COLUMN

Inside MSRC: Debunking Excel exploits

By Christopher Budd 11 Jul 2006 | SearchSecurity.com Digg This!     StumbleUpon     Del.icio.us

With seven bulletins, the July 2006 Microsoft monthly security bulletin release is smaller than last month's. In addition to being a smaller release, it is generally a simpler release from the standpoint of testing: This month's updates do not contain any non-security changes, like the Microsoft Exchange bulletin, MS06-029, or the Microsoft Internet Explorer bulletin, MS06-021, issued last month.

Overall, for this month you can best think of the updates as falling into three broad categories:

1. Three updates for Microsoft Office system applications
2. Two updates for networking components in Microsoft Windows
3. Two updates for systems running Internet Information Services (IIS)

About Inside MSRC As part of a special partnership with SearchSecurity.com, Christopher Budd, security program manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates. Also see: Inside MSRC: ActiveX change goes permanent Inside MSRC: Wisdom on Exchange security Inside MSRC: Microsoft details Internet Explorer ActiveX update

Because it is a smaller release, for this month's column I want to focus on providing additional clarification and information about the updates. Specifically, I will clarify what issues our updates for Office address. I will also provide some additional information about the possible vectors for attempts to exploit the vulnerabilities addressed in the two updates for networking components in Windows. Finally, I'll briefly touch on information that will help you understand the scope of the more serious of the two updates for systems running IIS.

Change to a June update
However, before talking about the July release, I wanted to provide some follow-up information regarding an update released in June, MS06-025. After its initial release, some issues were identified by our product support service teams working with customers.

We found that some users who required the use of legacy dial-up connections that use a terminal window, dial-up scripting, or used scripts to change device configuration parameters were experiencing some issues. We updated the Microsoft Knowledge Base article associated with MS06-025, 911280, to let customers know about this issue and the circumstances in which they might encounter this issue. On June 27, we released an updated version of MS06-025 that addressed the issues that had been identified.

One question we have received from customers is whether they need to apply the updated version of MS06-025. First, it's important to note that the re-released update contains no new security changes. Customers who have applied MS06-025 and not experienced any of the outlined issues do not need to apply this updated version. Only customers who either applied MS06-025 and encountered the known issues or have not yet applied MS06-025 need to apply the updated version. In fact, if you are using Windows Server Update Services (WSUS) or the Microsoft Baseline Security Analyzer (MBSA), these will not offer the new version of MS06-025 to systems that already have MS06-025 installed.

Updates for Office
With that said, let's discuss this month's updates. MS06-037 is the one we encourage people to look at first. This update addresses an issue we discussed in Microsoft Security Advisory 912365, titled "Vulnerability in Excel Could Allow Remote Code Execution," which we released on June 21, 2006. Because the vulnerability addressed by MS06-037 was subject to limited attacks at the time of the release of the bulletin, we encourage customers to prioritize this security update aggressively.

MS06-038 addresses two vulnerabilities, one of which was also publicly disclosed and exploited on an even more limited basis.

Finally, unlike MS06-037 and MS06-038, none of the vulnerabilities addressed by MS06-039 were publicly disclosed or exploited at the time of bulletin release.

It's important to note that these three Office updates are rated as critical for Office 2000 family products, they are rated as important for Office XP and Office 2003 family products. This is because Office XP and Office 2003 family products raise a security dialog box that an end-user must acknowledge before the Office file is opened, making any attempts to exploit this with malformed Office files more difficult.

Clarity on additional issues
Beyond reviewing the latest bulletins we are releasing for Office, I wanted to clarify a couple recent items of interest that might cause some confusion this month.

First, on June 20, 2006, there was a public posting of a proof-of-concept PERL script that claimed to demonstrate a vulnerability in Excel's processing of long links. We started an investigation as soon as we learned of this and posted information on our weblog about the issue. We learned it's not an issue in Excel, but rather with a Windows component called hlink.dll. That issue is still under investigation at this time and none of this month's bulletins apply to that issue.

Also, a public posting by a security researcher about how Microsoft Excel handles embedded vulnerable ActiveX controls may have caused some confusion. The posting discussed how it's possible to embed a vulnerable ActiveX control in an Excel spreadsheet and use that as a method to exploit the vulnerability in the ActiveX control.

The important thing to understand is that there is no vulnerability in Excel in this instance: The posting actually details a way to exploit vulnerabilities in certain ActiveX controls, not in Excel. Excel honors the so-called "killbit" function that prevents ActiveX controls from loading. Any time we ship a security update for an ActiveX Control, we set that "killbit" to prevent the old, vulnerable control from being usable. You can read more about killbits in Microsoft Knowledge Base article 240797.

Windows networking, IIS updates
Next, to help with your risk assessment process, let's discuss some details about the scope of the vulnerability addressed by MS06-036. This update is rated critical and addresses a vulnerability in the DHCP client. The vulnerability is exposed when the DHCP client has sent out a DHCP request and is waiting for a response from a DHCP server. This means that attempting to exploit the vulnerability requires very precise timing and the ability to generate DHCP server packets. Also, since most networks do not forward DHCP packets across subnets, attempts to exploit the vulnerability would be contained within the local subnet.

Speaking of networking, you'll want to note that the two vulnerabilities addressed in MS06-035 are related to how the server service handles Server Message Block (SMB) packets. This means that blocking Port 445 and Port 139 at your network perimeter will block attempts to exploit these vulnerabilities. This is a best practice we strongly recommend; if you don't currently block these ports, you should consider implementing that practice in addition to deploying these security updates.

MS06-034 is rated important and is the more serious of the two bulletins that apply to systems running IIS. One thing to note with this update is that it is a vulnerability that occurs when Active Server Pages (ASP) are processed. This means that any attempt to exploit the vulnerability would require placing a specially formed ASP page on the system to be processed. Any restrictions on the ability to place ASP pages on your IIS system work against attempts to exploit this vulnerability, so you can factor them into your risk assessment for this issue.

Legacy OS support ends
In closing, I would like to note that with the July Microsoft monthly security bulletin release our public support for security updates for Windows 98, Windows 98 Second Edition and Windows Millennium Edition stops. We provided additional support for critical security updates for these versions through Windows Update to allow customers additional time to migrate off them. With this expiration, we will no longer offer security updates for these versions of Windows. We encourage anyone who is still using these versions to upgrade to a version of Windows that we are still publicly supporting for security updates. Microsoft offers more information on its product support policies at the Microsoft Support Lifecycle Web site.

Also, on Wednesday, July 12, 2006, at 2:00 p.m. EDT, we'll host our live webcast, where we will talk about this month's release and answer your questions. We hope you'll join us.

Finally, mark your calendar for Tuesday, Aug. 8, 2006, for our August Microsoft monthly security bulletin release.

Tags: Security Patch Management,  Securing Productivity Applications,  Web Server Threats and Countermeasures,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates? Securing Productivity Applications How to detect software tampering Adobe fixes 29 flaws in Acrobat, Reader Adobe warns of critical update for Reader, Acrobat 9.1.3 Why should we place data files on a separate partition than the OS? Adobe updates ColdFusion, JRun, Flex Serious Adobe Flash flaw being exploited Adobe acknowledges serious Flash zero-day vulnerability Adobe issues security advisory for Flash zero-day flaw When to use the service features of the Metasploit hacking tool How to manage patches for Adobe Web Server Threats and Countermeasures VeriSign extends DDoS attack protection service Microsoft issues IIS FTP advisory, exploit code circulates Panda reports fast-spreading rogueware antivirus fraud rakes in millions Oracle issues quarterly patches, fixes database flaws Latest DDoS attacks extremely unsophisticated, experts say Stolen FTP credentials likely in massive website attacks Microsoft warns of IIS zero-day vulnerability How to find and stop automated SQL injection attacks How to spot attacks through Apache Web server log analysis Symantec acquires Mi5 Networks, bolsters Web security

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary