October 9, 2007
Microsoft Patch Disclosure - October 2007
This month Microsoft released six bulletins which repair a total of nine vulnerabilities. None of these bulletins resolves the two current Microsoft denial-of-service zero-day vulnerabilities. Both eEye's Blink® Professional and Blink® Personal client security software with anti-virus protected systems against these zero-day exploits prior to their discovery. Blink does not require updated signatures or updated rule sets to provide protection, unlike other host protection or anti-virus-only products.
Patch Precedence
Of the six patches this month, four fix vulnerabilities that could be exploited over the Internet to execute arbitrary code. The highest impact flaws with the highest potential for exploitation have been marked. Depending on the operating systems and applications in your network, identify which of your systems are vulnerable to attack for each patch and use standard patch precedence processes to build your patch rollout plan.
As always, eEye suggests that users roll out these patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please check tomorrow's Vulnerability Expert Forum.
This Month's Bulletins
Critical
- MS07-055 - Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution
- MS07-056 - Security Update for Outlook Express and Windows Mail
- MS07-057 - Cumulative Security Update for Internet Explorer
- MS07-060 - Vulnerability in Microsoft Word Could Allow Remote Code Execution
Important
- MS07-058 - Vulnerability in RPC Could Allow Denial of Service
- MS07-059 - Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Could Result in Elevation of Privilege Within the SharePoint Site
Bulletin Summary
MS07-055
Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (923810)
http://www.microsoft.com/technet/security/bulletin/MS07-055.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: High
Description
This patch fixes one vulnerability within the Kodak Image Viewer. This vulnerability allows remote code execution as the logged-in user.
- CVE-2007-2217 - Kodak Image Viewer Remote Code Execution Vulnerability
A remote code execution vulnerability exists in the way that the Kodak Image Viewer in Windows handles specially crafted image files.
Recommendations
Although exploit code for this vulnerability has not been released, eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible. Also, since the only affected systems are systems that were previously upgraded from Windows 2000, a minimal affected installation base exists.
MS07-056
Security Update for Outlook Express and Windows Mail (941202)
http://www.microsoft.com/technet/security/bulletin/MS07-056.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: High
Description
This patch fixes one vulnerability within the built-in Windows mail software. This vulnerability allows remote code execution as the logged-in user.
- CVE-2007-3897 - Network News Transfer Protocol Memory Corruption Vulnerability
A remote code execution vulnerability exists in Outlook Express and Windows Mail for Microsoft Vista, due to an incorrectly handled malformed NNTP response. An attacker could exploit the vulnerability by constructing a specially crafted Web page. If a user viewed the Web page, the vulnerability could allow remote code execution.
Recommendations
Patch Prioritization: Second Highest Client-Side Impact
Although exploit code for this vulnerability has not been released, eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible.
MS07-057
Cumulative Security Update for Internet Explorer (939653)
http://www.microsoft.com/technet/security/bulletin/MS07-057.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: High
Description
This patch fixes four vulnerabilities within Internet Explorer. One of the vulnerabilities allows remote code execution as the logged-in user, while the other three vulnerabilities could help foster phishing attacks by spoofing.
- CVE-2007-3892 - Address Bar Spoofing Vulnerability
A spoofing vulnerability exists in Internet Explorer that could allow an attacker to display spoofed content in a browser window. The address bar and other parts of the trust UI have been navigated away from the attacker’s Web site but the content of the window still contains the attacker’s Web page.
- CVE-2007-3893 - Error Handling Memory Corruption Vulnerability
A remote code execution vulnerability exists in Internet Explorer due to an unhandled error in certain situations. An attacker could exploit the vulnerability by constructing a specially crafted Web page. If a user viewed the Web page, the vulnerability could allow remote code execution.
- CVE-2007-3826; CVE-2007-1091 - Address Bar Spoofing Vulnerability
Spoofing vulnerabilities exist in Internet Explorer that could allow an attacker to display spoofed content in a browser window. The address bar and other parts of the trust UI have been navigated away from the attacker’s Web site but the content of the window still contains the attacker’s Web page.
Recommendations
Exploit code has been released only for the spoofing vulnerabilities (CVE-2007-3826; CVE-2007-1091) and has been available since Feb 2007. However, none of these exploits has been seen in the wild, making the threat impact less severe.
The remote code execution vulnerability has no public details or proof-of-concept exploits. However, users are urged (as always) to keep up with Internet Explorer updates and apply this patch as soon as possible.
MS07-058
Vulnerability in RPC Could Allow Denial of Service (933729)
http://www.microsoft.com/technet/security/bulletin/MS07-058.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Medium
Description
This patch fixes one vulnerability within Windows. This vulnerability allows a system-wide denial-of-service condition that forces a system reboot.
- CVE-2007-2228 - RPC Authentication Vulnerability Could Allow Denial of Service
A denial of service vulnerability exists in the remote procedure call (RPC) facility due to a failure in communicating with the NTLM security provider when performing authentication of RPC requests. An anonymous attacker could exploit the vulnerability by sending a specially crafted RPC authentication request to a computer over the network. An attacker who successfully exploited this vulnerability could cause the computer to stop responding and automatically restart.
Recommendations
Although exploit code for this vulnerability has not been released, eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible. The most important machines in need of this patch are business-critical machines such as mail servers or Domain Controllers.
MS07-059
Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Could Result in Elevation of Privilege Within the SharePoint Site (942017)
http://www.microsoft.com/technet/security/bulletin/MS07-059.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Medium
Description
This patch fixes one vulnerability within Microsoft SharePoint. This vulnerability allows an attacker to reveal the credentials of a higher-privileged user and potentially hijack that user's credentials, thus elevating the attacker's privileges for the SharePoint site.
- CVE-2007-2581 - SharePoint Scripting Vulnerability
This is a scripting vulnerability in Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007. The vulnerability could allow an attacker to run arbitrary script that can result in elevation of privilege within the SharePoint site, as opposed to elevation of privilege within the workstation or server environment. The vulnerability could also allow an attacker to run arbitrary script to modify a user’s cache, resulting in information disclosure at the workstation.
Recommendations
Although exploit code for this vulnerability has been released, eEye Research suggests that vulnerable hosts be thoroughly tested prior to rolling out this patch. SharePoint administrators should ensure that SharePoint sites are fully backed up and potentially virtualized prior to testing this patch in case the patch causes any unexpected issues.
MS07-060
Vulnerability in Microsoft Word Could Allow Remote Code Execution (942695)
http://www.microsoft.com/technet/security/bulletin/MS07-060.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: High
Description
This patch fixes one vulnerability within Word. This vulnerability allows remote code execution as the logged-in user.
- CVE-2007-3899 - Word Memory Corruption Vulnerability
A remote code execution vulnerability exists in the way that Word handles specially crafted Word files. The vulnerability could allow remote code execution if a user opens a specially crafted Word file with a malformed string. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Recommendations
Patch Prioritization: Highest Client-Side Impact
Although exploit code for this vulnerability has not been released, there has been the suggestion that this vulnerability is currently being exploited in the wild. eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible.
The eEye Advantage
Retina® Network Security Scanner
eEye Digital Security's Retina® customers can update their scanner to detect systems vulnerable to these latest issues and verify this month's Microsoft patches are installed. Updated Retina audits are automatically available to eEye Retina customers via Auto-Update. To view a list of the corresponding audits, please visit:
http://www.eeye.com/html/mspatch/october2007.html#audits
Blink® Unified Client Security
eEye's line of Blink® with Anti-Virus software protects against the potential exploitation of these flaws without requiring invasive firewalling, which could limit system functionality and business connectivity. Blink does not require the disabling of services or applications as a means of protection. The result is complete protection for the system and the sensitive data that resides on it with zero downtime or impact to critical system operations.
Current Blink customers aren't required to do anything to realize the protection from these flaws. No updates or policy changes are required. Both Blink Professional and Blink Personal now include multiple integrated anti-virus engines. Blink Personal is available for free for one year for personal use and can be downloaded at: http://www.eeye.com/blinkpersonal/. Business users can download a trial version of Blink Professional at
http://www.eeye.com/blink/
Online Seminar: Vulnerability Expert Forum
As a service to the network security community, the eEye Research Team conducts a Vulnerability Expert Forum web seminar during the second week of every month. eEye will host this month's forum on Wednesday of this week. This forum enables participants to stay current on the potential risks and remediation requirements of the patches announced today, by exploring the effects that high-risk vulnerabilities and exploits have on network environments and infrastructures.
To register, visit http://www.eeye.com/html/events/web/VEF.html .
