Archive for February, 2009

Excel zero day flaw announced

Microsoft released a security advisory today (Security Advisory 968272) about a new, as yet unpatched, Excel vulnerability.

The vulnerability affects every version of Microsoft Excel from Excel 2000 through Excel 2007.

To exploit a system, the attacker must entice the user into opening a malformed Excel document. If that happens, the attacker's code runs with the rights of the logged-on user. If that user is an administrator, the attacker can do anything on the system (delete files, reformat the hard drive, steal information, install further software, etc.). If the user is a standard, non-administrative account, the attacker's options on the box are narrower: read data the user can read, delete or alter data the user owns, and act on the network with the user's credentials. That difference is the strongest argument for day-to-day work under a standard account rather than an administrative one.

Microsoft is still investigating and will most likely ship a patch, but has not committed to a date.

This is not unlike any other Microsoft Office vulnerability, except that in this instance knowledge of the flaw has become public before a patch is available. Shavlik encourages users not to open Excel documents from unknown senders or locations, and to treat unexpected attachments from known senders with the same suspicion, since sender addresses are trivially spoofed.


Zero Day vulnerability in Adobe Reader and Adobe Acrobat

A security vulnerability recently identified in Adobe Reader and Adobe Acrobat could allow attackers to take complete control of a system. Opening a malformed PDF document can cause attacker-supplied code to execute without the user's knowledge, with whatever level of access the currently logged-on user has. Security researchers are seeing limited, targeted attacks in the wild. In most instances the malicious PDF simply crashes the Adobe application; some samples also try to entice the user into installing a rogue anti-spyware product.

Adobe intends to patch its PDF products starting on March 11, 2009. Until the patch is released, users can reduce their exposure by disabling JavaScript in the Adobe applications (Edit > Preferences > JavaScript, then uncheck "Enable Acrobat JavaScript"). Be aware, however, that recent research shows this workaround does not prevent exploitation: the flaw is in how the PDF itself is parsed, not in the JavaScript engine, and JavaScript merely makes exploitation more reliable. A PDF containing no script at all can still trigger it, so treat the setting as a mitigation rather than a fix and keep filtering PDFs from untrusted sources until the patch is installed.
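As an added example (not from the original post or from Adobe), the triage script below shows the kind of first-pass check a mail gateway or help desk can run on incoming PDFs while the patch is pending. It flags the name tokens that carry script and auto-run behaviour, and it decodes the #xx hex escapes that PDF allows inside names, because a naive grep for "/JavaScript" misses a file that spells the token as /#4A#61#76#61#53#63#72#69#70#74. The three sample files are constructed for the demo and are not exploit files; a real triage would also inflate compressed streams, which this script deliberately does not do.

```python
import re

# Constructed sample files for the demo; they are not real exploit PDFs, just
# the minimal object syntax needed to show what a triage script must handle.
PDF_WITH_JS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
3 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj
"""
# Same content, but the name tokens are written with #xx hex escapes, which a
# naive grep for "/JavaScript" misses.
PDF_WITH_ESCAPED_JS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
3 0 obj << /S /#4A#61#76#61#53#63#72#69#70#74 /#4A#53 (app.alert('constructed sample')) >> endobj
"""
PDF_PLAIN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Count 0 /Kids [] >> endobj
"""

# Name tokens worth flagging: script, auto-run actions, launchers, embedded files.
SUSPECT_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")


def unescape_pdf_names(data: bytes) -> bytes:
    """Decode #xx escapes inside names so /#4A#53 is seen as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Count suspicious name tokens in raw PDF bytes.

    Limitation (deliberate): objects inside compressed streams (/FlateDecode,
    object streams) are not inflated here, so this is a first-pass filter, not
    proof that a file is clean.
    """
    text = unescape_pdf_names(data)
    hits = {}
    for name in SUSPECT_NAMES:
        # A name ends at whitespace or a delimiter, so /JS must not match /JSON.
        pattern = re.escape(name.encode()) + rb"(?=[\s/\[\]<>(){}%]|$)"
        count = len(re.findall(pattern, text))
        if count:
            hits[name] = count
    return hits


def is_suspicious(data: bytes) -> bool:
    """True if any flagged token is present; a False result is not a clean bill."""
    return bool(triage_pdf(data))


if __name__ == "__main__":
    samples = (("plain", PDF_PLAIN), ("js", PDF_WITH_JS), ("escaped js", PDF_WITH_ESCAPED_JS))
    for label, sample in samples:
        print(label, triage_pdf(sample))
```

The escaped and unescaped samples produce identical hit counts once names are decoded, which is the property a filter needs. Because the underlying flaw does not depend on JavaScript, a file that scores zero here still deserves the same handling as any other untrusted PDF.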


Reflections on February 2009 Patch Day

A seemingly light batch of patches this month, following an even lighter single-patch release in January. Two Critical bulletins were released, covering Internet Explorer 7 and Microsoft Exchange Server, plus two Important bulletins, for Microsoft SQL Server and Visio.

MS09-002 is a typical IE patch: it protects a user who browses to a malicious web page. What's unusual this month is that the vulnerabilities exist only in Internet Explorer 7, not in any earlier version. That raises the question of what Microsoft put into IE7 that earlier versions lack, and why their security development process did not catch it. Microsoft rates the issue a 1 on the exploitability index, meaning consistent exploit code is likely, so a working malicious page is easy for attackers to build.

MS09-003 is a Critical patch for Exchange Server 2000, 2003 and 2007 covering two issues: remote code execution and denial of service. For the first, the attacker sends a mail carrying a malformed TNEF attachment (the winmail.dat file that Outlook generates to carry rich text formatting and embedded objects between mail systems) in the hope that the Exchange server executes code of their choosing while decoding it. No user needs to open anything, because the server processes the message on receipt. For the second, the attacker sends a stream of specially crafted MAPI commands to the Exchange server to crash the mail services. Microsoft rates the code execution issue a 2 on the exploitability index, meaning inconsistent exploit code is likely.

MS09-004 is probably the most interesting patch this month. It addresses the zero-day SQL Server flaw that SEC Consult reported on December 9th, 2008: a heap overflow in the sp_replwritetovarbin extended stored procedure that lets an attacker execute code of their choice on the affected SQL Server (SQL Server 2000 and 2005, including MSDE and Express editions; SQL Server 2008 is not affected). The bar for exploitation is raised slightly in that the attacker must already have authenticated access to the SQL Server to pull off this exploit. That bar is lower than it sounds (since when do you authenticate your attackers anyway?): an unauthenticated attacker can still reach the flaw through SQL injection in a poorly coded website, because the web application's own database login supplies the authentication, and that login is often far more privileged than it needs to be. Proof of concept code has been published on the Internet, but Microsoft says it has not seen evidence of exploitation (maybe they aren't looking hard enough?). I'd probably rate this patch Critical given the end result it makes possible; I'm guessing Microsoft downgraded the severity because of the authentication requirement, even though they give it a 1 on the exploitability index, meaning consistent exploit code is likely. If you cannot patch immediately, the pre-patch workaround Microsoft published, denying EXECUTE on that procedure to public, still makes sense as defense in depth, alongside a least-privilege login for each web application.
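The authentication shortcut described above, as an added example that is not from the original post, from Microsoft or from SEC Consult: the same attacker input is run through a concatenated query and through a parameterised one. The demo uses Python's sqlite3 in-memory database as a stand-in for SQL Server, and because sqlite3's execute() refuses stacked statements the vulnerable path uses executescript(), which accepts them the way a typical SQL Server driver does. The payload, the table name and the search_log schema are constructed for the demo. The point is that whatever statement the attacker appends runs under the web application's own database login, which is exactly the "authenticated access" the bulletin counts on.

```python
import sqlite3

# Constructed attacker input: the quote closes the literal, the semicolon
# starts a second statement, and the trailing -- comments out the app's own
# closing syntax. The table name is made up for the demo.
PAYLOAD = "widget'); CREATE TABLE attacker_ran_this (x INTEGER); --"


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the web application's database (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE search_log (id INTEGER PRIMARY KEY, term TEXT);")
    return conn


def log_search_vulnerable(conn: sqlite3.Connection, term: str) -> None:
    """The 'poorly coded website' pattern: user input concatenated into SQL.

    executescript() runs stacked statements, modelling a driver and server that
    accept them; everything after the attacker's quote is parsed as SQL and runs
    with the privileges of the application's login.
    """
    sql = f"INSERT INTO search_log (term) VALUES ('{term}');"
    conn.executescript(sql)


def log_search_safe(conn: sqlite3.Connection, term: str) -> None:
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    conn.execute("INSERT INTO search_log (term) VALUES (?)", (term,))
    conn.commit()


def attacker_statement_ran(conn: sqlite3.Connection) -> bool:
    """Did the injected CREATE TABLE execute under the app's connection?"""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'attacker_ran_this'"
    ).fetchone()
    return row is not None


def logged_terms(conn: sqlite3.Connection) -> list:
    """What the application believes the user searched for."""
    return [r[0] for r in conn.execute("SELECT term FROM search_log ORDER BY id")]


def demo() -> dict:
    """Run the same payload through both code paths and report what happened."""
    results = {}
    conn = make_db()
    log_search_vulnerable(conn, PAYLOAD)
    results["vulnerable"] = (attacker_statement_ran(conn), logged_terms(conn))
    conn = make_db()
    log_search_safe(conn, PAYLOAD)
    results["safe"] = (attacker_statement_ran(conn), logged_terms(conn))
    return results


if __name__ == "__main__":
    for path, (ran, terms) in demo().items():
        print(f"{path}: attacker statement ran={ran}, logged terms={terms}")
```

On the vulnerable path the log records a harmless "widget" while the attacker's second statement executes; on the safe path the entire payload is stored as an inert string. Binding parameters closes the injection, and running each application under a SQL login stripped of rights it does not need limits what an injection that slips through can call.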

MS09-005 is an Important patch for Visio (2002, 2003 and 2007). Open a malformed Visio document and the attacker can run code on your system in the context of your currently logged-on account. Microsoft says the issues were privately reported and that it has seen no reports of exploitation. The standard advice applies: do not open Visio documents from untrusted sources.

I recommend a two-pronged approach to patching this month. Two bulletins address server issues (MS09-003 and MS09-004, Exchange and SQL Server) and two address client-side applications (MS09-002 and MS09-005, IE7 and Visio). Give the two server patches to the server maintenance team and ask that they install them as soon as possible, given what I believe is the real severity of those issues. Give the two client-side patches to the desktop team and have them roll these out in the next update cycle or as they see fit; there is no need to burn the weekend candle for these.
