Posts tagged 0-day

Reflections on July 2009 Patch Day

6 security bulletins released today – 3 Critical and 3 Important. Two of the issues are being actively exploited on the Internet and four of the issues are client-side vulnerabilities, which means the exploit can only occur if a user visits an evil website or opens a malformed document.

Today’s release is important because patches were released for two recent 0-day attacks – a QuickTime file parsing vulnerability and the recently announced Directshow vulnerability. Both vulnerabilities are reported as being actively exploited on the Internet.

While Microsoft has announced workarounds and/or provided Fixit tools for each of these issues, today’s patches will be welcomed by network administrators who have been tasked with remediating these issues. Shavlik recommends that network administrators download and install the patches for these two bulletins as soon as possible (MS09-032 and MS09-028)

Two of Microsoft’s other releases this month apply to products that you don’t see patched very often – ISA Server 2006 and Virtual PC. Although these two products are associated with security functions, neither flaw is as bad as it seems and Microsoft has rated the severity for each of these as Important.

Of the two remaining bulletins, one applies to Publisher (Important) and one applies to the Operating System (Critical). Neither of these issues were publicly known prior to release, though Shavlik recommends reviewing and installing each of these patches as appropriate on your networks. The Operating System patch (MS09-029) is particularly nasty and can execute when a user views an evil web page, email, or Office document.

Shavlik recommends installing MS09-028, 29, and 32 patches first (DirectShow, OS Font patch, and Video Control). These are the three Critical patches – which goes to show that Microsoft got the Severity ratings spot-on this month.

Details for MS09-032 and MS09-028:
MS09-032 is the bulletin for the QuickTime file parsing vulnerability. Clicking on an evil hyperlink or even hovering your mouse over a malformed QuickTime file could allow the attacker to execute code on your system. The attacker’s code would have the same level of permission to your computer as the person who is logged on to the computer. If you’re logged on as admin, the exploit could add or remove users and administrators from your machine, delete files, reformat your hard drive, or embed trojans or worms that could be used in future attacks.

It’s important to note for this issue that the presence or absence of Apple QuickTime is not relevant to whether or not your computer is vulnerable to this issue. The flaw resides in the Microsoft components that parse QuickTime files – so don’t believe that you’re safe just because you don’t have QuickTime installed. Also, the recent QuickTime patch from Apple (7.6.2) is not related to this issue.

MS09-032 is rated as Critical for all Operating Systems.

MS09-028 is the bulletin for the recently announced Microsoft DirectShow vulnerability. Viewing a malformed media file from a Windows XP or Windows Server 2003 system can enable the attacker to execute code on your system. Similar to MS09-032, the evil code will run in the context of the currently logged on user and can take any action on that system that the logged on user can take.

Microsoft released a FixIt tool that sets the browser killbits for this vulnerable section of code. The MS09-032 patch is a cumulative killbit patch that includes the killbits from the FixIt tool as well as all previously released ActiveX killbits. Users who installed the ActiveX cumulative patch from June 2009 and also ran the FixIt tool for the DirectShow have already implemented the complete set of killbits reprented by the MS09-028 patch. If you ran the FixIt tool or otherwise implemented the Microsoft suggested workaround you are safe – there’s no need to revert changes that you made.

While the public exploit only impacts XP and 2003 systems, Microsoft recommends installing this patch on all Operating Systems as it includes killbits for all previously known bad ActiveX controls.

Details for the remaining four:
MS09-029 applies to all Operating Systems and could be a particularly nasty issue if left unpatched. The flaw resides in the way that Microsoft parses embedded fonts on web pages, emails, and Office documents. (in this case, embedded opentype fonts. EOT fonts ensure that everyone viewing the text sees it formatted the same way.) Viewing an evil web page, email, or Office doc could allow the attacker to execute code on your system. Workarounds are available, but it requires two separate changes to be made – one to protect from web content and the other to protect from evil emails and documents.

MS09-030 is a vulnerability in Microsoft Publisher documents. Viewing a malformed document could allow the attacker to run code on your system. This seems like the hundredth vulnerability in Publisher this year, and the millionth ‘open an evil document and get hacked’ vulnerability in the past two years.

MS09-031 discusses an issue with ISA Server 2006. If the ISA Server is specifically configured to use Radius one-time-passwords AND to use Kerberos for authentication AND to fallback to basic http authentication when asked, the attacker may be able to access servers protected by the firewall if they know the username of those target systems. It sounds scary, but it’s probably a very small number of systems in the world that are configured exactly this way. An edge case at best. If you have an ISA Server 2006 and you’re concerned that you might meet all three criteria above, it’s best to patch your system.

MS09-033 relates to Guest Operating Systems that are hosted on Microsoft Virtual PC or Virtual Server. These virtualized systems are subject to a privilege escalation attack. (Non-virtualized systems are not vulnerable.) Users who can execute code on the virtual systems can run an exploit and become administrator on the virtual images. At no time can this flaw lead to compromise of the underlying Virtual PC or Virtual Server. IOW, it’s not the much-hyped but yet-to-be-seen exploit that crosses the virtualization barrier.

Leave a comment »

Microsoft releases patch for Powerpoint 0-day flaw

Microsoft patched all Windows versions of Powerpoint today – addressing both a 0-day flaw and 13 other privately reported security vulnerabilities. The 0-day vulnerability enabled attackers to take over client machines if a user opened a malformed powerpoint document or visited an evil website. The attacker would be able to execute code on the user’s machine with the same level of permissions afforded to the logged on user. (If the user was logged on as an administrator, the evil code could execute as admin. If the user was logged on as a user-level account, then the evil code could only execute with user permissions and not admin permissions).

Microsoft has NOT released a patch at this time for Powerpoint on Mac. They said they weren’t seeing this flaw being executed against Macs and therefore didn’t want to hold up release of this patch for Windows machines while they finished the Mac patch. The patch for Powerpoint on Mac will be released at a later date.

The patches released today include versions of Powerpoint that weren’t flagged as vulnerable to the zero-day as Microsoft also included fixes for 13 additional vulnerabilities that were privately reported. Some of these vulnerabilities impact the newer versions of Powerpoint that were not vulnerable to the 0-day. Included in today’s release are patches for the Powerpoint viewer as well as the full version of Powerpoint.

Security patches for items like Powerpoint are considered ‘client-side’ patches because they can only attack a machine once a user has taken an action on their computer. Typical client-side actions might include opening malicious documents, reading an evil email, or viewing an evil web page. These types of attacks are usually constrained to systems where a user is interactively working on the desktop. Systems which don’t have a lot of user interaction at the desktop, like servers, are usually less susceptible to client-side attacks, though they are just as vulnerable if a user performs one of these actions at the desktop. In most cases, client side exploits only obtain the same level of access on the system as that of the currently logged on user.

Server-side attacks, on the other hand, don’t require user interaction to exploit vulnerabilities. Both workstations and servers are susceptible to server-side attacks. Server-side vulnerabilities leverage flaws in ‘services’ that are running on machines such as web services, file and print services, and networking services (such as TCP/IP or NetBIOS). Because these services are constantly running and are exposed externally on the system, no user interaction is required to interact with these services. This means the exploit can propagate from machine to machine very quickly. SQL Slammer, Nimda, Code Red, and Conficker are all examples of server-side exploitation. In many instances, server-side exploitation leads to administrative or ‘system’ level access on the target computer.

Viruses are a great example of a client-side vulnerability. Because it’s client-side, viruses usually require user interaction in order to spread and are therefoew slower to spread than a Worm. Worms, on the other hand, are representative of server-side exploitation. Since a worm doesn’t require user intervention to spread, it can propagate to other systems very rapidly.

Based on these definitions, today’s Powerpoint release addresses a client-side vulnerability. Its attack vector is dependant upon a user performing an action. As a result, we won’t see rapid propagation of infected systems through this vector (though once a machine is infected, it could launch other attacks using worm-like server side attack mechanisms such as Conficker). Best to patch your client-side systems (where users interact with the desktop) for this issue first, then patch any servers where Powerpoint products may be installed.

Leave a comment »

Excel zero day flaw announced

Microsoft released a security advisory today about a new Excel vulnerability.

This vulnerability impacts all versions of Microsoft Excel from 2000 to 2007.

In order to exploit a system, the attacker needs to entice the user to open a malformed Excel document. If this happens, the attacker can then take any action on the target system under the context of the logged on user. If the logged on user is an administrator, then the attacker can do anything they wish on the system (delete files, reformat the hard drive, steal information from the system, etc.). If the logged on user is a ‘user’ on the system (and not admin), then the attacker has fewer options on the box (read data accessible to the end user, delete data written by the end user, etc.).

Microsoft is researching the issue and will probably create a patch to fix the issue.

This is not unlike any other Microsoft Office vulnerability, except in this instance, knowledge of the vulnerability has been made public before a patch is available. Shavlik encourages users not to open Excel documents from unknown senders or locations.

Leave a comment »

Zero Day vulnerability in Adobe Reader and Adobe Acrobat

A security vulnerability was recently identified in two Adobe products that could allow attackers to take complete control of your system. Opening a malformed PDF document could allow unintended code to execute without the knowledge of the local user. The evil code could do anything on the system, up to the level of access given to the currently logged on user. Security researchers are seeing limited, targeted attacks in the wild. In most instances, the evil PDF file will crash the Adobe application, and in some instances may try and entice users to install a malicious anti-spyware application.

Adobe intends to patch their PDF products starting on March 11, 2009. Until the patch is released, users may protect themselves by disabling JavaScript in their Adobe applications. However, recent research indicates that even this workaround (disabling JavaScript) does not prevent exploitation of this vulnerability.

More info here:

The official Adobe response here:

Leave a comment »

Internet Explorer Zero Day Mass Hysteria

An article was posted online today at a tech publication that mentions the Internet Explorer zero-day vulnerability and includes suggestions from un-named security experts to ‘switch to an alternative internet browser, such as Firefox or Google Chrome.’

This is all overblown.

Yes, an unpatched security vulnerability exists in Internet Explorer. Yes, it’s being actively exploited on the Internet, and Yes, even visiting legitimate websites can lead to compromise*.

No, this isn’t very different than previously announced zero day exploits (except we’re seeing a wider distribution of the exploit and more machines being hacked.) No, the world isn’t coming to an end, and No, you don’t need to change your browser.

ZDNet security bloggers are claming that Microsoft is on target to release an out-of-band security patch for this IE issue as early as tomorrow (December 17th). When it is released, install the patch. Until then, read the workarounds posted by Microsoft to help protect yourself from this issue.

While you’re at it, install all the other security patches that may be missing on your system. One unpatched issue on your system is equal to a zero-day flaw that may be exploited on the Internet. Unless you’re fully patched, you’re not patched at all.

* Hackers are planting the exploit on non-nefarious websites via SQL injection techniques. This means that visiting supposedly safe websites can lead to compromise via this IE flaw. These ‘legit’ websites have even bigger issues, as this means attackers were able to exploit poor SQL coding practices on these sites that enables hackers to inject evil code on the websites.

Leave a comment »

Protection against Safari

Microsoft has issued a Security Advisory to alert folks to a security risk if they are running Apple’s Safari web browser on a Microsoft system. (

What is the issue? The Safari web browser doesn’t prompt users before downloading and saving files to their system. In contrast, both Internet Explorer and Mozilla Firefox prompt users before saving downloaded files to the system.

This ‘oversight’ on Apple’s part can put users at risk. Specifically, visiting a malicious website with Safari can cause an unintended download of software to the machine. This software can also be automatically executed on the machine – all without the user’s consent. In short – a very bad thing.

While Apple considers adding a ‘feature’ to prompt users before downloading files, and while Microsoft ponders if it can do anything via a security patch, the best advice is not to use Safari.

(Shavlik customers running NetChk Protect can perform a NonBizWare spyware scan to help identify Safari installations and automatically remove them as desired.)

Leave a comment »