Inside MSRC: Microsoft Server flaw should be given high priority

By Christopher Budd
10 Jul 2007 | SearchSecurity.com


Administrators should be aware of the expiration of support for Software Update Services (SUS) 1.0 this month. In addition, administrators should evaluate, test and deploy security updates associated with six new security bulletins affecting Microsoft Windows, Microsoft Office and the Microsoft .NET Framework. Administrators should pay particular attention to MS07-039, which addresses a vulnerability in servers running Active Directory.

As I do each month, I'll cover this important information in more detail to help with your risk assessment, planning and deployment.

SUS 1.0 expiration

First, I have to correct an error in last month's Inside the MSRC column regarding the expiration of support for SUS 1.0. The July release, not the June release, marks the last release that we will be providing updates through SUS 1.0. That means if you are still running SUS 1.0, you will receive this month's security updates. However, you will not receive any further security updates through SUS 1.0.

About Inside MSRC:
As part of a special partnership with SearchSecurity.com, Christopher Budd, security program manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates.

It is critical that you upgrade immediately from SUS 1.0 to a supported version of Windows Server Update Services (WSUS): either WSUS 2.0 or the new WSUS 3.0. More information is available about WSUS 2.0 and WSUS 3.0.

Servers running Active Directory: MS07-039

MS07-039 addresses a vulnerability in Windows 2000 Server and Windows Server 2003 servers running Active Directory. This is a remote code execution vulnerability in the processing of Lightweight Directory Access Protocol (LDAP) requests. Because the vulnerability is in LDAP request processing, an attacker could attempt to exploit it by sending a malformed LDAP packet to an Active Directory server over port 389. The most likely impact of an attack would be a denial of service; however, it is possible to run code in the security context of the operating system. On Windows 2000 Server, the LDAP interface on Active Directory servers allows anonymous, unauthenticated access. On Windows Server 2003, this interface requires authentication, meaning an attempt to exploit the vulnerability would require valid logon credentials.

Because Active Directory is a critical piece of the networking infrastructure, administrators should make testing and deploying the updates for this issue a high priority. In addition, Windows 2000 Server customers in particular may want to consider implementing workarounds such as Internet Protocol security (IPsec) until they have completed the testing and deployment of the updates.

Windows XP Professional SP2 running Internet Information Services: MS07-041

MS07-041 addresses a remote code execution vulnerability on Windows XP Professional Service Pack 2 systems that are running Internet Information Services (IIS) 5.1 only. The impact of a successful attack would be code execution in the operating system's security context. Because IIS is more commonly associated with server systems like Windows Server 2003, I want to clarify the scope of products affected by this bulletin.

Windows 2000 servers running IIS 5.0 and Windows Server 2003 servers running IIS 6.0 are not affected by this vulnerability. If you are running IIS on either of these platforms, you do not need to take any action because your systems are not vulnerable.

MS07-041 applies only to IIS 5.1, which is only available for Windows XP Professional. The specific component that has the vulnerability was only included with IIS 5.1 on Windows XP Professional. Windows Vista does not contain the vulnerability.

Finally, note that IIS 5.1 is not installed by default on Windows XP SP2. If you're not running IIS 5.1, then you do not need to apply this update. However, if you are running IIS 5.1, you should make this update a priority.

Binary data files: MS07-036 and MS07-037

Now I'll share details around the two bulletins for Microsoft Office this month: MS07-036 and MS07-037. The MS07-036 bulletin addresses three code execution vulnerabilities in currently supported versions of Excel. It is rated critical for Excel 2000 and important for all other versions of Excel. The MS07-037 bulletin, rated as important, addresses a code execution vulnerability in Microsoft Publisher 2007.

The vulnerabilities in question are related to how Excel and Publisher handle malformed data elements in binary data files. If a user were to open a specially malformed binary data file either from a Web site or as an e-mail attachment, an attacker's code could take any actions on the system that the user could take.

With MS07-036, only one of the three vulnerabilities affects Excel 2007. More importantly, the vulnerability is specific to Excel spreadsheets in the binary file format; the new default Open XML Excel 2007 file format is not affected. This means that Excel 2007 and Excel 2003 customers can take extra steps to protect themselves by using the Microsoft Office Isolated Conversion Environment (MOICE) and restricting the opening or saving of types of files (sometimes called "file blocking"). I discussed these options in last month's column in relation to Microsoft Security Advisory (937696). If you are using Office 2003 or Office 2007, you can use these two tools to provide extra protection until you deploy the security update. Together, these tools will help prevent Office 2003 or Office 2007 users from opening Excel binary data files directly, which protects against malicious malformed Excel binary data files.

You can find more detail on these workarounds in the security bulletin, MS07-037.

The MS07-037 bulletin affects Publisher 2007 only. However, unlike Excel 2007, Publisher 2007 continues to use a binary data file format rather than an XML-based data file format. So the workarounds that can provide protection for Excel 2007 by leveraging the new Office Open XML file formats cannot protect against malformed Publisher binary data files.

Information disclosure via Teredo: MS07-038

The MS07-038 bulletin addresses an information disclosure vulnerability in Windows Vista. Specifically, it is possible for an attacker to utilize the Teredo interface to bypass firewall rules and obtain information about the user's system. There is no possibility of code execution from this vulnerability.

The Teredo interface provides transition support for TCP/IP version 6 networking when these systems are behind TCP/IP version 4 Network Address Translators (NATs). In the case of this vulnerability, when the Teredo interface is running, it can respond to anonymous requests to return the system's Teredo address or information about what services are running. For an attacker to exploit the vulnerability, the Teredo interface must be active. By default, the Teredo interface is not active when the network profile is set to "public". However, a user could activate the Teredo interface without realizing it by clicking on a specially formed link. In addition, some networking services such as Remote Assistance or Meeting Space will activate the Teredo interface by default.

While this is an information disclosure issue only, we encourage customers to apply this security update to their affected systems.
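A host triage script for the bulletins discussed above, added here as an example rather than code from Microsoft or this column. It assumes Windows PowerShell 2.0 or later with WMI access to the target (Windows 2000 has no PowerShell, so query such hosts remotely by name) and covers MS07-039, MS07-041 and MS07-038 only; the Office bulletins depend on the installed Office version and are left to the admin.

```powershell
param([string]$Computer = '.')   # '.' = local host; a remote name is queried over WMI

# Constructed helper, not Microsoft's tooling: report which of the July 2007 bulletins
# covered above can apply to a host. OS version 5.0 = Windows 2000, 5.1 = XP,
# 5.2 = Server 2003, 6.0 = Vista (assumption: Windows PowerShell with WMI access).
$os   = Get-WmiObject Win32_OperatingSystem -ComputerName $Computer
$ver  = [version]$os.Version
$role = (Get-WmiObject Win32_ComputerSystem -ComputerName $Computer).DomainRole
$findings = @()

# MS07-039: only Active Directory servers (domain controllers) answer LDAP on TCP 389.
# Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
if ($role -ge 4 -and $ver.Major -eq 5) {
    if ($ver.Minor -eq 0) {
        $findings += 'MS07-039: Windows 2000 DC, LDAP accepts anonymous requests; patch first, consider IPsec meanwhile'
    } else {
        $findings += 'MS07-039: Windows Server 2003 DC, LDAP requires credentials; still high priority'
    }
}

# MS07-041: IIS 5.1 exists only on Windows XP Professional (5.1) and is not installed
# by default, so the presence of the W3SVC service is the tell-tale.
$w3svc = Get-WmiObject Win32_Service -ComputerName $Computer -Filter "Name='W3SVC'"
if ($ver.Major -eq 5 -and $ver.Minor -eq 1 -and $w3svc) {
    $findings += 'MS07-041: IIS 5.1 (W3SVC) is installed on this Windows XP host'
}

# MS07-038: Windows Vista (6.0) is exposed only while the Teredo interface is active.
# netsh runs locally, so the Teredo state is reported for the local host only.
if ($ver.Major -eq 6) {
    $findings += 'MS07-038: Windows Vista host, apply the update'
    if ($Computer -eq '.') {
        $state = netsh interface teredo show state |
                 Select-String -Pattern '^\s*(Type|State)\s*:' |
                 ForEach-Object { $_.Line.Trim() }
        $findings += "  Teredo: $($state -join '; ')"
    }
}

if ($findings.Count -eq 0) {
    "$($os.CSName): none of MS07-038/039/041 applies (OS $($os.Version) SP$($os.ServicePackMajorVersion))"
} else {
    "$($os.CSName):"
    $findings | ForEach-Object { "  $_" }
}
```

Run it once per host (for example `.\triage.ps1 -Computer DC01`) and feed the output into the deployment order for this month's updates.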

Conclusion

Finally, I want to share a reminder that we'll be holding our live webcast to address questions about this month's security bulletin with our subject matter experts on Wednesday, July 11, 2007, at 11 a.m. PDT. Mike Reavey and I will cover this month's release, then answer listeners' questions live on the air. If you can't participate in the live webcast, you can always listen to it later on-demand. You can register for it at this location.

The August 2007 monthly bulletin release is scheduled for Tuesday, Aug. 14. I'll be back then with information you can use for your assessment and deployment of that month's security updates.
