Inside MSRC: Microsoft explains Word, Publisher flaws

By Bill Sisk
13 May 2008 | SearchSecurity.com


The bulletin count for the May release is relatively small but no less important than larger months. There are three bulletins that are rated as Critical, and a fourth rated as Moderate.

If you are an avid racquetball player, like I am, you will understand that it's critical to assess your opponent and choose your strategy within the first few serves to get and maintain control of the game – especially in light of the fact that racquetball is a very fast paced game. The information that I will provide you today will help you make quick risk assessments for devising your deployment strategy and timelines.

To begin with, I will review two bulletins, MS08-026 and MS08-028, that are related to Microsoft Security Advisory (950627), which warned about a vulnerability in the Microsoft Jet Database Engine 4.0. Secondly, I will review the other two bulletins, MS08-027 and MS08-029. Lastly, I will talk about the newly released version of the Microsoft Baseline Security Analyzer.

About Inside MSRC:
As part of a special partnership with SearchSecurity.com, Bill Sisk, the response communication manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates.


MS08-026
MS08-026 addresses two remote code execution vulnerabilities, as well as a defense-in-depth fix. All versions of Microsoft Office are affected. The aggregate rating of the bulletin is Critical. However, this rating only applies to Office 2000. Higher versions are only rated as Important. They are rated as important because Microsoft Word 2002 and newer versions have a built-in feature that prompts a user to "Open", "Save", or "Cancel" before accessing a document. This safety measure is also available for Office 2000 as an add-on and is called the Office Document Open Confirmation Tool for Office 2000.

The defense-in-depth fix that I mentioned earlier is related to Microsoft Security Advisory (950627), which warned of a vulnerability in the Microsoft Jet Database Engine version 4.0. The defense-in-depth fix, in this security update, MS08-026, blocks a known attack vector using Microsoft Word. A Jet Database file can be opened from a Microsoft Word document, email, or by visiting a malicious website. With the defense-in-depth fix, Microsoft Word will now prompt a user for confirmation before running SQL commands or queries when opening Microsoft Word documents. In short, with this security update installed, it will block the currently known attack vector for the Microsoft Jet Database Engine version 4.0 vulnerability, as well as address the two remote code execution vulnerabilities in Microsoft Word.

It is important to note that installing the Microsoft Jet Database Engine version 4.0 security update is still necessary given that this is where the vulnerability resides and there could possibly be new attack vectors in the future. I will now turn your attention to the bulletin that addresses the vulnerability in Microsoft Jet Database Engine version 4.0.

MS08-028
The Microsoft Jet Database Engine version 4.0 provides data access to applications such as Microsoft Access, Microsoft Visual Basic, and third party applications. A remote code execution vulnerability exists in the Microsoft Jet Database Engine version 4.0. An attack could be levied against the vulnerability by creating a specially crafted database query and sending it through an application that is using the Microsoft Jet Database Engine version 4.0 on an affected system. We have addressed this vulnerability by modifying the way that the Microsoft Jet Database Engine version 4.0 parses data within a database. There are a few key tidbits that I want to point out that will help you with your prioritization and deployment strategy.

First, Microsoft Jet Database Engine version 4.0.9505.0 or higher is not vulnerable. This version was shipped with Windows XP Service Pack 3, Windows Server 2003 Service Pack 2, Windows Vista, and Windows Server 2008. These versions of the operating system are not affected by this vulnerability.

Secondly, there are viable workarounds to protect you from possible attacks until you are able to deploy the security update. One way is by blocking .mdb files from being processed through your mail infrastructure. Instructions on how to implement this and other workarounds can be found in the bulletin.
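An added example of the mail-side workaround described above (not code from Microsoft or SearchSecurity): a standard-library Python filter that flags Jet database attachments in a raw message. It goes slightly beyond the bulletin's .mdb rule by also checking the file header, on the assumption that Jet 4.0 database files carry the literal "Standard Jet DB" at offset 4, so a renamed attachment is still caught; the sample messages are constructed inline.

```python
import email
from email import policy
from email.message import EmailMessage

# Extension named in the MS08-028 workaround.
BLOCKED_EXTENSIONS = (".mdb",)
# Assumed Jet 4.0 header: four bytes, then this literal signature.
JET_SIGNATURE = b"Standard Jet DB"


def is_jet_attachment(filename: str, payload: bytes) -> bool:
    """True if the part looks like a Jet database by name or by header."""
    name = (filename or "").lower().rstrip(". ")  # defeat trailing dot/space trick
    if name.endswith(BLOCKED_EXTENSIONS):
        return True
    return payload[4:4 + len(JET_SIGNATURE)] == JET_SIGNATURE


def blocked_attachments(raw: bytes) -> list:
    """Return filenames of attachments in a raw RFC 822 message to hold back."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename is None:
            continue  # inline body text, not an attachment
        payload = part.get_payload(decode=True) or b""
        if is_jet_attachment(filename, payload):
            hits.append(filename)
    return hits


def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed demo message with one attachment (not a real capture)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "figures"
    m.set_content("see attached")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed payload that mimics the assumed Jet header.
JET_BYTES = b"\x00\x01\x00\x00" + JET_SIGNATURE + b"\x00" * 16

if __name__ == "__main__":
    print(blocked_attachments(build_sample("Report.MDB", b"x")))       # ['Report.MDB']
    print(blocked_attachments(build_sample("notes.txt", JET_BYTES)))   # ['notes.txt']
    print(blocked_attachments(build_sample("notes.txt", b"hello")))    # []
```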

Finally, with MS08-026, Microsoft is providing a comprehensive update to protect customers from the Jet Database Engine 4.0 vulnerability. Customers who apply MS08-026 and MS08-028 will be protected against the vulnerability and the attack vector itself.

MS08-027
MS08-027 addresses a remote code execution vulnerability in Microsoft Publisher. It is rated Critical for Microsoft Publisher 2000. If you have installed the Office Document Open Confirmation Tool for Office 2000, you will be prompted with "Open", "Save", or "Cancel" before accessing a document. In addition, if you are running Microsoft Publisher 2002 or later you will find that this feature is already built-in. This is why these versions are rated as important.

MS08-029
MS08-029 addresses a vulnerability in Microsoft Malware Protection Engine. This bulletin is rated as Moderate. The impact of the vulnerabilities is two-fold: 1) a denial of service, where a malformed file is being scanned and the affected product stops responding and restarts; or 2) the targeted system scans a malformed file and large temporary files are created – thereby causing disk-space exhaustion. However, after the Microsoft Malware Protection Engine has restarted, the temporary files that were created are deleted. In a fair number of scenarios, update services for an affected product automatically update the Microsoft Malware Protection Engine. So, there is no action that an administrator needs to take. Please see the bulletin to identify these scenarios and the scenarios where a manual action needs to be performed.

Microsoft Baseline Security Analyzer 2.1 (MBSA 2.1)
The new and latest version of MBSA has been released to the web. As in the past, MBSA is free for download. Among other new features, MBSA fully supports Windows Vista, as well as Windows 2008, Windows XP Embedded platform, and Windows Server Update Services 2.0 and 3.0. The new version of MBSA still covers the full breadth of Microsoft products such as Microsoft SQL Server, Internet Explorer and Microsoft Office, to name a few. In fact, it can be used for your detection and deployment strategy for all of this month's bulletins.

Conclusion

I want to encourage you to take a moment and register for the Microsoft regular monthly security bulletin webcast, which will be held on Wednesday, May 14, at 11:00 a.m., Pacific Standard Time.

Adrian Stone, lead security program manager, and Tim Rains, security response communications lead, will review information about each bulletin to help you with your planning and deployment. After our review session, they will answer your questions – with information from our assembled panel of experts. If you can't make the live webcast, you can also access it on-demand.

Please take a moment and mark your calendars for the June 2008 monthly bulletin. The release is scheduled for Tuesday, June 11, 2008, and the advance notification is scheduled for Thursday, June 5, 2008. Look for the June edition of this column on release day with information to help you with your planning and deployment of the most recent security bulletins.
