eEye Digital Security Newsletter
August 14, 2007

Microsoft Patch Disclosure - August 2007

This month Microsoft released nine bulletins that repair a total of 14 vulnerabilities. None of these bulletins resolves the three outstanding Microsoft denial-of-service zero-day vulnerabilities. Both eEye's Blink® Professional and Blink® Personal client security software with anti-virus protected systems against these zero-day exploits prior to their discovery. Blink does not require updated signatures or updated rule sets to provide protection, unlike other host-protection or anti-virus-only products.

Patch Precedence
Of the nine bulletins this month, eight address vulnerabilities that can be exploited over the Internet to execute arbitrary code; the ninth (MS07-049) is a local elevation of privilege. The flaws with the highest impact and the highest potential for exploitation are marked "Highest Impact" in the summaries below. Depending on the operating systems and applications in your network, identify which of your systems are vulnerable to attack for each patch and use your standard patch precedence process to build the rollout plan.

As always, eEye suggests that users roll out these patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please check tomorrow's Vulnerability Expert Forum.


This Month's Bulletins

Critical
  • MS07-042 - Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution
  • MS07-043 - Vulnerability in OLE Automation Could Allow Remote Code Execution
  • MS07-044 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
  • MS07-045 - Cumulative Security Update for Internet Explorer
  • MS07-046 - Vulnerability in GDI Could Allow Remote Code Execution
  • MS07-050 - Vulnerability in Vector Markup Language Could Allow Remote Code Execution
Important
  • MS07-047 - Vulnerabilities in Windows Media Player Could Allow Remote Code Execution
  • MS07-048 - Vulnerabilities in Windows Gadgets Could Allow Remote Code Execution
  • MS07-049 - Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege

Bulletin Summary

MS07-042
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (936227)
http://www.microsoft.com/technet/security/bulletin/MS07-042.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: High

Description
This patch fixes one vulnerability within Microsoft XML Core Services. This vulnerability allows for remote code execution as the logged in user.
  • CVE-2007-2223 - Microsoft XML Core Services Vulnerability
    A remote code execution vulnerability exists in Microsoft XML Core Services that could allow an attacker who successfully exploited this vulnerability to make changes to the system with the permissions of the logged-on user.

The exploitation of this vulnerability requires user interaction by visiting a website or following a hyperlink. Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

Recommendations
Although exploit code for this vulnerability has not been released, eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible.



MS07-043
Vulnerability in OLE Automation Could Allow Remote Code Execution (921503)
http://www.microsoft.com/technet/security/bulletin/MS07-043.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: High

Description
This patch fixes one vulnerability within Microsoft OLE Automation. This vulnerability allows for remote code execution as the logged in user.
  • CVE-2007-2224 - OLE Automation Memory Corruption Vulnerability
    A remote code execution vulnerability exists in Object Linking and Embedding (OLE) Automation that could allow an attacker who successfully exploited this vulnerability to make changes to the system with the permissions of the logged-on user.

The exploitation of this vulnerability requires user interaction by visiting a website or following a hyperlink. Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

Recommendations
Although exploit code for this vulnerability has not been released, eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible.



MS07-044
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (940965)
http://www.microsoft.com/technet/security/bulletin/MS07-044.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: High

Description
This patch fixes one vulnerability within Excel. This vulnerability allows for remote code execution as the logged in user.
  • CVE-2007-3890 - Workspace Memory Corruption Vulnerability
    A remote code execution vulnerability exists in the way Excel handles malformed Excel files. An attacker could exploit the vulnerability by sending a malformed file which could be included as an e-mail attachment, or hosted on a malicious or compromised Web site.

The exploitation of this vulnerability requires user interaction by opening a malicious Excel file. This file could be delivered any number of ways including e-mail or a website. Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

Recommendations
Although exploit code for this vulnerability has not been released, eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible.



MS07-045
Cumulative Security Update for Internet Explorer (937143)
http://www.microsoft.com/technet/security/bulletin/MS07-045.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: High

Description
This patch fixes three vulnerabilities within Internet Explorer. All of the vulnerabilities allow for remote code execution as the logged in user.
  • CVE-2007-0943 - CSS Memory Corruption Vulnerability
    A remote code execution vulnerability exists in the way Internet Explorer parses certain strings in CSS. An attacker could exploit the vulnerability by constructing a specially crafted Web page.

  • CVE-2007-2216 - ActiveX Object Vulnerability
    A remote code execution vulnerability exists in the ActiveX control tblinf32.dll, which also ships under the name vstlbinf.dll. Neither component was ever intended to be instantiated in Internet Explorer.

  • CVE-2007-3041 - ActiveX Object Memory Corruption Vulnerability
    A remote code execution vulnerability exists in the ActiveX object, pdwizard.ocx. An attacker could exploit the vulnerability by constructing a specially crafted Web page.

The exploitation of these vulnerabilities requires user interaction by visiting a website or following a hyperlink. Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

Recommendations
eEye Research suggests that vulnerable hosts be patched for these vulnerabilities as soon as possible. None of the three has a public exploit, and they may prove difficult, although not impossible, to exploit. For temporary mitigation, administrators can set the kill bit for the following CLSIDs so that Internet Explorer refuses to instantiate the affected ActiveX controls (the first three belong to tblinf32.dll/vstlbinf.dll, the last to pdwizard.ocx):

{8B217746-717D-11CE-AB5B-D41203C10000}
{8B217752-717D-11CE-AB5B-D41203C10000}
{8B21775E-717D-11CE-AB5B-D41203C10000}
{0DDF3B5C-E692-11D1-AB06-00AA00BDD685}

However, since these ActiveX controls are often used by custom applications that host the browser control, eEye Research suggests rolling out the patch as the primary solution for these vulnerabilities.



MS07-046
Vulnerability in GDI Could Allow Remote Code Execution (938829)
http://www.microsoft.com/technet/security/bulletin/MS07-046.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: High

Description
This patch fixes one vulnerability within Windows discovered by eEye Research. This vulnerability allows for remote code execution as the logged in user.
  • CVE-2007-3034 - Remote Code Execution Vulnerability in GDI
    A remote code execution vulnerability exists in the Graphics Rendering Engine because of the way that it handles specially crafted images. An attacker could exploit the vulnerability with a specially crafted image, delivered for example as an e-mail attachment or embedded in a Web page, that allows remote code execution when the image is rendered.

The exploitation of this vulnerability requires user interaction by visiting a website, following a hyperlink, or viewing any document or message with an embedded Windows metafile. Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

Recommendations
Patch Prioritization: Highest Impact
eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible. For temporary mitigation, users can use the protection introduced in MS07-017 to disable Windows metafile processing by setting the following registry value (note that this disables metafile rendering for every GDI application on the system, not just the browser or mail client, and should be reverted once the patch is installed):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles (DWORD) = 1
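
The following PowerShell script is an added example and is not code from eEye or from the Microsoft bulletins. It applies and verifies the two temporary mitigations described in this newsletter: the kill bits for the four MS07-045 CLSIDs listed above, and the MS07-017 DisableMetaFiles value for MS07-046. It assumes the documented kill-bit mechanism (a "Compatibility Flags" DWORD under the ActiveX Compatibility key with bit 0x400 set) and an elevated prompt; the function names are the example's own.

```powershell
# Added example, not from the eEye newsletter or the Microsoft bulletins.
# Applies the MS07-045 kill bits and the MS07-046/MS07-017 DisableMetaFiles
# workaround, then reports their state. Run elevated, on a test system first.
# On 64-bit Windows, 32-bit Internet Explorer reads the same keys under
# HKLM:\SOFTWARE\Wow6432Node\...; repeat the kill-bit step there as well.

$AxCompat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$GreInit  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize'
$KillBit  = 0x400   # "Compatibility Flags" bit that tells IE never to load the control (KB240797)

# CLSIDs from the MS07-045 workaround: tblinf32.dll/vstlbinf.dll (first three), pdwizard.ocx (last).
$Clsids = @(
    '{8B217746-717D-11CE-AB5B-D41203C10000}',
    '{8B217752-717D-11CE-AB5B-D41203C10000}',
    '{8B21775E-717D-11CE-AB5B-D41203C10000}',
    '{0DDF3B5C-E692-11D1-AB06-00AA00BDD685}'
)

function Get-CompatFlags {
    # Returns the current Compatibility Flags for a CLSID, or 0 if none are set.
    param([string]$Clsid)
    $key = Join-Path $AxCompat $Clsid
    if (-not (Test-Path $key)) { return 0 }
    $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Set-KillBit {
    param([string]$Clsid)
    $key = Join-Path $AxCompat $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the bit in rather than overwrite, so any other compatibility flags survive.
    $flags = (Get-CompatFlags $Clsid) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

function Test-KillBit {
    # True when the kill bit is present, whatever other flags are set.
    param([string]$Clsid)
    return (((Get-CompatFlags $Clsid) -band $KillBit) -ne 0)
}

function Set-DisableMetaFiles {
    # 1 blocks metafile rendering in GDI for every process on the machine;
    # 0 restores normal behaviour once MS07-046 has been deployed.
    param([int]$Value = 1)
    if (-not (Test-Path $GreInit)) { New-Item -Path $GreInit -Force | Out-Null }
    Set-ItemProperty -Path $GreInit -Name 'DisableMetaFiles' -Value $Value -Type DWord
}

# --- apply both mitigations ---
foreach ($c in $Clsids) { Set-KillBit $c }
Set-DisableMetaFiles -Value 1

# --- verify: each CLSID should report killbit=True, DisableMetaFiles should read 1 ---
foreach ($c in $Clsids) {
    '{0}  killbit={1}  flags=0x{2:X}' -f $c, (Test-KillBit $c), (Get-CompatFlags $c)
}
'DisableMetaFiles={0}' -f (Get-ItemProperty -Path $GreInit -Name 'DisableMetaFiles').'DisableMetaFiles'
```

Two caveats follow from the text above. The kill bits also stop custom applications that host the browser control from loading these components, so if such an application breaks, deploy the MS07-045 patch and remove the kill bits rather than leaving the controls unpatched. DisableMetaFiles is global to GDI, so restart affected applications (or reboot) for it to take effect everywhere, and run Set-DisableMetaFiles -Value 0 after MS07-046 is installed.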

Resources
eEye Research Advisory



MS07-047
Vulnerabilities in Windows Media Player Could Allow Remote Code Execution (936782)
http://www.microsoft.com/technet/security/bulletin/MS07-047.mspx

Microsoft Severity Rating: Important
eEye Severity Rating: Medium

Description
This patch fixes two vulnerabilities within Windows Media Player. Both of the vulnerabilities allow for remote code execution as the logged in user.
  • CVE-2007-3037 - Windows Media Player Code Execution Vulnerability Parsing Skins
    A code execution vulnerability exists in the way Windows Media Player parses skin files.

  • CVE-2007-3035 - Windows Media Player Code Execution Vulnerability Decompressing Skins
    A remote code execution vulnerability exists in the way Windows Media Player decompresses skin files; an attacker who successfully exploited this vulnerability could take complete control of an affected system.

The exploitation of these vulnerabilities requires user interaction by opening a malicious Windows Media Player Skin file (.WMD, .WMZ). This file could be delivered any number of ways including e-mail or a website. Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

Recommendations
Although exploit code for these vulnerabilities has not been released, eEye Research suggests that vulnerable hosts be patched for these vulnerabilities as soon as possible. The suggested workaround of disassociating the skin file extensions and unregistering wmp.dll would take as much time and effort as applying the patch directly. Patch application should only be delayed in cases where the new wmp.dll may break internal applications.



MS07-048
Vulnerabilities in Windows Gadgets Could Allow Remote Code Execution (938123)
http://www.microsoft.com/technet/security/bulletin/MS07-048.mspx

Microsoft Severity Rating: Important
eEye Severity Rating: Medium

Description
This patch fixes three vulnerabilities within Windows Vista Gadgets. All of the vulnerabilities allow for remote code execution as the logged in user.
  • CVE-2007-3033 - Windows Vista Feed Headlines Gadget Could Allow Remote Code Execution
    A remote code execution vulnerability exists in Windows Vista Feed Headlines Gadgets that could allow a remote anonymous attacker to run code with the privileges of the logged on user.

  • CVE-2007-3032 - Windows Vista Contacts Gadget Could Allow Code Execution
    A code execution vulnerability exists in Windows Vista Contacts Gadget that could allow an attacker to run code with the privileges of the logged on user.

  • CVE-2007-3891 - Windows Vista Weather Gadget Could Allow Remote Code Execution
    A remote code execution vulnerability exists in Windows Vista Weather Gadgets that could allow an attacker to run code with the privileges of the logged on user.

The exploitation of these vulnerabilities requires little direct user interaction, but does require that the affected gadgets be running in the Sidebar, which is not the case on every Vista installation. Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

Recommendations
Patch Prioritization: Lowest Impact
Although exploit code for these vulnerabilities has not been released, eEye Research suggests that vulnerable hosts be patched for these vulnerabilities as soon as possible. Furthermore, the use of tools such as Sidebar gadgets should first be approved as necessary for the corporate environment before being enabled on systems. The Sidebar can be disabled through Group Policy as outlined in the Microsoft bulletin.



MS07-049
Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (937986)
http://www.microsoft.com/technet/security/bulletin/MS07-049.mspx

Microsoft Severity Rating: Important
eEye Severity Rating: High

Description
This patch fixes one vulnerability within Microsoft Virtual PC and Virtual Server. This vulnerability allows an attacker to "break out" of a guest operating system in order to run code on the system hosting the virtual machine.
  • CVE-2007-0948 - Virtual PC and Virtual Server Heap Overflow Vulnerability
    An elevation of privilege vulnerability exists in Microsoft Virtual PC and Microsoft Virtual Server that could allow a user with administrator permissions on the guest operating system to run code on the host operating system or on other guest operating systems. An attacker with administrator permissions on the guest could exploit the vulnerability by running specially crafted code on the guest, resulting in a heap overflow on the host or other guests. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

The exploitation of this vulnerability requires administrator privileges on the guest operating system in order to launch the attack. Following a successful attack, however, the attacker could fully compromise the hosting server, thereby taking over all hosted virtual machines, or perform any other malicious action against the host.

Recommendations
Although exploit code for this vulnerability has not been released, eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible.



MS07-050
Vulnerability in Vector Markup Language Could Allow Remote Code Execution (938127)
http://www.microsoft.com/technet/security/bulletin/MS07-050.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: High

Description
This patch fixes one vulnerability, discovered by eEye Research, within the Vector Markup Language (VML) implementation used by Internet Explorer. This vulnerability allows for remote code execution as the logged in user.
  • CVE-2007-1749 - VML Buffer Overrun Vulnerability
    A remote code execution vulnerability exists in the Vector Markup Language (VML) implementation in Microsoft Windows. An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail. When a user views the Web page or the message, the vulnerability could allow remote code execution.

The exploitation of this vulnerability requires user interaction by visiting a website or following a hyperlink. Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

Recommendations
Patch Prioritization: Highest Impact
eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible.

Resources
eEye Research Advisory




The eEye Advantage

Retina® Network Security Scanner
eEye Digital Security's Retina® customers can update their scanner to detect systems vulnerable to these latest issues and verify this month's Microsoft patches are installed. Updated Retina audits are automatically available to eEye Retina customers via Auto-Update. To view a list of the corresponding audits, please visit:
http://www.eeye.com/html/mspatch/august2007.html#audits

Blink® Unified Client Security
eEye's line of Blink® with Anti-Virus software protects against the potential exploitation of these flaws without requiring invasive firewalling that could limit system functionality and business connectivity, as Blink does not require the disabling of services or applications as a means of protection. The result is complete protection for the system and the sensitive data that resides on it, with zero downtime or impact to critical system operations.

Current Blink customers aren't required to do anything to realize the protection from these flaws. No updates or policy changes are required. Both Blink Professional and Blink Personal now include multiple integrated anti-virus engines. Blink Personal is available for free for one year for personal use and can be downloaded at: http://www.eeye.com/blinkpersonal/. Business users can download a trial version of Blink Professional at
http://www.eeye.com/blink/

Online Seminar: Vulnerability Expert Forum
As a service to the network security community, the eEye Research Team conducts a Vulnerability Expert Forum web seminar during the second week of every month. eEye will host this month's forum on Wednesday of this week. This forum enables participants to stay current on the potential risks and remediation requirements of the patches announced today, by exploring the effects that high-risk vulnerabilities and exploits have on network environments and infrastructures.
To register, visit http://www.eeye.com/html/events/web/VEF.html .