Microsoft Patch Tuesday 

Sep 11, 2007 03:00 AM

Hello, and welcome to this month’s blog on the Microsoft patch releases. September is a light month, with only 4 releases, each resolving one issue.

Which is the most critical of these vulnerabilities? Well, it depends on who you ask. Microsoft lists the issue in the Agent ActiveX control as the only ‘Critical’ update this month; however, our calculations have resulted in a higher urgency rating for the MSN / Live Messenger issue. Both vulnerabilities grant a remote attacker the ability to run arbitrary code on the target machine if the target user performs a specific action (clicks on a link or accepts an incoming message). Microsoft may have rated the ActiveX issue higher because a non-vulnerable upgrade to Messenger has been available for some time. However, we rate the issue in MSN Messenger/Live Messenger higher, due to the availability of public proof-of-concept code known to work on at least one platform. From the perspective of an affected user, the knowledge that they could have upgraded some time ago may not be much solace.

We have seen an upswing in the number of browser plug-in vulnerabilities in the last six months, and ActiveX is certainly no exception – in fact, vulnerabilities in ActiveX components are at the forefront of this continuing trend, with an increasing rate of discovery that surpasses all other plug-in technologies combined. Expect to see more patches of this nature throughout the remainder of the year.

Microsoft’s summary of the September release can be found here: http://www.microsoft.com/technet/security/bulletin/ms07-sep.mspx


1. Vulnerability in MSN Messenger and Live Messenger Could Allow Remote Code Execution (KB924099)

CVE-2007-2931 (BID 25461)
Microsoft MSN Messenger Video Conversation Buffer Overflow Vulnerability
(MS Rating: Important / Symantec Urgency Rating: 8.6/10)

This is a remote buffer overflow vulnerability affecting MSN Messenger and Windows Live Messenger. This issue occurs during a video conversation because the application doesn’t properly check the ‘chunk_index’ of an incoming packet, resulting in a heap-based overflow. A public exploit for the Chinese version of Windows 2000 is available.

Affects: MSN Messenger 6.2, 7.0, and 7.5, as well as Windows Live Messenger 8.0. Windows Live Messenger 8.1, available for Vista and XP since late January 2007, is not affected by this.
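
The bug class described above (a packet-supplied chunk index used as a buffer offset without a bounds check) is sketched below as an added example; it is not Messenger's code and is not taken from the advisory. The `frame` structure, the `CHUNK_SIZE` value and all function names are hypothetical, and the unchecked routine is shown only for contrast with the validated one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK_SIZE 256u              /* assumed fixed chunk payload size */

/* Hypothetical reassembly state; not Messenger's real layout. */
struct frame {
    uint8_t *buf;                    /* n_chunks * CHUNK_SIZE bytes on the heap */
    uint32_t n_chunks;               /* chunk count the buffer was sized for */
};

/* Allocate a frame buffer; returns 0 on success, -1 on failure. */
int frame_init(struct frame *f, uint32_t n_chunks)
{
    if (n_chunks == 0 || n_chunks > SIZE_MAX / CHUNK_SIZE)
        return -1;                   /* reject sizes that would wrap */
    f->buf = calloc(n_chunks, CHUNK_SIZE);
    f->n_chunks = f->buf ? n_chunks : 0;
    return f->buf ? 0 : -1;
}

/* Flawed pattern: chunk_index and len come from the packet and are trusted,
 * so a large index places the copy past the end of the heap buffer. */
void store_chunk_unchecked(struct frame *f, uint32_t chunk_index,
                           const uint8_t *data, size_t len)
{
    memcpy(f->buf + (size_t)chunk_index * CHUNK_SIZE, data, len);
}

/* Hardened form: validate both fields against the allocation before copying.
 * Returns 0 if stored, -1 if the packet is rejected. */
int store_chunk_checked(struct frame *f, uint32_t chunk_index,
                        const uint8_t *data, size_t len)
{
    if (f->buf == NULL || data == NULL)
        return -1;
    if (chunk_index >= f->n_chunks)  /* index must fall inside the frame */
        return -1;
    if (len > CHUNK_SIZE)            /* payload must fit one chunk slot */
        return -1;
    memcpy(f->buf + (size_t)chunk_index * CHUNK_SIZE, data, len);
    return 0;
}
```

Checking the index before computing the offset also keeps the multiplication inside the range that `frame_init` already verified.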


2. Vulnerability in Agent Could Allow Remote Code Execution (938827)

CVE-2007-3040 (BID 25566)
Microsoft Agent Malformed URL Remote Code Execution Vulnerability
(MS Rating: Critical / Symantec Urgency Rating 7.1/10)

This is a remote code execution vulnerability in the Microsoft Agent ActiveX control. An attacker would need to trick a victim into visiting a malicious web page. A successful attack will result in the execution of attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft Windows 2000


3. Vulnerability in Windows UNIX Services Could Allow Elevation of Privilege (939778)

CVE-2007-3036 (BID 25620)
Microsoft Windows Services for Unix Local Privilege Escalation Vulnerability
(MS Rating: Important / Symantec Urgency Rating 6.6/10)

This is a privilege escalation vulnerability affecting Windows UNIX Services. This is a local issue and occurs due to improper handling of setuid files. A local attacker could exploit this issue to elevate privileges on the vulnerable computer. The privilege level is not specified, but is assumed to be at the administrative level.

Affects: Services for UNIX 3.0 and 3.5, and Subsystem for UNIX-based applications running on Windows 2000, Windows Server 2003, and Windows Vista.

Note: These applications are not installed by default on any of the operating systems.


4. Vulnerability in Crystal Reports Could Allow Remote Code Execution (941522)

CVE-2006-6133 (BID 21261)
Business Objects Crystal Reports XI Professional File Handling Buffer Overflow Vulnerability
(MS Rating: Important / Symantec Urgency Rating 6.7/10)

This is a remote buffer-overflow vulnerability affecting Crystal Reports. Specifically, the application doesn’t properly handle malformed .rpt files. A remote attacker could exploit this issue to execute arbitrary code in the context of the victim running the affected application.

Crystal Reports is a third-party application from Business Objects. Microsoft redistributes a version of Crystal Reports in Visual Studio.

This vulnerability was originally disclosed in Crystal Reports in November 2006, and exploit code was released publicly in January 2007.

Affects: Visual Studio .NET 2002, .NET 2003, and 2005


More information on these and other vulnerabilities is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.
