Symantec Blogs: Security Response

Robert Keith | December 11th, 2007

Hello, and welcome to this month’s blog on the Microsoft patch releases. Microsoft released seven bulletins this month, covering a total of eleven vulnerabilities. Nine of the vulnerabilities affect Microsoft Vista either directly or through applications running on that operating system.


The first three bulletins discuss seven client-side vulnerabilities rated “Critical” by Microsoft. Four of those are vulnerabilities in Internet Explorer, two more affect DirectX, and the seventh is a vulnerability affecting the Windows Media Format Runtime. These issues do require some sort of user interaction (such as visiting a malicious Web page, opening a malicious email, or opening a malicious file), but can aid in the remote compromise of a victim’s computer. Users are advised to use security best practices, including avoiding sites of unknown or questionable integrity.


The remaining vulnerabilities (four issues rated...

Jim Hoagland | July 9th, 2007

Symantec Security Advisory SYMSA-2007-005[1] is now available. This covers a Teredo-related vulnerability in the Vista version of Windows Firewall (BID 24779, CVE-2007-3038). (To be clear, this vulnerability is not connected to any of the nine Vista issues I discussed in my last blog[2].)

Last fall, when Ollie Whitehouse[3] was analyzing what TCP ports were open over a Teredo interface in a freshly installed Windows Vista RC2, he discovered that port 5357 was open over Teredo. We thought this odd since there is no functional reason this port, which corresponds to Web Services on Devices (WSD)[4], should be remotely accessible. When the release version of Vista became available, we verified that this port was still open. (...

Ben Greenbaum | July 9th, 2007

This month's Microsoft patch release includes six bulletins, addressing 12 vulnerabilities in common client and server software, including four in a popular development environment. Topping the heap in terms of urgency is a remotely exploitable, server-side code execution vulnerability in IIS, and that's where we'll start:

MS07-041 (KB939373): Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution

This bulletin addresses a previously known issue in IIS 5.1 on Windows XP that was reported in late 2005 as a denial-of-service problem. It is now known to be exploitable to run attacker code. IIS is not running or installed by default on Windows XP.

  • Microsoft Internet Information Server 5.1 DLL Request Remote Code Execution Vulnerability
    BID...
Jim Hoagland | April 2nd, 2007

Last week the CVE project issued nine new CVEs for Vista, numbered CVE-2007-1527 through CVE-2007-1535. While these CVEs were directly based on our findings in the Windows Vista Network Attack Surface Analysis[1] report (released as a Symantec Security Response whitepaper on March 7th), they had been requested by a third party. I'll describe each of these in this post.

We don't feel that most of the issues are especially significant. Microsoft reviewed the paper prior to its public release and Symantec would participate in any warranted responsible disclosure for vulnerabilities.

We regard CVE-2007-1535 as important, and...

Ollie Whitehouse | March 11th, 2007

Code Signing and UAC in Windows Vista have a relationship that should not be underestimated. Code Signing allows UAC to provide a user with the details of an application's publisher and, thus, permits the user to ensure it is trusted before allowing it to elevate to full administrative privileges. Therefore, my recent observation has left me dumbfounded.

The observation was this: if a signed binary is modified on disk and, thus, the code signing signature invalidated, you don’t get a big klaxon going off with the computer screaming, “Danger Will Robinson! Danger!” Instead, the binary is simply treated as if it isn’t signed. Why is this an issue? The simple reason is that if, for example, you have a world of poor file permissions (looking squarely at third-party software here) and the user running as a restricted administrator can modify a binary that is allowed to elevate, you could end up in a sticky situation. That is, if a user is familiar with the fact that...

Jim Hoagland | March 7th, 2007

Greetings. For the last four months we have been busy taking a look at the release (RTM) version of Windows Vista in an effort to update our Windows Vista Network Attack Surface Analysis report from last July, which covered beta builds of Vista. To broaden and deepen our research, we have retested the results in the first report and expanded our investigation of certain topics.

As of today, the new report is available to you. The paper is 118 pages long, but don't worry, you don't have to read it all! You can skip to the parts you are most interested in, or take a look at the 13 pages that summarize the results in the paper. In addition, the appendices provide details of our methodology and results. We hope you find this report useful as a Windows Vista network reference, and we hope you find value in both the detailed security analysis and in the broad overview.

...

Orlando Padilla | March 2nd, 2007

The media surrounding the effectiveness of Windows Vista's new security features has (in my opinion) just begun. Microsoft's reach is well beyond that of any other software vendor in the world, and with this achievement comes fame, power, and a corporate life under a microscope. To honor this tradition, I previously posted an entry about the effects of malicious code executed under a default Vista environment; if you haven't read it, you are certainly encouraged to. This research has now been completed and this new entry should serve as a complement to my previous post. A paper detailing the full research has been made available here.

The outcome of the research:

In my previous blog, I mentioned that about seventy...

Ollie Whitehouse | March 1st, 2007

When I started this project, I had one goal in mind – to understand which binaries in Windows Vista were not /GS compiled. While this may seem rather simple on the surface, as I started to dig, it became a little more complex. That said, my goal was achievable and today I’m happy to present my findings.

The purpose of my paper "Analysis of GS Protection in Windows Vista" was to show which binaries under a default installation of Windows Vista 32bit RTM were not protected by the Visual Studio 2005 /GS compiler flag. This, in turn, was designed to help Symantec and our clients understand any exposure, either direct or indirect, which may result from this lack of protection.

The abstract for my paper is as follows:

Visual Studio 2002 introduced the Buffer Security Check (GS) option to protect stack variables from overflows that resulted in arbitrary code...

Ollie Whitehouse | March 1st, 2007

ASLR (Address Space Layout Randomization) is one of the cornerstones of Windows Vista and its enhanced security posture. ASLR works on the basis that it will move an application and its associated memory around, either each time it’s executed or when the host is rebooted, depending on the element concerned. The purpose of this is to hinder a class of vulnerabilities commonly referred to as memory manipulation vulnerabilities by making it difficult for an attacker to know where an application is in memory. This would impede successful exploitation, which relies on fixed memory addresses.

Back in December, I decided to take a brief look at the implementation of ASLR on Vista. I had seen some findings emerge during its development, but these really didn’t show if the implementation was good, bad, or indifferent. Since my work load was winding down, as I had December off, and a tool I had written indicated there might be some problems, I decided to look at this in more detail. My...

Oliver Friedrichs | February 28th, 2007

Last July, I discussed how Windows Vista™ was one of the most important technologies that we would see in 2007. Last year, Symantec Advanced Threat Research released four research papers on the then beta version of Windows Vista. These papers provided a security analysis of the new Windows Vista network stack, user-mode security defenses, kernel-mode security technologies, and the Teredo protocol—a key IPv6 over IPv4 transition technology in Vista. Being one of the first third-party assessments on the progression of Windows Vista security, these papers were extremely well received in the technology industry.

Fast forward to today, and Windows Vista has now been released to businesses and consumers alike. Throughout its release, Symantec has tracked the evolution of Vista very closely and continued to assess its potential in defeating today’s attackers. We’ve documented our findings in a series of six research papers that are being released in the course of the next week. The goal of this...

Ollie Whitehouse | February 20th, 2007

People who have been following the not unexpected initial wave of security research with regards to Windows Vista will have seen a few informative blog posts recently. First, in a blog titled "Running Vista Every Day!" Joanna Rutkowska pointed out some issues with UAC, one of them being a simple implementation bug in UIPI. This, I believe in part, resulted in Mark Russinovich writing his blog entry "PsExec, User Account Control and Security Boundaries." Joanna posted another blog, "Vista Security Model - A Big Joke?" in response to Mark's blog post. And then followed it with "...

James O'Connor | February 16th, 2007

There has been much talk recently about the launch of Windows Vista, and one feature in particular: Speech Recognition. Speech Recognition allows the user to dictate arbitrary text to the computer (a letter for example) using speech instead of the keyboard. It also allows the user to carry out normal computing tasks via a choice of pre-defined commands. There are commands such as "delete that," "press escape key," and "what can I say?" This last one shows the user what kinds of command they can use in the current situation. If Speech Recognition is running, but sleeping, the user says "start listening" to activate it.

It has been suggested that Speech Recognition could be subverted for nefarious purposes using malicious audio clips. The scenario would be as follows:

  • The user is browsing the Web, with Speech Recognition enabled.
  • They visit a Web site, with a background audio clip that plays as soon as the site is opened.
  • The audio clip contains...