initiate the connection teardown sequence, as outlined in RFC 793.
    2. The remote machine receives the FIN packet and replies with an ACK packet, but with the window size set to 0. The connection on the Windows victim machine stays “stuck” in the TCP FIN_WAIT_2 state.

    In this scenario, the Windows machine doesn’t release the non-paged pool data structures associated with this TCP connection. If steps 1 and 2 above occur repeatedly, it could potentially exhaust the Windows machine’s non-paged pool, leading to the inability to open new TCP connections. The below diagram shows the FIN_WAIT_2 state in which this connection gets stuck:

    [Diagram: the FIN_WAIT_2 state in which the connection gets stuck]

    To trigger this resource exhaustion vulnerability, the attacker would need to find a way to repeatedly establish TCP connections with the Windows victim machine and have the victim machine each time initiate the connection teardown sequence by sending a TCP FIN packet to the attacker machine.

    An internet-based attacker would, of course, be blocked by any existing firewalls. The internet-based attacker may also have a difficult time finding a way to cause a targeted application on a Windows-based victim machine to initiate the connection teardown sequence (by sending the FIN packet to the attacker machine). Further, we have determined that HTTP.sys, the stack upon which IIS resides, is not vulnerable to this issue. This issue is more likely to be exposed to attackers within the perimeter firewall.

    Below is a graph of the kernel’s non-paged pool usage when a custom script that executes the above steps repeatedly is run overnight:

    [Graph: kernel non-paged pool usage during the overnight run of the simulated attack]

    As shown above, the simulated attack consumes the victim’s non-paged pool up until the point that memory management mechanisms limit the usage and memory consumption plateaus. At this point, the resource exhaustion prevents any new TCP connections from being created, disrupting the server’s intended purpose.
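    One way a defender could watch for the symptom described above, as an added example that is not part of the original post or any Microsoft tool: the script parses "netstat -ano" style output (a constructed sample is embedded) and counts connections sitting in FIN_WAIT_2 per remote host, flagging peers that hold more than an assumed threshold of them.

```python
"""Count TCP connections stuck in FIN_WAIT_2 per remote peer (MS13-018 symptom).
Added example, not Microsoft's code: it parses 'netstat -ano' style text
(constructed sample below) rather than live socket state.
"""
import re
from collections import Counter

# Windows "netstat -ano" TCP row layout; IPv6 rows appear as [addr]:port.
_ROW = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)

def parse_netstat(text):
    """Return (local, remote, state, pid) tuples for every TCP row."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append((m["local"], m["remote"], m["state"], int(m["pid"])))
    return rows

def remote_host(addr):
    """Drop the port so all connections from one peer are counted together."""
    return addr.rsplit(":", 1)[0].strip("[]")

def fin_wait_2_by_peer(rows):
    """Count connections in FIN_WAIT_2 per remote host."""
    return Counter(remote_host(r) for _, r, state, _ in rows if state == "FIN_WAIT_2")

def suspicious_peers(rows, threshold=100):
    """Peers holding at least `threshold` half-closed connections (threshold is assumed)."""
    return sorted(h for h, n in fin_wait_2_by_peer(rows).items() if n >= threshold)

# Constructed sample: three stuck connections from 10.0.0.77, one healthy session.
SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:445           10.0.0.77:49152        FIN_WAIT_2      4
  TCP    10.0.0.5:445           10.0.0.77:49153        FIN_WAIT_2      4
  TCP    10.0.0.5:445           10.0.0.77:49154        FIN_WAIT_2      4
  TCP    10.0.0.5:3389          10.0.0.20:51000        ESTABLISHED     1234
  TCP    [fe80::1]:445          [fe80::9]:50000        FIN_WAIT_2      4
"""

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    for host, n in fin_wait_2_by_peer(rows).most_common():
        print(f"{host}: {n} connections in FIN_WAIT_2")
    print("suspicious peers (threshold 3):", suspicious_peers(rows, threshold=3))
```

    A real deployment would feed the script the output of netstat on a schedule and raise the threshold to suit the server's normal connection volume.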

    Thanks to Swamy Shivaganga Nagaraju for his investigative work on this case.

    - Neil Sikka, MSRC Engineering

  • Assessing risk for the February 2013 security updates

    Today we released twelve security bulletins addressing 57 CVEs. Five of the bulletins have a maximum severity rating of Critical, and seven have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

    Bulletin: MS13-010 (VML)
      Most likely attack vector: Victim browses to a malicious webpage.
      Max bulletin severity: Critical
      Max exploitability rating: 1
      Likely first 30 days impact: Has been leveraged as an address leak vulnerability in targeted attacks. Likely to see additional usage in next 30 days either as an info leak or potentially as a code execution vulnerability.
      Platform mitigations and key notes: VGX.dll only recently included in Internet Explorer cumulative updates. DLL originally shipped as an Office component. Depending on platform, MS13-009 may also include the fix. To be sure fix is available for all platforms, WU detection logic targets MS13-010 for all platforms, even those where MS13-009 is already installed.

    Bulletin: MS13-009 (Internet Explorer)
      Most likely attack vector: Victim browses to a malicious webpage.
      Max bulletin severity: Critical
      Max exploitability rating: 1
      Likely first 30 days impact: Likely to see reliable exploits developed within next 30 days.

    Bulletin: MS13-020 (OLEAUT32)
      Most likely attack vector: Victim opens a malicious RTF file with an embedded ActiveX control in either Word or Wordpad, resulting in potential code execution in the context of the logged-on user.
      Max bulletin severity: Critical
      Max exploitability rating: 1
      Likely first 30 days impact: Likely to see reliable exploits developed within next 30 days.
      Platform mitigations and key notes: Document-style attacks typically rated ‘Important’. However, this vulnerability in OLEAUT32.dll’s core memory management functions likely to be used by third party ActiveX controls. While we have not identified any Microsoft browser-based attack vector, third party ActiveX controls likely to expose this vulnerability within the browser.

    Bulletin: MS13-011 (Windows Media)
      Most likely attack vector: Victim with a third party codec installed browses to a malicious webpage.
      Max bulletin severity: Critical
      Max exploitability rating: 1
      Likely first 30 days impact: Likely to see reliable exploits developed within next 30 days. Less likely to see wide-spread attacks due to third party codec requirement.
      Platform mitigations and key notes: Vulnerability cannot be triggered without third party codec installed.

    Bulletin: MS13-012 (Oracle Outside In for Exchange)
      Most likely attack vector: Attacker sends email with malicious attachment and lures victim to view the attachment as a webpage within Outlook Web Access. The attacker could potentially compromise the server-side process generating the web page.
      Max bulletin severity: Critical
      Max exploitability rating: 2
      Likely first 30 days impact: Difficult to build reliable exploit code for these vulnerabilities.
      Platform mitigations and key notes: Oracle Outside In process runs at a lower privilege level, LocalService. For more background information, please see this SRD blog post.

    Bulletin: MS13-015 (.NET Framework)
      Most likely attack vector: Victim browses to a malicious intranet webpage that offers an XBAP or ClickOnce application.
      Max bulletin severity: Important
      Max exploitability rating: 1
      Likely first 30 days impact: Vulnerability itself is exploitable (hence the “1” rating). However, XBAP is disabled on IE9 and also in the Internet Zone on earlier versions of Internet Explorer. Therefore, less likely to see wide-spread exploitation.

    Bulletin: MS13-016 (Windows drivers [win32k.sys])
      Most likely attack vector: Attacker who is already running code on a machine uses one of these vulnerabilities to elevate from low-privileged account to SYSTEM.
      Max bulletin severity: Important
      Max exploitability rating: 2
      Likely first 30 days impact: Difficult to build reliable exploit code for these vulnerabilities.
      Platform mitigations and key notes: Same vulnerability present in 30 different win32k.sys functions, leading to high (30) CVE count.

    Bulletin: MS13-017 (Windows kernel)
      Most likely attack vector: Attacker who is already running code on a machine uses one of these vulnerabilities to elevate from low-privileged account to SYSTEM.
      Max bulletin severity: Important
      Max exploitability rating: 1
      Likely first 30 days impact: Likely to see reliable exploit code developed within next 30 days.

    Bulletin: MS13-019 (CSRSS)
      Most likely attack vector: Attacker who is already running code on a machine uses one of these vulnerabilities to elevate from low-privileged account to SYSTEM.
      Max bulletin severity: Important
      Max exploitability rating: 1
      Likely first 30 days impact: Difficult to build reliable exploit code for this vulnerability.

    Bulletin: MS13-013 (FAST Search Server for SharePoint)
      Most likely attack vector: Attacker having permission to upload malicious content to a SharePoint server does so, which is indexed by FAST Search Server, resulting in potential code execution in context of the restricted token used by the indexing service.
      Max bulletin severity: Important
      Max exploitability rating: 1
      Likely first 30 days impact: Likely to see reliable exploits developed within next 30 days.
      Platform mitigations and key notes: The SharePoint Advanced Filter Pack that leverages Oracle Outside In technology for indexing is not enabled by default. The process that SharePoint uses for indexing when it is enabled runs with a restricted token similar to the Office 2010 Protected View sandbox. For more information, please see this SRD blog post.

    Bulletin: MS13-018 (TCP/IP)
      Most likely attack vector: Attacker creates millions of TCP/IP connections to victim server in such a way that victim initiates connection teardown for each by sending FIN to attacker. Over time, victim’s non-paged pool is exhausted and victim is unable to create new network connections.
      Max bulletin severity: Important
      Max exploitability rating: n/a
      Likely first 30 days impact: Denial of Service only.
      Platform mitigations and key notes: Denial of service only – no chance for code execution. For more background on this issue, please see this SRD blog post.

    Bulletin: MS13-014 (NFS server role)
      Most likely attack vector: Attacker triggers denial of service condition on Windows server on which NFS server role has been activated.
      Max bulletin severity: Important
      Max exploitability rating: n/a
      Likely first 30 days impact: Denial of Service only.
      Platform mitigations and key notes: Does not affect servers without NFS server role.

    - Jonathan Ness, MSRC Engineering