Archive | June, 2010

Avoid Ten Vulnerabilities By Upgrading To Firefox 3.6.4

Summary:

  • These vulnerabilities affect: Firefox 3.6.3 for Windows, Linux, and Macintosh
  • How an attacker exploits it: Typically by enticing one of your users to visit a malicious web page
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Upgrade to Firefox 3.6.4, or let Firefox’s automatic update do it for you

Exposure:

Yesterday, Mozilla released an advisory describing ten vulnerabilities (counted by CVE number) in Firefox 3.6.3 (and earlier versions) running on all platforms. Mozilla rates more than half of these vulnerabilities as critical, meaning an attacker can leverage them to execute code and install software without user interaction beyond normal browsing. We summarize three of the most critical Firefox 3.6.3 vulnerabilities below:

  • XSLT-related Integer Overflow Vulnerability (2010-30). Extensible Stylesheet Language Transformations (XSLT) is an XML-based language used to change one XML document into another XML document. A routine Firefox uses to sort XSLT nodes suffers from an integer overflow vulnerability that can cause a buffer overflow. By enticing one of your users to a maliciously crafted web page, an attacker can leverage this buffer overflow to either crash Firefox, or to execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical
  • Four Memory Corruption Vulnerabilities (2010-26). Mozilla’s update fixes four unspecified memory corruption vulnerabilities, which can at least crash Firefox. Mozilla’s alert doesn’t say much about these vulnerabilities, other than they lie within Firefox’s browser and JavaScript engines. Mozilla presumes that, with enough effort, attackers could exploit some of these memory corruption flaws to run arbitrary code on a victim’s computer. To do so, an attacker would first have to trick one of your users into visiting a maliciously crafted web page. If your user took the bait, the attacker could execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical
  • DOM-related Buffer Overflow Vulnerability (2010-29). The Document Object Model (DOM) is a W3C specification for representing structured documents as objects, in a platform and language neutral manner. Some of Firefox’s DOM code suffers from a buffer overflow vulnerability. By enticing one of your users to a maliciously crafted web page, an attacker can leverage this flaw to either crash Firefox, or to execute malicious code on that user’s machine, with that user’s privileges. As usual, the attacker may gain full control of your users’ computers if those users have administrative privileges.
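
The XSLT item above describes an integer overflow that turns into a buffer overflow. The following C program is an added example, not Mozilla’s code: it uses a hypothetical sort_entry record and a size32_t type that models the 32-bit size arithmetic of a 32-bit build (both assumptions of the example) to show the arithmetic pattern behind this class of bug and the bound check that prevents it. The count multiplied by the element size wraps silently, so the allocation ends up far smaller than what the code later writes into it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-node record kept by a sort routine; it stands in for
 * whatever the real XSLT code uses and is an assumption of this example. */
typedef struct {
    uint32_t key;
    uint32_t node_index;
} sort_entry;

/* Models the size arithmetic of a 32-bit build, where size_t is 32 bits wide
 * and count * sizeof(sort_entry) can wrap silently (also an assumption). */
typedef uint32_t size32_t;

/* Vulnerable pattern: multiply first, check nothing. For count = 0x20000001
 * the true product is 0x100000008, which wraps to 8, so space for one entry
 * is allocated while the caller later writes 0x20000001 entries past it. */
size32_t naive_table_bytes(uint32_t count)
{
    return count * (size32_t)sizeof(sort_entry);
}

/* Hardened pattern: bound the count before multiplying, so the product is
 * never formed when it cannot be represented. Returns 1 and sets *bytes on
 * success, 0 when the request would overflow. */
int checked_table_bytes(uint32_t count, size32_t *bytes)
{
    if (count > UINT32_MAX / sizeof(sort_entry))
        return 0;
    *bytes = count * (size32_t)sizeof(sort_entry);
    return 1;
}

/* Allocates a zeroed sort table only when the size arithmetic is safe.
 * Returns 1 with *table set, or 0 with *table = NULL when count is rejected
 * or the allocation fails. */
int allocate_sort_table(uint32_t count, sort_entry **table)
{
    size32_t bytes;
    *table = NULL;
    if (!checked_table_bytes(count, &bytes))
        return 0;
    /* bytes is already known not to have wrapped. calloc(count, size) would
     * also check the product itself and is the idiomatic choice once the
     * count has been bounded. */
    *table = calloc(1, bytes);
    return *table != NULL;
}

int main(void)
{
    sort_entry *table;
    uint32_t hostile = 0x20000001u;

    printf("naive size for %u entries: %u bytes (wrapped)\n",
           hostile, naive_table_bytes(hostile));
    printf("checked allocation for %u entries: %s\n", hostile,
           allocate_sort_table(hostile, &table) ? "accepted" : "rejected");
    if (allocate_sort_table(16, &table)) {
        printf("checked allocation for 16 entries: accepted\n");
        free(table);
    }
    return 0;
}
```

The check compares the count against UINT32_MAX divided by the element size rather than testing the product afterwards, because by then the wrap has already happened and the product looks valid.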

Mozilla’s alert describes four more vulnerabilities, including another code execution flaw, a potential Cross-Site Scripting (XSS) vulnerability, and an issue that could allow an attacker to record your keystrokes, or inject extra ones. Visit Mozilla’s Known Vulnerabilities page for a complete list of the vulnerabilities that Firefox 3.6.4 fixes.

The vulnerabilities alone should convince you to upgrade, but if you need more reason, Firefox 3.6.4 also comes with a neat new feature called “plug-in isolation”. This feature should significantly improve Firefox’s stability. Part of Firefox’s draw lies in its extensive library of third party extensions or plug-ins, which deliver extra functionality to the popular browser. Previous to plug-in isolation, these extensions or plug-ins ran within the Firefox process, which meant that if a third party plug-in crashed, Firefox would crash. With Firefox 3.6.4, plug-ins now run as external processes, so Firefox can stay running even if a plug-in crashes. If you use third party extensions and plug-ins and have experienced Firefox crashes, this new feature may lessen crashes outside of Mozilla’s control.

Solution Path:

Mozilla has released Firefox 3.6.4, correcting ten security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 3.6.4 as soon as possible.

Note: The latest version of Firefox 3.6.x automatically informs you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists.

As an aside, attackers cannot leverage many of these vulnerabilities without JavaScript. Disabling JavaScript by default is a good way to prevent many web-based vulnerabilities. If you use Firefox, we recommend you also install the NoScript extension, which will disable JavaScript (and other active scripts) by default.

For All Users:

This attack arrives as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

The Mozilla Foundation has released Firefox 3.6.4 to fix these vulnerabilities.

References:

OS X 10.6.4 and Security Update 2010-004 Fixes 28 Vulnerabilities

Summary:

  • These vulnerabilities affect: All current versions of OS X 10.5.x (Leopard) and OS X 10.6.x (Snow Leopard)
  • How an attacker exploits them: Multiple vectors of attack, including visiting malicious websites or downloading and viewing various malicious media files
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer, potentially gaining full control of it
  • What to do: OS X administrators should download, test and install Security Update 2010-004 or the 10.6.4 update as soon as possible, or let Apple’s Software updater do it for you.

Exposure:

Today, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes 28 security issues (counted by CVE-ID) in 17 components that ship as part of OS X, including iChat, ImageIO, and Help Viewer. Some of these vulnerabilities allow attackers to gain full control of your OS X machines, so we rate this update Critical. Apply it as soon as you can. Some of the fixed vulnerabilities include:

  • Multiple ImageIO Memory Corruption Vulnerabilities. ImageIO is an OS X component that helps the operating system handle various types of graphical media. It suffers from memory-related vulnerabilities involving the way it handles certain types of images (TIFF) and movies (MPEG 2 encoded). Though the vulnerabilities differ technically, they share a very similar scope and impact. If an attacker can get a victim to view a specially crafted picture or movie (perhaps hosted on a malicious website), he could exploit one of these flaws to either crash the viewing application or to execute attack code on the victim’s computer. By default, the attacker would only execute code with that user’s privileges. However, the attacker could also leverage other flaws described in Apple’s alert to gain complete control of your user’s Mac.
  • Network Authorization Code Execution Vulnerability. Network Authorization is an OS X component that handles authenticating users over a network. According to Apple, the Network Authorization component does not properly handle specially crafted URLs that begin with the afp:, cifs:, or smb: URI schemes. By enticing one of your users to a web site containing specially crafted links, an attacker could exploit this vulnerability to execute code on that user’s computer, with that user’s privileges. Network Authorization also suffers from an elevation of privilege vulnerability that could allow a local unprivileged user to gain complete system privileges on your Mac.
  • Multiple Kerberos Vulnerabilities. OS X’s Kerberos component suffers from three different security vulnerabilities. The worst vulnerability has to do with a flaw in how Kerberos handles specially crafted messages using AES or RC4 encryption. By sending a specially crafted, encrypted message to your Kerberos KDC server, an unauthenticated attacker can exploit this vulnerability to execute code on your computer, gaining complete control of your Mac. Of course, you need to have a Kerberos KDC server configured on one of your OS X computers to be vulnerable to this issue. The remaining two Kerberos flaws are a second code execution vulnerability and a Denial of Service (DoS) issue.

Apple’s alert also describes many other vulnerabilities, including more Denial of Service (DoS) flaws, information disclosure issues, and Cross Site Scripting (XSS) vulnerabilities. Components patched by this security update include:

    CUPS
    DesktopServices
    Flash Player plug-in
    Folder Manager
    Help Viewer
    iChat
    ImageIO
    Kerberos
    libcurl
    Network Authorization
    Open Directory
    Printer Setup
    Printing
    Ruby
    SMB File Server
    SquirrelMail
    Wiki Server

Please refer to Apple’s OS X 10.5.x and 10.6.x alert for more details.

Solution Path:

Apple has released OS X Security Update 2010-004 and OS X 10.6.4 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can.

Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend that you let OS X’s Software Update utility pick the correct updates for you automatically.

For All Users:

These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.

Status:

Apple has released updates to fix these flaws.

References:

Update Fixes Adobe Flash Zero Day; Reader Still Vulnerable

Summary:

  • This vulnerability affects: Adobe Flash Player 10.0.45.2 and earlier, running on all platforms. Some flaws also affect Adobe AIR 1.5.3.9130
  • How an attacker exploits it: By enticing your users to visit a website containing malicious Flash content (or into opening a PDF with an embedded Flash file)
  • Impact: In the worst case, an attacker can execute code on your computer, potentially gaining control of it
  • What to do: Download and install the latest version of Adobe Flash Player and Air

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash, often formatted as a Shockwave (.SWF) file. Adobe’s Flash Player ships by default with many web browsers, including Internet Explorer (IE). It also runs on many operating systems.

In a security bulletin released yesterday, Adobe warned of 32 vulnerabilities (counted by CVE number) that affect Adobe Flash Player 10.0.45.2 for Windows, Mac, and Linux (as well as all earlier versions); many of them are critical. Some of the flaws also affect Adobe AIR 1.5.3.9130. Adobe’s bulletin describes the flaws in bare minimum detail. However, it does warn that if an attacker can entice one of your users to visit a malicious website containing specially crafted Flash content, many of these unspecified vulnerabilities could be exploited to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC. If you use Adobe Flash Player in your network, we recommend you download and deploy the latest version throughout your network as soon as possible.

One of the flaws Adobe fixed with this update is a very recent zero day Flash flaw that researchers noticed attackers exploiting earlier this week. This flaw technically lies within how Flash handles specially malformed Flash (SWF) files. However, it also affects Adobe Reader and Acrobat, since they ship with Flash components in order to parse Flash content embedded within PDF documents. Attackers can exploit this particular flaw either by enticing your users to a malicious website or by luring them into viewing a specially crafted PDF file with embedded Flash content. You can read more about this zero day flaw in Adobe’s early warning advisory or in this blog post, which contains deeper technical analysis of the flaw. As mentioned, this Flash update does fix this zero day vulnerability for Adobe Flash. However, it does not fix the flawed Flash component (authplay.dll) that ships with Adobe Reader. That means Reader users are still susceptible to the PDF variant of this vulnerability. In their advisory, Adobe promises to release a Reader and Acrobat update on July 29th (earlier than their typical patch day). Until then, you should remain wary of unexpected PDF files, or follow the workaround mentioned below.

Solution Path

Adobe has released a new version of Flash Player and Air. Specifically:

If you use these products in your network, we recommend you download and deploy their updates as soon as possible.

Unfortunately, Adobe has not patched the Reader and Acrobat problem yet. They plan to do so on June 29th. Until then, we recommend you tell your users to remain suspicious of unexpected .PDF files. You can also use security devices, like your WatchGuard Firebox, to block .PDF files at your gateway. Finally, if you don’t mind preventing any Flash content from working within PDF files (which may result in some Reader crashes), you can delete the flawed authplay.dll component from your Reader directory. You can find details on how to do this in the “Mitigations” section of Adobe’s Reader advisory.

For All WatchGuard Users:

Some of WatchGuard’s Firebox models allow you to prevent your users from accessing Flash and PDF files (.SWF and .PDF) via the web (HTTP, HTTPS) or in emails (SMTP, POP3). If you like, you can somewhat mitigate the risk of this vulnerability by blocking .SWF and PDF files using your Firebox’s proxy services. However, many websites rely on Flash for interactive content, and blocking Flash prevents these sites from working properly. Note that many popular video streaming sites, such as YouTube and JibJab, deliver video using a Flash front end, so this technique may render many video websites unusable. Also, most businesses rely on PDF files quite regularly. So blocking them may not be an option for everyone.

Nonetheless, if you choose to block Flash and PDF content, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block .SWF and .PDF files by their file extensions:

Status:

Adobe has released updates to fix these Flash and AIR vulnerabilities. They expect to release a Reader and Acrobat patch on June 29.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

IE Cumulative Update Fixes Six New Vulnerabilities

Summary:

  • This vulnerability affects: All current versions of Internet Explorer, running on all current versions of Windows
  • How an attacker exploits it: By enticing one of your users to visit a malicious web page
  • Impact: In the worst case, an attacker can execute code on your user’s computer, gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately

Exposure:

In a security bulletin released today as part of Patch Day, Microsoft describes six new vulnerabilities in Internet Explorer (IE) 8.0 and earlier versions, running on all current versions of Windows (including Windows 7 and Windows Server 2008). Microsoft rates the aggregate severity of these new flaws as Critical for normal versions of Windows, and Moderate for Server versions of Windows.

The six vulnerabilities differ technically, but four of them share the same general scope and impact. These four issues involve various memory corruption flaws having to do with how IE handles various HTML elements and objects. If an attacker can lure one of your users to a web page containing malicious web code, he could exploit any one of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could exploit these flaws to gain complete control of the victim’s computer.

The two remaining vulnerabilities are Cross-Site or Cross-Domain Scripting (XSS) vulnerabilities. Among other things, an attacker might leverage this type of vulnerability to view information (such as cookies) from another domain or site, which he shouldn’t have access to, or to execute scripts with another domain or site’s privileges.

Keep in mind, today’s attackers commonly hijack legitimate web pages and booby-trap them with malicious code. They do this via hosted web ads or through SQL injection attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way.

If you’d like to know more about the technical differences between these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Technical differences aside, the memory corruption flaws in IE pose significant risk. You should download and install the IE cumulative patch immediately.

Solution Path:

These patches fix serious issues. You should download, test, and deploy the appropriate IE patches immediately, or let Windows Automatic Update do it for you.

* Note: These flaws do not affect Windows Server 2008 administrators who installed using the Server Core installation option.

For All WatchGuard Users:

These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Five Vulnerabilities in Windows and its Components; Two Critical

Bulletins Affect Media Decompression Components, Kernel-mode Drivers, and More

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious media or to visit specially crafted websites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released five security bulletins describing at least 10 vulnerabilities (perhaps more, depending on how you count them) that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS10-033: Two Media Decompression Code Execution Vulnerabilities

Windows ships with various components that help it process and play media files, such as videos. According to Microsoft, these media handling components suffer from two unspecified code execution vulnerabilities, involving the way they handle compressed data within specially crafted media. Though the flaws differ technically, an attacker could exploit both in the same way. By enticing one of your users to download and play a specially crafted media file, or by luring them to a website containing such media, an attacker can exploit either of these flaws to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC.
Microsoft rating: Critical.

  • MS10-034: Cumulative ActiveX Kill Bit Update

Microsoft and external researchers have identified several Microsoft and third party ActiveX controls that suffer various security vulnerabilities. By enticing one of your users to a malicious website, an attacker could exploit any of these ActiveX controls to execute code on your user’s computer, with that user’s privileges. Like most Windows vulnerabilities, if your user has administrative privileges, the attacker would gain complete control of the user’s PC. This update sets the Kill Bit for all the vulnerable ActiveX controls, thereby disabling them in Windows. For more details about which ActiveX controls are disabled, see the Vulnerability Information section of Microsoft’s bulletin.
Microsoft rating: Critical.

  • MS10-032: Three Privilege Elevation Vulnerabilities in the Kernel-mode Driver (Win32k.sys)

The kernel is the core component of any computer operating system. In Windows, access to the kernel is provided via the Windows kernel-mode device driver (Win32k.sys). Win32k.sys suffers from three elevation of privilege (EoP) vulnerabilities. The three EoP flaws differ technically, but share a similar scope. By running a specially crafted program on one of your Windows computers, an attacker can leverage any of these flaws to gain complete control of that system, regardless of his original user privileges. However, the attacker needs to have local access to one of your computers in order to run a malicious program. So these vulnerabilities primarily pose an internal risk. That said, one of these three kernel-mode driver vulnerabilities involves the way Windows handles specially crafted TrueType fonts. While no Microsoft applications expose this font related vulnerability to remote attacks, theoretically, third party applications may. In this theoretical case, attackers could exploit one of these flaws remotely by luring your users into viewing content with specially crafted fonts.
Microsoft rating: Important.

  • MS10-041: .NET Framework Data Tampering Vulnerability

The .NET Framework is a software framework used by developers to create new Windows and web applications. Among other things, the .NET Framework includes capabilities to handle cryptographically signed XML content, to ensure unauthorized attackers can’t alter XML messages being sent to your application. Unfortunately, the .NET Framework doesn’t implement XML signature checking properly. As a result, attackers could potentially send maliciously altered XML messages to applications you’ve created with the .NET Framework. The impact of this vulnerability differs greatly depending on the application you’ve designed, and what type of data you pass in your XML. If you haven’t exposed any web applications that rely on signed XML, then the flaw doesn’t affect you at all.
Microsoft rating: Important.

  • MS10-037: OpenType Compact Font Format (CFF) Driver Privilege Elevation Vulnerability

Windows ships with many fonts, including the OpenType Compact Font Format (CFF) font. Unfortunately, the driver that helps Windows display the OpenType CFF font doesn’t properly validate certain data passed from user space to kernel space. By running a specially crafted program on one of your Windows computers, an attacker can exploit this flaw to gain complete control of that system, regardless of the attacker’s original user privileges. However, the attacker needs to have local access to one of your computers in order to run his malicious program. So this vulnerability primarily poses an internal risk.
Microsoft rating: Critical.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS10-033:

Note: In order to correct the vulnerabilities described in this security bulletin, you may have to install multiple patches on each of your Windows machines. If you have trouble figuring out which patches you really need for each version of Windows, we recommend you use Windows Update instead, as it will figure out what you need automatically.

MS10-034:

MS10-032:

MS10-041:

We recommend you see the “Affected Software” section of this Microsoft bulletin to find all the potential .NET framework patches. With all the different versions of .NET Framework, combined with the different Windows and Framework Service Pack variants, there are actually many confusing possibilities for which patches to apply. If it fits your organization’s policy, we highly recommend you use Windows’ automatic update feature to download the right patch.

MS10-037:

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods, including some that require local access to your computers. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Remote IIS Code Execution Flaw Affects Only Select Web Servers

Summary:

  • This vulnerability affects: IIS 6.0, 7.0 and 7.5
  • How an attacker exploits it: By sending a specially crafted HTTP request
  • Impact: In the worst case, an attacker can gain complete control of your IIS server
  • What to do: Install Microsoft’s IIS updates, or let Windows Update do it for you

Exposure:

Microsoft’s Internet Information Services (IIS) is one of the most popular web servers used on the Internet. All server versions of Windows come with IIS, though some of its services may not start by default.

In a security bulletin released as part of Patch Day, Microsoft describes an unpatched code execution vulnerability in IIS. The flaw has to do with IIS’ inability to allocate memory properly when handling certain types of authentication information received from a client. By sending a specially crafted HTTP request containing such authentication information, a remote attacker could exploit this vulnerability to execute code on your IIS server with the privileges of the IIS Worker Process Identity (WPI). According to Microsoft, the WPI has the same privileges as the Windows Network Service account by default. However, in some cases, IIS administrators may give the WPI administrative privileges to get their web applications to work. In these cases, the attacker could leverage this IIS vulnerability to gain complete control of your web server.

Though this vulnerability sounds extremely serious, a few mitigating factors significantly lessen its severity. First of all, your IIS server is only vulnerable to this flaw if you’ve installed an add-on feature called Extended Protection for Authentication. This add-on came with a non-security update referred to in this Microsoft Knowledge Base article. Furthermore, even if you’ve installed this update, Extended Protection for Authentication is not enabled by default; you’d actually have to enable the component first. Finally, even if you’ve installed and enabled this optional component, Microsoft claims only authenticated attackers can exploit this vulnerability. Meaning, only users with a valid account on your website could exploit this flaw.

Though the mitigating factors above significantly limit the severity of this vulnerability to average IIS administrators, this flaw does pose a very high risk to the IIS administrators that do use Extended Protection for Authentication. Whether or not you’re one of those administrators, we still recommend you apply Microsoft’s IIS update as soon as possible.

Solution Path:

Microsoft has released IIS updates to fix this vulnerability. IIS administrators should download, test and deploy the corresponding update as soon as possible, or let Windows Update do it for you:

For All WatchGuard Users:

WatchGuard’s HTTP-Server proxy action allows you to control many aspects pertaining to the HTTP requests you accept to your web server. In some cases, this control can allow you to configure your proxies in ways that prevent certain types of attacks from succeeding. However, neither Microsoft, nor this flaw’s original discoverer, have disclosed enough technical detail about this flaw for us to say whether or not our proxy can help. If we do learn technical details that suggest our proxies do help, we’ll update this alert. However for now, Microsoft’s patches are your primary recourse.

Status:

Microsoft has released updates to correct this vulnerability.

References:

  • Microsoft Security Bulletin MS10-040

This alert was researched and written by Corey Nachreiner, CISSP.

Microsoft Office Security Bulletins Affect Excel and SharePoint

Summary:

  • These vulnerabilities affect: All current versions of Microsoft Office (for Windows and Mac) and Office SharePoint Server
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users into opening malicious Office documents
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released three security bulletins describing 18 vulnerabilities that affect Microsoft Office, its various components, and other Office Suite related packages, such as SharePoint Server. Each vulnerability affects Office components to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS10-036: Office COM Validation Code Execution Vulnerability

Microsoft COM (Component Object Model) is a Windows technology that allows software components, such as the various Office packages, to communicate with one another. In their bulletin, Microsoft warns that Office doesn’t properly validate COM objects instantiated in its various applications (Excel, Word, PowerPoint, etc.). By enticing one of your users into downloading and opening a maliciously crafted Office document, an attacker can exploit this vulnerability to execute code on a victim’s computer, inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine. The attacker can trigger this flaw with any Office document.
Microsoft rating: Important.

  • MS10-038: Multiple Excel Code Execution Vulnerabilities.

Office’s spreadsheet application, Excel, suffers from 14 security vulnerabilities. Though the vulnerabilities differ technically, most of them share the same basic scope and impact. By enticing one of your users into downloading and opening a maliciously crafted Excel document, an attacker can exploit any of these vulnerabilities to execute code on a victim’s computer, inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine. Although this type of attack requires some user interaction (which is why Microsoft only rates it as Important), we suspect that your users interact with Office documents quite regularly. An attacker could easily convince many users to open a malicious Excel document, so we recommend you apply this Excel update immediately. These flaws also affect the Mac versions of Office.
Microsoft rating: Important.

  • MS10-039: SharePoint Elevation of Privilege and Information Disclosure Vulnerabilities.

SharePoint and InfoPath, two Microsoft Office related products, suffer from three security vulnerabilities. The worst are two Cross-Site Scripting (XSS) vulnerabilities that could allow an attacker to elevate his privileges to those of a logged in user. Of course, the attacker would first have to entice a logged in user into clicking a specially crafted link. The remaining flaw is a Denial of Service (DoS) vulnerability associated with the SharePoint online help page. By sending specially crafted requests to the SharePoint help page, an attacker could cause your SharePoint server to stop responding until you restart it.
Microsoft rating: Important.

Solution Path:

Microsoft has released patches that correct all of these Office related vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS10-036:

Note: Due to architecture issues, Microsoft is unable to release a proper update for Office XP to fix this problem. However, they have released a “FixIt” workaround for Office XP users. The XP link below refers to that FixIt.

Other versions of Office are not affected.

MS10-038:

Excel update for:

MS10-039:

For All WatchGuard Users:

While you can configure certain WatchGuard Firebox models to block Microsoft Office documents, most organizations need to allow them in order to conduct business. Furthermore, you’d have to block all types of Office documents in order to mitigate the risk posed by one of these vulnerabilities. Therefore, the patches above are your best recourse.

Nonetheless, if you want to block all Office documents, the links below contain video instructions showing how your Firebox’s proxy policies can block files by extension. Keep in mind, this technique also blocks legitimate documents.
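
Both the Flash and PDF alert above (blocking .SWF and .PDF files by extension) and this Office alert describe filtering by file extension. The following C program is an added example, not WatchGuard’s code, showing why a defender would also look at the content: it identifies PDF, SWF, legacy OLE2 Office and OOXML files from their leading bytes and combines that with an extension rule, so a file that was merely renamed is still caught. The policy bits, labels and sample buffers are constructed for the example; the OOXML test (a ZIP whose bytes contain "[Content_Types].xml") is a heuristic, not a full ZIP parse.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Policy bits for the example: which document classes the gateway blocks. */
enum { BLOCK_PDF = 1, BLOCK_SWF = 2, BLOCK_OFFICE = 4 };

/* Returns 1 if needle occurs anywhere within the first len bytes of buf. */
static int contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; n <= len && i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* Identifies the container format from leading bytes, ignoring the file name.
 * Signatures: "%PDF" (PDF); "FWS"/"CWS"/"ZWS" (plain, zlib- and LZMA-compressed
 * SWF); D0 CF 11 E0 A1 B1 1A E1 (OLE2 compound file: legacy .doc/.xls/.ppt);
 * "PK\3\4" (ZIP), which is an OOXML document when it carries [Content_Types].xml. */
const char *sniff_format(const unsigned char *buf, size_t len)
{
    static const unsigned char ole2[8] = {0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1};
    if (len >= 4 && memcmp(buf, "%PDF", 4) == 0) return "pdf";
    if (len >= 3 && (memcmp(buf, "FWS", 3) == 0 || memcmp(buf, "CWS", 3) == 0 ||
                     memcmp(buf, "ZWS", 3) == 0)) return "swf";
    if (len >= 8 && memcmp(buf, ole2, 8) == 0) return "office";
    if (len >= 4 && memcmp(buf, "PK\x03\x04", 4) == 0)
        return contains(buf, len, "[Content_Types].xml") ? "office" : "zip";
    return "unknown";
}

/* Copies the lower-cased extension (without the dot) into out, or "" if none. */
const char *file_extension(const char *name, char *out, size_t outlen)
{
    const char *dot = strrchr(name, '.');
    size_t i = 0;
    if (!dot) { out[0] = '\0'; return out; }
    for (dot++; *dot && i + 1 < outlen; dot++)
        out[i++] = (char)tolower((unsigned char)*dot);
    out[i] = '\0';
    return out;
}

/* Maps an extension or a sniffed label to a policy bit (0 = not covered). */
static unsigned class_bit(const char *label)
{
    if (strcmp(label, "pdf") == 0) return BLOCK_PDF;
    if (strcmp(label, "swf") == 0) return BLOCK_SWF;
    if (strcmp(label, "office") == 0 || strcmp(label, "doc") == 0 ||
        strcmp(label, "xls") == 0 || strcmp(label, "ppt") == 0 ||
        strcmp(label, "docx") == 0 || strcmp(label, "xlsx") == 0 ||
        strcmp(label, "pptx") == 0) return BLOCK_OFFICE;
    return 0;
}

/* Extension-only rule: what a filter that matches on file names sees. */
int blocked_by_extension(const char *name, unsigned policy)
{
    char ext[16];
    return (class_bit(file_extension(name, ext, sizeof ext)) & policy) != 0;
}

/* Combined rule: block when either the name or the content identifies a
 * blocked type, so a renamed PDF does not slip past the extension check. */
int blocked_by_content_or_extension(const char *name, const unsigned char *buf,
                                    size_t len, unsigned policy)
{
    return blocked_by_extension(name, policy) ||
           (class_bit(sniff_format(buf, len)) & policy) != 0;
}

int main(void)
{
    /* Constructed samples: PDF bytes under a .txt name, OOXML bytes under a
     * .zip name, and plain text under a .pdf name. */
    const unsigned char renamed_pdf[] = "%PDF-1.4\n";
    const unsigned char ooxml[] = "PK\x03\x04" "....[Content_Types].xml";
    const unsigned char text[] = "Quarterly notes";
    unsigned policy = BLOCK_PDF | BLOCK_SWF | BLOCK_OFFICE;

    printf("report.txt  (PDF bytes):   ext=%d content+ext=%d\n",
           blocked_by_extension("report.txt", policy),
           blocked_by_content_or_extension("report.txt", renamed_pdf, sizeof renamed_pdf - 1, policy));
    printf("deck.zip    (OOXML bytes): ext=%d content+ext=%d\n",
           blocked_by_extension("deck.zip", policy),
           blocked_by_content_or_extension("deck.zip", ooxml, sizeof ooxml - 1, policy));
    printf("invoice.pdf (plain text):  ext=%d content+ext=%d\n",
           blocked_by_extension("invoice.pdf", policy),
           blocked_by_content_or_extension("invoice.pdf", text, sizeof text - 1, policy));
    return 0;
}
```

The extension rule alone says 0 for the first two samples and 1 for the third; the combined rule says 1 for all three, which is the behaviour you want from a gateway: the content signature catches what the name hides, and the name still catches a file whose content the sniffer does not recognise.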

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

