eEye Digital Security Newsletter
February 13, 2007

Microsoft Patch Disclosure - February 2007

This month Microsoft released twelve bulletins which repair a total of twenty separate vulnerabilities. Six of these vulnerabilities were high-impact zero-day vulnerabilities that were being used in targeted attacks or had public exploit code released.

Five of the zero-day vulnerabilities affected Microsoft Office applications, while the sixth affected a common ActiveX control. This leaves six unpatched zero-day vulnerabilities in circulation at the moment, only two of which affect Office applications. Both the Professional and Personal versions of eEye's Blink client security software with anti-virus protected systems against these zero-day exploits prior to their public discovery. Blink does not require updated signatures or updated rule sets to provide this protection, unlike other host protection or anti-virus-only products.

Patch Precedence
Out of this month's patches, none are purely remote. However, one vulnerability (MS07-010) can be triggered without user interaction, because the affected engine scans inbound mail on Exchange and SMTP servers. Therefore, even though this is not technically a remote vulnerability, an intelligent attacker can use a remote vector against forward-facing IP addresses used for mail exchange.
The most critical client-side patch this month is MS07-014: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (929434). This bulletin patches six separate code execution vulnerabilities, four of which were publicly disclosed as zero-day vulnerabilities prior to this patch.
The least important patch this month is MS07-007. This is a local privilege escalation vulnerability with no published exploit code, and it involves a service that is normally disabled in most enterprise environments. However, this vulnerability should still be taken seriously in environments that use the Windows Image Acquisition service.

As always, eEye suggests that users roll out these patches as fast as possible, preferably after testing the impact on internal applications and network continuity.


This Month's Bulletins

Critical
  • MS07-008 - Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution
  • MS07-009 - Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution
  • MS07-010 - Vulnerability in Microsoft Malware Protection Engine Could Allow Remote Code Execution
  • MS07-014 - Vulnerabilities in Microsoft Word Could Allow Remote Code Execution
  • MS07-015 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
  • MS07-016 - Cumulative Security Update for Internet Explorer
Important
  • MS07-005 - Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution
  • MS07-006 - Vulnerability in Windows Shell Could Allow Elevation of Privilege
  • MS07-007 - Vulnerability in Windows Image Acquisition Service Could Allow Elevation of Privilege
  • MS07-011 - Vulnerability in Microsoft OLE Dialog Could Allow Remote Code Execution
  • MS07-012 - Vulnerability in Microsoft MFC Could Allow Remote Code Execution
  • MS07-013 - Vulnerability in Microsoft RichEdit Could Allow Remote Code Execution

Bulletin Summary

MS07-005
Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (923723)
http://www.microsoft.com/technet/security/bulletin/MS07-005.mspx

Microsoft Severity Rating: Important
eEye Severity Rating: High

Description
This patch fixes one vulnerability within Step-by-Step Interactive Training which may allow for a remote attacker to execute arbitrary code.
  • CVE-2006-3448 - Interactive Training Vulnerability
    A remote code execution vulnerability exists in Step-by-Step Interactive Training because of the way that Step-by-Step Interactive Training handles bookmark link files. The vulnerability is caused by an unchecked buffer in the process that is used by Step-by-Step Interactive Training to validate bookmark link files.
The exploitation of this vulnerability requires user interaction by opening a malicious bookmark link file (.cbo). This file could be delivered any number of ways including e-mail or a website. Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

Recommendations
eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible. This patch also removes the file association between .CBO files and Step-by-Step Interactive Training, which reduces the attack surface for further vulnerabilities in the same component.



MS07-006
Vulnerability in Windows Shell Could Allow Elevation of Privilege (928255)
http://www.microsoft.com/technet/security/bulletin/MS07-006.mspx

Microsoft Severity Rating: Important
eEye Severity Rating: Medium

Description
This patch fixes one vulnerability within Windows Shell which may allow for a logged in attacker to elevate his or her privileges to SYSTEM regardless of the original credentials used to log into the system.
  • CVE-2007-0211 - Windows Shell Hardware Detection Vulnerability
    A privilege elevation vulnerability exists in Windows Shell in the way that the operating system performs detection and registration of new hardware.
Exploiting this vulnerability requires that the attacker already be able to run executables on the host as a logged-in user. In many Terminal Services environments this is common practice. It can also be chained with a user-level exploit (e.g. a browser or Office vulnerability), allowing remotely delivered malware to elevate its privileges to SYSTEM and compromise the system completely.

Recommendations
eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible. Patch prioritization would dictate that hosts with Terminal Services enabled or other hosts which may allow for public logins should be the first hosts to receive this patch.



MS07-007
Vulnerability in Windows Image Acquisition Service Could Allow Elevation of Privilege (927802)
http://www.microsoft.com/technet/security/bulletin/MS07-007.mspx

Microsoft Severity Rating: Important
eEye Severity Rating: Medium

Description
This patch fixes one vulnerability within Windows Image Acquisition Service which may allow for a logged in attacker to elevate his or her privileges to SYSTEM regardless of the original credentials used to log into the system.
  • CVE-2007-0210 - Windows Image Acquisition Vulnerability
    A privilege elevation vulnerability exists in Windows XP Service Pack 2 due to an unchecked buffer in the way that the Windows Image Acquisition Service starts applications. This vulnerability could allow a logged on user to take complete control of the system.
Exploiting this vulnerability requires that the attacker already be able to run executables on the host as a logged-in user. In many Terminal Services environments this is common practice. It can also be chained with a user-level exploit (e.g. a browser or Office vulnerability), allowing remotely delivered malware to elevate its privileges to SYSTEM and compromise the system completely.

Recommendations
Patch Prioritization: Lowest Impact
eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible. On enterprise networks the Windows Image Acquisition service is seldom used and should be disabled by default, which mitigates this vulnerability.



MS07-008
Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution (928843)
http://www.microsoft.com/technet/security/bulletin/MS07-008.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: High

Description
This patch fixes one vulnerability within the HTML Help ActiveX control which may allow a remote attacker to execute arbitrary code under the context of the logged in user.
  • CVE-2007-0214 - HTML Help ActiveX Control Vulnerability
    A remote code execution vulnerability exists in the HTML Help ActiveX control.
The exploitation of this vulnerability requires user interaction by visiting a website or following a hyperlink. Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

Recommendations
eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible. No public exploit exists for this vulnerability and it might prove difficult to exploit, although not impossible. For temporary mitigation, administrators can set the kill bit for the CLSID (52a2aaae-085d-4187-97ea-8c30db990436) of this ActiveX control to block any attempt to instantiate it from Internet Explorer. However, since this control is used often by Microsoft applications, eEye Research suggests rolling out the patch as the primary solution for this vulnerability.



MS07-009
Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution (927779)
http://www.microsoft.com/technet/security/bulletin/MS07-009.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: High

Description
This patch fixes one vulnerability within the Microsoft Data Access Components ActiveX control which may allow a remote attacker to execute arbitrary code under the context of the logged in user.
  • CVE-2006-5559 - Microsoft Windows MDAC ActiveX Vulnerability (Zero-Day)
    A remote code execution vulnerability exists in the ADODB.Connection ActiveX control that is provided as part of the ActiveX Data Objects (ADO) and that is distributed in MDAC. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
    This vulnerability was originally released as a zero-day denial of service, but was later proved to be exploitable by eEye Research. Details can be found here: eEye ZDT - ADODB.Connection ActiveX.
The exploitation of this vulnerability requires user interaction by visiting a website or following a hyperlink. Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

Recommendations
For temporary mitigation, administrators can set the kill bit for the CLSID (00000514-0000-0010-8000-00AA006D2EA4) of this ActiveX control to block any attempt to instantiate it from Internet Explorer.
However, since the zero-day proof-of-concept for this vulnerability has been in the wild for quite some time, we suggest rolling out the patch as soon as possible to avoid exploitation. Users who set the kill bit on this CLSID when the zero-day was released should remove it after applying the patch so that applications that depend on the control work again.
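The kill-bit mitigation recommended for MS07-008 and MS07-009 above is a registry change: Internet Explorer refuses to instantiate a control whose CLSID has the 0x400 bit set in the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The following PowerShell script is an added example written for this newsletter, not eEye's or Microsoft's own tooling; the function names and the read-modify-write approach are the editor's choice. It sets, verifies and, for use after the patch is installed, removes the kill bit for the two CLSIDs named in the bulletins above. Run it from an elevated prompt.

```powershell
# Added example (not eEye's or Microsoft's code): manage the IE ActiveX kill bit.
# A CLSID is "kill-bitted" when bit 0x400 is set in its "Compatibility Flags" DWORD.
# Run from an elevated (Administrator) PowerShell prompt.

$KillBitFlag = 0x400
$CompatBase  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# CLSIDs named in this newsletter (MS07-008 and MS07-009).
$HhctrlClsid = '52a2aaae-085d-4187-97ea-8c30db990436'   # HTML Help ActiveX control
$AdodbClsid  = '00000514-0000-0010-8000-00AA006D2EA4'   # ADODB.Connection (MDAC)

function Get-CompatFlags {
    # Returns the current Compatibility Flags value for a CLSID, or 0 if none is set.
    param([string]$Clsid)
    $key = Join-Path $CompatBase "{$Clsid}"
    if (-not (Test-Path $key)) { return 0 }
    $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    # True when the kill bit is set for the CLSID.
    param([string]$Clsid)
    return ((Get-CompatFlags $Clsid) -band $KillBitFlag) -ne 0
}

function Set-KillBit {
    # OR the kill bit into the existing flags so other compatibility flags survive.
    param([string]$Clsid)
    $key = Join-Path $CompatBase "{$Clsid}"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $new = (Get-CompatFlags $Clsid) -bor $KillBitFlag
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Remove-KillBit {
    # Clear only the kill bit; use after the patch is installed if the control is still needed.
    param([string]$Clsid)
    $key = Join-Path $CompatBase "{$Clsid}"
    if (-not (Test-Path $key)) { return }
    $new = (Get-CompatFlags $Clsid) -band (-bnot $KillBitFlag)
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Apply the temporary mitigation to both controls and report the result.
foreach ($clsid in @($HhctrlClsid, $AdodbClsid)) {
    Set-KillBit $clsid
    '{0}  kill bit set: {1}' -f $clsid, (Test-KillBit $clsid)
}
```

Two caveats a practitioner should keep in mind. On 64-bit Windows the 32-bit Internet Explorer reads the same key under HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so set the bit in both hives. The kill bit is honored by Internet Explorer and by hosts that consult the ActiveX Compatibility list; it does not stop a control from being loaded by other COM clients, which is why the bulletins above recommend the patch as the primary fix.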



MS07-010
Vulnerability in Microsoft Malware Protection Engine Could Allow Remote Code Execution (932135)
http://www.microsoft.com/technet/security/bulletin/MS07-010.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: High

Description
This patch fixes one vulnerability within the Microsoft Malware Protection Engine which may allow a remote attacker to execute arbitrary code. This engine is used by eight separate Microsoft security products.
  • CVE-2006-5270 - Microsoft Malware Protection Engine Vulnerability
    A remote code execution vulnerability exists in the Microsoft Malware Protection Engine because of the way that it parses Portable Document Format (PDF) files. An attacker could exploit the vulnerability by constructing a specially crafted PDF File that could potentially allow remote code execution when the target computer system receives, and the Microsoft Malware Protection Engine scans, the PDF file.
Exploiting this vulnerability requires little to no user interaction depending on the target. For a desktop user, the malicious PDF must reach the machine (for example as an attachment or download) so that the locally installed engine scans it. Against an Exchange or SMTP server running one of the affected products, however, the attacker simply mails the PDF; the engine scans it automatically on receipt, which would allow the attacker to compromise the entire Exchange server remotely.

Recommendations
Patch Prioritization: Highest Potential Remote Impact
eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible. Patch prioritization would dictate that remotely accessible hosts (Exchange, SMTP, etc) should be patched first as they require no user interaction for exploitation.



MS07-011
Vulnerability in Microsoft OLE Dialog Could Allow Remote Code Execution (926436)
http://www.microsoft.com/technet/security/bulletin/MS07-011.mspx

Microsoft Severity Rating: Important
eEye Severity Rating: High

Description
This patch fixes one vulnerability within the Microsoft OLE Dialog component which may allow a remote attacker to execute arbitrary code under the context of the logged in user.
  • CVE-2007-0026 - OLE Dialog Memory Corruption Vulnerability
    A remote code execution vulnerability exists in the OLE Dialog component provided with Microsoft Windows. An attacker could attempt to exploit this vulnerability when a user interacts with a malformed embedded OLE object within a Rich Text Format (RTF) file.
The exploitation of this vulnerability requires user interaction by opening a malicious RTF file. This file could be delivered any number of ways including e-mail or a website. Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

Recommendations
Since this vulnerability has multiple attack vectors depending on the application that is tied to .RTF files, eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible.



MS07-012
Vulnerability in Microsoft MFC Could Allow Remote Code Execution (924667)
http://www.microsoft.com/technet/security/bulletin/MS07-012.mspx

Microsoft Severity Rating: Important
eEye Severity Rating: High

Description
This patch fixes one vulnerability within Microsoft MFC which may allow for a remote attacker to execute arbitrary code under the context of the logged in user.
  • CVE-2007-0025 - MFC Memory Corruption Vulnerability
    A remote code execution vulnerability exists in the MFC component provided with Microsoft Windows and Visual Studio. An attacker could exploit this vulnerability when a user interacts with a malformed embedded OLE object within a Rich Text Format (RTF) file.
The exploitation of this vulnerability requires user interaction by opening a malicious RTF file. This file could be delivered any number of ways including e-mail or a website. Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

Recommendations
Since this vulnerability has multiple attack vectors depending on the application that is tied to .RTF files, eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible.



MS07-013
Vulnerability in Microsoft RichEdit Could Allow Remote Code Execution (918118)
http://www.microsoft.com/technet/security/bulletin/MS07-013.mspx

Microsoft Severity Rating: Important
eEye Severity Rating: High

Description
This patch fixes one vulnerability within Microsoft RichEdit which may allow for a remote attacker to execute arbitrary code under the context of the logged in user.
  • CVE-2006-1311 - Microsoft RichEdit Vulnerability
    A remote code execution vulnerability exists in the RichEdit components provided with Microsoft Windows and Microsoft Office. An attacker could exploit this vulnerability when a user interacts with a malformed embedded OLE object within a Rich Text Format (RTF) file.
The exploitation of this vulnerability requires user interaction by opening a malicious RTF file. This file could be delivered any number of ways including e-mail or a website. Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

Recommendations
Since this vulnerability has multiple attack vectors depending on the application that is tied to .RTF files, eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible.



MS07-014
Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (929434)
http://www.microsoft.com/technet/security/bulletin/MS07-014.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: High

Description
This patch fixes six vulnerabilities within Microsoft Word which may allow for a remote attacker to execute arbitrary code.
  • CVE-2006-5994 - Word Malformed String Vulnerability (Zero-Day)
    A remote code execution vulnerability exists in the way Microsoft Word handles Word files with a specially crafted string.
    This vulnerability was originally released as a public zero-day and was tracked by the eEye Zero-Day Tracker. Details can be found here: eEye ZDT - Word Unspecified Exploit.

  • CVE-2006-6456 - Word Malformed Data Structures Vulnerability (Zero-Day)
    A remote code execution vulnerability exists in the way Microsoft Word handles Word files with a specially crafted data structure.
    This vulnerability was originally released as a public zero-day and was tracked by the eEye Zero-Day Tracker. Details can be found here: eEye ZDT - Word Unspecified Exploit(2).

  • CVE-2007-0515 - Word Malformed Function Vulnerability (Zero-Day)
    A remote code execution vulnerability exists in Microsoft Word.
    This vulnerability was originally released as a public zero-day and was tracked by the eEye Zero-Day Tracker. Details can be found here: eEye ZDT - Word Unspecified Exploit(3).

  • CVE-2006-6561 - Word Count Vulnerability (Zero-Day)
    A remote code execution vulnerability exists in Microsoft Word. An attacker could exploit this vulnerability when Word parses a file and processes an unchecked count.
    This vulnerability was originally released as a public zero-day and was tracked by the eEye Zero-Day Tracker. Details can be found here: eEye ZDT - Word 12122006-djtest.doc.

  • CVE-2007-0208 - Word Macro Vulnerability
    A remote code execution vulnerability exists in Microsoft Word.

  • CVE-2007-0209 - Word Malformed Drawing Object Vulnerability
    A remote code execution vulnerability exists in Microsoft Word.
The exploitation of these vulnerabilities requires user interaction by opening a malicious Word file. This file could be delivered any number of ways including e-mail or a website. Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

Recommendations
Patch Prioritization: Highest Client Side Impact
Since exploits for several of these vulnerabilities have been publicly available for quite some time, eEye Research suggests that vulnerable hosts be patched for these vulnerabilities as soon as possible.



MS07-015
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (932554)
http://www.microsoft.com/technet/security/bulletin/MS07-015.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: High

Description
This patch fixes two vulnerabilities within Microsoft Office which may allow for a remote attacker to execute arbitrary code under the context of the logged in user.
  • CVE-2006-3877 - PowerPoint Malformed Record Memory Corruption Vulnerability
    A remote code execution vulnerability exists in PowerPoint and could be exploited when PowerPoint opened a specially crafted file.

  • CVE-2007-0671 - Excel Malformed Record Vulnerability
    A remote code execution vulnerability exists in Excel and could be exploited when Excel opened a specially crafted file.
    This vulnerability was originally released as a public zero-day and was tracked by the eEye Zero-Day Tracker. Details can be found here: eEye ZDT - Office Unspecified Exploit.
The exploitation of these vulnerabilities requires user interaction by opening a malicious Office file. This file could be delivered any number of ways including e-mail or a website. Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

Recommendations
Since one of these vulnerabilities was being publicly exploited in the wild, eEye Research suggests that vulnerable hosts be patched for these vulnerabilities as soon as possible.



MS07-016
Cumulative Security Update for Internet Explorer (928090)
http://www.microsoft.com/technet/security/bulletin/MS07-016.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: High

Description
This patch fixes three vulnerabilities within Internet Explorer which may allow for a remote attacker to execute arbitrary code.
  • CVE-2006-4697 - COM Object Instantiation Memory Corruption Vulnerability
    A remote code execution vulnerability exists in the way Internet Explorer instantiates COM objects that are not intended to be instantiated in Internet Explorer.

  • CVE-2007-0219 - COM Object Instantiation Memory Corruption Vulnerability
    A remote code execution vulnerability exists in the way Internet Explorer instantiates COM objects that are not intended to be instantiated in Internet Explorer.

  • CVE-2007-0217 - FTP Server Response Parsing Memory Corruption Vulnerability
    A remote code execution vulnerability exists in the way Internet Explorer interprets certain responses from FTP servers.
The exploitation of these vulnerabilities requires user interaction by visiting a website or following a hyperlink (including an FTP link, in the case of CVE-2007-0217). Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

Recommendations
Although exploit code for these vulnerabilities has not been released, eEye Research suggests that vulnerable hosts be patched for them as soon as possible.




The eEye Advantage

Retina® Network Security Scanner
eEye Digital Security's Retina® customers can update their scanner to detect systems vulnerable to these issues and verify if this month's Microsoft patches are installed. Retina audits are available to customers via Auto-Update. To view a list of the corresponding audits, please visit:
http://www.eeye.com/html/mspatch/february2007.html#audits

Blink® Endpoint Vulnerability Prevention
eEye's line of Blink® with Anti-Virus unified client security software protects against the potential exploitation of these flaws without requiring invasive firewalling, which could limit system functionality and connectivity. Additionally, Blink does not require the disabling of services or applications as a means of protection. The result is complete protection, with zero downtime or impact to critical business or personal system operations.

Current Blink customers aren't required to do anything to realize the protection from these flaws. No updates or policy changes are required. If you are interested in protecting your systems with Blink, an evaluation version is available for download here:
http://www.eeye.com/html/products/blink/download/index.html

Online Seminar: Vulnerability Expert Forum
As a service to the network security community, the eEye Research Team conducts a Vulnerability Expert Forum web seminar during the second week of every month. eEye will host this month's forum on Wednesday of this week. This forum enables participants to stay current on the potential risks and remediation requirements of the patches announced today, by exploring the effects that high-risk vulnerabilities and exploits have on network environments and infrastructures.