
Microsoft Patch Day - July 2007

By Ben Greenbaum

This month's Microsoft patch release includes six bulletins, addressing 12 vulnerabilities in common client and server software, including four in a popular development environment. Topping the heap in terms of urgency is a remotely exploitable, server-side code execution vulnerability in IIS, and that's where we'll start:

MS07-041; KB939373
Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution

This bulletin addresses a previously known issue in IIS 5.1 on Windows XP that was reported in late 2005 as a denial-of-service problem. It is now known to be exploitable to run attacker code. IIS is not running or installed by default on Windows XP.

  • Microsoft Internet Information Server 5.1 DLL Request Remote Code Execution Vulnerability
    BID 15921 CVE: CVE-2005-4360
    (Symantec Urgency Rating: 9.6; MS Rating: Important)

    Microsoft IIS is prone to a remote code-execution vulnerability due to an unchecked buffer in the Internet Information Services URL parser.

    The condition occurs when several requests are received for a DLL within a virtual directory. Failed exploit attempts cause the 'inetinfo.exe' process to crash, resulting in a denial-of-service condition until the service is restarted. The directory must have Execute permissions set for "Scripts and Executables". The paths "_vti_bin" and "_sharepoint" can be used by an attacker to trigger the issue. Other attack vectors may also be present, but this has not been confirmed.

    Exploitation of this issue is trivial, and can be performed manually with common software.

MS07-036; KB936542
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution

This month's Excel patch resolves four or more vulnerabilities and applies to Excel 2000, 2002, 2003, and 2007, as well as the Microsoft Office Compatibility Pack. This bulletin replaces MS07-023, released in May of this year. Microsoft rates these issues as 'Important' for all but Excel 2000, for which this bulletin is rated 'Critical'. Workarounds include blocking the affected file types at network borders and in the registry (probably not a good option in this case) and using the Microsoft MOICE tool to open remotely-provided Office files. See the advisory for more information.

  • Microsoft Excel Worksheet Remote Code Execution Vulnerability
    BID 22555 CVE: CVE-2007-3029
    (Symantec Urgency Rating: 8.5; MS Rating: Important)

    This vulnerability was originally published on Feb 14, 2007. It was thought to only be exploitable to achieve a crash, and publicly available exploits to do this are known to exist. The core issue is that affected versions of Excel fail to validate the number of active worksheets in a file. Further investigation has revealed that the issue is exploitable in a fashion that allows the execution of attacker-supplied code. Excel 2002 and 2003 are affected.

  • Microsoft Excel Version Information Validation Remote Code Execution Vulnerability
    BID 24801 CVE: CVE-2007-1756
    (Symantec Urgency Rating: 7.1; MS Rating: Critical/Important)

    This issue affects all versions of Excel from 2000 to 2003 inclusive, and is due to a failure to properly handle malformed version information in the header of an Excel document. This failure could allow attackers to run arbitrary code. Exploits for this issue are not known to be publicly available at this time.

  • Microsoft Excel Workspace Designation Remote Code Execution Vulnerability
    BID 24803 CVE: CVE-2007-3030
    (Symantec Urgency Rating: 7.1; MS Rating: Critical/Important)

    This vulnerability is due to a validation error of certain file attributes data associated with workspace information. Excel 2000 to 2003 inclusive are affected, as is the Office Compatibility Pack. Again, malicious Excel files can lead to hostile code execution.

  • Microsoft Excel Unspecified Security Vulnerability
    BID 24843 CVE: N/A
    (Symantec Urgency Rating: 5.8; MS Rating: N/A)

    The bulletin also mentions 'other issues' that were fixed in this release, but technical details were not provided. From the MS07-036 Executive Summary: "This critical update resolves [...] other security issues identified during the course of the investigation."

MS07-039; KB926122
Vulnerability in Windows Active Directory Could Allow Remote Code Execution

This bulletin addresses two issues in LDAP implementations: a code execution vulnerability in Windows 2000 and 2003, and a simple denial of service present in Windows 2000.

  • Microsoft Windows Active Directory LDAP Request Validation Remote Code Execution Vulnerability
    BID 24800 CVE: CVE-2007-0040
    (Symantec Urgency Rating: 8.2; MS Rating: Critical/Important)

    The LDAP service in Windows 2000 and 2003 fails to check the number of convertible attributes included in an LDAP request.

    An attacker can exploit this issue by sending a specially crafted LDAP request to the affected computer, and thereby execute arbitrary code with SYSTEM-level privileges. Failed exploit attempts will result in a denial-of-service condition. This issue is rated differently for the various versions: any anonymous user with access to the affected network can exploit this issue on Windows 2000. To exploit this issue on Windows 2003, the attacker must have valid authentication credentials. No publicly available exploit for this issue is known to exist.

  • Microsoft Windows Active Directory LDAP Request Validation Remote Denial Of Service Vulnerability
    BID 24796 CVE: CVE-2007-3028
    (Symantec Urgency Rating: 5.7; MS Rating: Important)

    Microsoft Active Directory on Windows 2000 Server can be made to stop servicing requests by an attacker who makes a request with an invalid number of convertible attributes.

MS07-040; KB931212
Vulnerabilities in .NET Framework Could Allow Remote Code Execution

MS07-040 addresses 4 vulnerabilities in the .NET Framework versions 1.0, 1.1, and 2.0 on any platform. Framework 3.0 on any platform is unaffected. Three of these were privately reported to Microsoft, and one was publicly known in 2006. For versions 1.0 and 1.1, this bulletin also replaces MS05-004.

  • Microsoft .NET Framework Request Filtering Bypass Vulnerability
    BID 20753 CVE: CVE-2006-7192
    (Symantec Urgency Rating: 7.5; MS Rating: N/A)

    The Microsoft .NET Framework is prone to a vulnerability that may permit the bypassing of content filtering. In particular, this issue is due to a failure in .NET request filtering and may be exploited in applications that use this feature to sanitize user-supplied input.

    This issue occurs only when a Web application depends on .NET request filtering before sending data back to the Web browser.

    An attacker can exploit this issue to perform multiple input-validation attacks such as cross-site scripting, SQL-injection, and HTML-injection; other attacks are also possible.

    This vulnerability is not explicitly called out as resolved in the matrices in the Microsoft advisory, but the FAQ states that mitigations against this issue are included in the patch. The update is said to make it easier for developers creating .NET applications to secure those applications against these kinds of attacks.

  • Microsoft .NET Framework PE Loader Remote Buffer Overflow Vulnerability
    BID 24778 CVE: CVE-2007-0041
    (Symantec Urgency Rating: 7.1; MS Rating: Critical/Moderate)

    The .NET PE Loader service can be exploited to execute arbitrary code. This is a client-side vulnerability, and therefore any privileges gained by the attacker would be at the level of the victim user. This issue affects Framework 1.0, 1.1, and 2.0 on 2000, 2003, and XP. It is rated Critical for 2000 and XP, but only Moderate for 2003 due to the availability of Enhanced Security Configuration. There are several potential workarounds for this issue, including reducing the scripting that is allowed in various browser security zones, disabling .NET browser support, and so on. See the advisory for full details.

  • Microsoft .NET Framework JIT Compiler Remote Buffer Overflow Vulnerability
    BID 24811 CVE: CVE-2007-0043
    (Symantec Urgency Rating: 7.1; MS Rating: Critical/Moderate)

    The Just In Time Compiler service included in the .NET Framework can be exploited to execute arbitrary code in the context of a user running the vulnerable application. This issue only affects the 2.0 Framework, and is rated lower for Windows 2003 due to the availability of ESC.

  • Microsoft .Net Framework Null Byte Injection Vulnerability
    BID 24791 CVE: CVE-2007-0042
    (Symantec Urgency Rating: 7.1; MS Rating: Important)

    Microsoft .NET Framework fails to filter out '%00' NULL-byte characters from attacker-supplied URI requests.

    An attacker can exploit this issue to access sensitive information contained in Web page generation scripts. This information may aid in further attacks; other attacks are also possible.

MS07-037; KB936548
Vulnerability in Microsoft Office Publisher 2007 Could Allow Remote Code Execution

  • Microsoft Office Publisher Invalid Memory Reference Remote Code Execution Vulnerability
    BID 22702 CVE: CVE-2007-1754
    (Symantec Urgency Rating: 7.1; MS Rating: Important)

    Limited information on this vulnerability was initially released in February by eEye. It allows attackers to run arbitrary code via exploitation of a memory reference error in the Publisher 2007 application. No public exploit is currently known to exist.

And last, but by no means least:

MS07-038; KB935807
Vulnerability in Windows Vista Firewall Could Allow Information Disclosure

  • Microsoft Windows Vista Teredo Interface Firewall Bypass Vulnerability
    BID 24779 CVE: CVE-2007-3038
    (Symantec Urgency Rating: 7.1; MS Rating: Moderate)

    Teredo is an IPv4 to IPv6 transition mechanism for IPv6-capable hosts that are located behind an IPv4 NAT.

    Windows Firewall for Windows Vista is prone to a vulnerability that may permit a bypass of existing firewall rules. The problem occurs because the firewall does not properly enforce rules when accepting traffic through the Teredo interface. Specifically, traffic routed through the Teredo interface is improperly treated as coming from the local network.

    An attacker may trigger this vulnerability by sending malicious network data through the Teredo network transport system in order to obtain sensitive information; other attacks are also possible.

    It should be noted that Windows Vista systems configured with a "Public" network profile are not vulnerable to this issue. A system configured with a "Private" network profile will expose the TCP port 5357 through the Teredo interface.

    This issue was discovered by Symantec as part of an overall study of Vista security. The Symantec advisory can be read here and a blog article discussing the topic can be found here. This attack and the details that make it possible are quite interesting; if you are a networking buff at all I recommend having a deeper look.
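Because traffic arriving over Teredo is not "local" in any meaningful sense, a defender checking whether firewall rules were applied to such connections first has to recognise Teredo sources in the logs. The following is an added example, not code from the original post or from Symantec: it decodes the fields a Teredo address embeds (the RFC 4380 layout, which goes beyond what the post describes) and flags allowed connections from Teredo sources to port 5357 in a constructed, hypothetical log format.

```python
import ipaddress
import re

# Teredo addresses live in 2001:0::/32 (RFC 4380).
TEREDO_PREFIX = ipaddress.IPv6Network("2001:0::/32")


def decode_teredo(addr: str):
    """Decode a Teredo IPv6 address into its embedded IPv4 endpoints.

    Layout (128 bits): 32-bit prefix | 32-bit Teredo server IPv4 | 16-bit flags |
    16-bit client UDP port XOR 0xFFFF | 32-bit client public IPv4 XOR 0xFFFFFFFF.
    Returns None when the address is not a Teredo address.
    (The stdlib also offers IPv6Address.teredo, but that yields only server/client.)
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed
    server = ipaddress.IPv4Address(raw[4:8])
    flags = int.from_bytes(raw[8:10], "big")
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF          # undo port obfuscation
    client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))  # undo IP obfuscation
    return {"server": str(server), "cone": bool(flags & 0x8000),
            "client_port": port, "client_ip": str(client)}


# Constructed sample log lines in a hypothetical format (not real Vista firewall output).
# The first source is the RFC 4380 worked example address.
SAMPLE_LOG = """\
ALLOW proto=tcp src=2001:0:4136:e378:8000:63bf:3fff:fdd2 dst=2001:db8::20 dport=5357
ALLOW proto=tcp src=fe80::1c2a:9b0e:4d11:7c01 dst=fe80::a00:27ff:fe4e:66a1 dport=5357
ALLOW proto=tcp src=2001:db8::10 dst=2001:db8::20 dport=445
"""

LINE_RE = re.compile(
    r"(?P<action>\w+) proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def find_teredo_hits(log_text: str, watched_ports=(5357,)):
    """Return (src, dport, decoded_fields) for ALLOWed connections whose source is a
    Teredo address and whose destination port is one we expect to be local-only."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "ALLOW":
            continue
        decoded = decode_teredo(m["src"])
        if decoded and int(m["dport"]) in watched_ports:
            hits.append((m["src"], int(m["dport"]), decoded))
    return hits
```

Any hit means a "local network" rule admitted a peer whose real public IPv4 and NAT port are the decoded client fields, which is exactly the distinction the patched firewall now makes.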