Anybody remember when RTF files were just innocent little things? They were like the big brother of the .txt file, or .txt v2, if you will. Just characters on a screen, but some of them might be different fonts or colors or sizes – maybe the occasional clipart. Who would have guessed they are apparently the most hostile files on the Internet this month? "When RTFs Go Bad!…" Okay, perhaps I'm exaggerating, but this month Microsoft is patching no less than three vulnerabilities, in separate applications, that can be exploited via malicious RTF files that contain OLE objects.
Several of this month's patches address issues that have been exploited already in limited-distribution, targeted attacks. The combination of target-specific social engineering and privately held vulnerability information is becoming more and more widely adopted by attackers with political and industrial motivations. While the "new breed" of cybercriminals wants to cast as wide a net as possible, we cannot forget that there are also still those who have specific targets and goals in mind.
In addition to those client-side vulnerabilities, we have a number of other client-side issues resolved this month, as well as two local privilege escalation issues, and one vulnerability that could be client-side or fully remote, depending on the vector chosen by the attacker. This last one is actually our highest-urgency patched MS vulnerability for this month, and the only one that can be exploited remotely with no user interaction.
The overwhelming majority that the "client-side" patches represent this month got me thinking. Anecdotally, we all know that Microsoft has been patching more and more client-side issues lately. I had to wonder, though, how many more? How rapid has this rise been, and when did it start? Luckily, I have the Symantec/SecurityFocus Vulnerability Database handy, and I decided to do some digging.
I should point out that the figures below illustrate patched vulnerabilities, not patches per se. If fixing one vulnerability requires four patches, one for each affected platform, then that counts as one. If one patch addresses three vulnerabilities, then that counts as three. Additionally, just to avoid bickering later, for this experiment "client-side" means "requiring that a user be present and take some action, be that clicking on a URL, opening an attachment, or otherwise." I rather arbitrarily chose to start the count on New Year's Day 2004.
Figure 1: All patched Microsoft vulnerabilities
It might look like we're getting off easy this quarter, but remember we're only two thirds done! However, you can also see that the bulk of the area, especially in 2006, is made up of client-side fixes. To make it clearer, I regraphed it as a percentage (figure 2).
Figure 2: Client-side vulnerabilities as percentage of all Microsoft vulnerabilities patched
So there you have it. A decidedly marked increase in the attention being paid by Microsoft to client-side vulnerabilities. Most practitioners already knew this, and, therefore, I didn't think this was worthy of a blog entry on its own, but seeing the actual proof does make an interesting tangent from the monthly patch list.
And now, on with our regularly scheduled program, starting with this month's only (even potentially) truly remotely exploitable vulnerability…
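The counting rules spelled out above (a vulnerability fixed by several platform-specific patches counts once, a patch that fixes several vulnerabilities counts once per vulnerability, and "client-side" is a flag on the vulnerability, not the patch) are easy to get wrong when the raw data is one row per patch. The script below is an added example, not code from the original post or from the Symantec/SecurityFocus database; the patch and vulnerability identifiers and dates are constructed, and the quarter buckets and percentage are computed the way the figures describe.

```python
from collections import defaultdict
from datetime import date

# Constructed sample rows, one per (patch, vulnerability) pairing.
# Identifiers and dates are made up for illustration only.
PATCHED = [
    # (patch_id, vuln_id, date_patched, client_side)
    ("PATCH-A", "VULN-1", date(2006, 1, 10), True),
    ("PATCH-A", "VULN-2", date(2006, 1, 10), True),
    ("PATCH-A", "VULN-3", date(2006, 1, 10), False),  # one patch, three vulns: counts as three
    ("PATCH-B", "VULN-4", date(2006, 2, 14), False),
    ("PATCH-C", "VULN-4", date(2006, 2, 14), False),  # one vuln, three platform patches: counts as one
    ("PATCH-D", "VULN-4", date(2006, 2, 14), False),
    ("PATCH-E", "VULN-5", date(2006, 4, 11), True),
    ("PATCH-F", "VULN-6", date(2006, 5, 9), True),
    ("PATCH-G", "VULN-7", date(2006, 5, 9), True),
    ("PATCH-H", "VULN-8", date(2006, 6, 13), False),
]

START = date(2004, 1, 1)  # the post's arbitrary start of the count


def quarter_of(d):
    """Label a date with its calendar quarter, e.g. 2006Q2."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def count_vulns_by_quarter(rows, start=START):
    """Return {quarter: (total_vulns, client_side_vulns)} over distinct vulnerabilities."""
    seen = {}  # vuln_id -> (earliest patch date, client_side flag)
    for _patch_id, vuln_id, d, client in rows:
        if d < start:
            continue
        # A vulnerability fixed by several patches is counted once, on its earliest patch date.
        if vuln_id not in seen or d < seen[vuln_id][0]:
            seen[vuln_id] = (d, client)
    totals = defaultdict(lambda: [0, 0])
    for d, client in seen.values():
        q = quarter_of(d)
        totals[q][0] += 1
        if client:
            totals[q][1] += 1
    return {q: tuple(v) for q, v in sorted(totals.items())}


def client_side_percentage(rows, start=START):
    """Client-side share of patched vulnerabilities per quarter, as in figure 2."""
    return {q: round(100.0 * c / t, 1)
            for q, (t, c) in count_vulns_by_quarter(rows, start).items()}


if __name__ == "__main__":
    for q, (total, client) in count_vulns_by_quarter(PATCHED).items():
        pct = client_side_percentage(PATCHED)[q]
        print(f"{q}: {total} patched vulnerabilities, {client} client-side ({pct}%)")
```

Swapping the constructed rows for a real export (one row per patch/vulnerability pair, with a vector flag per vulnerability) reproduces the two charts; the deduplication on `vuln_id` is the step that keeps multi-platform fixes from inflating the totals.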
• Microsoft AntiVirus Engine Remote Code Execution Vulnerability
BID 22479; CVE-2006-5270 (Symantec Urgency Rating: 8.9/10; MS Rating: Critical)
This vulnerability could allow a remote attacker to send a malicious PDF file that will execute attacker-supplied code at the privilege level of the application that includes the engine. Potentially affected applications are: Windows Live OneCare, Microsoft Antigen 9.x, Microsoft Windows Defender, Microsoft ForeFront Security for Microsoft Exchange Server 1.x, and Microsoft ForeFront Security for SharePoint Server 1.x.
The PDF could arrive via any number of means including but not limited to email, P2P file transfer, Web downloads etc. In the event of exploitation via an email gateway scanner, no user interaction would be required.
This patch addresses six distinct vulnerabilities in Word versions from 2000 to the present. The first three of these vulnerabilities have seen active exploitation already in the wild.
• Microsoft Word Malformed String Vulnerability
BID 21451; CVE-2006-5994 (Symantec Urgency Rating: 8.5/10; MS Rating: Critical)
This is the vulnerability that was exploited by Trojan.Mdropper.T in December of 2006 and first alluded to by Microsoft in an advisory released December 5. The exploit file was used to drop a keylogger on compromised systems.
• Microsoft Word 2000 Unspecified Code Execution Vulnerability
BID 22225; CVE-2007-0515 (Symantec Urgency Rating: 8.5/10; MS Rating: Critical)
Hostile functions in Word documents can execute arbitrary code. Discovery and exploitation of this issue was first observed in the second half of January as Trojan.Mdropper.W, which was seen dropping a combination of back doors and other downloaders. For a detailed explanation and a video of exploitation, please see this blog entry.
• Microsoft Word Malformed Data Structures Vulnerability
BID 21518; CVE-2006-6456 (Symantec Urgency Rating: 8.5/10; MS Rating: Important)
This vulnerability was also exploited in the wild to drop additional malcode onto victims' computers, this time by Trojan.Mdropper.X. The payloads of this exploit also tended to be back doors and keylogger programs.
• Microsoft Word Code Execution Vulnerability
BID 21589; CVE-2006-6561 (Symantec Urgency Rating: 8.5/10; MS Rating: Important)
Exploits for this vulnerability are publicly available.
• Microsoft Word Macro Permissions Bypass Arbitrary Code Execution Vulnerability
BID 22477; CVE-2007-0208 (Symantec Urgency Rating: 8.5/10; MS Rating: Important)
This vulnerability allows hostile macros in Word documents to bypass Microsoft's security checking. Successful exploitation of this issue could allow a hostile macro to execute arbitrary code.
• Microsoft Word Malformed Drawing Object Arbitrary Code Execution Vulnerability
BID 22482; CVE-2007-0209 (Symantec Urgency Rating: 8.5/10; MS Rating: Critical)
The code that handles drawing objects in Word files can be exploited to run attacker-supplied code.
This update addresses two vulnerabilities in Office, and replaces MS06-062 as well.
• Microsoft PowerPoint Record Improper Memory Access Remote Code Execution Vulnerability
BID 20325; CVE-2006-3887 (Symantec Urgency Rating: 7.1/10; MS Rating: Critical)
This update addresses the same vulnerability as was originally addressed via MS06-058. After further post-release investigation Microsoft determined that the original patches did not adequately prevent all potential exploitation vectors.
• Microsoft Office Malformed String Remote Code Execution Vulnerability
BID 22383; CVE-2007-0671 (Symantec Urgency Rating: 8.9/10; MS Rating: Critical)
This vulnerability was first discovered due to its usage by Trojan.Mdropper.Y in targeted attacks earlier in February. At the time, Microsoft released Advisory 932553 and patches are now available.
This cumulative update resolves three previously unpatched vulnerabilities in IE 5.01 to IE 6.0, and two in IE 7.0 when configured with non-default allowed COM object types. This patch also replaces MS06-072 from last year.
• Microsoft Internet Explorer IMJPCKSI COM Object Instantiation Memory Corruption Vulnerability
BID 22486; CVE-2006-4697 (Symantec Urgency Rating: 7.1/10; MS Rating: Critical/Low)
Instantiation of certain COM objects can lead to the execution of arbitrary code when viewing a hostile Web site. While IE 7.0 can be exploited in this manner, the affected COM objects are not on the default allow list. However, users can add them, in which case exploitation could occur in the same fashion as with prior versions. Due to this, Microsoft has rated this vulnerability 'Important' for IE7 on XP SP2, 'Low' for IE7 on Server 2003 SP1 (Enhanced Security Configuration may mitigate on this platform), but 'Critical' for all other affected systems. Either way, IE7 on Vista is not vulnerable.
• Microsoft Internet Explorer COM Object Instantiation Variant Memory Corruption Vulnerability
BID 22504; CVE-2007-0219 (Symantec Urgency Rating: 7.1/10; MS Rating: Critical)
This is a very similar issue to the previously described vulnerability but affects a number of COM object types.
• Microsoft Internet Explorer FTP Server Response Parsing Memory Corruption Vulnerability
BID 22489; CVE-2007-0217 (Symantec Urgency Rating: 7.1/10; MS Rating: Critical)
The FTP client built into IE versions 5.01 to 6.0 can be compromised by hostile FTP servers, leading to arbitrary code execution in the security context of the current user.
• Microsoft Internet Explorer ADODB.Connection Execute Memory Corruption Vulnerability
BID 20704; CVE-2006-5559 (Symantec Urgency Rating: 7.0/10; MS Rating: Critical)
This buffer overflow vulnerability was initially disclosed in October 2006, and proof of concept code has been available since then. While this was initially published as an IE vulnerability, IE is merely an exploit vector to the MDAC software itself.
• Microsoft HTML Help ActiveX Control Vulnerability
BID 22478; CVE-2007-0214 (Symantec Urgency Rating: 7.1/10; MS Rating: Critical/Moderate)
The ActiveX control that handles HTML Help fails to validate supplied parameters, which can allow attacker-supplied code to be executed. While this is rated Critical by Microsoft for Windows 2000 and XP, it is only rated Moderate for Server 2003 due to the potential mitigation provided by the Enhanced Security Configuration setting.
MS07-005; KB923723: Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution
• Microsoft Step-by-Step Interactive Training Buffer Overflow Vulnerability
BID 22484; CVE-2006-3448 (Symantec Urgency Rating: 7.1/10; MS Rating: Important)
This client-side vulnerability can be exploited when a user opens a malicious bookmark link file (.cbo, .cbl, or .cbm).
This patch addresses one vulnerability, which affects the RichEdit component used in Windows, Office, and Wordpad.
• Microsoft Office And Microsoft Windows RichEdit Component Remote Code Execution Vulnerability
BID 21876; CVE-2007-0032 (Symantec Urgency Rating: 7.1/10; MS Rating: Important)
An RTF file can contain a malicious OLE object that will exploit this vulnerability. A user on the target system would have to open the file and attempt to interact with the OLE object.
• Microsoft Windows OLE Dialog Remote Code Execution Vulnerability
BID 22483; CVE-2007-0026 (Symantec Urgency Rating: 7.1/10; MS Rating: Important)
This is another way that an RTF file containing a hostile OLE object can compromise a system when the file is opened and the object is manipulated by the user.
• Microsoft Windows and Microsoft Visual Studios .Net MFC Remote Code Execution Vulnerability
BID 22476; CVE-2007-0025 (Symantec Urgency Rating: 7.1/10; MS Rating: Important)
This is yet another vulnerability that allows a malicious OLE object in an RTF file to run attacker-supplied code in the context of the local user.
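All three of the RichEdit, OLE Dialog and MFC issues share one precondition: an RTF file that carries an embedded OLE object which the user then interacts with. A gateway or incident responder can therefore triage incoming RTFs by asking whether they contain any `\object` destination at all, which a plain-text memo never needs. The scanner below is an added example, not Symantec's or Microsoft's code; it relies on the RTF control words `\object`, `\objemb`/`\objlink`/`\objautlink` and friends, `\objclass` and `\objdata` as defined in the RTF specification, and the two sample documents are constructed, with placeholder hex in place of real OLE data.

```python
import re

# Constructed sample RTF: one paragraph followed by one embedded OLE object.
# The \objdata payload is a few placeholder hex bytes, not a real OLE stream.
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}"
    rb"\pard Quarterly figures attached.\par"
    rb"{\object\objemb\objw1000\objh1000{\*\objclass Package}"
    rb"{\*\objdata 0105000002000000}"
    rb"{\result {\pict\wmetafile8 0100 }}}"
    rb"\par}"
)

# Constructed clean document with no object destinations.
CLEAN_RTF = rb"{\rtf1\ansi\deff0 Nothing to see here.\par}"

# Object-type control words from the RTF specification.
OBJECT_TYPES = (b"objemb", b"objlink", b"objautlink", b"objsub", b"objpub",
                b"objicemb", b"objhtml", b"objocx")


def _group_at(data, start):
    """Return the brace-delimited RTF group beginning at data[start] (which must be b'{')."""
    depth = 0
    i = start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            i += 2          # skip the escaped character (\{, \}, \\, \', control word start)
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return data[start:i + 1]
        i += 1
    return data[start:]     # unbalanced group: return the remainder for inspection


def find_ole_objects(data):
    """Describe every \\object destination in an RTF byte string."""
    found = []
    for m in re.finditer(rb"\{\\object(?![a-zA-Z])", data):
        grp = _group_at(data, m.start())
        otype = next((t.decode() for t in OBJECT_TYPES
                      if re.search(rb"\\" + t + rb"(?![a-zA-Z])", grp)), "unknown")
        cls = re.search(rb"\\objclass\s+([^}\\]*)", grp)
        objdata = re.search(rb"\\objdata\s*([0-9a-fA-F\s]*)", grp)
        # \objdata is hex-encoded, so two characters per byte of embedded object.
        data_bytes = len(re.sub(rb"\s", b"", objdata.group(1))) // 2 if objdata else 0
        found.append({
            "type": otype,
            "class": cls.group(1).strip().decode() if cls else "",
            "data_bytes": data_bytes,
        })
    return found


def needs_review(data):
    """Triage verdict: any embedded OLE object earns the file a closer look."""
    return len(find_ole_objects(data)) > 0


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("clean", CLEAN_RTF)):
        print(name, "->", "REVIEW" if needs_review(doc) else "ok", find_ole_objects(doc))
```

The `\objclass` name and the size of the `\objdata` payload are what an analyst usually wants first: an object class that has no business in a memo, or a payload far larger than an icon, is a reason to hold the file at the gateway rather than deliver it.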
• Microsoft Windows Shell Hardware Detection Service Privilege Escalation Vulnerability
BID 22481; CVE-2007-0211 (Symantec Urgency Rating: 6.6/10; MS Rating: Important)
This privilege escalation vulnerability can only be leveraged by users that already have valid login credentials on the target computer. Via exploitation of this vulnerability, users can obtain SYSTEM privileges. This could potentially be combined with other vulnerabilities to escalate the privilege level obtained by a remote attacker.
• Microsoft Windows Image Acquisition Service Privilege Escalation Vulnerability
BID 22499; CVE-2007-0210 (Symantec Urgency Rating: 6.6/10; MS Rating: Important)
This is another local privilege escalation vulnerability on XP SP2. The code that manages communications with imaging devices (scanners, cameras) can be manipulated to grant SYSTEM privilege. This could also theoretically be paired with any number of client-side vulnerabilities to give a remote attacker full access to the target system.