Patch Tuesday: 13 new patches to fix 26 holes in Windows. Make sure you update your systems.

Feb-4th-2010

********************************************************************

Microsoft Security Bulletin Advance Notification for February 2010

Issued: February 4, 2010

********************************************************************

This is an advance notification of security bulletins that Microsoft is intending to release on February 9, 2010.

The full version of the Microsoft Security Bulletin Advance Notification for February 2010 can be found at http://www.microsoft.com/technet/security/bulletin/ms10-feb.mspx.

This bulletin advance notification will be replaced with the February bulletin summary on February 9, 2010. For more information about the bulletin advance notification service, see http://www.microsoft.com/technet/security/Bulletin/advance.mspx.

To receive automatic notifications whenever Microsoft Security Bulletins are issued, subscribe to Microsoft Technical Security Notifications on http://www.microsoft.com/technet/security/bulletin/notify.mspx.

Microsoft will host a webcast to address customer questions on these bulletins on February 10, 2010, at 11:00 AM Pacific Time (US & Canada). Register for the Security Bulletin Webcast at http://www.microsoft.com/technet/security/bulletin/summary.mspx.

Microsoft also provides information to help customers prioritize monthly security updates with any non-security, high-priority updates that are being released on the same day as the monthly security updates. Please see the section, Other Information.

This advance notification provides a number as the bulletin identifier, because the official Microsoft Security Bulletin numbers are not issued until release. The bulletin summary that replaces this advance notification will have the proper Microsoft Security Bulletin numbers (in the MSyy-xxx format) as the bulletin identifier. The security bulletins for this month are as follows, in order of severity:

Critical Security Bulletins
===========================

Bulletin 1

- Affected Software:
  - Microsoft Windows 2000 Service Pack 4
  - Windows XP Service Pack 2 and Windows XP Service Pack 3
  - Windows XP Professional x64 Edition Service Pack 2
  - Windows Server 2003 Service Pack 2
  - Windows Server 2003 x64 Edition Service Pack 2
  - Windows Server 2003 with SP2 for Itanium-based Systems
  - Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
  - Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
  - Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 (Windows Server 2008 Server Core installation affected)
  - Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 (Windows Server 2008 Server Core installation affected)
  - Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
  - Windows 7 for 32-bit Systems
  - Windows 7 for x64-based Systems
  - Windows Server 2008 R2 for x64-based Systems (Windows Server 2008 R2 Server Core installation affected)
  - Windows Server 2008 R2 for Itanium-based Systems
- Impact: Remote Code Execution
- Version Number: 1.0

Bulletin 2

- Affected Software:
  - Microsoft Windows 2000 Service Pack 4
  - Windows XP Service Pack 2 and Windows XP Service Pack 3
  - Windows XP Professional x64 Edition Service Pack 2
  - Windows Server 2003 Service Pack 2
  - Windows Server 2003 x64 Edition Service Pack 2
  - Windows Server 2003 with SP2 for Itanium-based Systems
- Impact: Remote Code Execution
- Version Number: 1.0

Bulletin 3

- Affected Software:
  - Microsoft Windows 2000 Service Pack 4
  - Windows XP Service Pack 2 and Windows XP Service Pack 3
  - Windows XP Professional x64 Edition Service Pack 2
  - Windows Server 2003 Service Pack 2
  - Windows Server 2003 x64 Edition Service Pack 2
  - Windows Server 2003 with SP2 for Itanium-based Systems
  - Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
  - Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
  - Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 (Windows Server 2008 Server Core installation not affected)
  - Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 (Windows Server 2008 Server Core installation not affected)
  - Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
  - Windows 7 for 32-bit Systems
  - Windows 7 for x64-based Systems
  - Windows Server 2008 R2 for x64-based Systems (Windows Server 2008 R2 Server Core installation not affected)
  - Windows Server 2008 R2 for Itanium-based Systems
- Impact: Remote Code Execution
- Version Number: 1.0

Bulletin 4

- Affected Software:
  - Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
  - Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
  - Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 (Windows Server 2008 Server Core installation affected)
  - Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 (Windows Server 2008 Server Core installation affected)
  - Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
- Impact: Remote Code Execution
- Version Number: 1.0

Bulletin 6

- Affected Software:
  - Microsoft Windows 2000 Service Pack 4
  - Windows XP Service Pack 2 and Windows XP Service Pack 3
  - Windows XP Professional x64 Edition Service Pack 2
  - Windows Server 2003 Service Pack 2
  - Windows Server 2003 x64 Edition Service Pack 2
  - Windows Server 2003 with SP2 for Itanium-based Systems
  - Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
  - Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
  - Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 (Windows Server 2008 Server Core installation not affected)
  - Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 (Windows Server 2008 Server Core installation not affected)
  - Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
  - Windows 7 for 32-bit Systems
  - Windows 7 for x64-based Systems
  - Windows Server 2008 R2 for x64-based Systems (Windows Server 2008 R2 Server Core installation not affected)
  - Windows Server 2008 R2 for Itanium-based Systems
- Impact: Remote Code Execution
- Version Number: 1.0

Important Security Bulletins
============================

Bulletin 7

- Affected Software:
  - Microsoft Office XP Service Pack 3
  - Microsoft Office 2004 for Mac
- Impact: Remote Code Execution
- Version Number: 1.0

Bulletin 8

- Affected Software:
  - Microsoft Office PowerPoint 2002 Service Pack 3
  - Microsoft Office PowerPoint 2003 Service Pack 3
  - Microsoft Office 2004 for Mac
- Impact: Remote Code Execution
- Version Number: 1.0

Bulletin 9

- Affected Software:
  - Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 (Windows Server 2008 Server Core installation affected)
  - Windows Server 2008 R2 for x64-based Systems (Windows Server 2008 R2 Server Core installation affected)
- Impact: Denial of Service
- Version Number: 1.0

Bulletin 10

- Affected Software:
  - Microsoft Windows 2000 Service Pack 4
  - Windows XP Service Pack 2 and Windows XP Service Pack 3
  - Windows XP Professional x64 Edition Service Pack 2
  - Windows Server 2003 Service Pack 2
  - Windows Server 2003 x64 Edition Service Pack 2
  - Windows Server 2003 with SP2 for Itanium-based Systems
- Impact: Elevation of Privilege
- Version Number: 1.0

Bulletin 5

- Affected Software:
  - Microsoft Windows 2000 Service Pack 4
  - Windows XP Service Pack 2 and Windows XP Service Pack 3
  - Windows XP Professional x64 Edition Service Pack 2
  - Windows Server 2003 Service Pack 2
  - Windows Server 2003 x64 Edition Service Pack 2
  - Windows Server 2003 with SP2 for Itanium-based Systems
  - Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
  - Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
  - Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 (Windows Server 2008 Server Core installation affected)
  - Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 (Windows Server 2008 Server Core installation affected)
  - Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
  - Windows 7 for 32-bit Systems
  - Windows 7 for x64-based Systems
  - Windows Server 2008 R2 for x64-based Systems (Windows Server 2008 R2 Server Core installation affected)
  - Windows Server 2008 R2 for Itanium-based Systems
- Impact: Remote Code Execution
- Version Number: 1.0

Bulletin 11

- Affected Software:
  - Microsoft Windows 2000 Server Service Pack 4
  - Windows Server 2003 Service Pack 2
  - Windows Server 2003 x64 Edition Service Pack 2
  - Windows Server 2003 with SP2 for Itanium-based Systems
  - Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 (Windows Server 2008 Server Core installation affected)
  - Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 (Windows Server 2008 Server Core installation affected)
- Impact: Denial of Service
- Version Number: 1.0

Bulletin 12

- Affected Software:
  - Microsoft Windows 2000 Service Pack 4
  - Windows XP Service Pack 2 and Windows XP Service Pack 3
  - Windows XP Professional x64 Edition Service Pack 2
  - Windows Server 2003 Service Pack 2
  - Windows Server 2003 x64 Edition Service Pack 2
  - Windows Server 2003 with SP2 for Itanium-based Systems
  - Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
  - Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
  - Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 (Windows Server 2008 Server Core installation affected)
  - Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 (Windows Server 2008 Server Core installation affected)
  - Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
  - Windows 7 for 32-bit Systems
- Impact: Elevation of Privilege
- Version Number: 1.0

Moderate Security Bulletins
===========================

Bulletin 13

- Affected Software:
  - Microsoft Windows 2000 Service Pack 4
  - Windows XP Service Pack 2 and Windows XP Service Pack 3
  - Windows XP Professional x64 Edition Service Pack 2
  - Windows Server 2003 Service Pack 2
  - Windows Server 2003 x64 Edition Service Pack 2
  - Windows Server 2003 with SP2 for Itanium-based Systems
- Impact: Remote Code Execution
- Version Number: 1.0

Other Information
=================

Microsoft Windows Malicious Software Removal Tool:
==================================================

Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

Non-Security, High-Priority Updates on MU, WU, and WSUS:
========================================================

For information about non-security releases on Windows Update and Microsoft update, please see:

* http://support.microsoft.com/kb/894199: Microsoft Knowledge Base Article 894199, Description of Software Update Services and Windows Server Update Services changes in content. Includes all Windows content.

* http://technet.microsoft.com/en-us/wsus/bb456965.aspx: Updates from Past Months for Windows Server Update Services. Displays all new, revised, and rereleased updates for Microsoft products other than Microsoft Windows.

Microsoft Active Protections Program (MAPP)
===========================================

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed at http://www.microsoft.com/security/msrc/mapp/partners.mspx.

Recognize and avoid fraudulent e-mail to Microsoft customers:
=============================================================

If you receive an e-mail message that claims to be distributing a Microsoft security update, it is a hoax that may contain malware or pointers to malicious Web sites. Microsoft does not distribute security updates via e-mail.

The Microsoft Security Response Center (MSRC) uses PGP to digitally sign all security notifications. However, PGP is not required for reading security notifications, reading security bulletins, or installing security updates. You can obtain the MSRC public PGP key at https://www.microsoft.com/technet/security/bulletin/pgp.mspx.

17 Year old Windows Flaw Workaround Disable 16bit Application Support

Jan-22nd-2010

Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack
-------------------------------------------------------------------------

Date: Tue, 19 Jan 2010 20:11:17 +0100

CVE-2010-0232

In order to support BIOS service routines in legacy 16bit applications, the
Windows NT Kernel supports the concept of BIOS calls in the Virtual-8086 mode
monitor code. These are implemented in two stages, the kernel transitions to
the second stage when the #GP trap handler (nt!KiTrap0D) detects that the
faulting cs:eip matches specific magic values.

Transitioning to the second stage involves restoring execution context and
call stack (which had been previously saved) from the faulting trap frame once
authenticity has been verified.

This verification relies on the following incorrect assumptions:

  - Setting up a VDM context requires SeTcbPrivilege.
  - ring3 code cannot install arbitrary code segment selectors.
  - ring3 code cannot forge a trap frame.

This is believed to affect every release of the Windows NT kernel, from
Windows NT 3.1 (1993) up to and including Windows 7 (2009).

Working out the details of the attack is left as an exercise for the reader.

Just kidding, that was an homage to Derek Soeder :-) 

- Assumption 0: Setting up a VDM context requires SeTcbPrivilege.

Creating a VDM context requires EPROCESS->Flags.VdmAllowed to be set in order
to access the authenticated system service, NtVdmControl(). VdmAllowed can
only be set using NtSetInformationProcess(), which verifies the caller has
SeTcbPrivilege. If this is true, the caller is very privileged and can
certainly be trusted.

This restriction can be subverted by requesting the NTVDM subsystem, and then
using CreateRemoteThread() to execute in the context of the subsystem process,
which will already have this flag set.

- Assumption 1: ring3 code cannot install arbitrary code segment selectors.

Cpl is usually equal to the two least significant bits of cs and ss, and is
a simple way to calculate the privilege of a task. However, there is an
exception, Virtual-8086 mode.

Real mode uses a segmented addressing scheme in order to allow 16-bit
addresses to access the 20-bit address space. This is achieved by forming
physical addresses from a calculation like (cs << 4) + (eip & 0xffff). The
same calculation is used to map the segmented real address space onto the
protected linear address space in Virtual-8086 mode. Therefore, I must be
permitted to set cs to any value, and checks for disallowed or privileged
selectors can be bypassed (PsSetLdtEntries will reject any selector where any
of the three lower bits are unset, as is the case with the required cs pair).

- Assumption 2: ring3 code cannot forge a trap frame.

Returning to usermode with iret is a complicated operation, the pseudocode for
the iret instruction alone spans several pages of Intel's Software Developers
Manual. The operation occurs in two stages, a pre-commit stage and a
post-commit stage. Using the VdmContext installed using NtVdmControl(), an
invalid context can be created that causes iret to fail pre-commit, thus
forging a trap frame.

The final requirement involves predicting the address of the second-stage BIOS
call handler. The address is static in Windows 2003, XP and earlier operating
systems, however, Microsoft introduced kernel base randomisation in Windows
Vista. Unfortunately, this potentially useful exploit mitigation is trivial
to defeat locally as unprivileged users can simply query the loaded module list
via NtQuerySystemInformation().

--------------------
Affected Software
------------------------

All 32bit x86 versions of Windows NT released since 27-Jul-1993 are believed to
be affected, including but not limited to the following actively supported
versions:

    - Windows 2000
    - Windows XP
    - Windows Server 2003
    - Windows Vista
    - Windows Server 2008
    - Windows 7

--------------------
Consequences
-----------------------

Upon successful exploitation, the kernel stack is switched to an attacker
specified address.

An attacker would trigger the vulnerability by setting up a specially
formed VDM_TIB in their TEB, using a code sequence like this:

/* ... */
    // Magic CS required for exploitation
    Tib.VdmContext.SegCs = 0x0B;
    // Pointer to fake kernel stack
    Tib.VdmContext.Esi = &KernelStack;
    // Magic IP required for exploitation
    Tib.VdmContext.Eip = Ki386BiosCallReturnAddress;

    NtCurrentTeb()->Reserved4[0] = &Tib;
/* ... */

Followed by

/* ... */
    NtVdmControl(VdmStartExecution, NULL);
/* ... */

Which will reach the following code sequence via the #GP trap handler,
nt!KiTrap0D. Please note how the stack pointer is restored from the saved
(untrusted) trap frame at 43C3E6, undoubtedly resulting in the condition
described above.

/* ... */
.text:0043C3CE Ki386BiosCallReturnAddress proc near
.text:0043C3CE     mov     eax, large fs:KPCR.SelfPcr
.text:0043C3D4     mov     edi, [ebp+KTRAP_FRAME.Esi]
.text:0043C3D7     mov     edi, [edi]
.text:0043C3D9     mov     esi, [eax+KPCR.NtTib.StackBase]
.text:0043C3DC     mov     ecx, 84h
.text:0043C3E1     mov     [eax+KPCR.NtTib.StackBase], edi
.text:0043C3E4     rep movsd
.text:0043C3E6     mov     esp, [ebp+KTRAP_FRAME.Esi]
.text:0043C3E9     add     esp, 4
.text:0043C3EC     mov     ecx, [eax+KPCR.PrcbData.CurrentThread]
.text:0043C3F2     mov     [ecx+KTHREAD.InitialStack], edi
.text:0043C3F5     mov     eax, [eax+KPCR.TSS]
.text:0043C3F8     sub     edi, 220h
.text:0043C3FE     mov     [eax+KTSS.Esp0], edi
.text:0043C401     pop     edx
.text:0043C402     mov     [ecx+KTHREAD.Teb], edx
.text:0043C405     pop     edx
.text:0043C406     mov     large fs:KPCR.NtTib.Self, edx
.text:0043C40D     mov     ebx, large fs:KPCR.GDT
.text:0043C414     mov     [ebx+3Ah], dx
.text:0043C418     shr     edx, 10h
.text:0043C41B     mov     byte ptr [ebx+3Ch], dl
.text:0043C41E     mov     [ebx+3Fh], dh
.text:0043C421     sti
.text:0043C422     pop     edi
.text:0043C423     pop     esi
.text:0043C424     pop     ebx
.text:0043C425     pop     ebp
.text:0043C426     retn    4
/* ... */

Possibly naive example code for triggering this condition is available from the
link below.

http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip

The code has been tested on Windows XP, Windows Server 2003/2008, Windows Vista
and Windows 7. Support for other affected operating systems is left as an
exercise for the interested reader.

-------------------
Mitigation
-----------------------

If you believe you may be affected, you should consider applying the workaround
described below.

Temporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack
from functioning, as without a process with VdmAllowed, it is not possible to
access NtVdmControl() (without SeTcbPrivilege, of course).

The policy template "Windows Components\Application Compatibility\Prevent
access to 16-bit applications" may be used within the group policy editor to
prevent unprivileged users from executing 16-bit applications. I'm informed
this is an officially supported machine configuration.

Administrators unfamiliar with group policy may find the videos below
instructive. Further information is available from the Windows Server
Group Policy Home

http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx.

To watch a demonstration of this policy being applied to a Windows Server 2003
domain controller, see the link below.

http://www.youtube.com/watch?v=XRVI4iQ2Nug

To watch a demonstration of this policy being applied to a Windows Server 2008
domain controller, see the link below.

http://www.youtube.com/watch?v=u8pfXW7crEQ

To watch a demonstration of this policy being applied to a shared but
unjoined Windows XP Professional machine, see the link below.

http://www.youtube.com/watch?v=u7Y6d-BVwxk

On Windows NT4, the following knowledgebase article explains how to disable the
NTVDM and WOWEXEC subsystems.

http://support.microsoft.com/kb/220159

Applying these configuration changes will temporarily prevent users from
accessing legacy 16-bit MS-DOS and Windows 3.1 applications, however, few users
require this functionality.

If you do not require this feature and depend on NT security, consider
permanently disabling it in order to reduce kernel attack surface.

-------------------
Solution
-----------------------

Microsoft was informed about this vulnerability on 12-Jun-2009, and they
confirmed receipt of my report on 22-Jun-2009.

Regrettably, no official patch is currently available. As an effective and easy
to deploy workaround is available, I have concluded that it is in the best
interest of users to go ahead with the publication of this document without an
official patch. It should be noted that very few users rely on NT security, the
primary audience of this advisory is expected to be domain administrators and
security professionals.

-------------------
Credit
-----------------------

This bug was discovered by Tavis Ormandy.

-------------------
Greetz
-----------------------

Greetz to Julien, Neel, Redpig, Lcamtuf, Spoonm, Skylined, asiraP, LiquidK,
ScaryBeasts, spender and all my other elite colleagues.

Check out some photography while at ring0 @ http://flickr.com/meder.

-------------------
References
-----------------------

Derek Soeder has previously reported some legendary NT bugs, including multiple
vdm bugs that, while unrelated to this issue, make fascinating reading.

- http://seclists.org/fulldisclosure/2004/Oct/404, Windows VDM #UD Local Privilege Escalation
- http://seclists.org/fulldisclosure/2004/Apr/477, Windows VDM TIB Local Privilege Escalation
- http://seclists.org/fulldisclosure/2007/Apr/357, Zero Page Race Condition Privilege Escalation

-------------------
Appendix
-----------------------

SHA-1 checksum of KiTrap0D.zip follows.


99a047427e9085d52aaddfc9214fd1a621534072  KiTrap0D.zip


Massive IE Hole Patched. Make sure you update IE ASAP.

Jan-22nd-2010

Microsoft on Thursday issued a cumulative critical patch for Internet Explorer that fixes eight vulnerabilities, including a hole targeted in the China-based attacks on Google and other U.S. companies.

The security update is rated critical for all supported releases of IE 5, 6, 7, and 8, according to the advisory. The more severe vulnerabilities could allow remote code execution if a user views a malicious Web page using IE, it said.

This IE security update was already planned for release on the next scheduled Patch Tuesday (February 9), Jerry Bryant, senior security program manager at Microsoft, said in a blog post.

Microsoft has known about the hole for at least four months, after it was privately disclosed to the company, Bryant said.

“When the attack discussed in Security Advisory 979352 was first brought to our attention on January 11, we quickly released an advisory for customers two days later,” he wrote. “As part of that investigation, we also determined that the vulnerability was the same as a vulnerability responsibly reported to us and confirmed in early September.”

Installing the IE update addresses the vulnerability across all applications, including those that use the same dynamic link library and allow active scripting, which were found to be possible attack vectors, he said.

Microsoft also scheduled a Webcast to discuss the bulletin for 1 p.m. PST.

Microsoft acknowledged the hole a week ago, two days after Google disclosed the attacks launched against it and what is now believed to be more than 30 other companies. In the attacks, only IE 6 was targeted, Microsoft said.

Exploit code for the hole was published to the Internet the day after Microsoft went public with the IE warning.

“Microsoft continues to see limited and targeted attacks against Internet Explorer 6 only,” Bryant said in a statement. “However, Microsoft recommends customers deploy the security update as soon as possible to protect themselves against the known attacks.”

For an attack to be accomplished, an attacker would have to lure an IE user to a Web site hosting malware that was written to exploit the hole in the browser. This could be done by using social engineering and including a link to the malicious site in an e-mail that looks like it is coming from someone familiar or contains important information. Once a computer is infected, an attacker could take complete control of it.

Internet surfers should have already updated from IE 6, which is nearly 10 years old, said Oliver Lavery, manager of the vulnerability and exposure research team at nCircle.

“IE 6 is fundamentally much less secure than IE 8, regardless of patching. Yet IE 6 still had the largest market share of any version of IE as of December 2009–at 20.99 percent,” he said. “This has created a situation of systemic vulnerability in many enterprises as the software many of their employees use every day is fundamentally not very secure.”

Meanwhile, Trend Micro and Symantec said on Thursday that they had identified new malware samples that exploit the IE vulnerability used in the Google attacks. One new exploit that is being hosted on hundreds of Web sites is detected by Symantec as Trojan.Malscript, Symantec said in a statement. TrendLabs researchers said in a blog post that they discovered that the new scripts targeting the IE hole are versions of JS_DLoader.

Websense reported on its blog that targeted attacks like those that hit Google, using the IE hole, appear to have started during the week of December 20 and are ongoing against government, defense, energy and other sectors and organizations in the U.S. and the United Kingdom. Victims are receiving targeted e-mails with malware that appears to be a data-stealing Trojan, according to Websense.

Also on Thursday, Microsoft warned of a hole in the 32-bit versions of Windows and offered information on a workaround until a patch was released.

Fake H1N1 Alert leads to Malware on Windows Based Machines

Dec-3rd-2009

Malicious hackers are using fake alerts around H1N1 (Swine Flu) vaccines to trick end users into installing malware on Windows computers, according to warnings issued by computer security firms.

The latest malware campaign begins with e-mail messages offering information regarding the H1N1 vaccination. The e-mail messages contain a link to a bogus Centers for Disease Control and Prevention site with prompts to create a user profile. During this process, a malware file gets planted on the user’s machine.

This US-CERT advisory contains some of the e-mail subject lines being used in the spam run. Some examples:

  • “Governmental registration program on the H1N1 vaccination”
  • “Your personal vaccination profile.”

According to researchers at AppRiver, the scam tricks computer users into believing they are part of a “State Wide H1N1 Vaccination Program” and are required to create a vaccination profile on the CDC website.

“The link provided in the email takes you to a very convincing looking imitation of a CDC web page where you are given a temporary ID and a link to your ‘vaccination profile’. The link is in fact…an executable file that contains a copy of a Trojan most commonly identified as xpack or Kryptik…once installed on your PC, this Trojan will create a security-free gateway on your system and will proceed to download and install additional malware without your authorization. It also enables a remote hacker to take complete control of your computer.”

AppRiver says the messages are being received at a rate of 18,000 per minute, more than one million per hour.

Here’s a look at the fake spoofed CDC Web site being used in this attack:

Windows 7 Users: Denial of Service

Nov-14th-2009

Microsoft Security Advisory (977544)
- Title: Vulnerabilities in SMB Could Allow Denial of Service
- http://www.microsoft.com/technet/security/advisory/977544.mspx
- Revision Note: V1.0 (November 13, 2009): Advisory published.

Workaround:

Windows Firewall:
Block TCP ports 139 and 445, both inbound and outbound.

Need help doing the above workaround? Call or email me.

Shawn
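The firewall workaround from the post above, written out as netsh commands. This is an added example, not part of the original post or of Microsoft's advisory; it assumes Windows Vista, 7 or Server 2008 with the built-in Windows Firewall, an elevated prompt, and rule names of my own choosing.

```powershell
# Added example (not from the original post): block SMB on TCP 139 and 445
# in both directions, as the workaround above describes, using the netsh
# "advfirewall" context that ships with Vista / Windows 7 / Server 2008.
# Rule names are my own; the advisory number comes from the post.
$ports = 139, 445

foreach ($port in $ports) {
    # Inbound: stop remote hosts reaching this machine's SMB service
    # (the port is local to us, so localport= is the right filter).
    netsh advfirewall firewall add rule name="MSA977544_SMB_${port}_In" dir=in action=block protocol=TCP localport=$port

    # Outbound: stop this machine connecting to an SMB server elsewhere.
    # Here the port of interest is on the far end, so remoteport= is used;
    # an outbound rule on localport= would match almost nothing.
    netsh advfirewall firewall add rule name="MSA977544_SMB_${port}_Out" dir=out action=block protocol=TCP remoteport=$port
}

# Verify that all four rules exist and are enabled.
netsh advfirewall firewall show rule name=all | Select-String 'MSA977544_SMB'

# Once the fix is installed, remove them again (netsh deletes by exact name):
#   netsh advfirewall firewall delete rule name=MSA977544_SMB_139_In
#   netsh advfirewall firewall delete rule name=MSA977544_SMB_139_Out
#   netsh advfirewall firewall delete rule name=MSA977544_SMB_445_In
#   netsh advfirewall firewall delete rule name=MSA977544_SMB_445_Out
```

Blocking TCP 445 also cuts file and printer sharing and, on domain members, SMB traffic to domain controllers, so on such machines scope the rules with remoteip= to untrusted address ranges rather than blocking everything.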

Microsoft to fix holes in Windows, Office Products

Nov-8th-2009

Microsoft said on Thursday it will issue six patches next week for 15 vulnerabilities, including three critical bulletins affecting Windows and two important Office-related bulletins.

Affected software includes Windows 2000, XP, Server 2003, Vista, Server 2008, Office XP, Office 2003, 2007 Microsoft Office System, Office 2004 for Mac, and Office 2008 for Mac, the company said in an advisory.

November’s Patch Tuesday is a contrast to the record number of fixes issued last month–13 bulletins for 34 vulnerabilities.

Monster Patch Tuesday. Several Patches issued by Microsoft

Oct-16th-2009

Microsoft released a record number of 13 bulletins for 34 vulnerabilities on Patch Tuesday–and the first critical update for Windows 7–as well as fixes for zero-day flaws involving Server Message Block (SMB) and Internet Information Services (IIS).

The most severe of the three SMB flaws, which were first reported last month, could allow an attacker to take control of a computer remotely by sending a specially crafted SMB packet to a computer running the Server service. Exploit code for one of the SMB holes has been posted to the Web, Microsoft said.

Windows 7 is affected by two critical patches intended to mend vulnerabilities that could allow remote code execution if a malicious Web page were viewed, one part of a cumulative security update for Internet Explorer and the other in .Net Framework and Silverlight.

The official release date for Windows 7 is October 22, but the new operating system has been available to some large businesses with volume licenses since the summer. The code was finalized in July.

Other critical patches in the security bulletin for October fix a vulnerability in Windows Media Runtime that could be exploited if a user opened a malicious media file or received malicious streaming content from a Web site or application, and if a specially crafted ASF (Advanced Systems Format) file is played using Windows Media Player 6.4.

Among the critical updates: a cumulative security update of ActiveX Kill Bits that is being exploited and that affects ActiveX controls compiled using Active Template Library (ATL); and another patch resolving several vulnerabilities in ATL ActiveX Controls that could allow remote code execution if a user loaded a malicious component or control. ActiveX and ATLs were the subject of an emergency patch Microsoft released in July.

The final critical bulletin fixes a hole in Windows GDI+ (Graphics Device Interface) that could allow an attacker to take control of a computer if the user viewed a malicious image file using affected software or browsed a malicious Web page.

“Microsoft has repeatedly had to fix problems related to the Graphics Device Interface in Windows, and vulnerabilities in the component have been exploited broadly in the past. We can expect that security researchers will be looking to reverse-engineer today’s patches, which may very well lead to exploits being created,” said Dave Marcus, director of security research and communications at McAfee Labs.

Nine of the vulnerabilities were previously disclosed, which meant that attackers had time to come up with so-called “zero-day” exploits before the patches were available, Marcus noted.

The most alarming vulnerability in the mix is the SMB flaw, which was introduced by the patch for a different vulnerability, according to Josh Phillips, virus researcher at Kaspersky Lab.

Andrew Storms, director of security operations at nCircle, said the bug that is likely to have the biggest impact will be the critical one that affects Windows Media Runtime and involves a speech codec bug that has limited exploits in the wild. “This is a typical file-parsing issue and similar to vulnerabilities that have allowed attackers to create drive-by attacks that infect unsuspecting video viewers,” he said.

Meanwhile, the critical SMB vulnerability is relatively difficult to exploit given default firewall conditions, but the IIS bugs are easy to exploit, Storms added.

“The sheer volume of the bulletins and patches is extreme,” said Jason Miller, senior data team leader for Shavlik Technologies. “This is really going to affect administrators. It’s going to be very challenging because of the time and research that’s going to be needed” to patch systems.

Also released were five bulletins rated “important” to fix vulnerabilities in IIS, for which exploit code has been publicly released and for which there have been limited attacks, along with Windows CryptoAPI, Windows Indexing Service, Windows Kernel, and Local Security Authority Subsystem Service.

The update for Windows CryptoAPI relates to flaws in the way domain names are verified on the Internet, which could allow attackers to impersonate a site and steal information from unsuspecting Web surfers. The holes were revealed by researchers Dan Kaminsky and Moxie Marlinspike at Defcon in August.

Affected software includes Windows 7; Windows 2000; Windows XP; Windows Vista; Server 2003 and 2008; Office XP, 2003, and 2007; Microsoft Office System; SQL Server 2000 and 2005; Silverlight; Visual Studio .Net 2003; Visual Studio 2005 and 2008; Visual FoxPro 8.0 and 9.0; Microsoft Report Viewer 2005 and 2008; Forefront Client Security 1.0; and Office software including Visio, Project, Word Viewer, and Works.

The installation also removes the Win/FakeScanti Trojan, which displays fake malware warnings and then asks computer users to pay for fake antivirus software.

Microsoft issues critical Windows patches

Sep-9th-2009

Microsoft on Tuesday issued five critical Windows-related updates as part of its monthly Patch Tuesday release.

While the issues affect different versions of Windows differently, Microsoft said none of the issues apply to the final version of Windows 7, which Microsoft wrapped up in July.

The five bulletins address eight vulnerabilities. According to Symantec Security Response research manager Ben Greenbaum, the two vulnerabilities most likely to be used by attackers involve the way Windows handles ASF and MP3 media files. “We’ve seen similar exploits in the past and all a user would have to do is visit a compromised Web site hosting one of these malicious files, which could be an MP3, WMA or WMV file, and they could become infected.”

McAfee Avert Labs director Dave Marcus said that two of the flaws, in particular, relate to serious security vulnerabilities in the networking components of Windows Vista, Windows Server 2008 and Windows Server 2003 that could allow for malicious software to spread from one PC to another.

“These vulnerabilities are the most likely to be exploited by malicious code and are two of the best worm candidates that we’ve seen since Conficker,” Marcus said in a statement. “That said, all of today’s security bulletins address vulnerabilities that could allow an attacker to take complete control of a vulnerable PC.”

In addition, Microsoft said it is re-releasing a bulletin from last month to address an additional control found to be vulnerable to an issue with the Microsoft Active Template Library.

Greenbaum noted that Microsoft has yet to issue a patch for a zero-day flaw in Internet Information Services that was made public last week. “Until a patch for this is issued, as a temporary workaround we suggest IT administrators using IIS 5.0 and 6.0 turn off anonymous write access immediately,” Greenbaum said. “We also recommend using a firewall and restricting access to creating directories. Those using IIS 7.0 with FTP Service version 6.0 installed should upgrade to FTP Service version 7.5.”

There are already some attacks being seen based on that flaw.

“While the company will not release an update this month, it will do so once it has reached an appropriate level of quality for broad distribution,” Microsoft said.

Meanwhile, Microsoft said Tuesday that it is investigating another zero-day issue, this one a reported flaw in Windows Vista and Windows 7.

As for the patches Microsoft did release on Tuesday, Qualys CTO Wolfgang Kandek noted that some of the bulletins are interesting in that they either affect only newer operating systems or are more critical on later versions–the reverse of what is normally the case. Overall, he said, five Windows patches should keep IT workers busy.

“Due to the criticality of the patches and wide coverage of the operating system, this will be a busy day for IT administrators,” Qualys CTO Wolfgang Kandek said in an e-mail.

Dangerous Microsoft DirectX vulnerability under attack

Jun-3rd-2009

Microsoft today warned that hackers are using rigged QuickTime media files to exploit an unpatched vulnerability in DirectShow, the APIs used by Windows programs for multimedia support.

The company has activated its security response process to deal with the zero-day attacks and has issued a pre-patch advisory with workarounds and a one-click “fix it” feature to enable the mitigations.

From the advisory:

Microsoft is aware of limited, active attacks that use this exploit code. While our investigation is ongoing, our investigation so far has shown that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable; all versions of Windows Vista and Windows Server 2008 are not vulnerable.

An entry on the MSRC blog provides more details:

The vulnerability is in the QuickTime parser in Microsoft DirectShow. An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn’t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow. Also, we’ve verified that it is possible to direct calls to DirectShow specifically, even if Apple’s QuickTime (which is not vulnerable) is installed.

Interestingly, the vulnerable component was removed from Windows Vista and later operating systems but is still available for use in the Microsoft Windows 2000, Windows XP, and Windows Server 2003 operating systems.

Vulnerable Windows users should immediately consider disabling QuickTime parsing to thwart attackers. This KB article provides a fix-it button that automatically enables the workaround.

It also provides detailed instructions on using a managed script deployment for Windows shops.
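For shops that script the workaround rather than click the fix-it button, here is an added example of a reversible deployment step; it is not Microsoft's fix-it or KB script. The page does not give the registry path of the DirectShow QuickTime parser, so the key below is an obviously marked placeholder that must be replaced with the path from the Microsoft advisory. It assumes PowerShell is installed on the Windows XP / Server 2003 hosts in question and that the script runs as an administrator.

```powershell
# Added example: back up, remove and later restore a registry key so that a
# parser workaround can be rolled out and rolled back by script.
# PLACEHOLDER below: take the real CLSID path from the Microsoft advisory/KB.
$ParserKey  = "HKEY_CLASSES_ROOT\CLSID\{PLACEHOLDER-QUICKTIME-PARSER-CLSID}"
$BackupFile = Join-Path $env:ALLUSERSPROFILE "directshow-quicktime-parser.reg"

function Disable-ParserKey {
    param([string]$Key, [string]$Backup)
    $psPath = "Registry::$Key"
    if (-not (Test-Path -LiteralPath $psPath)) { return "already absent" }
    # Export first so the change can be undone once the patch is installed.
    reg export $Key $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "backup failed; leaving $Key untouched" }
    Remove-Item -LiteralPath $psPath -Recurse -Force
    return "removed"
}

function Test-ParserDisabled {
    # $true when the parser key is gone, i.e. the workaround is in effect.
    param([string]$Key)
    return -not (Test-Path -LiteralPath "Registry::$Key")
}

function Restore-ParserKey {
    # Re-import the backup after the security update ships.
    param([string]$Backup)
    reg import $Backup | Out-Null
    return ($LASTEXITCODE -eq 0)
}

Disable-ParserKey -Key $ParserKey -Backup $BackupFile
if (Test-ParserDisabled -Key $ParserKey) { "QuickTime parser disabled" } else { "key still present" }
```

The backup-before-delete order matters: a managed rollout that cannot be reversed turns a temporary mitigation into a permanent loss of QuickTime playback in DirectShow-based applications.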

QuickTime Exploit. Get the latest version to fix this problem.

Jun-3rd-2009

Apple today released QuickTime 7.6.2 with fixes for a variety of security vulnerabilities, some of which could lead to arbitrary code execution attacks.

The update, available for Mac OS X, Windows XP and Windows Vista, covers a total of 10 documented vulnerabilities that could be exploited via booby-trapped movie, video, image and audio files.

Here are the details:

  • CVE-2009-0188: A memory corruption issue exists in QuickTime’s handling of Sorenson 3 video files. This may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0951: A heap buffer overflow exists in the handling of FLC compression files. Opening a maliciously crafted FLC compression file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0952: A buffer overflow may occur while processing a compressed PSD image. Opening a maliciously crafted compressed PSD file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0010: An integer underflow in QuickTime’s handling of PICT may result in a heap buffer overflow. Opening a maliciously crafted PICT file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0953: A heap buffer overflow exists in QuickTime’s handling of PICT images. Opening a maliciously crafted PICT file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0954: A heap buffer overflow exists in QuickTime’s handling of Clipping Region (CRGN) atom types in a movie file. Opening a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0185: A heap buffer overflow exists in the handling of MS ADPCM encoded audio data. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0955: A sign extension issue exists in QuickTime’s handling of image description atoms. Opening a maliciously crafted Apple video file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0956: An uninitialized memory access issue exists in QuickTime’s handling of movie files. Viewing a movie file with a zero user data atom size may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0957: A heap buffer overflow exists in QuickTime’s handling of JP2 images. Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution.

The update is available via the Software Update utility (Mac OS X) and Apple’s Windows Automatic Software Update tool (Windows). Alternatively, QuickTime 7.6.2 may be obtained from the QuickTime Downloads site. iTunes can be obtained from iTunes Downloads.