Microsoft Patch Tuesday: April 2007 

Apr 10, 2007 03:00 AM


April was unique for Microsoft because it consisted of two Microsoft Tuesdays. Last week, we saw the release of patches for the .ANI zero-day vulnerability. This patch was consistent with Microsoft's policy of releasing out-of-band security patches (in other words, patches on days other than Patch Tuesday) for vulnerabilities that are experiencing widespread exploitation in the wild. From my experience, if the issue is significant enough to merit third-party patches from Determina, ZERT, etc., then in all likelihood Microsoft will do an out-of-band security patch release for the vulnerability.

Today Microsoft released an additional five security bulletins. Four of the bulletins affect Microsoft Windows and one affects Microsoft Content Management Server.

• MS07-018 Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution (KB925939)

This bulletin addresses two vulnerabilities in Microsoft Content Management Server 2001 and 2002.

The first issue is the CMS Memory Corruption Vulnerability (CVE-2007-0938/BID 22861), which is a remote code execution vulnerability that is related to how the Content Management Server handles unexpected characters in an incoming HTTP request to the service. If exploited, the vulnerability would let a remote attacker run arbitrary code in the context of the IIS Web server. Microsoft considers the threat to be lessened for computers hosting Content Management Server with IIS 6.0 because the IIS service runs with the limited privileges of the Network Service account. Microsoft rates this vulnerability as critical.

The second is the Cross-site Scripting and Spoofing Vulnerability in CMS Vulnerability (CVE-2007-0939/BID 22860). This vulnerability is what we would describe more as a content injection or HTML injection vulnerability because it could potentially let a remote attacker persistently embed hostile content into a site hosted through Microsoft Content Management Server. Microsoft has also noted that it may be possible to exploit this vulnerability to inject hostile or spoofed content into Web browser and proxy server caches. This could effectively allow an attacker to execute malicious script code in the browser of a victim user or to spoof content that is presented to users, which may be useful in phishing attacks. Microsoft rates this vulnerability as important.

Consumers and desktop users should not be exposed to these vulnerabilities since Microsoft Content Management Server is a commercial product that is not installed by default on Microsoft Windows platforms. As such, the threats posed by these vulnerabilities are mainly a concern to those organizations which have deployed the Microsoft Content Management Server on publicly-facing sites.

• MS07-019 Vulnerability in Universal Plug and Play Could Allow Remote Code Execution (KB931261)

This bulletin addresses one issue – the UPnP Memory Corruption Vulnerability (CVE-2007-1204/BID 23371), which is a remote code execution vulnerability affecting Microsoft Windows XP. This is a memory corruption vulnerability that is related to how HTTP requests to UPnP services are handled. Microsoft states that attacks would have to originate from the same subnet as a vulnerable computer. As a precaution, they recommend blocking UDP port 1900 and TCP port 2869. It is also advisable to ensure that these ports are not externally accessible. Microsoft rates this vulnerability as critical.

Due to the subnet limitation, this vulnerability is not believed to pose a widespread risk. However, consumers who connect their computers directly to the internet without an intervening firewall or NAT arrangement could be exposed. This vulnerability is also a concern on insecure or publicly accessible wireless networks where access may be shared with untrusted or malicious users.

• MS07-020 Vulnerability in Microsoft Agent Could Allow Remote Code Execution (KB932168)

This bulletin consists of one issue – the Microsoft Agent URL Parsing Vulnerability (CVE-2007-1205/BID 23337). This is a client-side code execution vulnerability affecting the Microsoft Agent ActiveX component on Microsoft Windows 2000, XP, and Server 2003. A malicious Web site that instantiates the affected ActiveX control and passes a malformed URL argument to one of its methods may trigger this vulnerability. If successfully exploited, this vulnerability will let an attacker run arbitrary code as the currently logged-in user. If the user is logged in as administrator, the result could be complete system compromise. Therefore, Symantec recommends that tasks such as surfing the Web be performed as a non-administrative user.

Internet Explorer 7 includes security measures that may prevent exploitation attempts on affected Microsoft Windows platforms. We recommend that you secure Internet Explorer ActiveX settings, including disabling support for ActiveX in the Internet Zone and adding trusted sites that depend on ActiveX functionality to the Trusted Sites Zone. Taking this precaution can help limit exposure to this and other ActiveX-related vulnerabilities.

Microsoft has rated this vulnerability as critical on Microsoft Windows 2000 and XP. It is rated moderate on Microsoft Windows Server 2003 platforms due to mitigating security measures such as the Enhanced Security Configuration.
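As an added example (not part of the original post), the PowerShell audit below checks the two host-side mitigations discussed for MS07-019 and MS07-020 on a current Windows machine: whether UPnP services, ports or firewall rules are exposed, and whether the Internet Zone still runs ActiveX controls. It assumes Windows 8 / Server 2012 or later (for the NetTCPIP and NetSecurity cmdlets), an elevated session, and the documented registry layout of IE zone settings (value 1200 under Zones\3, ZoneMap\Domains for Trusted Sites).

```powershell
# Added audit script (not from the original post). Checks the mitigations
# discussed for MS07-019 (UPnP ports) and MS07-020 (IE ActiveX zone settings).
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.
$findings = @()

# --- MS07-019: is UPnP reachable? SSDP uses UDP 1900, the UPnP device host TCP 2869.
foreach ($svc in 'SSDPSRV', 'upnphost') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.Status -eq 'Running') { $findings += "UPnP service '$svc' is running" }
}
$udp = Get-NetUDPEndpoint -LocalPort 1900 -ErrorAction SilentlyContinue
if ($udp) { $findings += "UDP 1900 bound on: $(($udp.LocalAddress | Select-Object -Unique) -join ', ')" }
$tcp = Get-NetTCPConnection -LocalPort 2869 -State Listen -ErrorAction SilentlyContinue
if ($tcp) { $findings += "TCP 2869 listening on: $(($tcp.LocalAddress | Select-Object -Unique) -join ', ')" }

# Inbound allow rules naming either port (one port filter lookup per rule, so this is slow;
# rules using 'Any' or port ranges are not matched by this simple comparison).
$open = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort | Where-Object { $_ -in '1900', '2869' } }
foreach ($r in $open) {
    $findings += "Firewall allows an inbound UPnP port via '$($r.DisplayName)' (profile: $($r.Profile))"
}

# --- MS07-020: IE zone settings. Zone 3 = Internet, zone 2 = Trusted Sites.
# Value 1200 = "Run ActiveX controls and plug-ins": 0 enable, 1 prompt, 3 disable.
# If the Security_HKLM_only policy is set, the effective values live under HKLM instead.
$zones = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$internet = Get-ItemProperty -Path "$zones\3" -ErrorAction SilentlyContinue
if ($null -eq $internet.'1200') {
    $findings += 'Internet Zone: ActiveX run setting (1200) not present; defaults apply'
} elseif ($internet.'1200' -ne 3) {
    $findings += "Internet Zone: ActiveX run setting (1200) is $($internet.'1200'), not 3 (disabled)"
}

# Sites placed in Trusted Sites: a scheme value of 2 under ZoneMap\Domains\<domain>[\<host>].
$domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$base = (Get-Item -Path $domains -ErrorAction SilentlyContinue).Name
Get-ChildItem -Path $domains -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    foreach ($scheme in 'http', 'https', '*') {
        if ($props.$scheme -eq 2) {
            $findings += "Trusted Sites entry: $scheme on $($_.Name.Substring($base.Length + 1))"
        }
    }
}

if ($findings.Count -eq 0) { 'No findings: UPnP not exposed and Internet Zone ActiveX disabled.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Review the Trusted Sites list it prints against what actually needs ActiveX; every entry there bypasses the Internet Zone restriction.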

• MS07-021 Vulnerabilities in CSRSS Could Allow Remote Code Execution (KB930178)

This security bulletin consists of three vulnerabilities, the worst of which has been rated as critical by Microsoft.

The first issue is the MsgBox (CSRSS) Remote Code Execution Vulnerability (CVE-2006-6696/BID 23324). This is a remote code execution vulnerability affecting the Windows Client/Server Run-time Subsystem (CSRSS) component of Microsoft Windows 2000, XP, Server 2003, and Vista. The issue is due to incorrect handling of error messages that are processed by the vulnerable component. Attack vectors for this vulnerability include both local and Web-based attacks. A successful exploit would completely compromise the affected computer. Microsoft has rated this vulnerability as critical.

This vulnerability encapsulates a number of issues that were publicly reported in December of 2006 in addition to some issues that were discovered internally by Microsoft. These issues were initially believed to be limited to local attacks, but the security bulletin details a new remote Web-based attack vector.

The second issue is the CSRSS Local Elevation of Privilege Vulnerability (CVE-2007-1209/BID 23338). This vulnerability is limited to Windows Vista systems. This is a code-execution vulnerability that could let a local attacker completely compromise a computer. Microsoft has rated this vulnerability as important.

The third issue is the CSRSS DoS Vulnerability (CVE-2006-6797/BID 21688), which is a local denial of service vulnerability affecting Microsoft Windows 2000, XP, Server 2003, and Vista. Microsoft has rated this vulnerability low on Microsoft Windows 2000 Professional, XP, and Vista workstations, but moderate on server-oriented operating systems such as Windows 2000 Server and Server 2003. This vulnerability was also publicly announced in December of 2006.

• MS07-022 Vulnerability in Windows Kernel Could Allow Elevation of Privilege (KB931784)

This bulletin consists of one issue – the Kernel Local Elevation of Privilege Vulnerability (CVE-2007-1206/BID 23367). This is a locally exploitable privilege escalation issue that could let an attacker completely compromise the affected system. The issue is caused by incorrect permissions on a mapped memory segment. Microsoft has rated this vulnerability as important.

It is worth noting that local vulnerabilities may be exploited by attackers or malicious software in multi-staged attacks that start with a remote attack that allows a limited compromise of the system. The attackers may then use local privilege escalation attacks to leverage their foothold into a complete system compromise.
