Windows and OS X Share Two Quicktime Vulnerabilities

Severity: Medium

Summary:

Today, Apple released an update that fixes two security vulnerabilities in Quicktime 7.1.6 (and earlier versions) for Windows and OS X. By enticing one of your users into visiting a malicious web page, an attacker can exploit the worst of these vulnerabilities to execute arbitrary code on your user's computer, possibly gaining control of it. If you allow Quicktime or iTunes in your network, or suspect that users have installed them, you should have users either remove the applications or install Apple's update.

Exposure:

Today, Apple released an alert describing two security vulnerabilities in Apple's popular media player application, Quicktime 7.1.6 (and possibly earlier versions). Current versions of iTunes also ship with Quicktime. If your users have iTunes, they most likely have Quicktime. These applications run on Windows and Macintosh computers; the vulnerabilities affect both platforms.

The vulnerabilities involve Quicktime's inability to properly handle specially crafted Java applets. By tricking one of your Quicktime users into visiting a booby-trapped web page, an attacker can exploit either flaw: the first to execute arbitrary code on that user's computer, perhaps gaining full control of the machine; the second to read your user's web browser memory, which could disclose sensitive information about your user and her web browsing habits. Neither case bodes well for your Quicktime users.

Solution Path:

Apple has released an update for Quicktime 7.1.6 that corrects these vulnerabilities. If you allow (or suspect that users have installed) Quicktime or iTunes in your network, recommend that users either remove the applications or install this upgrade.

The latest versions of Quicktime and iTunes for Windows ship with Apple Software Update. Apple Software Update automatically detects updates such as this one for Quicktime, then informs you, so that you can install the update as soon as possible. If you choose to allow Quicktime or iTunes in your network, we recommend you set Apple Software Update to check for new updates daily and allow it to assist you in keeping your Apple software current.

Note: By default, Apple ships Quicktime combined with iTunes. If you do not want iTunes, download the standalone version of Quicktime.

Status:

Apple released an update for Quicktime 7.1.6, which fixes these issues.

Malicious MIME Maims Microsoft Exchange Server

Severity: High

Summary:

Today, Microsoft released a security bulletin describing four security vulnerabilities in Microsoft Exchange. By sending a specially crafted email to anyone in your network, an anonymous and remote attacker can exploit the worst of these flaws to gain complete control of your email server. If you use Exchange, you should download, test, and install Microsoft's update right away.

Exposure:

Microsoft Exchange is one of the most popular email servers used today.

In a security bulletin released today, Microsoft describes four security vulnerabilities affecting all current versions of Exchange. The worst of these flaws involves Exchange's inability to properly decode specially crafted MIME content. Specifically, Exchange doesn't properly handle base64 encoded MIME content. By sending a maliciously crafted email to any valid email address on your Exchange server, an attacker can exploit this vulnerability to gain total control of your email server. Not only does this earn the attacker full access to your sensitive email, it also provides a valuable foothold for the attacker to penetrate the rest of your network. You should consider this flaw of the utmost risk and patch it immediately.

Microsoft's bulletin also describes the three remaining flaws: two Denial of Service (DoS) vulnerabilities and an information disclosure flaw. However, the MIME decoding vulnerability alone should convince most administrators to patch right away.

Solution Path:

Microsoft has released patches to fix these critical Exchange issues. If you manage an Exchange email server, we urge you to download, test, and deploy the appropriate patch immediately.

Status:

Microsoft has released patches to fix this flaw.

Internet Explorer Patch Fixes .COM, Memory, ActiveX Holes

Severity: High

Summary:

Today, Microsoft released a security bulletin describing five vulnerabilities which are exploited via Internet Explorer. By tricking one of your users into visiting a maliciously crafted Web page, an attacker could leverage flaws in the way Internet Explorer handles ActiveX objects and computer memory to execute code on your user's computer, with your user's privileges. If you use Internet Explorer in your network, you should download, test, and deploy the appropriate Internet Explorer patches immediately.

Exposure:

In a security bulletin (MS07-027) released today as part of their monthly patch update, Microsoft describes five new vulnerabilities in Internet Explorer (IE) versions 5.01, 6.0, and 7, running under operating systems ranging from Windows 2000 to Vista. The vulnerabilities break down as follows:

IE improperly starts a COM object

The vulnerability here lies in the way IE starts (or, in geek speak, instantiates) a specific Component Object Model (COM) object. Not all COM objects were meant to be started by IE, and Microsoft's bulletin provides the identification number of the vulnerable COM object. A knowledgeable attacker can build a Web page which forces IE to start this COM object, and then uses it to corrupt the system's memory (similar to a buffer overflow attack), gaining the same level of authority on the system that the logged-on user has. If that user has administrator rights, then so does the attacker.

IE improperly manages memory

Using various tricks Microsoft doesn't explain, an attacker can exploit flaws in the way IE handles:

  • Uninitialized memory, not yet serving a particular purpose
  • Memory set aside for handling properties of objects called in a web page
  • Memory set aside for handling HTML objects such as scripts or ActiveX applets

While the details for each of these three vulnerabilities differ, exploiting any of them would involve a clever attacker building a web page and tricking users into visiting it. Once the users have connected to the web site, the attacker owns their computer. If the user had administrator rights, so does the attacker.

IE improperly calls an ActiveX control from Windows Media Server 4.1

This vulnerability is very similar to the first one, in that an ActiveX control that was never intended to be called by IE creates a vulnerability when called via IE. In this case, the root of the problem is a DLL (msauth.dll) from Windows Media Server 4.1. You can probably guess the rest: an attacker creates a web page to exploit the vulnerability, lures victims to his site, and takes control of their computers. Like all the other vulnerabilities in this alert, if the victim has administrator permissions on the system when the attack succeeds, so does the attacker.

Solution Path:

The Microsoft-approved workarounds for the issues covered by this bulletin feature various ways of keeping IE from accessing the vulnerable components. By disabling ActiveX, disabling Active Scripting, setting the IE Security zone to High, and directly editing the registry, you can protect yourself from the common vectors of attack. In most cases, Microsoft's advice leads to a reduction in functionality and may not be a realistic option for you.

Microsoft's alert covers all current versions of IE. While the newer versions of IE running on the newer versions of Windows are generally not as vulnerable as the older versions, in light of the seriousness of these vulnerabilities we recommend that you download, test, and deploy the appropriate IE patches for your environment as soon as possible.

Status:

Microsoft has released patches to fix these vulnerabilities.

Microsoft Patches Seven Office Flaws for Windows

Severity: High

Summary:

Today, Microsoft released security bulletins describing seven vulnerabilities affecting Microsoft Office for Windows and Mac. By enticing one of your users into opening a maliciously formed Office file, an attacker could exploit any of these flaws to execute code on your user's computer, with your user's privileges, potentially gaining control of that computer. If you use Office in your network, you should download, test, and deploy the appropriate patches immediately.

Exposure:

Microsoft's three security bulletins describe seven vulnerabilities found in components or programs that ship with Microsoft Office for Windows and Mac. Some of these flaws also affect Microsoft Works Suite. Each vulnerability affects different versions of Office to a different extent. The seven flaws affect different components and applications within Office, but the end result is always the same. By enticing one of your users into downloading and opening a maliciously crafted Office document, an attacker can exploit any of these vulnerabilities to execute code on a victim's computer, inheriting that user's level of privileges and permissions. If your user has local administrative privilege, the attacker gains full control of that machine.

An attacker can exploit this flaw using just about any Office document. While two of Microsoft's bulletins specifically mention Word (.doc) and Excel (.xls) files, the third involves something called a Drawing Object, which an attacker could embed into just about any Office document. So beware of all unexpected Office documents.

If you'd like to learn more about each individual flaw, drill into the "Vulnerability Details" section of the security bulletins listed below:

Although Microsoft hasn't confirmed this yet, their Word update may fix a previously unresolved vulnerability that we mentioned in this post from February. Attackers have been exploiting this flaw in the wild for over two months. This makes it particularly crucial for you to test and deploy these Office patches immediately, in case one of them does fix this zero day vulnerability.

Solution Path:

Microsoft has released patches for Office and Works that correct these vulnerabilities. Download, test, and deploy the appropriate patches throughout your network immediately.

MS07-023

MS07-024

MS07-025

Status:

Microsoft has released patches correcting these issues.

Update: Zero Day Microsoft DNS Vulnerability Discovered in the Wild

Severity: Medium

Update:

On Friday 13 April, we published an alert about a zero day buffer overflow vulnerability affecting the DNS service that ships with Windows Server 2000 and 2003. By sending a specially crafted packet, a remote attacker can exploit a flaw in the RPC interface to gain complete control of your Microsoft DNS Server.

In a security bulletin released today as part of their monthly patch update, Microsoft patched this vulnerability. As we mentioned in our original alert, attackers have exploited this flaw in the wild since mid-April. It poses a serious risk. If you manage a Microsoft DNS Server, you should download, test and deploy Microsoft's corresponding patches immediately.

Summary:

Today, Microsoft released an early advisory warning of a serious, zero day vulnerability affecting Windows 2000 and 2003 servers that run the DNS service. By sending a specially crafted RPC packet, a remote attacker can exploit this flaw to gain complete control of your Microsoft DNS Server. If you manage a Microsoft DNS Server, you should implement the workarounds described in the Solution Path section of this alert until Microsoft releases a patch.

Exposure:

In their early security advisory, Microsoft describes a new, unpatched buffer overflow vulnerability in the DNS service that ships with Windows 2000 and Windows Server 2003. Other versions of Windows are not affected. The buffer overflow flaw specifically involves the RPC interface associated with Microsoft's DNS service. By sending a maliciously crafted RPC packet, an anonymous, remote attacker can exploit this flaw to gain complete control of your DNS server. By controlling your DNS server, an attacker gains significant leverage toward owning the rest of your network.

Microsoft first discovered this new vulnerability in the wild, which means attackers have already started to exploit it (though on a limited scale). Furthermore, Microsoft has not had time to patch the flaw. Combine those factors with this vulnerability's serious impact, and it seems to pose an extremely high risk. However, one mitigating factor significantly dampens its severity. Though the vulnerability involves the DNS service, attackers can't exploit it over the typical DNS port (TCP port 53). The DNS service's vulnerable RPC interface binds itself to a port within the range of 1024-5000. An attacker must have access to this range of ports on your DNS server to exploit this flaw. Firewalls like WatchGuard's Firebox block these ports by default. Most administrators with firewalls are protected from an Internet-based attacker that exploits this vulnerability.

Solution Path:

Microsoft hasn't had time to patch this zero day vulnerability. However, they have listed workarounds for it in the "Suggested Actions" section of their advisory. We recommend you implement these workarounds until Microsoft releases their patch. We'll let you know when the patch comes out.

Status:

Microsoft has not released a patch for this issue. We will update you when they do.

Serious Hole in Microsoft Cryptography Library (CAPICOM)

Severity: Medium

Summary:

Today, Microsoft released a security bulletin describing a vulnerability in a developer library called Cryptographic API Component Object Model (CAPICOM). By enticing one of your users to a malicious web page, an attacker could exploit this vulnerability to gain complete control of the user's computer. If you manage a Biztalk Server, or use any third party applications that rely on CAPICOM, you should download, test and install Microsoft's patch immediately.

Exposure:

Cryptographic API Component Object Model (CAPICOM) is one of the cryptography dynamic link libraries (DLLs) that Windows application developers can use to handle digital signatures. CAPICOM ships with Biztalk Server 2004, and may also ship with other third party Windows applications that use digital signatures. However, it doesn't ship with Windows by default. If you don't know whether or not you have it, just search your computer for a file called CAPICOM.dll. If you find that file, you have CAPICOM. Biztalk Server inspires Microsoft to new levels of abstract description, defining it as "middleware… that enables you to integrate systems within your organization" and as "business process management software that enables companies to… optimize business processes."

In a security bulletin released today as part of their monthly patch update, Microsoft describes a vulnerability that affects CAPICOM and Biztalk Server 2004. The vulnerability involves the way a CAPICOM ActiveX control (called CAPICOM.Certificates) mishandles user input. By tricking one of your users into visiting a malicious web page, an attacker can exploit this vulnerability to gain complete control of that user's computer.

Solution Path:

Microsoft has released a patch to correct this flaw. If you manage a Biztalk 2004 Server, or use any third party applications that rely on CAPICOM, you should download, test and install the CAPICOM patch as soon as possible.

Status:

Microsoft has released a patch to fix this issue.

Zero Day Microsoft DNS Vulnerability Discovered

Severity: Medium

Today, Microsoft released an early advisory warning of a serious, zero day vulnerability affecting Windows 2000 and 2003 servers that run the DNS service. By sending a specially crafted RPC packet, a remote attacker can exploit this flaw to gain complete control of your Microsoft DNS Server. If you manage a Microsoft DNS Server, you should implement the workarounds described in the Solution Path section of this alert until Microsoft releases a patch.

Exposure:

In their early security advisory, Microsoft describes a new, unpatched buffer overflow vulnerability in the DNS service that ships with Windows 2000 and Windows Server 2003. Other versions of Windows are not affected. The buffer overflow flaw specifically involves the RPC interface associated with Microsoft's DNS service. By sending a maliciously crafted RPC packet, an anonymous, remote attacker can exploit this flaw to gain complete control of your DNS server. By controlling your DNS server, an attacker gains significant leverage toward owning the rest of your network.

Microsoft first discovered this new vulnerability in the wild, which means attackers have already started to exploit it (though on a limited scale). Furthermore, Microsoft has not had time to patch the flaw. Combine those factors with this vulnerability's serious impact, and it seems to pose an extremely high risk. However, one mitigating factor significantly dampens its severity. Though the vulnerability involves the DNS service, attackers can't exploit it over the typical DNS port (TCP port 53). The DNS service's vulnerable RPC interface binds itself to a port within the range of 1024-5000. An attacker must have access to this range of ports on your DNS server to exploit this flaw. Firewalls like WatchGuard's Firebox block these ports by default. Most administrators with firewalls are protected from an Internet-based attacker that exploits this vulnerability.

Solution Path:

Microsoft hasn't had time to patch this zero day vulnerability. However, they have listed workarounds for it in the "Suggested Actions" section of their advisory. We recommend you implement these workarounds until Microsoft releases their patch. We'll let you know when the patch comes out.

For all Server Administrators:

A hacker can exploit this issue only if he can access your DNS server over ports 1024 to 5000. Unless you have specifically created a custom service that allows incoming access to these ports, your DNS server should have these ports blocked to protect it from Internet-based attackers that exploit this vulnerability.
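One way to check that the mitigation above actually holds is to audit your inbound firewall policy for anything that lets Internet traffic reach the DNS server inside the 1024-5000 range. The following is an added example, not code from this alert, from WatchGuard or from Microsoft; it models a simplified first-match policy with a constructed rule set and a constructed DNS server address, and reports every contiguous block of the RPC range that remains reachable.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port range in which the Microsoft DNS service's RPC interface binds (from the advisory).
RPC_RANGE = (1024, 5000)


@dataclass(frozen=True)
class Rule:
    """One inbound policy rule (hypothetical, simplified first-match model)."""
    action: str             # "allow" or "deny"
    proto: str              # "tcp", "udp" or "any"
    dst_host: str           # destination IP address, or "any"
    ports: Tuple[int, int]  # inclusive destination port range


def first_match(rules: List[Rule], host: str, proto: str, port: int) -> Optional[Rule]:
    """Return the first rule matching the packet, or None for the implicit deny."""
    for r in rules:
        if r.dst_host not in ("any", host):
            continue
        if r.proto not in ("any", proto):
            continue
        if r.ports[0] <= port <= r.ports[1]:
            return r
    return None


def exposed_rpc_ports(rules: List[Rule], dns_host: str) -> List[Tuple[str, int, int]]:
    """Contiguous (proto, low, high) blocks inside RPC_RANGE that the policy allows
    from the Internet to dns_host. An empty list means the workaround holds."""
    exposed = []
    for proto in ("tcp", "udp"):
        start = None
        # Walk one port past the end so an open block ending at 5000 is flushed.
        for port in range(RPC_RANGE[0], RPC_RANGE[1] + 2):
            match = first_match(rules, dns_host, proto, port)
            is_open = port <= RPC_RANGE[1] and match is not None and match.action == "allow"
            if is_open and start is None:
                start = port
            elif not is_open and start is not None:
                exposed.append((proto, start, port - 1))
                start = None
    return exposed


# Constructed sample policy: DNS itself is published, plus a leftover "custom service"
# that opens a block of high ports to the DNS server (the misconfiguration to catch).
DNS_SERVER = "192.0.2.53"  # constructed documentation address
SAMPLE_RULES = [
    Rule("allow", "any", DNS_SERVER, (53, 53)),
    Rule("allow", "tcp", DNS_SERVER, (3000, 3100)),
    Rule("deny", "any", "any", (1, 65535)),
]

if __name__ == "__main__":
    for proto, lo, hi in exposed_rpc_ports(SAMPLE_RULES, DNS_SERVER):
        print(f"EXPOSED: {proto} {lo}-{hi} on {DNS_SERVER} lies inside the DNS RPC range")
```

Run against your real policy, only an empty result means the DNS server's RPC interface is unreachable from the Internet; any block reported is a port range to close or restrict.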

Status:

Microsoft has not released a patch for this issue. We will update you when they do.
