Security Response

Microsoft Patch Tuesday for December

Created: 11 Dec 2007 08:00:00 GMT • Updated: 23 Jan 2014 18:43:52 GMT
Robert Keith

Hello, and welcome to this month’s blog on the Microsoft patch releases. Microsoft released seven bulletins this month, covering a total of eleven vulnerabilities. Nine of the vulnerabilities affect Microsoft Vista either directly or through applications running on that operating system.

The first three bulletins discuss seven client-side vulnerabilities rated “Critical” by Microsoft. Four of those are vulnerabilities in Internet Explorer, two more affect DirectX, and the seventh is a vulnerability affecting the Windows Media Format Runtime. These issues do require some sort of user interaction (such as visiting a malicious Web page, opening a malicious email, or opening a malicious file), but can aid in the remote compromise of a victim’s computer. Users are advised to use security best practices, including avoiding sites of unknown or questionable integrity.

The remaining vulnerabilities (four issues rated as “Important”) are each documented in their own bulletin. They include vulnerabilities in MSMQ (Microsoft’s Message Queuing Service), Vista’s Server Message Block version 2 (SMBv2), and the Windows kernel. As well, there is an update to a previously documented vulnerability (BID 26121) in Macrovision SafeDisc (secdrv.sys). Microsoft’s summary of the December releases can be found here: http://www.microsoft.com/technet/security/bulletin/ms07-dec.mspx

1. Vulnerability in Windows Media Format Could Allow Remote Code Execution (KB941569 and KB944275)

CVE-2007-0064 (BID 26776) Microsoft Windows Media Format Runtime ASF File Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 7.5/10)

This is a client-side vulnerability affecting the Windows Media Format Runtime when handling malformed Advanced Systems Format (ASF) files. An attacker exploits this issue by tricking an unsuspecting victim into viewing a Web page or email with malicious ASF content. A successful attack will result in the execution of attacker-supplied code with the permissions of the currently logged in user.

Affected: Windows Media Format Runtime 7.1, 9, 9.5, 11, 9.5 x86 edition, and Windows Media Services 9.1 and 9.1 x64.

Not Affected: Windows Media Services 4.1, and Windows Media Player 6.4 on Windows 2000, Server 2003, and XP

2. Cumulative Security Update for Internet Explorer (KB942615)

CVE-2007-3902 (BID 26506) Microsoft Internet Explorer Unspecified Remote Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 7.1/10)

This is a remote code execution vulnerability in Internet Explorer. The problem occurs because IE accesses an object that has not been correctly initialized or deleted. An attacker exploits this issue by tricking an unsuspecting victim into visiting a malicious Web site. A successful exploit will result in the execution of attacker-supplied code in the context of the currently logged in user.

Affected: Internet Explorer 5.01, 6, and 7

CVE-2007-3903 (BID 26816) Microsoft Internet Explorer Variant Unspecified Remote Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 7.1/10)

This is a remote code execution vulnerability in Internet Explorer. The problem occurs because IE accesses an object that has not been correctly initialized or deleted. An attacker exploits this issue by tricking an unsuspecting victim into visiting a malicious Web site. A successful exploit will result in the execution of attacker-supplied code in the context of the currently logged in user.

Affected: Internet Explorer 6 and 7

CVE-2007-5344 (BID 26817) Microsoft Internet Explorer Second Variant Unspecified Remote Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 7.1/10)

This is a remote code execution vulnerability in Internet Explorer. The problem occurs because IE accesses an object that has not been correctly initialized or deleted. An attacker exploits this issue by tricking an unsuspecting victim into visiting a malicious Web site. A successful exploit will result in the execution of attacker-supplied code in the context of the currently logged in user.

Affected: Internet Explorer 6 and 7

CVE-2007-5347 (BID 26427) Microsoft Internet Explorer DHTML Object Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 7.1/10)

This is a remote code execution vulnerability in Internet Explorer. The problem occurs because of the way IE displays a Web page that contains certain unexpected method calls to HTML objects. An attacker exploits this issue by tricking an unsuspecting victim into visiting a malicious Web site. A successful exploit will result in the execution of attacker-supplied code in the context of the currently logged in user.

Microsoft has received reports that this issue is being exploited in the wild.

Affected: Internet Explorer 6 and 7

This security bulletin also includes updates that set the kill bit for ActiveX controls from Intuit and Vantage. Microsoft reports that these vendors have released security bulletins detailing the scope of the vulnerabilities. These issues are documented in BIDs 25544, 26819, and 26815.

3. Vulnerabilities in DirectX Could Allow Remote Code Execution (KB941568)

CVE-2007-3901 (BID 26789) Microsoft DirectX SAMI File Parsing Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 7.1/10)

This is a client-side vulnerability affecting DirectX, or more specifically DirectShow, which is a component of DirectX. DirectShow does not perform sufficient parsing of parameters when handling malformed Synchronized Accessible Media Interchange (SAMI) files. An attacker exploits this issue by tricking an unsuspecting victim into opening a malicious file. A successful attack will result in the execution of attacker-supplied code with the permissions of the currently logged in user.

Affected: DirectX 7.0, DirectX 8.1, and DirectX 9.0c, running on Windows 2000, XP, and Server 2003, and DirectX 10.0 running on Vista.

CVE-2007-3895 (BID 26804) Microsoft DirectX WAV and AVI File Parsing Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 7.1/10)

This is a client-side vulnerability affecting DirectX, or more specifically DirectShow, which is a component of DirectX. DirectShow does not perform sufficient parsing of parameters when handling malformed WAV and AVI format files. An attacker exploits this issue by tricking an unsuspecting victim into opening a malicious file. A successful attack will result in the execution of attacker-supplied code with the permissions of the currently logged in user.

Affected: DirectX 7.0, DirectX 8.1, and DirectX 9.0c, running on Windows 2000, XP, and Server 2003, and DirectX 10.0 running on Vista.

4. Vulnerability in Message Queuing Service Could Allow Remote Code Execution (KB937894)

CVE-2007-3039 (BID 26797) Message Queuing Service Remote Code Execution Vulnerability (MS Rating: Important / Symantec Urgency Rating: 8.2/10)

This is a buffer-overflow vulnerability in Message Queuing Service (MSMQ). Specifically, input strings are not properly bounds-checked before being used. This issue can be exploited remotely on Windows 2000 systems in order to execute code with LOCAL SYSTEM privileges. On Windows XP and Windows 2000 Professional the attacker must have local interactive access to an affected computer to exploit this issue. A successful exploit on these systems will result in privilege-escalation.

Note: MSMQ is not installed by default on any of the operating systems and requires administrative access to install.

Affected: Windows 2000, Windows XP

5. Vulnerability in SMB Could Allow Remote Code Execution (KB942624)

CVE-2007-5351 (BID 26777) Microsoft Windows SMBv2 Code Signing Remote Code Execution Vulnerability (MS Rating: Important / Symantec Urgency Rating: 6.9/10)

This is a remote code execution vulnerability in Server Message Block version 2 (SMBv2). The problem occurs because SMBv2 signing is not correctly implemented. An attacker can perform a man-in-the-middle attack to modify the SMBv2 packet. A successful attack will result in the execution of arbitrary attacker-supplied code in the context of the currently logged in user.

Affected: Windows Vista, Vista x64

6. Vulnerability in Windows Kernel Could Allow Elevation of Privilege (KB943078)

CVE-2007-5350 (BID 26757) Microsoft Windows Vista Kernel ALPC Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Urgency Rating: 6.6/10)

This is a local privilege-escalation vulnerability in the Windows kernel. The problem occurs when handling certain access requests due to the ALPC (Advanced Local Procedure Call) improperly validating certain conditions in legacy reply paths. A local attacker could exploit this issue to execute arbitrary code with kernel-level privileges. This would facilitate the complete compromise of an affected computer.

Affected: Windows Vista, Vista x64

7. Vulnerability in Macrovision Driver Could Allow Local Elevation of Privilege (KB944653)

CVE-2007-5587 (BID 26121) Macrovision SafeDisc SecDRV.SYS Method_Neither Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Urgency Rating: 7.3/10)

This is an update to a previously documented local privilege-escalation vulnerability in Macrovision SafeDisc. This issue occurs because the ‘secdrv.sys’ driver uses the ‘METHOD_NEITHER’ IOCTL in an insecure way. This issue was originally detected in October of this year by Elia Florio of Symantec.

Affected: Macrovision SafeDisc running on Windows XP and Windows Server 2003.
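
With METHOD_NEITHER the I/O manager passes the caller's raw buffer pointers to the driver without validating or copying them, so the driver has to check them itself. The following user-mode C model is an added example, not Macrovision's or Microsoft's code: it decodes an IOCTL code's transfer method and applies the kind of range check such a handler needs. `MODEL_USER_LIMIT`, the function names and the sample codes are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Transfer method: low two bits of a Windows IOCTL control code. */
enum { METHOD_BUFFERED, METHOD_IN_DIRECT, METHOD_OUT_DIRECT, METHOD_NEITHER };

/* CTL_CODE layout: device<<16 | access<<14 | function<<2 | method. */
typedef struct { uint32_t device, access, function, method; } ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f = { code >> 16, (code >> 14) & 0x3, (code >> 2) & 0xFFF, code & 0x3 };
    return f;
}

/* Assumed boundary for this 32-bit model: first address outside user space. */
#define MODEL_USER_LIMIT 0x7FFF0000u

/* 1 if [addr, addr+len) lies wholly in user space; written to avoid wraparound. */
int user_range_ok(uint32_t addr, uint32_t len) {
    if (len == 0) return 1;                  /* nothing will be dereferenced */
    if (addr >= MODEL_USER_LIMIT) return 0;  /* starts outside user space */
    return len <= MODEL_USER_LIMIT - addr;   /* must not cross the boundary */
}

/* 0: I/O manager handles the buffers; 1: METHOD_NEITHER, pointer acceptable;
 * -1: METHOD_NEITHER, pointer must be rejected before any dereference. */
int review_request(uint32_t code, uint32_t user_ptr, uint32_t len) {
    if (decode_ioctl(code).method != METHOD_NEITHER) return 0;
    return user_range_ok(user_ptr, len) ? 1 : -1;
}

int main(void) {
    /* Constructed samples: device 0x22, function 0x800/0x801, any access. */
    struct { uint32_t code, ptr, len; } s[] = {
        { 0x222000u, 0x80001000u, 4 },   /* METHOD_BUFFERED */
        { 0x222007u, 0x00400000u, 16 },  /* METHOD_NEITHER, user buffer */
        { 0x222007u, 0x80001000u, 4 },   /* METHOD_NEITHER, kernel address */
        { 0x222007u, 0x7FFEFFFCu, 8 },   /* METHOD_NEITHER, straddles limit */
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("ioctl 0x%06X ptr 0x%08X len %u -> %d\n", (unsigned)s[i].code,
               (unsigned)s[i].ptr, (unsigned)s[i].len,
               review_request(s[i].code, s[i].ptr, s[i].len));
    return 0;
}
```

In a real kernel driver this check is made with `ProbeForRead`/`ProbeForWrite` inside a structured exception handler, before the handler touches the buffer.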

More information on this and other vulnerabilities is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.