eEye Digital Security Newsletter
May 8, 2007

Microsoft Patch Disclosure - May 2007

This month Microsoft released seven bulletins which repair a total of 19 vulnerabilities. Two of these vulnerabilities were high-impact zero-day vulnerabilities that were being used in targeted attacks or had public exploit code released.

One of the zero-day vulnerabilities affecting Microsoft's DNS Server (CVE-2007-1748) was being used in targeted attacks and had a toolkit-based exploit released. The other zero-day vulnerability affecting Microsoft Word (CVE-2007-0870) never had proof-of-concept exploit code released but had been seen in targeted attacks. This leaves 3 active zero-day vulnerabilities in circulation at the moment, all of which affect Microsoft applications. Both Professional and Personal versions of eEye’s Blink client security software with anti-virus protected systems against these zero-day exploits prior to their discovery. Blink does not require updated signatures or updated rule sets to provide protection, unlike other host protection or anti-virus-only products.

Patch Precedence
Two of this month's bulletins address network-based vulnerabilities, and these two have been identified as the most critical issues patched this month. Of the five client-side bulletins, the most critical client-side attack vector has also been identified.

As always, eEye suggests that users roll out these patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please check out tomorrow's Vulnerability Expert Forum.


This Month's Bulletins

Critical
  • MS07-023 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
  • MS07-024 - Vulnerabilities in Microsoft Word Could Allow Remote Code Execution
  • MS07-025 - Vulnerability in Microsoft Office Could Allow Remote Code Execution
  • MS07-026 - Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution
  • MS07-027 - Cumulative Security Update for Internet Explorer
  • MS07-028 - Vulnerability in CAPICOM Could Allow Remote Code Execution
  • MS07-029 - Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

Bulletin Summary

MS07-023
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233)
http://www.microsoft.com/technet/security/bulletin/MS07-023.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: High

Description
This patch fixes three vulnerabilities within Excel which may allow for a remote attacker to execute arbitrary code as the logged in user.
  • CVE-2007-0215 - Excel BIFF Record Vulnerability
    A remote code execution vulnerability exists in the way Excel handles files with malformed BIFF records.

  • CVE-2007-1203 - Excel Set Font Vulnerability
    A remote code execution vulnerability exists in the way Excel handles Excel files with specially crafted set font values.

  • CVE-2007-1214 - Excel Filter Record Vulnerability
    A remote code execution vulnerability exists in the way Excel handles Excel files with specially crafted filter records.

The exploitation of these vulnerabilities requires user interaction by opening a malicious Excel file. This file could be delivered any number of ways including e-mail or a website. Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

Recommendations
Although exploit code for these vulnerabilities has not been released, eEye Research suggests that vulnerable hosts be patched for these vulnerabilities as soon as possible.



MS07-024
Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232)
http://www.microsoft.com/technet/security/bulletin/MS07-024.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: High

Description
This patch fixes three vulnerabilities within Word which may allow for a remote attacker to execute arbitrary code as the logged in user. One of the vulnerabilities was a zero-day vulnerability being exploited across the Internet.
  • CVE-2007-0035 - Word Array Overflow Vulnerability
    A remote code execution vulnerability exists in the way Microsoft Word handles data within an array.

  • CVE-2007-0870 - Word Document Stream Vulnerability (Zero-Day)
    A remote code execution vulnerability exists in the way Microsoft Word handles a specially crafted Word Document stream.
    This vulnerability was originally known as a zero-day and was tracked by the eEye Zero-Day Tracker. Details can be found here: eEye ZDT - Word Unspecified Exploit(4)

  • CVE-2007-1202 - Word RTF Parsing Vulnerability
    A remote code execution vulnerability exists in the way Microsoft Word parses certain rich text properties within a file.

The exploitation of these vulnerabilities requires user interaction by opening a malicious Word file. This file could be delivered any number of ways including e-mail or a website. Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

Recommendations
Patch Prioritization: Second Highest Client-Side Impact
eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible. Patch prioritization would dictate that hosts running Microsoft Word that consistently open Word documents from unknown senders (i.e. HR departments) be patched for this vulnerability as soon as possible since they represent the highest-impact targets.



MS07-025
Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873)
http://www.microsoft.com/technet/security/bulletin/MS07-025.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: High

Description
This patch fixes one vulnerability within Office which may allow for a remote attacker to execute arbitrary code as the logged in user.
  • CVE-2007-1747 - Drawing Object Vulnerability
    A remote code execution vulnerability exists in the way Microsoft Office handles a specially crafted drawing object. An attacker could exploit this vulnerability when Office parses a file and processes a malformed drawing object.

The exploitation of this vulnerability requires user interaction by opening a malicious Office file. This file could be delivered in any number of ways, including e-mail or a website. Execution of arbitrary code is possible, but the code will only run with the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

Recommendations
eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible. Patch prioritization would dictate that hosts running Microsoft Office that consistently open Office documents from unknown senders (i.e. HR departments opening resume documents) be patched for this vulnerability as soon as possible since they represent the highest-impact targets.



MS07-026
Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (931832)
http://www.microsoft.com/technet/security/bulletin/MS07-026.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: High

Description
This patch fixes four vulnerabilities within Exchange: one of which may allow for a remote attacker to execute arbitrary code as SYSTEM, one of which may allow for information disclosure through a script injection, while the other two cause a denial of service condition for Exchange. Since Exchange servers are nearly always mission-critical servers, a denial of service vulnerability has a very high impact.
  • CVE-2007-0220 - Outlook Web Access Script Injection Vulnerability
    An information disclosure vulnerability exists in Microsoft Exchange in the way that Outlook Web Access (OWA) handles script-based attachments. An attached script could spoof content, disclose information, or take any action that the user could take within the context of the OWA session.

  • CVE-2007-0039 - Malformed iCal Vulnerability
    A denial of service vulnerability exists in Microsoft Exchange Server because of the way that it handles calendar content requests. An attacker could exploit the vulnerability by sending an e-mail message with specially crafted iCal file to a Microsoft Exchange Server user account. An attacker successfully exploiting this vulnerability could cause the mail service to stop responding.

  • CVE-2007-0213 - MIME Decoding Vulnerability
    A remote code execution vulnerability exists in Microsoft Exchange Server because of the way that it decodes specially crafted e-mail messages. An attacker could exploit the vulnerability by sending a specially crafted e-mail to a Microsoft Exchange Server user account. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

  • CVE-2007-0221 - IMAP Literal Processing Vulnerability
    A denial of service vulnerability exists in Microsoft Exchange Server because of the way that it handles invalid IMAP requests. An attacker could exploit the vulnerability by sending a specially crafted IMAP command to a Microsoft Exchange Server configured as an IMAP server. An attacker successfully exploiting this vulnerability could cause the mail service to stop responding.

The exploitation of the first vulnerability requires some sort of user interaction by opening a specially-crafted e-mail within OWA while the other three vulnerabilities require no user interaction. All are delivered via anonymous e-mail messages.

Recommendations
Patch Prioritization: Highest Remote Impact
eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible. Patch prioritization would dictate that Internet-facing Exchange servers be patched for this vulnerability as soon as possible since they represent the highest-impact targets.



MS07-027
Cumulative Security Update for Internet Explorer (931768)
http://www.microsoft.com/technet/security/bulletin/MS07-027.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: High

Description
This patch fixes six vulnerabilities within Internet Explorer which may allow for a remote attacker to execute arbitrary code as the logged in user.
  • CVE-2007-0942 - COM Object Instantiation Memory Corruption Vulnerability
    A remote code execution vulnerability exists in the way Internet Explorer instantiates COM objects that are not intended to be instantiated in Internet Explorer.

  • CVE-2007-0944 - Uninitialized Memory Corruption Vulnerability
    A remote code execution vulnerability exists in the way Internet Explorer accesses an object that has not been initialized or has already been deleted.

  • CVE-2007-0945 - Property Memory Corruption Vulnerability
    A remote code execution vulnerability exists in the way Internet Explorer handles a property method.

  • CVE-2007-0946, CVE-2007-0947 - HTML Objects Memory Corruption Vulnerabilities
    Several remote code execution vulnerabilities exist in Internet Explorer due to attempts to access uninitialized memory in certain situations.

  • CVE-2007-2221 - Arbitrary File Rewrite Vulnerability
    A remote code execution vulnerability exists in a media service component that was never supported in Internet Explorer.

  • Four ActiveX Killbits
    {D9998BD0-7957-11D2-8FED-00606730D3AA} - Acer LaunchApp
    {1D95A7C7-3282-4DB7-9A48-7C39CE152A19} - RIM TeamOn
    {BE4191FB-59EF-4825-AEFC-109727951E42} - Microsoft chtskdic.dll
    {D4FE6227-1288-11D0-9097-00AA004254A0} - Microsoft msauth.dll

The exploitation of these vulnerabilities requires user interaction by visiting a website or following a hyperlink. Execution of arbitrary code is possible, but the code will only run with the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

Recommendations
Patch Prioritization: Highest Client-Side Impact
Although exploit code for these vulnerabilities has not been released, eEye Research suggests that vulnerable hosts be patched for these vulnerabilities as soon as possible. This patch should be thoroughly tested in all environments, especially with the extensive kill-bit changes (4 CLSIDs now have forced kill-bits from this update).



MS07-028
Vulnerability in CAPICOM Could Allow Remote Code Execution (931906)
http://www.microsoft.com/technet/security/bulletin/MS07-028.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: High

Description
This patch fixes one vulnerability within the CAPICOM ActiveX control which may allow for a remote attacker to execute arbitrary code as the logged in user.
  • CVE-2007-0940 - CAPICOM.Certificates Vulnerability
    A remote code execution vulnerability exists in Cryptographic API Component Object Model (CAPICOM) that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.

The exploitation of this vulnerability requires user interaction by visiting a website or following a hyperlink. Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

Recommendations
For temporary mitigation, administrators can set the kill bit on the CLSIDs (17E3A1C3-EA8A-4970-AF29-7F54610B1D4C, FBAB033B-CDD0-4C5E-81AB-AEA575CD1338) of this ActiveX control to block any exploitation attempts against this component.
Although exploit code for this vulnerability has not been released, eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible.
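The kill-bit mitigation above, as an added PowerShell example that is not part of the eEye newsletter. It sets the documented "Compatibility Flags" DWORD (0x400) under Internet Explorer's ActiveX Compatibility key for the two CAPICOM CLSIDs the bulletin names, and then verifies the result; it assumes an elevated session on the affected Windows host.

```powershell
# Added example, not from the eEye newsletter: set the IE kill bit for the
# two CAPICOM CLSIDs named in MS07-028 as a temporary mitigation until the
# patch is deployed. The kill bit is the "Compatibility Flags" DWORD with
# bit 0x400 set under the ActiveX Compatibility key. Run elevated.
# On 64-bit Windows the 32-bit IE reads the same path under Wow6432Node.

$capicomClsids = @(
    '{17E3A1C3-EA8A-4970-AF29-7F54610B1D4C}',
    '{FBAB033B-CDD0-4C5E-81AB-AEA575CD1338}'
)
$compatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit    = 0x400

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $compatRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    # Preserve any flags already present; only OR in the kill bit.
    $new = if ($null -eq $current) { $KillBit } else { $current -bor $KillBit }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $compatRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

foreach ($clsid in $capicomClsids) {
    Set-ActiveXKillBit -Clsid $clsid
    $state = if (Test-ActiveXKillBit -Clsid $clsid) { 'kill bit set' } else { 'kill bit NOT set' }
    Write-Output "$clsid : $state"
}
```

Once MS07-028 is installed the kill bit can stay in place; it only prevents the control from being instantiated by Internet Explorer.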



MS07-029
Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)
http://www.microsoft.com/technet/security/bulletin/MS07-029.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: High

Description
This patch fixes one vulnerability within Windows DNS which may allow for a remote attacker to execute arbitrary code as SYSTEM. This vulnerability was a zero-day vulnerability being exploited across the Internet and had a toolkit-based exploit published.
  • CVE-2007-1748 - DNS RPC Management Vulnerability (Zero-Day)
    A remote code execution vulnerability exists in the Domain Name System (DNS) Server Service in all supported server versions of Windows that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.
    This vulnerability was originally released as a public zero-day and was tracked by the eEye Zero-Day Tracker. Details can be found here: eEye ZDT - Microsoft DNS RPC Buffer Overflow

The exploitation of this vulnerability requires no user interaction or interactive privileges, but does require that a commonly firewalled port range (TCP/139, TCP/445, > TCP/1024) be remotely accessible.

Recommendations
Patch Prioritization: Second Highest Remote Impact
eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible. For hosts that have disabled the remote RPC interface for DNS management, the mitigation must be rolled back manually by removing or renaming the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\RpcProtocol (DWORD).
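The rollback described above, as an added PowerShell example that is not part of the eEye newsletter. It assumes it runs elevated on the DNS server and that the patch shows up in the installed-update list under the bulletin's KB number (935966); it renames the RpcProtocol value rather than deleting it, then restarts the DNS Server service so the change takes effect.

```powershell
# Added example, not from the eEye newsletter: after MS07-029 is installed
# on a DNS server, roll back the pre-patch workaround that disabled remote
# RPC management by renaming the RpcProtocol value the newsletter names.
# Assumes an elevated session on the DNS server itself.

$dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$valueName = 'RpcProtocol'
$patchKb   = 'KB935966'   # KB number from the MS07-029 bulletin title

function Test-PatchInstalled {
    param([Parameter(Mandatory)][string]$Kb)
    # Get-HotFix lists installed Windows updates by KB id.
    return $null -ne (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Get-DnsRpcProtocol {
    $item = Get-ItemProperty -Path $dnsParams -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$valueName
}

function Undo-DnsRpcWorkaround {
    $current = Get-DnsRpcProtocol
    if ($null -eq $current) {
        Write-Output 'RpcProtocol not present; no workaround to roll back.'
        return
    }
    if (-not (Test-PatchInstalled -Kb $patchKb)) {
        # Do not re-expose the RPC interface on an unpatched server.
        Write-Warning "$patchKb not installed; leaving RpcProtocol=$current in place."
        return
    }
    # Keep a record of the old value instead of discarding it.
    Rename-ItemProperty -Path $dnsParams -Name $valueName -NewName "$valueName.pre-MS07-029"
    Write-Output "RpcProtocol ($current) renamed; restarting the DNS Server service."
    Restart-Service -Name DNS
}

Undo-DnsRpcWorkaround
```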




The eEye Advantage

Retina® Network Security Scanner
eEye Digital Security's Retina® customers can update their scanner to detect systems vulnerable to these latest issues and to verify if this month's Microsoft patches are installed. Updated Retina audits are automatically available to eEye Retina customers via Auto-Update. To view a list of the corresponding audits, please visit:
http://www.eeye.com/html/mspatch/may2007.html#audits

Blink® Unified Client Security
eEye's line of Blink® with Anti-Virus unified client security software protects from the potential exploitation of these flaws without requiring invasive firewalling, which could limit system functionality and business connectivity as Blink does not require the disabling of services or applications as a means of protection. The result is complete protection for the system and the sensitive data that resides on it with zero downtime or impact to critical system operations.

Current Blink customers aren't required to do anything to realize the protection from these flaws; no updates or policy changes are required. Both Blink Professional and Blink Personal now include multiple integrated anti-virus engines. Blink Personal is available for free for one year for personal use and can be downloaded at: http://www.eeye.com/blinkfree. Business users can download a trial version of Blink Professional at
http://www.eeye.com/html/products/blink/download/

Online Seminar: Vulnerability Expert Forum
As a service to the network security community, the eEye Research Team conducts a Vulnerability Expert Forum web seminar during the second week of every month. eEye will host this month's forum on Wednesday of this week. This forum enables participants to stay current on the potential risks and remediation requirements of the patches announced today, by exploring the effects that high-risk vulnerabilities and exploits have on network environments and infrastructures.
To register, visit http://www.eeye.com/html/events/web/VEF.html .

