Archive | March, 2010

Latest Oracle (Sun) Java Update Fixes 27 Vulnerabilities

Summary:

  • These vulnerabilities affect: All versions of Sun Java Runtime Environment (JRE) and Java Development Kit (JDK) released before 30 March, running on Windows, Solaris, and Linux platforms
  • How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious web page containing specially crafted Java
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate JRE (or JDK) update as soon as possible

Exposure:

Java is a programming language (first implemented by Sun Microsystems) used most often to enhance web pages. Most operating systems today implement a Java interpreter to recognize and process Java code from websites and other sources. Oracle’s Sun Java Runtime Environment (JRE) is one of the most popular Java interpreters currently used.

Today, Secunia released a security alert warning of 27 vulnerabilities that affect all previous versions of Sun JRE (as well as Sun Java SDK) running on Windows, Solaris and Linux platforms. While the vulnerabilities differ quite a bit technically, an attacker can exploit many of them in a similar manner – by enticing your users to a malicious web page containing specially crafted Java. In the worst case, if your users visit such a site, an attacker could leverage some of these Java flaws to execute attack code on your user’s computer. If your user has local administrative privileges, the attacker could potentially leverage these flaws to gain complete control of that user’s machine. Some of the other vulnerabilities allow an attacker to launch Denial of Service attacks or to expose sensitive information on your users’ computer.

If you run a Solaris or Linux network, you probably know whether or not you use Sun JRE (in most cases, you do). However, if you manage a Windows network your status is less clear. In the past, Windows shipped with Microsoft’s own Java interpreter, called Java Virtual Machine (MSJVM). Since earlier editions of IE use MSJVM to interpret Java applets, most Windows users who browse with IE aren’t vulnerable to these flaws. Because of a legal conflict with Sun, Microsoft had to discontinue the use of MSJVM in its most recent versions of Windows. For instance, MSJVM doesn’t ship with Windows Server 2003 or versions of Windows XP that come prepackaged with SP1a or SP2 (XP users who upgraded to SP1 or SP2 on their own retain MSJVM). Windows 7 and Server 2008 also do not come with MSJVM. These newer Windows releases require that you download your own Java interpreter, in which case you probably have Sun JRE and need to update as soon as possible.

Solution Path:

Sun has released various JRE and SDK updates to correct these issues. If you use Sun JRE in your network, download and deploy the appropriate updates as soon as possible:

Previous releases of Java have reached end of service life (EOSL) or end of life. For more information about these releases, see this page.

Note: Your Sun JRE client may also automatically inform you of an update. If it does, be sure to let it install this update for you.

For All WatchGuard Users:

Some of WatchGuard’s Firebox models allow you to prevent your users from downloading Java applets from websites. However, doing so also cripples legitimate websites using Java applets. If you do not want to block Java applets, download the appropriate Sun JRE updates as soon as possible. Furthermore, blocking Java applets may mitigate the risk of some of these vulnerabilities, but not all of them. Sun’s update is the best solution.

To learn how to use your Firebox’s HTTP proxy to block Java applets, see the “Deny Java Applets” section of the HTTP Proxy Advanced FAQ.

Status:

Sun has issued updates to correct these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Firefox 3.6.x Gets its First Security Update – Mozilla Also Releases Security Updates for Legacy Firefox

On 24 March, 2010, we alerted LiveSecurity subscribers about Firefox 3.6.2, which corrected ten security vulnerabilities. When we first released this alert, the Mozilla Foundation had only released an update for the 3.6.x branch of Firefox. They had not released updates for the 3.0.x or 3.5.x branches of Firefox.

Yesterday, the Mozilla Foundation released Firefox 3.5.9 and 3.0.19, which fix many of the same vulnerabilities that Firefox 3.6.2 corrected. You can read more about the vulnerabilities these versions fix in our original alert, or the following Firefox Known Vulnerabilities pages:

If you can, we strongly encourage you to use the latest branch of Firefox, 3.6.x. If you use 3.6.x, you probably already updated to version 3.6.2 when we sent our original Firefox alert, and can ignore this update. However, if you chose to stick with Firefox 3.0.x or 3.5.x for some reason, you should download and install Mozilla’s latest updates:

For additional details about the original vulnerability, and as a convenient reference, we reproduce our original 24 March alert below. You can also find it in the LiveSecurity Latest Broadcasts archive.


Summary:

  • These vulnerabilities affect: Firefox 3.6 for Windows, Linux, and Macintosh
  • How an attacker exploits it: Multiple vectors of attack, including enticing one of your users to visit a malicious web page
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Upgrade to Firefox 3.6.2

Exposure:

In late January, the Mozilla Foundation released a new branch of Firefox, version 3.6. This week, Mozilla released the first security update for Firefox 3.6, specifically version 3.6.2 (they did not release 3.6.1). This update fixes at least ten (count based on CVE number) vulnerabilities that affect the latest version of Firefox. Mozilla rates four of these vulnerabilities as critical, which they define as flaws that attackers can leverage to execute code and install software, requiring no user interaction beyond normal browsing. We summarize the most critical Firefox 3.6.x vulnerabilities below:

  • WOFF Integer Overflow Vulnerability (2010-08). Firefox 3.6 introduced support for Web Open Font Format (WOFF), a new downloadable font format that supports compression. Firefox’s WOFF decoder suffers from an integer overflow vulnerability that can cause heap memory corruption, which attackers can leverage to execute arbitrary code. By enticing one of your users to a maliciously crafted web page, an attacker can leverage this flaw to either crash Firefox, or to execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical
  • Three Memory Corruption Vulnerabilities (2010-11). This update also fixes three other memory corruption vulnerabilities, which can at least crash Firefox. Mozilla’s alert doesn’t say much about these vulnerabilities, other than they lie within Firefox’s browser engine. Mozilla presumes that, with enough effort, attackers could exploit some of these memory corruption flaws to run arbitrary code on a victim’s computer. To do so, an attacker would first have to trick one of your users into visiting a maliciously crafted web page. If your user took the bait, the attacker could execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical
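An added illustration of the integer-overflow class named in the WOFF bullet above, written for this page and not taken from Firefox (it does not reproduce the bug Mozilla fixed; which field overflowed in Firefox’s decoder is not stated here and not assumed). It shows a WOFF table-directory bounds check in the form that wraps beside the hardened form, run over a constructed 68-byte sample; the header and entry layout follow the public WOFF 1.0 format, and the function names are the example’s own.

```c
/* Added example, not Firefox's code and not the actual bug Mozilla fixed: a
 * WOFF table-directory bounds check in its wrapping form and its hardened
 * form. Layout per public WOFF 1.0: 44-byte header, then 20-byte big-endian
 * entries (tag, offset, compLength, origLength, origChecksum). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define WOFF_HEADER_SIZE    44u
#define WOFF_DIR_ENTRY_SIZE 20u
#define WOFF_NUMTABLES_OFF  12u   /* uint16 numTables sits at header byte 12 */
typedef struct {
    uint32_t tag, offset, comp_length, orig_length, orig_checksum;
} woff_dir_entry;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Wrapping form: offset + comp_length can pass zero in 32 bits, so a huge
 * comp_length looks in bounds and a later copy runs off the heap buffer. */
bool table_in_bounds_naive(const woff_dir_entry *e, uint32_t file_len) {
    return e->offset + e->comp_length <= file_len;
}

/* Hardened form: subtract from the trusted bound instead of adding untrusted
 * lengths, and enforce the spec rule compLength <= origLength. */
bool table_in_bounds_checked(const woff_dir_entry *e, uint32_t file_len) {
    if (e->offset > file_len)                  return false;
    if (e->comp_length > file_len - e->offset) return false;
    if (e->comp_length > e->orig_length)       return false;
    return true;
}

/* Read directory entry idx; false if the entry itself is truncated. */
bool woff_read_entry(const uint8_t *file, size_t file_len, uint16_t idx,
                     woff_dir_entry *out) {
    size_t entry_off = WOFF_HEADER_SIZE + (size_t)WOFF_DIR_ENTRY_SIZE * idx;
    if (file_len < WOFF_DIR_ENTRY_SIZE || entry_off > file_len - WOFF_DIR_ENTRY_SIZE)
        return false;
    const uint8_t *p = file + entry_off;
    out->tag = be32(p);             out->offset = be32(p + 4);
    out->comp_length = be32(p + 8); out->orig_length = be32(p + 12);
    out->orig_checksum = be32(p + 16);
    return true;
}

/* Walk the directory with the hardened check. Returns the table count, or -1
 * when anything is truncated or out of bounds: refuse the whole font. */
int woff_validate_directory(const uint8_t *file, size_t file_len) {
    if (file_len < WOFF_HEADER_SIZE || file_len > UINT32_MAX) return -1;
    if (memcmp(file, "wOFF", 4) != 0) return -1;
    uint16_t num_tables = (uint16_t)((file[WOFF_NUMTABLES_OFF] << 8) |
                                      file[WOFF_NUMTABLES_OFF + 1]);
    for (uint16_t i = 0; i < num_tables; i++) {
        woff_dir_entry e;
        if (!woff_read_entry(file, file_len, i, &e)) return -1;
        if (!table_in_bounds_checked(&e, (uint32_t)file_len)) return -1;
    }
    return num_tables;
}

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Constructed sample: header, one "cmap" entry, 4 bytes of table data (68
 * bytes). hostile swaps in a compLength that wraps the naive sum to 48. */
size_t build_sample(uint8_t *buf, size_t cap, bool hostile) {
    size_t len = WOFF_HEADER_SIZE + WOFF_DIR_ENTRY_SIZE + 4;
    if (cap < len) return 0;
    memset(buf, 0, len);
    memcpy(buf, "wOFF", 4);
    buf[WOFF_NUMTABLES_OFF + 1] = 1;               /* numTables = 1 */
    uint8_t *e = buf + WOFF_HEADER_SIZE;
    memcpy(e, "cmap", 4);
    put32(e + 4, 64);                              /* offset: right after directory */
    put32(e + 8, hostile ? 0xFFFFFFF0u : 4u);      /* compLength */
    put32(e + 12, hostile ? 0xFFFFFFF0u : 4u);     /* origLength */
    return len;
}

int main(void) {
    uint8_t buf[68]; woff_dir_entry e;
    size_t n = build_sample(buf, sizeof buf, true);
    if (!woff_read_entry(buf, n, 0, &e)) return 1;
    printf("naive %s, checked %s, directory %d\n",
           table_in_bounds_naive(&e, (uint32_t)n) ? "accepts" : "rejects",
           table_in_bounds_checked(&e, (uint32_t)n) ? "accepts" : "rejects",
           woff_validate_directory(buf, n));
    return 0;
}
```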

Mozilla’s alert describes six more vulnerabilities, including Cross-Site Scripting (XSS) flaws, browser defacement flaws, and issues that could help a phisher in social engineering attacks. Visit Mozilla’s Known Vulnerabilities page for a complete list of the vulnerabilities that Firefox 3.6.2 fixes.

As an aside, attackers cannot leverage many of these vulnerabilities without JavaScript. Disabling JavaScript by default is a good way to prevent many web-based vulnerabilities. If you use Firefox, we recommend you also install the NoScript extension, which will disable JavaScript (and other active scripts) by default.

Solution Path:

Mozilla has released Firefox 3.6.2, correcting these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 3.6.2 as soon as possible. Mozilla strongly recommends 3.0.x and 3.5.x users upgrade to 3.6.x, and so do we. If you are using an older version of Firefox, we recommend you move to 3.6.x, as it contains new security features, such as its ability to detect out-of-date and potentially insecure plug-ins and extensions.

Note: The latest version of Firefox 3.6.x automatically informs you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists.

For All Users:

Many of these attacks arrive as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

The Mozilla Foundation has released Firefox 3.6.2, fixing these security issues.

References:

Huge OS X Update Fixes Almost 100 Security Flaws

Summary:

  • These vulnerabilities affect: All current versions of OS X 10.5.x (Leopard) and OS X 10.6.x (Snow Leopard)
  • How an attacker exploits them: Multiple vectors of attack, including visiting malicious websites or enticing one of your users into downloading and viewing various malicious media files
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer, potentially gaining full control of it
  • What to do: OS X administrators should download, test and install Security Update 2010-002 or the 10.6.3 update.

Exposure:

Today, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes well over 90 (number based on CVE-IDs) security issues in around 43 components that ship as part of OS X, including QuickTime, CoreMedia, and Mail. Some of these vulnerabilities allow attackers to gain full control of your OS X machines, so we rate this update Critical. Apply it as soon as you can. Some of the fixed vulnerabilities include:

  • Various QuickTime Code Execution Vulnerabilities. QuickTime is the multimedia (video and audio) player that ships with OS X. According to Apple, QuickTime suffers from nine code execution vulnerabilities involving its inability to properly handle maliciously crafted movie files. Though the flaws differ technically, they share the exact same scope and impact. If an attacker can lure one of your users into playing a malicious movie (perhaps hosted on a malicious website), he could exploit this flaw to either crash QuickTime or to execute attack code on that user’s computer. By default, the attacker would only execute code with that user’s privileges. However, the attacker could also leverage other privilege elevation flaws described in Apple’s alert to gain complete control of your user’s Mac.
  • Multiple Image-related Memory Corruption Vulnerabilities. ImageIO and Image RAW are both OS X components that help the operating system handle various types of image files. Both components suffer from memory-related vulnerabilities involving the way they handle certain types of image files. Though the vulnerabilities differ technically, they share a very similar scope and impact. If an attacker can get a victim to view a specially crafted picture (perhaps hosted on a malicious website), he could exploit any of these flaws to either crash the viewing application or to execute attack code on the victim’s computer. By default, the attacker would only execute code with that user’s privileges. However, the attacker could also leverage other flaws in Apple’s alert to gain complete control of your user’s Mac.
  • Disk Images Code Execution Vulnerabilities. Disk Images is the OS X component that mounts the DMG disk image files commonly used to install software on Mac computers. Apple’s OS X update fixes two code execution vulnerabilities in Disk Images. Though they differ technically, an attacker could leverage both in the same way. By enticing you to mount a malicious DMG file, an attacker could exploit either of these flaws to execute code on your computer, with your privileges. Like the previous flaws, the attacker could then leverage other vulnerabilities to gain complete control of your Mac.

Apple’s alert also describes many other vulnerabilities, including some Denial of Service (DoS) flaws, information disclosure issues, and Cross Site Scripting (XSS) vulnerabilities. Components patched by this security update include:

AppKit, Application Firewall, AFP Server, Apache, ClamAV, CoreAudio, CoreMedia, CoreTypes, CUPS, curl, Cyrus IMAP, Cyrus SASL, Desktop Services, Disk Images, Directory Services, Dovecot, Event Monitor, FreeRADIUS, FTP Server, iChat Server, ImageIO, Image RAW, Libsystem, Mail, Mailman, MySQL, OS Services, Password Server, perl, PHP, Podcast Producer, Preferences, PS Normalizer, QuickTime, Ruby, Server Admin, SMB, Tomcat, unzip, vim, Wiki Server, X11, and xar.

Please refer to Apple’s OS X 10.5.x and 10.6.x alert for more details.

As an aside, if you haven’t installed the Safari update Apple released earlier this month, we recommend you install it as well.

Solution Path:

Apple has released OS X Security Update 2010-002 and 10.6.3 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can.

Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend that you let OS X’s Software Update utility pick the correct updates for you automatically.

For All Users:

These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.

Status:

Apple has released updates to fix these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Microsoft Mends Zero Day IE Flaw with Out-of-Cycle Update

Summary:

  • This vulnerability affects: Internet Explorer 8 and all earlier versions, running on all current versions of Windows
  • How an attacker exploits it: By enticing one of your users to visit a malicious web page
  • Impact: In the worst case, an attacker can execute code on your user’s computer, gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately

Exposure:

In an out-of-cycle security bulletin released today, Microsoft describes nine new vulnerabilities in Internet Explorer (IE) 8.0 and earlier versions, running on all current versions of Windows (including Windows 7 and Windows Server 2008). One of the corrected vulnerabilities includes a critical zero day flaw that attackers have exploited in the wild since at least early March. For more information about this previously reported zero day IE flaw, see our Wire post on the subject.

The nine vulnerabilities differ technically, but seven of them share the same general scope and impact. These seven flaws involve various memory corruption issues having to do with how IE handles certain HTML objects and memory constructs. If an attacker can lure one of your users to a web page containing malicious web code, he could exploit any one of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could exploit these flaws to gain complete control of the victim’s computer. The remaining two vulnerabilities are less risky information disclosure flaws.

If you’d like to know more about the technical differences between these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Technical differences aside, all of these IE flaws pose significant risk – especially, the zero day vulnerability that attackers have been exploiting in the wild. You should download and install this emergency IE patch immediately.

Keep in mind, today’s attackers commonly hijack legitimate web pages and booby-trap them with malicious code. They do this via hosted web ads or through SQL injection attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way.

Solution Path:

These patches fix serious issues. You should download, test, and deploy the appropriate IE patches immediately, or let Windows Automatic Update do it for you.

Note: These flaws do not affect Windows Server 2008 administrators who installed using the Server Core installation option.

For All WatchGuard Users:

These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

Malicious Media Files Usurp QuickTime and iTunes

Summary:

  • These vulnerabilities affect: QuickTime 7.6.x and iTunes 9.x running on any platform
  • How an attacker exploits them: Multiple vectors of attack, including enticing your user to view maliciously crafted images or videos, or to visit a malicious website
  • Impact: In the worst case, an attacker could execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Install QuickTime 7.6.6 and iTunes 9.1 for Windows or OS X

Exposure:

Today, Apple released two security updates [ QuickTime / iTunes ] to fix several vulnerabilities in QuickTime 7.6.x and iTunes 9.x running on Windows or OS X computers.

The QuickTime update fixes sixteen security issues (number based on CVE-IDs) involving how QuickTime handles certain image and video files. While the vulnerabilities differ technically, they share the same basic scope and impact. If an attacker can trick one of your users into viewing a maliciously crafted image or video in QuickTime, he could exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. In Windows environments, users typically have local administrator access on their computers, meaning the attacker could leverage these vulnerabilities to gain complete control of their machines. However, OS X separates user accounts from the root account. So attackers can only exploit these flaws to gain user-level privileges on OS X machines.

Apple’s iTunes update corrects seven security issues (number based on CVE-IDs), the worst of which have to do with how iTunes handles certain image and media files. Like the QuickTime flaws above, if an attacker can trick one of your users into viewing a maliciously crafted image or media file in iTunes, the worst of these flaws could be exploited to execute code on that user’s computer, with that user’s privileges. In Windows, this often means the attacker gains control of your user’s computer. On a Mac, the attacker only gains user-level privileges. However, another of the iTunes vulnerabilities can allow local users to gain system privileges, so an attacker could leverage a combination of these vulnerabilities to gain complete control of a Mac as well.

If you allow the use of QuickTime or iTunes in your network, we recommend you download and install the latest versions as soon as possible. Keep in mind, iTunes now ships with QuickTime. If you have iTunes, you’ll likely need both updates.

Solution Path:

Apple has released QuickTime 7.6.6 and iTunes 9.1 to fix these security issues. Windows and OS X administrators should download, test, and deploy the appropriate updates as soon as possible.

For All Users:

Because these QuickTime flaws involve so many different media types (many of which are essential for doing business), trying to block exploitable file types using your firewall may not be the best way to support your organization’s mission. Instead, your best solution is to download and install Apple’s fixes.

Status:

Apple has released updates to fix these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Cisco Biannual Patch Day: Seven DoS Advisories Primarily Affect IOS

Summary:

  • These vulnerabilities affect: Devices running Cisco IOS and Cisco UCM
  • How an attacker exploits them: Multiple vectors of attack; in the most common, the attacker sends specially crafted network packets
  • Impact: Various Denial of Service (DoS) issues that can force a Cisco device to crash, reload, or halt. One may also allow an attacker to execute code
  • What to do: Administrators who manage Cisco IOS or UCM devices should download, test, and deploy the appropriate Cisco updates as soon as possible

Exposure:

Yesterday, Cisco released seven security advisories as part of their biannual patch day, which falls on the fourth Wednesday of March and September. All of these advisories cover Denial of Service (DoS) security vulnerabilities that primarily affect devices running Cisco’s Internetwork Operating System (IOS) software. IOS is the operating system that runs on most Cisco routers. That said, attackers could potentially leverage one of the IOS DoS flaws to execute code on your IOS device, potentially gaining control of it. Finally, one of the advisories also covers a DoS in Unified Communications Manager (UCM), which is Cisco’s enterprise-level, IP telephony call-processing system.

While Cisco’s IOS advisories differ technically, all of them cover vulnerabilities that attackers could exploit in DoS attacks. For a complete list of today’s Cisco advisories, check out Cisco’s Bundled Advisory for March 24th or their Security Advisories page. We summarize three of the IOS advisories below:

Cisco Document ID 111448: IOS SIP DoS and code execution vulnerabilities.

The Session Initiation Protocol (SIP) is a multimedia communication standard used to make voice and video calls over an IP network. IOS’s SIP implementation suffers from three unspecified vulnerabilities involving the way it handles SIP Messages. By sending specially crafted SIP packets, a remote attacker could exploit these vulnerabilities to either reload your IOS device, or to potentially execute code on your IOS device. If you use a Cisco IOS router to get to the Internet, an attacker could repeatedly exploit the DoS vulnerabilities to knock your network offline. In the case of code execution, the attacker could potentially gain complete control of your IOS device.
Base CVSS Score: 10

Cisco Document ID 111265: IOS H.323 DoS vulnerabilities.

H.323 is a protocol designed to stream multimedia over a network, and often used in video conferencing. IOS’s H.323 implementation suffers from two unspecified vulnerabilities involving the way it handles H.323 traffic. By sending specially crafted H.323 packets, a remote attacker could exploit these vulnerabilities to reload your IOS device. If you use a Cisco IOS router to get to the Internet, an attacker could repeatedly exploit these vulnerabilities to knock your network offline.
Base CVSS Score: 7.8 (10 being the most severe)

Cisco Document ID 111266: IOS IPsec DoS vulnerability.

IPsec is a VPN standard designed to allow you to securely tunnel private communications over the Internet. IOS’s IPsec implementation suffers from a flaw in the way it handles specially crafted IPsec IKE packets. By sending specially crafted IKE packets to your Cisco device, a remote attacker could exploit this vulnerability to reload your IOS device. If you use a Cisco IOS router to get to the Internet, an attacker could repeatedly exploit this vulnerability to knock your network offline.
Base CVSS Score: 7.8

The remaining advisories also fix DoS flaws just as severe as the ones described above. For greater detail on all of Cisco’s March vulnerabilities, check out the individual advisories in the References section of this alert, or refer to Cisco’s bundled security advisory for March 2010.

Cisco also published an advisory describing a DoS vulnerability in their Unified Communications Manager (UCM). If you use Cisco UCM, be sure to apply these patches as well.

Solution Path:

Cisco has released patches to fix these vulnerabilities. If you use any Cisco device running IOS software or Cisco’s Unified Communications Manager (UCM), you should immediately consult the “Software Versions and Fixes” and “Obtaining Fixed Software” sections of the advisories listed in Cisco’s bundled security advisory for March 2010 to learn which fixes apply to your devices, and how to obtain them. You can also refer to the “Software Versions and Fixes” and “Obtaining Fixed Software” section of each of the individual alerts linked below.

For All WatchGuard Users:

Since these vulnerabilities can affect your router, which is typically in front of your WatchGuard firewall, the solutions above are your primary recourse.

Status:

Cisco has made fixes available.

References:

Malicious Excel Documents Contain Unwelcome Surprises

Summary:

  • These vulnerabilities affect: All current versions of Excel shipping with Microsoft Office, and ancillary Office products (like Excel Viewer)
  • How an attacker exploits them: By enticing you to open maliciously crafted Excel documents
  • Impact: An attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Excel patch immediately, or let Microsoft’s Automatic Update do it for you.

Exposure:

Today, Microsoft released a security bulletin describing seven vulnerabilities found in Excel, a component that ships with Microsoft Office. The vulnerabilities affect all current versions of Office for Mac and PC, as well as ancillary Office components, such as Excel Viewer and Office compatibility packs. They even affect Microsoft SharePoint Server.

Though the seven vulnerabilities differ technically, they share the same basic scope and impact. By enticing one of your users into downloading and opening a maliciously crafted Excel document, an attacker can exploit any of these vulnerabilities to execute code on a victim’s computer, inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Although this type of attack requires some user interaction (which is why Microsoft only rates it as Important), we suspect that your users interact with Office documents quite regularly. An attacker could probably easily convince many users to open a malicious Excel document, so we recommend you apply this Excel update immediately.

Solution Path:

Microsoft has released an Excel update to correct these vulnerabilities. You should download, test, and deploy the appropriate patch throughout your network immediately, or let the Microsoft Automatic Update feature do it for you.

MS10-017:

Excel update for:

For All WatchGuard Users:

While you can configure certain WatchGuard Firebox models to block Microsoft Excel documents, some organizations need to allow them in order to conduct business. Therefore, the patches above are your best recourse.

If you want to block Excel documents, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block files by the .xls file extension. Keep in mind, blocking files by extension blocks both malicious and legitimate documents.

Status:

Microsoft has released an Excel update to fix these vulnerabilities.

References:

Windows Movie Maker Code Execution Vulnerability

Summary:

  • This vulnerability affects: Windows Movie Maker 2.1, 2.6, and 6.0, as well as Microsoft Producer 2003
  • How an attacker exploits it: By enticing you to open a maliciously crafted Movie Maker or Producer project file
  • Impact: An attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Movie Maker patch as soon as possible, or let Microsoft’s Automatic Update do it for you.

Exposure:

Windows Movie Maker is a video capturing and editing application that you get free with Windows. Movie Maker actually ships with older versions of Windows, such as Windows XP and 2000. However, the latest versions of Windows (Windows Vista and 7), don’t provide the Movie Maker application on the installation disc. Instead, you have the option to download it for free as part of the Windows Live Essentials package. In short, if you have Windows XP, you have Windows Movie Maker. However, if you have Windows Vista or 7, you only have it if you chose to download and install the Live Essentials package.

Today, Microsoft released a security bulletin describing a buffer overflow vulnerability that affects Windows Movie Maker 2.1, 2.6, and 6.0, as well as Microsoft Producer 2003 (Producer is another optional download that adds rich-media creation features to PowerPoint). Movie Maker and Producer do not properly parse specially crafted project files. If an attacker can entice you to download a specially crafted project file, then open that file in Movie Maker or Producer, he can exploit this flaw to execute code on your computer, with your privileges. If you have local administrative privileges, the attacker gains full control of your computer.

While code execution flaws have the highest impact, we do not feel this flaw poses a high risk to most business users. Few business users ever run Movie Maker, so it would probably be more difficult to get them to interact with Movie Maker projects. Nonetheless, we still recommend you apply the Movie Maker update as soon as you can.

Solution Path:

Microsoft has released updates for Windows Movie Maker to correct this vulnerability. You should download, test, and deploy the appropriate patch throughout your network as soon as possible (or just let the Microsoft Automatic Update feature do it for you). This flaw also affects Producer 2003; however, Microsoft has not released a patch for it. Instead, they recommend you uninstall the optional add-in, or remove its file associations. This Microsoft Fixit will automatically remove Producer’s file associations for you.

MS10-016:

Updates for Movie Maker:

For All WatchGuard Users:

If you like, you can configure certain WatchGuard Firebox models to block Microsoft Movie Maker projects from arriving via the web, email, or through FTP transfers. If you don’t need Movie Maker projects to conduct business, we recommend you do this. Nonetheless, you should still apply Microsoft’s updates for full protection.

If you want to block Movie Maker projects, the links below provide video instructions on how to use your Firebox proxy’s content blocking features to block file extensions. The file extensions you should block include .MSWMM, .MSProducer, .MSProducerZ, and .MSProducerBF. Keep in mind, blocking files by extension blocks both malicious and legitimate documents.

Status:

Microsoft has released a Movie Maker update to fix this flaw.

References: