
15 September 2009

Microsoft Security Bulletins for June 2009

Contrary to speculations in the security community, last month's single security bulletin appears to have been an aberration rather than a sign that the patch burden for Microsoft products is diminishing. The 10 bulletins released in June are more in line with the historical number of monthly vulnerabilities. Six of them describe vulnerabilities affecting core Windows components, one affecting Internet Explorer and three affecting Microsoft Office.

It is notable that four of the ten security bulletins address publicly disclosed vulnerabilities: one in Internet Explorer, one in RPC, two in the Windows kernel and one in IIS. Microsoft's response time for last month's zero-day IIS vulnerability was faster than expected, but the DirectShow QuickTime parser vulnerability that became public on May 28 remains unpatched.

Tas Giakouminakis from Rapid7 said that "We've seen the patch window for Microsoft vulnerabilities shrink to the point where vulnerabilities are being exploited on the day the patches are released or even prior to that."

The active directory vulnerability (MS09-018) had the potential to be devastating for enterprise environments because it affects domain controllers, but fortunately it is ranked critical only for Windows 2000 systems. On Windows Server 2003 the vulnerability leads only to a denial of service.

Of more concern are the print spooler vulnerabilities in MS09-022. One of these is a critical remote code execution on Windows 2000, while the other two allow authenticated users to elevate their privileges on all versions of Windows.

Tas Giakouminakis from Rapid7 said that "The large number of vulnerabilities to be patched in June shows that attackers are not slowing down and the opportunities for them to infiltrate customer networks are increasing. The never-ending stream of Microsoft security bulletins highlights the need for proper patch cycle management and intrusion detection policies in all enterprises."

Microsoft PowerPoint Vulnerabilities

This week's Patch Tuesday is focused on PowerPoint vulnerabilities. Since PowerPoint files are frequently exchanged across organizational boundaries and are not blocked by most email gateways, this vector has been used extensively for targeted attacks in the past. At this point all customers should be well aware that attackers have been able to apply highly effective targeted fuzzing to the PowerPoint and other Microsoft Office file formats. Rapid7 expects that we'll see more vulnerabilities in those products in the future.

Microsoft Office vulnerabilities present a unique threat to organizations because they provide a way for attackers to easily breach the perimeter firewall to gain access to internal systems through email and to spread throughout the enterprise using network shares, internal email or collaboration systems like Microsoft SharePoint and Lotus Notes. A single email with a malicious PowerPoint attachment could be enough to compromise the desktops of enough critical personnel to cripple even a large enterprise.

We believe that a defense in depth approach is crucial to protecting enterprises from these attacks. The Microsoft Office Isolated Conversion Environment (MOICE), combined with system protections such as Data Execution Prevention (DEP), reduces the risk of successful exploitation. Outbound firewalls, limited user accounts and network segmentation are also highly recommended best practices.

The MS09-017 security bulletin released today includes a fix for 14 new vulnerabilities. It is interesting that most of them were reported to Microsoft by researchers working through the iDefense and TippingPoint vulnerability acquisition programs, rather than researchers working directly with the vendor. We believe that this is another example of the increased value of vulnerabilities and the amount of effort required to find them. The large number of vulnerabilities in PowerPoint is not that surprising, considering the immense attack surface and poor code quality of the legacy file format parsers in Microsoft Office. Unfortunately for most organizations there are few alternatives to exchanging Microsoft Office documents with untrusted parties over email. Even PDF, which for years has been considered more secure than the Office file formats, has proven to be riddled with vulnerabilities that attackers are actively exploiting.

The only good news is that so far we have seen very few vulnerabilities in the new XML based file formats introduced in Office 2007, which means that the measures Microsoft has taken in recent years to increase code quality and security are bearing fruit. Organizations that can afford to make a complete break with the legacy products and file formats will have a better security posture than those still supporting them.

At least one of the vulnerabilities fixed in this bulletin was a public zero day vulnerability described in the 969136 security advisory from Microsoft (dated April 2, 2009). This vulnerability was discovered in the wild and has been used in limited targeted attacks, but widespread exploitation is not currently being observed. It is however likely that this vulnerability would become known to a larger number of attackers in the days after the Microsoft patch is released. Customers who are at risk of targeted attacks are advised to apply this patch promptly, but in most organizations the update can be applied within the regular patch lifecycle.

These new vulnerabilities fit a common pattern many organizations fail to recognize. For example, Adobe has been the hot target lately due to well-publicized Reader vulnerabilities that hackers have exploited, both in limited targeted attacks and in mass exploitation for building botnets. As administrators continue to be on the lookout for new issues and rush to patch Adobe flaws, hackers will now revert back to "old" attack vectors that are not receiving as much attention, like PowerPoint and other Office vulnerabilities. The false sense of security around "old" threats is put to use all the time by hackers, and this see-saw approach keeps them one step ahead of organizations.

Downadup Internet Worm

Rapid7 warned of a sophisticated new Internet worm that threatens to steal personal and financial information from infected PCs. Within the previous two weeks the worm, Downadup (also known as "Conficker" and "Kido"), struck an estimated nine million machines worldwide. Fortunately, mitigation is easy.

Downadup takes advantage of a flaw in a Remote Procedure Call (RPC) within Windows Server. Using a rare out-of-cycle patch, Microsoft addressed this flaw in October 2008 by issuing Microsoft Security Bulletin MS08-067 and warned then that a similar RPC flaw back in 2003 had been used to produce the Blaster worm.

According to a SANS Internet Storm Center Diary entry on January 15, 2009, Downadup uses multiple vectors to infect PCs. Windows PCs not patched in October are especially vulnerable. However, new Downadup variants include the ability to crack administrator passwords and directly infect corporate PCs via network shares. Finally, Downadup can also infect removable drives, such as USB or external hard drives.

Once a Windows system is infected, Downadup attempts to download further malicious software. What makes Downadup different is that it generates up to 250 random URLs each day, with only one of those URLs being active. The active or "control" server is then used to download the malicious code, although for what purpose remains unclear.

The best protection is to install the MS08-067 patch if you haven't already done so, and to also change your administrator passwords immediately.

If your computer is already infected, most antivirus products and even Microsoft's free Malicious Software Removal Tool should be able to remove Downadup.

Microsoft rates MS09-001 as critical

Although there is only one Security Bulletin on this first Patch Tuesday of the New Year, it should not be dismissed. The patch issued today, MS09-001, resolves several privately reported vulnerabilities in Microsoft Server Message Block (SMB) Protocol, a protocol used for sharing files, printers, serial ports, and other communications.

Microsoft rates MS09-001 as critical, its highest rating, for users running Windows 2000, XP, and Server 2003, and moderate, its second highest rating, for users running Windows Vista and Server 2008. Installation of the patch will require a system restart.

There are three specific vulnerabilities addressed in today's bulletin. Microsoft says these flaws are unlikely to produce exploitable code because the first two (CVE-2008-4834 and CVE-2008-4835) only allow for one fixed value (zero) to be written and controlling what data is overwritten will also be difficult. The third vulnerability (CVE-2008-4114) affects all Windows systems and allows for a Denial of Service attack. It is because of the DoS threat that Microsoft recommends high priority updating of all SMB servers and Domain Controllers. Non-critical systems and those systems where SMB is blocked via a firewall could be considered less of a priority.

MS09-001 replaces the SMB patch MS08-063 issued last October.

Higher risk of SSL attacks for those relying on MD5 signed certificates

Summary

January 9, 2009 - Recently, a group of international security researchers demonstrated successful attacks against the Public Key Infrastructure (PKI) used to issue security certificates to Web sites when the signatures are generated with the MD5 hash function.

As a service to our customers, we are providing a summary of the vulnerability as well as steps for remediation.

Happily, the vulnerability is simple to identify and easy to remediate.

What is this attack?

HTTPS Web sites send their security certificates to inbound browsers to allow them to validate the identity of the sites to which they are connected. A security certificate contains the Web site's host name and its public key, and is cryptographically signed by a Certification Authority (CA). Browsers are also configured to trust a list of predefined authorities, each of which is represented by a self-signed certificate. A browser uses these trusted authorities to verify the digital signature of a Web site's certificate, and can thus help avoid phishing attacks.

In this particular attack, the researchers successfully created a valid intermediate CA certificate signed by a trusted authority. They then used it to generate arbitrary valid Web site certificates, allowing them to impersonate HTTPS Web sites, monitor or tamper with data sent to such Web sites, etc. This attack can affect any application using X.509 certificates signed using the popular MD5 mechanism. The hack was to prepare, using techniques to find MD5 collisions, one fake intermediate certificate that would be recognized as having been issued by the real CA (Verisign in this case).

The attack works as follows:
  • The attacker creates a rogue CA using vulnerabilities in MD5.
  • The attacker creates a valid HTTPS certificate for the target Web site.
  • The attacker uses this secure certificate to gain trusted status in mainstream browsers.
  • The attacker executes any number of browser-based attacks to gain sensitive data from end-users.

In practical terms, this means that someone in possession of such a rogue CA can launch what is known as a man-in-the-middle attack and gain access to your bank account by having you log on through their attack tool and recording your user ID and password! Other attacks could include directly tampering with data sent to secure Web sites and executing practically undetectable phishing attacks.

Summary remediation steps

In this situation, the best solution is to eliminate all MD5-based certificates. The summary steps to do so are outlined below.

Protect Web applications:
  • Identify any certificate or certificate chain using MD5. In particular, check for TLS/SSL server or client certificates. Rapid7 NeXpose scans for this vulnerability.
  • Migrate affected certificates from MD5 to SHA-1 or SHA-2.
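One way to carry out the "identify" step above, as an added example that is not Rapid7's or NeXpose's code: a dependency-free Python walker that reads the signatureAlgorithm OID out of a DER-encoded certificate and flags MD5-based algorithms. The two certificates it checks are constructed minimal DER placeholders built inline, not real certificates; a real chain would be fed in as the DER bytes of each certificate.

```python
"""Flag X.509 certificates whose signatureAlgorithm is MD5-based.
Minimal DER walker, standard library only. Sample certs are constructed."""

WEAK_OIDS = {  # signature algorithms a defender should flag
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
}
KNOWN_OIDS = {  # acceptable migration targets named on the page
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def _tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Convert OID content octets (base-128 arcs) to dotted notation."""
    arcs, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(str(val))
            val = 0
    return ".".join(arcs)

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    tag, start, _ = _tlv(der, 0)
    assert tag == 0x30, "outer Certificate must be a SEQUENCE"
    _, _, tbs_end = _tlv(der, start)       # skip tbsCertificate entirely
    tag, alg_start, _ = _tlv(der, tbs_end) # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30
    tag, oid_start, oid_end = _tlv(der, alg_start)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return _decode_oid(der[oid_start:oid_end])

def classify(der):
    """Return ('WEAK', name) for MD5/MD2 signatures, ('OK', name-or-oid) otherwise."""
    oid = signature_algorithm_oid(der)
    return ("WEAK", WEAK_OIDS[oid]) if oid in WEAK_OIDS else ("OK", KNOWN_OIDS.get(oid, oid))

def _fake_cert(alg_oid):
    """Constructed placeholder: tiny TBS, given AlgorithmIdentifier, dummy BIT STRING."""
    tbs, sig = b"\x30\x03\x02\x01\x02", b"\x03\x02\x00\xff"
    alg = b"\x30" + bytes([len(alg_oid) + 2]) + alg_oid + b"\x05\x00"
    body = tbs + alg + sig
    return b"\x30" + bytes([len(body)]) + body

MD5_CERT = _fake_cert(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04")     # md5WithRSA
SHA256_CERT = _fake_cert(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # sha256WithRSA
```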