Monday, July 20, 2009

July Patch Partly Addresses ActiveX Holes

By Jabulani Leffall07/14/2009

There are no surprises with Redmond's six-patch release on Tuesday, but there is plenty of work to be done, security pros contend.

With three "critical" and three "important" items in the July patch, Microsoft is addressing some longstanding issues as well as some rare security holes. As usual, items with remote code execution (RCE) implications dominate the slate, with four bulletins devoted to this exploit. The remaining bulletins are notable for attempting to keep elevation-of-privilege attacks at bay.


Microsoft also has been rather vocal about fixing various DirectX security bugs leading up to this patch.

"Microsoft's July Security Bulletin does not have any surprises due to the intense pre-release activity around the three zero-day advisories that came out in the last six weeks," said Wolfgang Kandek, chief technology officer of Qualys Inc. "Microsoft had already announced that they would address two advisories with patches MS09-028 and MS09-032 for DirectShow and Microsoft Video respectively."

Critical Items
Microsoft's Embedded OpenType (EOT) font engine, which facilitates the formation and structure of text fonts used on Web pages, is first on the roster of critical items in the patch. The fix addresses two privately disclosed holes and is be designed to stave off RCE exploits for all supported Windows OS versions.

The second critical item resolves one publicly reported hole and two privately reported weaknesses in Microsoft DirectShow. At the heart of the matter is the DirectX multimedia control solution. The patch will affect DirectX versions 7.0, 8.1 and 9.0 running on systems using Windows XP, Windows 2000 and Windows Server 2003.

In May, Microsoft began an investigation of a DirectX bug in its DirectShow framework for multimedia files. In June, the company announced it was investigating a potential DirectX bug in Internet Explorer.

The third critical item is what many security experts see as most critical because it suggests what Redmond plans to do to fix its many recurring ActiveX exploit problems.

This fix is a "cumulative security update of ActiveX kill bits," but it only resolves "a privately reported vulnerability" in Microsoft Video ActiveX control. Left unpatched, the vulnerability could allow RCE attacks via a malicious Web page where ActiveX controls are enabled.

Users with accounts configured to have fewer user rights on the system could be affected less by this bug than users having administrative rights.

"Typically, the fear is that you're downloading and installing a malicious ActiveX control from an untrustworthy source," explained Eric Voskuil, chief technology officer of access control solution provider BeyondTrust. "But here we're seeing the dangers from vulnerabilities in multiple nonmalicious ActiveX controls from a known trusted source, Microsoft. In both situations, implementing the best practice of least privilege can have significant security benefits."

Wolfgang Kandek of Qualys added that Monday's zero-day security advisory on ActiveX in Microsoft Office Web Components was nominally addressed through the cumulative patch rollout. However, he cautioned that "until an actual patch comes," IT pros should take a close look at the workaround published in Redmond's knowledgebase article released on Monday.

Yet another security gadfly, Tyler Reguly, doesn't think Redmond went far enough with these ActiveX security bulletins.

"It's interesting to once again see Microsoft issuing a bulletin for an ActiveX control, especially since the fix to this issue isn't to patch but to simply set killbits," said Reguly who is senior security engineer at nCircle. "This means if the malicious individual can manage to convince you to revert the killbits, then you're once again vulnerable. This is a really sad day, when a poor mitigation is acceptable as a valid patch. I expect more from Microsoft."

Important Items
The first "important" fix is designed to stop potential elevation-of-privilege attacks in Microsoft Virtual PC 2004 and Microsoft Virtual PC 2007 editions, as well as Microsoft Virtual Server 2005 R2 and Virtual Server 2005 R2 x64.

Redmond is addressing a vulnerability that could allow for code execution on an infected "guest operating system." Having floating operating systems and guest sessions are key aspects of running virtual machines.

The second important fix addresses Microsoft Internet Security and Acceleration Server 2006. ISA Server provides an application-layer firewall and protects Web servers. The patch is said to help thwart a scenario where "an attacker successfully impersonates an administrative user account" for an ISA server configured specifically for Radius One Time (OTP) password parameters.

Such a highly technical attack may make this vulnerability less of a risk, security experts say.

"These [ISA Server 2006 and Virtual PC patches] are some you don't see very often," commented Eric Schultze, chief technology officer at Shavlik Technologies.

The last important item deals with 2007 Microsoft Office System Service Pack 1 in general, and Microsoft Office Publisher 2007 Service Pack 1 in particular. It is the rollout's fourth RCE exploit fix and is made to protect against an exploit trigger that happens when a user opens a malicious Publisher file.

All six items may require a restart.

Microsoft also provides a July knowledgebase article that describes nonsecurity changes for Vista and Windows Server 2008 as delivered via Windows Update, Microsoft Update and Windows Server Update Services.



Six Security Fixes Expected on Patch Tuesday