Archive for July, 2009

July Out of Band Security Release

Microsoft released two out of band security bulletins today – one Internet Explorer bulletin and one Visual Studio bulletin.  The IE issue is rated Critical and the Visual Studio patch is rated Moderate.

Shavlik recommends installing the IE patch as soon as possible as it helps protect against a flaw being demonstrated at Blackhat tomorrow (Wednesday) that might allow an attacker to bypass the killbits that were set to protect a machine against unsafe ActiveX controls.  Failing to patch for this issue is like purposely uninstalling 8 prior IE patches – not something you want to do.  Patch this one right away.

Details:

Some years ago, a flaw was introduced in the development tools maintained by Microsoft.  This flaw was in a ‘template’ that helps developers create ActiveX controls.  Any control built using this flawed template might be exposed to the security vulnerabilities discussed in today’s bulletins.

To address these flaws, Microsoft has released two types of patches – one for IE and one for Visual Studio.  The Visual  Studio patch (MS09-035) corrects the flawed template (active template library or ATL) so that any controls built from this template going forward will be safe.  The Internet Explorer patch (MS09-034) monitors all calls to ActiveX controls and prevents controls from executing that are found to have been developed with the flawed template and that are attempting to execute vulnerabilities in that template.

One such example of a vulnerable control built from the flawed template was the Video control issue discussed earlier this month and addressed in MS09-032.  The Video control had been built from the flawed template library – it was this vulnerability that was being exploited in the wild that lead to the security advisory, MS09-032, and eventually the death of this control.

Killing a control typically means setting a ‘killbit’ on the control.  When the killbit is set, it means IE won’t launch the control – thus keeping your machine safe. To date, Microsoft has issued 175 killbits via their cumulative killbit patches. (for more information on these 175 killbits, see my analysis at http://ericsblog.shavlik.com/2009/07/27/activex-killbits/).  However, some security researchers found that they were able to bypass the killbit function and still execute certain controls.  A presentation on how this is done is slated for tomorrow afternoon (Wed, July 29th 2009) at the Blackhat Conference.  The researchers found that the same ATL flaws we were talking about earlier allowed them to bypass the killbit on controls that were built with the flawed templates.  IOW, if you installed MS09-032 to protect yourself from the Video control exploit, there is a chance that someone could still execute this attack against you because they bypassed the killbits set in the 09-032 patch.

The MS09-034 patch protects against the killbit bypass problem.  The 09-035 patch also addresses the killbit issue plus two other issues in the template library: one was an information disclosure issue and the other was a remote code execution flaw.

The MS09-034 patch also includes fixes for three other remote code execution vulnerabilities in Internet Explorer.  These fixes were already coded and were slated to be released in the August patch cycle – however, due to the expedited IE patch for the ATL-Killbit issue, these three fixes were included in the out of band release.

The IE patch includes severity ratings for the three remote code execution flaws – rated as Critical on some versions of IE and Moderate on others.  The 09-034 IE patch does NOT include severity ratings for the defense in depth changes that Microsoft implemented to protect against the vulnerable ActiveX controls.  Even though some systems may only be rated as Moderate wrt the IE patch, Microsoft encourages customers to install the IE patch as soon as possible as it does include the protections for the ATL and killbit bypass issues discussed above.

Advertisements

Comments (2) »

ActiveX Killbits

Beginning in May 2008, Microsoft has released cumulative patches to install ActiveX Killbits.  Below is an analysis of the killbits released via these patches to date.  The analysis was performed against patches for Windows XP, however, it is assumed that these killbits are applicable to all Operating Systems.

As of July 27, 2009:

Total Killbits applied by latest cumulative patch (MS09-032): 175

Monthly Count
May 2008: 4
June 2008: 3
August 2008: 96
October 2008: 12
February 2009: 10
June 2009: 5
July 2009: 45 

Vendor Count
Akamai: 1
Aurigma: 74
BackWeb: 1
Ebay: 2
HP: 23
HusDawg: 1
Microgaming: 2
Microsoft 67
PhotoStockPlus: 1
RIM: 1
Yahoo: 2

Details for each Killbit (including links to advisories)

(download PDF here)

May-08 {22FD7C0A-850C-4A53-9821-0B0915C96139} Yahoo Yahoo! MediaGrid
May-08 {314111B8-A502-11D2-BBCA-00C04F8EC294} Microsoft Microsoft Help 2.0 Contents
May-08 {314111C6-A502-11D2-BBCA-00C04F8EC294} Microsoft Microsoft Help 2.0 Index
May-08 {5F810AFC-BB5F-4416-BE63-E01DD117BD6C} Yahoo Yahoo! DataGrid
Jun-08 {3BEE4890-4FE9-4A37-8C1E-5E7E12791C1F} Microsoft SpSharedRecognizer
Jun-08 {40F23EB7-B397-4285-8F3C-AACE4FA40309} BackWeb BackWeb Lite Install Runner
Jun-08 {47206204-5ECA-11D2-960F-00C04F8EE628} Microsoft SpSharedRecoContext
Aug-08 {00D46195-B634-4C41-B53B-5093527FB791} Aurigma Aurigma Image Uploader
Aug-08 {0270E604-387F-48ED-BB6D-AA51F51D6FC3} Aurigma Aurigma Image Uploader
Aug-08 {038F6F55-C9F0-4601-8740-98EF1CA9DF9A} Aurigma Aurigma Image Uploader
Aug-08 {05CDEE1D-D109-4992-B72B-6D4F5E2AB731} Aurigma Aurigma Image Uploader
Aug-08 {0B9C0C26-728C-4FDA-B8DD-59806E20E4D9} Aurigma Aurigma Image Uploader
Aug-08 {0C378864-D5C4-4D9C-854C-432E3BEC9CCB} HP HP eDiag
Aug-08 {101D2283-EED9-4BA2-8F3F-23DB860946EB} Aurigma Aurigma Image Uploader
Aug-08 {108092BF-B7DB-40D1-B7FB-F55922FCC9BE} Aurigma Aurigma Image Uploader
Aug-08 {14C1B87C-3342-445F-9B5E-365FF330A3AC} HP HP Instant Support
Aug-08 {17E67D4A-23A1-40D8-A049-EE34C0AF756A} HP HP eDiag
Aug-08 {1E0D3332-7441-44FF-A225-AF48E977D8B6} Aurigma Aurigma Image Uploader
Aug-08 {285CAE3C-F16A-4A84-9A80-FF23D6E56D68} Aurigma Aurigma Image Uploader
Aug-08 {2875E7A5-EE3C-4FE7-A23E-DE0529D12028} Aurigma Aurigma Image Uploader
Aug-08 {2C2DE2E6-2AD1-4301-A6A7-DF364858EF01} Aurigma Aurigma Image Uploader
Aug-08 {3604EC19-E009-4DCB-ABC5-BB95BF92FD8B} Aurigma Aurigma Image Uploader
Aug-08 {3D6A1A85-DE54-4768-9951-053B3B02B9B0} Aurigma Aurigma Image Uploader
Aug-08 {41473CFB-66B6-45B8-8FB3-2BC9C1FD87BA} Aurigma Aurigma Image Uploader
Aug-08 {42C68651-1700-4750-A81F-A1F5110E0F66} HP HP eDiag
Aug-08 {44A6A9CA-AC5B-4C39-8FE6-17E7D06903A9} Aurigma Aurigma Image Uploader
Aug-08 {4614C49A-0B7D-4E0D-A877-38CCCFE7D589} Aurigma Aurigma Image Uploader
Aug-08 {4774922A-8983-4ECC-94FD-7235F06F53A1} HP HP eDiag
Aug-08 {47AF06DD-8E1B-4CA4-8F55-6B1E9FF36ACB} Aurigma Aurigma Image Uploader
Aug-08 {497EE41C-CE06-4DD4-8308-6C730713C646} Aurigma Aurigma Image Uploader
Aug-08 {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} Aurigma Aurigma Image Uploader
Aug-08 {60178279-6D62-43AF-A336-77925651A4C6} HP HP eDiag
Aug-08 {6470DE80-1635-4B5D-93A3-3701CE148A79} HP HP eDiag
Aug-08 {652623DC-2BB4-4C1C-ADFB-57A218F1A5EE} Aurigma Aurigma Image Uploader
Aug-08 {65FB3073-CA8E-42A1-9A9A-2F826D05A843} Aurigma Aurigma Image Uploader
Aug-08 {66E07EF9-4E89-4284-9632-6D6904B77732} Aurigma Aurigma Image Uploader
Aug-08 {68BBCA71-E1F6-47B2-87D3-369E1349D990} Aurigma Aurigma Image Uploader
Aug-08 {692898BE-C7CC-4CB3-A45C-66508B7E2C33} Aurigma Aurigma Image Uploader
Aug-08 {6981B978-70D9-40B9-B00E-903B6FC8CA8A} Aurigma Aurigma Image Uploader
Aug-08 {69C462E1-CD41-49E3-9EC2-D305155718C1} Aurigma Aurigma Image Uploader
Aug-08 {6C095616-6064-43CA-9180-CF1B6B6A0BE4} Aurigma Aurigma Image Uploader
Aug-08 {6CA73E8B-B584-4533-A405-3D6F9C012B56} Aurigma Aurigma Image Uploader
Aug-08 {6E5E167B-1566-4316-B27F-0DDAB3484CF7} Aurigma Aurigma Image Uploader
Aug-08 {73BCFD0F-0DAA-4B21-B709-2A8D9D9C692A} Aurigma Aurigma Image Uploader
Aug-08 {76EE578D-314B-4755-8365-6E1722C001A2} Aurigma Aurigma Image Uploader
Aug-08 {784F2933-6BDD-4E5F-B1BA-A8D99B603649} HP HP eDiag
Aug-08 {7A12547F-B772-4F2D-BE36-CE5D0FA886A1} Aurigma Aurigma Image Uploader
Aug-08 {7EB2A2EC-1C3A-4946-9614-86D3A10EDBF3} Aurigma Aurigma Image Uploader
Aug-08 {833E62AD-1655-499F-908E-62DCA1EB2EC6} Aurigma Aurigma Image Uploader
Aug-08 {86C2B477-5382-4A09-8CA3-E63B1158A377} Aurigma Aurigma Image Uploader
Aug-08 {8C7A23D9-2A9B-4AEA-BA91-3003A316B44D} Aurigma Aurigma Image Uploader
Aug-08 {8CC18E3F-4E2B-4D27-840E-CB2F99A3A003} Aurigma Aurigma Image Uploader
Aug-08 {8DBC7A04-B478-41D5-BE05-5545D565B59C} Aurigma Aurigma Image Uploader
Aug-08 {905BF7D7-6BC1-445A-BE53-9478AC096BEB} Aurigma Aurigma Image Uploader
Aug-08 {910E7ADE-7F75-402D-A4A6-BB1A82362FCA} HP HP eDiag
Aug-08 {916063A5-0098-4FB7-8717-1B2C62DD4E45} Aurigma Aurigma Image Uploader
Aug-08 {926618A9-4035-4CD6-8240-64C58EB37B07} Aurigma Aurigma Image Uploader
Aug-08 {9275A865-754B-4EDF-B828-FED0F8D344FC} Aurigma Aurigma Image Uploader
Aug-08 {93441C07-E57E-4086-B912-F323D741A9D8} HP HP eDiag
Aug-08 {93C5524B-97AE-491E-8EB7-2A3AD964F926} Aurigma Aurigma Image Uploader
Aug-08 {947F2947-2296-42FE-92E6-E2E03519B895} Aurigma Aurigma Image Uploader
Aug-08 {974E1D88-BADF-4C80-8594-A59039C992EA} Aurigma Aurigma Image Uploader
Aug-08 {977315A5-C0DB-4EFD-89C2-10AA86CA39A5} Aurigma Aurigma Image Uploader
Aug-08 {9BAFC7B3-F318-4BD4-BABB-6E403272615A} Aurigma Aurigma Image Uploader
Aug-08 {A233E654-53FF-43AA-B1E2-60DA2E89A1EC} Aurigma Aurigma Image Uploader
Aug-08 {A3796166-A03C-418A-AF3A-060115D4E478} Aurigma Aurigma Image Uploader
Aug-08 {A73BAEFA-EE65-494D-BEDB-DD3E5A34FA98} Aurigma Aurigma Image Uploader
Aug-08 {A7866636-ED52-4722-82A9-6BAABEFDBF96} Aurigma Aurigma Image Uploader
Aug-08 {A95845D8-8463-4605-B5FB-4F8CFBAC5C47} HP HP eDiag
Aug-08 {AA13BD85-7EC0-4CC8-9958-1BB2AA32FD0B} Aurigma Aurigma Image Uploader
Aug-08 {AB049B11-607B-46C8-BBF7-F4D6AF301046} HP HP eDiag
Aug-08 {AB237044-8A3B-42BB-9EE1-9BFA6721D9ED} HP HP eDiag
Aug-08 {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} Aurigma Aurigma Image Uploader
Aug-08 {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} Aurigma Aurigma Image Uploader
Aug-08 {B0A08D67-9464-4E73-A549-2CC208AC60D3} Aurigma Aurigma Image Uploader
Aug-08 {B26E6120-DD35-4BEA-B1E3-E75F546EBF2A} Aurigma Aurigma Image Uploader
Aug-08 {B60770C2-0390-41A8-A8DE-61889888D840} Aurigma Aurigma Image Uploader
Aug-08 {B85537E9-2D9C-400A-BC92-B04F4D9FF17D} Aurigma Aurigma Image Uploader
Aug-08 {B95B52E9-B839-4412-96EB-4DABAB2E4E24} Aurigma Aurigma Image Uploader
Aug-08 {B9C13CD0-5A97-4C6B-8A50-7638020E2462} HP HP eDiag
Aug-08 {BA162249-F2C5-4851-8ADC-FC58CB424243} Aurigma Aurigma Image Uploader
Aug-08 {BF931895-AF82-467A-8819-917C6EE2D1F3} HP HP eDiag
Aug-08 {C70D0641-DDE1-4FD7-A4D4-DA187B80741D} HP HP eDiag
Aug-08 {C86EE68A-9C77-4441-BD35-14CC6CC4A189} Aurigma Aurigma Image Uploader
Aug-08 {C94188F6-0F9F-46B3-8B78-D71907BD8B77} HP HP eDiag
Aug-08 {CB05A177-1069-4A7A-AB0A-5E6E00DCDB76} Aurigma Aurigma Image Uploader
Aug-08 {CC7DA087-B7F4-4829-B038-DA01DFB5D879} Aurigma Aurigma Image Uploader
Aug-08 {CDAF9CEC-F3EC-4B22-ABA3-9726713560F8} HP HP eDiag
Aug-08 {CF08D263-B832-42DB-8950-F40C9E672E27} Aurigma Aurigma Image Uploader
Aug-08 {CF6866F9-B67C-4B24-9957-F91E91E788DC} HP HP eDiag
Aug-08 {D986FE4B-AE67-43C8-9A89-EADDEA3EC6B6} Aurigma Aurigma Image Uploader
Aug-08 {DC4F9DA0-DB05-4BB0-8FB2-03A80FE98772} HP HP eDiag
Aug-08 {DE233AFF-8BD5-457E-B7F0-702DBEA5A828} HP HP eDiag
Aug-08 {E12DA4F2-BDFB-4EAD-B12F-2725251FA6B0} HP HP eDiag
Aug-08 {E1A26BBF-26C0-401D-B82B-5C4CC67457E0} Aurigma Aurigma Image Uploader
Aug-08 {E4C97925-C194-4551-8831-EABBD0280885} Aurigma Aurigma Image Uploader
Aug-08 {E6127E3B-8D17-4BEA-A039-8BB9D0D105A2} Aurigma Aurigma Image Uploader
Aug-08 {F1F51698-7B63-4394-8743-1F4CF1853DE1} Aurigma Aurigma Image Uploader
Aug-08 {F399F5B6-3C63-4674-B0FF-E94328B1947D} Aurigma Aurigma Image Uploader
Aug-08 {F6A7FF1B-9951-4CBE-B197-EA554D6DF40D} Aurigma Aurigma Image Uploader
Aug-08 {F89EF74A-956B-4BD3-A066-4F23DF891982} Aurigma Aurigma Image Uploader
Aug-08 {FA8932FF-E064-4378-901C-69CB94E3A20A} Aurigma Aurigma Image Uploader
Aug-08 {FC28B75F-F9F6-4C92-AF91-14A3A51C49FB} Aurigma Aurigma Image Uploader
Oct-08 {0002E500-0000-0000-C000-000000000046} Microsoft OWC.Chart.9 
Oct-08 {0002E510-0000-0000-C000-000000000046} Microsoft OWC.Spreadsheet.9
Oct-08 {0002E511-0000-0000-C000-000000000046} Microsoft OWC9 Control
Oct-08 {0002E520-0000-0000-C000-000000000046} Microsoft OWC.PivotTable.9
Oct-08 {0002E530-0000-0000-C000-000000000046} Microsoft OWC.DataSourceControl.9
Oct-08 {AED98630-0251-4E83-917D-43A23D66D507} Microgaming Microgaming Download Helper
Oct-08 {F0E42D50-368C-11D0-AD81-00A0C90DC8D9} Microsoft Snapshot Viewer for Microsoft Access
Oct-08 {F0E42D60-368C-11D0-AD81-00A0C90DC8D9} Microsoft Snapshot Viewer for Microsoft Access
Oct-08 {F2175210-368C-11D0-AD81-00A0C90DC8D9} Microsoft Snapshot Viewer for Microsoft Access
Oct-08 {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} HusDawg Husdawg System Requirements Lab
Oct-08 {E48BB416-C578-4A62-84C9-5E3389ABE5FC} PhotoStockPlus PhotoStockPlus Uploader Tool
Oct-08 {FA91DF8D-53AB-455D-AB20-F2F023E498D3} Microsoft SQL Report Services Client Printing
Feb-09 {0ECD9B64-23AA-11D0-B351-00A0C9055D8E} Microsoft Hierarchical FlexGrid Control for VB6
Feb-09 {1E216240-1B7D-11CF-9D53-00AA003C9CB6} Microsoft Capicom
Feb-09 {248DD896-BB45-11CF-9ABC-0080C7E7B78D} Microsoft Capicom
Feb-09 {3A2B370C-BA0A-11D1-B137-0000F8753F5D} Microsoft Charts Control for VB6
Feb-09 {4788DE08-3552-49EA-AC8C-233DA52523B9} RIM Blackberry Application Web Loader
Feb-09 {6262D3A0-531B-11CF-91F6-C2863C385E30} Microsoft FlexGrid Control for VB6
Feb-09 {B09DE715-87C1-11D1-8BE3-0000F8754DA1} Microsoft Windows Common Control for VB6
Feb-09 {C932BA85-4374-101B-A56C-00AA003668DC} Microsoft Masked Edit Control for VB6
Feb-09 {CDE57A43-8B86-11D0-B3C6-00A0C90AEA82} Microsoft DataGrid  Control for VB6
Feb-09 {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} Akamai Akamai Download Manager
Jun-09 {00000032-9593-4264-8B29-930B3E4EDCCD} HP Virtual Rooms
Jun-09 {4C39376E-FA9D-4349-BACC-D305C1750EF3} Ebay Enhanced Picture Services
Jun-09 {648A5600-2C6E-101B-82B6-000000000014} Microsoft MSCOMM32.OCX ATL Loader in VB6
Jun-09 {C3EB1670-84E0-4EDA-B570-0B51AAE81679} Ebay Enhanced Picture Services
Jun-09 {D8089245-3211-40F6-819B-9E5E92CD61A2} Microgaming FlashXControl
Jul-09 {011B3619-FE63-4814-8A84-15A194CE9CE3} Microsoft msvidctl.dll
Jul-09 {0149EEDF-D08F-4142-8D73-D23903D21E90} Microsoft msvidctl.dll
Jul-09 {0369B4E5-45B6-11D3-B650-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {0369B4E6-45B6-11D3-B650-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {055CB2D7-2969-45CD-914B-76890722F112} Microsoft msvidctl.dll
Jul-09 {0955AC62-BF2E-4CBA-A2B9-A63F772D46CF} Microsoft msvidctl.dll
Jul-09 {15D6504A-5494-499C-886C-973C9E53B9F1} Microsoft msvidctl.dll
Jul-09 {1BE49F30-0E1B-11D3-9D8E-00C04F72D980} Microsoft msvidctl.dll
Jul-09 {1C15D484-911D-11D2-B632-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {1DF7D126-4050-47F0-A7CF-4C4CA9241333} Microsoft msvidctl.dll
Jul-09 {2C63E4EB-4CEA-41B8-919C-E947EA19A77C} Microsoft msvidctl.dll
Jul-09 {334125C0-77E5-11D3-B653-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {37B0353C-A4C8-11D2-B634-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {37B03543-A4C8-11D2-B634-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {37B03544-A4C8-11D2-B634-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {418008F3-CF67-4668-9628-10DC52BE1D08} Microsoft msvidctl.dll
Jul-09 {4A5869CF-929D-4040-AE03-FCAFC5B9CD42} Microsoft msvidctl.dll
Jul-09 {577FAA18-4518-445E-8F70-1473F8CF4BA4} Microsoft msvidctl.dll
Jul-09 {59DC47A8-116C-11D3-9D8E-00C04F72D980} Microsoft msvidctl.dll
Jul-09 {7F9CB14D-48E4-43B6-9346-1AEBC39C64D3} Microsoft msvidctl.dll
Jul-09 {823535A0-0318-11D3-9D8E-00C04F72D980} Microsoft msvidctl.dll
Jul-09 {8872FF1B-98FA-4D7A-8D93-C9F1055F85BB} Microsoft msvidctl.dll
Jul-09 {8A674B4C-1F63-11D3-B64C-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {8A674B4D-1F63-11D3-B64C-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {9CD64701-BDF3-4D14-8E03-F12983D86664} Microsoft msvidctl.dll
Jul-09 {9E77AAC4-35E5-42A1-BDC2-8F3FF399847C} Microsoft msvidctl.dll
Jul-09 {A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980} Microsoft msvidctl.dll
Jul-09 {A2E3074E-6C3D-11D3-B653-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {A2E30750-6C3D-11D3-B653-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE} Microsoft msvidctl.dll
Jul-09 {AD8E510D-217F-409B-8076-29C5E73B98E8} Microsoft msvidctl.dll
Jul-09 {B0EDF163-910A-11D2-B632-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {B64016F3-C9A2-4066-96F0-BD9563314726} Microsoft msvidctl.dll
Jul-09 {BB530C63-D9DF-4B49-9439-63453962E598} Microsoft msvidctl.dll
Jul-09 {C531D9FD-9685-4028-8B68-6E1232079F1E} Microsoft msvidctl.dll
Jul-09 {C5702CCC-9B79-11D3-B654-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {C5702CCD-9B79-11D3-B654-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {C5702CCE-9B79-11D3-B654-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {C5702CCF-9B79-11D3-B654-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {C5702CD0-9B79-11D3-B654-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7} Microsoft msvidctl.dll
Jul-09 {CAAFDD83-CEFC-4E3D-BA03-175F17A24F91} Microsoft msvidctl.dll
Jul-09 {D02AAC50-027E-11D3-9D8E-00C04F72D980} Microsoft msvidctl.dll
Jul-09 {F9769A06-7ACA-4E39-9CFB-97BB35F0E77E} Microsoft msvidctl.dll
Jul-09 {FA7C375B-66A7-4280-879D-FD459C84BB02} Microsoft msvidctl.dll

Leave a comment »

Reflections on July 2009 Patch Day

6 security bulletins released today – 3 Critical and 3 Important. Two of the issues are being actively exploited on the Internet and four of the issues are client-side vulnerabilities, which means the exploit can only occur if a user visits an evil website or opens a malformed document.

Today’s release is important because patches were released for two recent 0-day attacks – a QuickTime file parsing vulnerability and the recently announced Directshow vulnerability. Both vulnerabilities are reported as being actively exploited on the Internet.

While Microsoft has announced workarounds and/or provided Fixit tools for each of these issues, today’s patches will be welcomed by network administrators who have been tasked with remediating these issues. Shavlik recommends that network administrators download and install the patches for these two bulletins as soon as possible (MS09-032 and MS09-028)

Two of Microsoft’s other releases this month apply to products that you don’t see patched very often – ISA Server 2006 and Virtual PC. Although these two products are associated with security functions, neither flaw is as bad as it seems and Microsoft has rated the severity for each of these as Important.

Of the two remaining bulletins, one applies to Publisher (Important) and one applies to the Operating System (Critical). Neither of these issues were publicly known prior to release, though Shavlik recommends reviewing and installing each of these patches as appropriate on your networks. The Operating System patch (MS09-029) is particularly nasty and can execute when a user views an evil web page, email, or Office document.

Shavlik recommends installing MS09-028, 29, and 32 patches first (DirectShow, OS Font patch, and Video Control). These are the three Critical patches – which goes to show that Microsoft got the Severity ratings spot-on this month.

Details for MS09-032 and MS09-028:
MS09-032 is the bulletin for the QuickTime file parsing vulnerability. Clicking on an evil hyperlink or even hovering your mouse over a malformed QuickTime file could allow the attacker to execute code on your system. The attacker’s code would have the same level of permission to your computer as the person who is logged on to the computer. If you’re logged on as admin, the exploit could add or remove users and administrators from your machine, delete files, reformat your hard drive, or embed trojans or worms that could be used in future attacks.

It’s important to note for this issue that the presence or absence of Apple QuickTime is not relevant to whether or not your computer is vulnerable to this issue. The flaw resides in the Microsoft components that parse QuickTime files – so don’t believe that you’re safe just because you don’t have QuickTime installed. Also, the recent QuickTime patch from Apple (7.6.2) is not related to this issue.

MS09-032 is rated as Critical for all Operating Systems.

MS09-028 is the bulletin for the recently announced Microsoft DirectShow vulnerability. Viewing a malformed media file from a Windows XP or Windows Server 2003 system can enable the attacker to execute code on your system. Similar to MS09-032, the evil code will run in the context of the currently logged on user and can take any action on that system that the logged on user can take.

Microsoft released a FixIt tool that sets the browser killbits for this vulnerable section of code. The MS09-032 patch is a cumulative killbit patch that includes the killbits from the FixIt tool as well as all previously released ActiveX killbits. Users who installed the ActiveX cumulative patch from June 2009 and also ran the FixIt tool for the DirectShow have already implemented the complete set of killbits reprented by the MS09-028 patch. If you ran the FixIt tool or otherwise implemented the Microsoft suggested workaround you are safe – there’s no need to revert changes that you made.

While the public exploit only impacts XP and 2003 systems, Microsoft recommends installing this patch on all Operating Systems as it includes killbits for all previously known bad ActiveX controls.

Details for the remaining four:
MS09-029 applies to all Operating Systems and could be a particularly nasty issue if left unpatched. The flaw resides in the way that Microsoft parses embedded fonts on web pages, emails, and Office documents. (in this case, embedded opentype fonts. EOT fonts ensure that everyone viewing the text sees it formatted the same way.) Viewing an evil web page, email, or Office doc could allow the attacker to execute code on your system. Workarounds are available, but it requires two separate changes to be made – one to protect from web content and the other to protect from evil emails and documents.

MS09-030 is a vulnerability in Microsoft Publisher documents. Viewing a malformed document could allow the attacker to run code on your system. This seems like the hundredth vulnerability in Publisher this year, and the millionth ‘open an evil document and get hacked’ vulnerability in the past two years.

MS09-031 discusses an issue with ISA Server 2006. If the ISA Server is specifically configured to use Radius one-time-passwords AND to use Kerberos for authentication AND to fallback to basic http authentication when asked, the attacker may be able to access servers protected by the firewall if they know the username of those target systems. It sounds scary, but it’s probably a very small number of systems in the world that are configured exactly this way. An edge case at best. If you have an ISA Server 2006 and you’re concerned that you might meet all three criteria above, it’s best to patch your system.

MS09-033 relates to Guest Operating Systems that are hosted on Microsoft Virtual PC or Virtual Server. These virtualized systems are subject to a privilege escalation attack. (Non-virtualized systems are not vulnerable.) Users who can execute code on the virtual systems can run an exploit and become administrator on the virtual images. At no time can this flaw lead to compromise of the underlying Virtual PC or Virtual Server. IOW, it’s not the much-hyped but yet-to-be-seen exploit that crosses the virtualization barrier.

Leave a comment »