Post on 02-Jan-2016
二月份資訊安全公告二月份資訊安全公告 Feb 16, 2007Feb 16, 2007
Richard Chen Richard Chen 陳政鋒陳政鋒(Net+, Sec+, MCSE2003+Security, CISSP)(Net+, Sec+, MCSE2003+Security, CISSP)
資深技術支援工程師資深技術支援工程師台灣微軟技術支援處台灣微軟技術支援處
Questions and AnswersQuestions and Answers
• Submit text questions using the Submit text questions using the “Ask a Question” button “Ask a Question” button
What We Will CoverWhat We Will Cover
• Review of February releasesReview of February releases– New security bulletinsNew security bulletins– High-priority non-security updatesHigh-priority non-security updates
• Other security resourcesOther security resources– Prepare for new WSUSSCAN.CAB architecturePrepare for new WSUSSCAN.CAB architecture– Lifecycle InformationLifecycle Information– Windows Malicious Software Removal ToolWindows Malicious Software Removal Tool
• ResourcesResources• Questions and answersQuestions and answers
Feb. 2007 Security BulletinsFeb. 2007 Security BulletinsSummarySummary
• On Feb 14:On Feb 14:– 12 New Security Bulletins12 New Security Bulletins
• 6 critical6 critical• 6 important6 important
– 8 High-priority non-security updates8 High-priority non-security updates
Feb. 2007 Security Bulletins Feb. 2007 Security Bulletins OverviewOverview
Bulletin Bulletin NumberNumber
Title Title Maximum Severity Maximum Severity RatingRating
Products AffectedProducts Affected
MS07-005MS07-005Vulnerability in Step-by-Step Interactive Training Vulnerability in Step-by-Step Interactive Training
Could Allow Remote Code Execution (923723)Could Allow Remote Code Execution (923723)Important Step-by-Step Interactive Step-by-Step Interactive
TrainingTraining
MS07-006MS07-006Vulnerability in Windows Shell Could Allow Elevation Vulnerability in Windows Shell Could Allow Elevation
of Privilege (928255)of Privilege (928255)Important Windows XP, Windows Server Windows XP, Windows Server
20032003
MS07-007MS07-007Vulnerability in Windows Image Acquisition Service Vulnerability in Windows Image Acquisition Service
Could Allow Elevation of Privilege (927802)Could Allow Elevation of Privilege (927802)Important Windows XPWindows XP
MS07-008MS07-008Vulnerability in HTML Help ActiveX Control Could Vulnerability in HTML Help ActiveX Control Could
Allow Remote Code Execution (928843)Allow Remote Code Execution (928843)Critical Windows 2000, Windows XP, Windows 2000, Windows XP,
Windows Server 2003Windows Server 2003
MS07-009MS07-009Vulnerability in Microsoft Data Access Components Vulnerability in Microsoft Data Access Components
Could Allow Remote Code Execution (927779)Could Allow Remote Code Execution (927779)Critical Microsoft Data Access Microsoft Data Access
ComponentsComponents
MS07-010MS07-010Vulnerability in Microsoft Malware Protection Engine Vulnerability in Microsoft Malware Protection Engine
Could Allow Remote Code Execution (932135)Could Allow Remote Code Execution (932135)Critical Microsoft Malware Protection Microsoft Malware Protection
EngineEngine
MS07-011MS07-011Vulnerability in Microsoft OLE Dialog Could Allow Vulnerability in Microsoft OLE Dialog Could Allow
Remote Code Execution (926436)Remote Code Execution (926436)Important Windows 2000, Windows XP, Windows 2000, Windows XP,
Windows Server 2003Windows Server 2003
MS07-012MS07-012Vulnerability in Microsoft MFC Could Allow Remote Vulnerability in Microsoft MFC Could Allow Remote
Code Execution (924667)Code Execution (924667)Important
Windows 2000, Windows XP, Windows 2000, Windows XP, Windows Server 2003, Visual Windows Server 2003, Visual Studio .NETStudio .NET
Feb. 2007 Security Bulletins Feb. 2007 Security Bulletins Overview (cont.)Overview (cont.)
Bulletin Bulletin NumberNumber
Title Title Maximum Severity Maximum Severity RatingRating
Products AffectedProducts Affected
MS07-013MS07-013 Vulnerability in Microsoft RichEdit Could Allow Vulnerability in Microsoft RichEdit Could Allow
Remote Code Execution (918118)Remote Code Execution (918118)Important Windows 2000, Windows XP, Windows 2000, Windows XP,
Windows Server 2003, Office Windows Server 2003, Office 2000, Office 2003, Office 2004 2000, Office 2003, Office 2004 for Macfor Mac
MS07-014MS07-014 Vulnerabilities in Microsoft Word Could Allow Vulnerabilities in Microsoft Word Could Allow
Remote Code Execution (929434)Remote Code Execution (929434)Critical Word 2000, Word 2002, Word Word 2000, Word 2002, Word
2003, Word 2004 for Mac2003, Word 2004 for Mac
MS07-015MS07-015 Vulnerabilities in Microsoft Office Could Allow Vulnerabilities in Microsoft Office Could Allow
Remote Code Execution (932554)Remote Code Execution (932554)Critical Office 2000, Office XP, Office Office 2000, Office XP, Office
2003, Office 2004 for Mac2003, Office 2004 for Mac
MS07-016MS07-016 Cumulative Security Update for Internet Cumulative Security Update for Internet
Explorer (928090)Explorer (928090)Critical Windows 2000, Windows XP, Windows 2000, Windows XP,
Windows Server 2003Windows Server 2003
Feb. 2007 Security BulletinsFeb. 2007 Security BulletinsSeverity SummarySeverity Summary
Bulletin Number
Windows 2000 SP 4
Windows XP SP 2 Windows Server 2003 Windows Server 2003 SP1
Windows Vista
MS07-006 Not Affected Important Important Important Not Affected
MS07-007 Not Affected Not Affected Important Not Affected Not Affected
MS07-008 Critical Critical Moderate Moderate Not Affected
MS07-009 Critical Critical Moderate Not Affected Not Affected
MS07-011 Important Important Important Important Not Affected
MS07-012 Important Important Important Important Not Affected
MS07-013 Important Important Important Important Not Affected
Microsoft Visual Studio .NET 2002
Microsoft Visual Studio .NET 2002 Service Pack 1
Microsoft Visual Studio .NET 2003
Microsoft Visual Studio .NET 2003 Service Pack 1
MS07-012 Important Important Important Important
Step-by-Step Interactive Training
MS07-005 Important
Feb. 2007 Security BulletinsFeb. 2007 Security BulletinsSeverity Summary (cont.)Severity Summary (cont.)
Microsoft Office 2000
Microsoft Office XP
Microsoft Office 2003
Microsoft Office 2004, X for Mac
MS07-013 Important Important Important Important
MS07-015 Critical Important Important Important
Microsoft Word 2000
Microsoft Word 2002
Microsoft Word 2003
Microsoft Word 2004 for Mac
MS07-014 Critical Important Important Important
Windows Live OneCare
Microsoft Antigen for Exchange Server 9.x
Microsoft Antigen for SMTP Server 9.x
Microsoft Windows Defender
Microsoft Forefront Security for Exchange Server 10
Microsoft Forefront Security for SharePoint Server 10
MS07-010 Critical Critical Critical Critical Critical Critical
Internet Explorer 5.01 SP 4
Internet Explorer 6 SP 1
Internet Explorer 6 for Windows Server 2003 & SP1
IE 6.0 for Windows XP SP 2
IE 7.0 For Windows XP SP2
IE 7.0 for Windows Server 2003
MS07-016 Critical Critical Critical Critical Important Low
MS07-005 – Vulnerability in Step-by-Step Interactive MS07-005 – Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (923723) Training Could Allow Remote Code Execution (923723) – – ImportantImportant
VulnerabilityVulnerability Remote code execution vulnerability in Step-by-Step Interactive training due to bookmark link Remote code execution vulnerability in Step-by-Step Interactive training due to bookmark link file handlingfile handling
Possible Attack Possible Attack VectorsVectors
• Attacker creates specially formed Step-by-Step Interactive training bookmark link file Attacker creates specially formed Step-by-Step Interactive training bookmark link file (.cbo, .cbl and .cbm)(.cbo, .cbl and .cbm)
• Attacker posts file on Web site or sends file through e-mailAttacker posts file on Web site or sends file through e-mail• Attacker convinces user to visit Web site or open file from e-mailAttacker convinces user to visit Web site or open file from e-mail
Impact of AttackImpact of Attack Run code in context of logged on userRun code in context of logged on user
Mitigating FactorsMitigating Factors • Limits on user’s account limits attacker’s codeLimits on user’s account limits attacker’s code• Vulnerability cannot be exploited automatically through browsing. User must navigate to Vulnerability cannot be exploited automatically through browsing. User must navigate to attacker’s site manually or through links in e-mail or IM.attacker’s site manually or through links in e-mail or IM.• Cannot be exploited automatically through e-mail: user must open attached fileCannot be exploited automatically through e-mail: user must open attached file
ReplacedReplaced • MS05-031MS05-031
Public Disclosed Public Disclosed /Known Exploits/Known Exploits
• NoneNone
MS07-006 – Vulnerability in Windows Shell Could Allow MS07-006 – Vulnerability in Windows Shell Could Allow Elevation of Privilege (928255) – Elevation of Privilege (928255) – ImportantImportant
VulnerabilityVulnerability Privilege elevation vulnerability in Windows Shell due to detection and registration of new Privilege elevation vulnerability in Windows Shell due to detection and registration of new hardwarehardware
Possible Attack Possible Attack VectorsVectors
• Attacker logs on to systemAttacker logs on to system• Attacker loads specially crafted applicationAttacker loads specially crafted application• Attacker executes specially crafted applicationAttacker executes specially crafted application
Impact of AttackImpact of Attack Elevation of privilege to Elevation of privilege to LocalSystem security contextLocalSystem security context
Mitigating FactorsMitigating Factors • Valid logon credential requiredValid logon credential required• Windows XP SP2 & Windows Server 2003 SP1: Administrator privileges required to exploit Windows XP SP2 & Windows Server 2003 SP1: Administrator privileges required to exploit vulnerability remotely vulnerability remotely
ReplacedReplaced • MS06-045MS06-045
Public Disclosed Public Disclosed /Known Exploits/Known Exploits
• NoneNone
MS07-007 – Vulnerability in Windows Image MS07-007 – Vulnerability in Windows Image Acquisition Service Could Allow Elevation of Privilege Acquisition Service Could Allow Elevation of Privilege (927802) – (927802) – ImportantImportant
VulnerabilityVulnerability Privilege elevation vulnerability due to how Windows Image Acquisition service starts Privilege elevation vulnerability due to how Windows Image Acquisition service starts applicationsapplications
Possible Attack Possible Attack VectorsVectors
• Attacker logs on to systemAttacker logs on to system• Attacker loads specially crafted applicationAttacker loads specially crafted application• Attacker executes specially crafted applicationAttacker executes specially crafted application
Impact of AttackImpact of Attack Elevation of privilege to Elevation of privilege to LocalSystem security contextLocalSystem security context
Mitigating FactorsMitigating Factors • Valid logon credential requiredValid logon credential required
ReplacedReplaced • NoneNone
Public Disclosed Public Disclosed /Known Exploits/Known Exploits
• NoneNone
MS07-008 – Vulnerability in HTML Help ActiveX Control MS07-008 – Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution (928843) – Could Allow Remote Code Execution (928843) – CriticalCritical
VulnerabilityVulnerability Remote code execution vulnerability in HTML Help ActiveX controlRemote code execution vulnerability in HTML Help ActiveX control
Possible Attack Possible Attack VectorsVectors
• Attacker creates specially formed Web pageAttacker creates specially formed Web page• Attacker posts page on Web site or sends page as HTML e-mailAttacker posts page on Web site or sends page as HTML e-mail• Attacker convinces user to visit Web site or view e-mailAttacker convinces user to visit Web site or view e-mail
Impact of AttackImpact of Attack Run code in context of logged on userRun code in context of logged on user
Mitigating FactorsMitigating Factors • Limits on user’s account limits attacker’s codeLimits on user’s account limits attacker’s code• Vulnerability Vulnerability cannot be exploited automatically through browsingcannot be exploited automatically through browsing. User must navigate to . User must navigate to attacker’s site manually or through links in e-mail or IM.attacker’s site manually or through links in e-mail or IM.• All supported versions of Outlook and Outlook Express open HTML e-mail messages in the All supported versions of Outlook and Outlook Express open HTML e-mail messages in the Restricted sites zone, which helps reduce attacks preventing Active Scripting and ActiveX Restricted sites zone, which helps reduce attacks preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail.controls from being used when reading HTML e-mail.• Internet Explorer on Windows Server 2003 in Enhanced Security Configuration mitigates the Internet Explorer on Windows Server 2003 in Enhanced Security Configuration mitigates the browsing and e-mail vectors on select vulnerabilities.browsing and e-mail vectors on select vulnerabilities.
ReplacedReplaced • MS06-046MS06-046
Public Disclosed Public Disclosed /Known Exploits/Known Exploits
• NoneNone
MS07-009 – Vulnerability in Microsoft Data Access MS07-009 – Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution Components Could Allow Remote Code Execution (927779) – (927779) – CriticalCritical
VulnerabilityVulnerability Remote code execution vulnerability in ADODB.Connection ActiveX controlRemote code execution vulnerability in ADODB.Connection ActiveX control
Possible Attack Possible Attack VectorsVectors
• Attacker creates specially formed Web pageAttacker creates specially formed Web page• Attacker posts page on Web site or sends page as HTML e-mailAttacker posts page on Web site or sends page as HTML e-mail• Attacker convinces user to visit Web site or view e-mailAttacker convinces user to visit Web site or view e-mail
Impact of AttackImpact of Attack Run code in context of logged on userRun code in context of logged on user
Mitigating FactorsMitigating Factors • Limits on user’s account limits attacker’s codeLimits on user’s account limits attacker’s code• Vulnerability cannot be exploited automatically through browsing. User must navigate to Vulnerability cannot be exploited automatically through browsing. User must navigate to attacker’s site manually or through links in e-mail or IM.attacker’s site manually or through links in e-mail or IM.• All supported versions of Outlook and Outlook Express open HTML e-mail messages in the All supported versions of Outlook and Outlook Express open HTML e-mail messages in the Restricted sites zone, which helps reduce attacks preventing Active Scripting and ActiveX Restricted sites zone, which helps reduce attacks preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail.controls from being used when reading HTML e-mail.• Internet Explorer on Windows Server 2003 in Enhanced Security Configuration mitigates the Internet Explorer on Windows Server 2003 in Enhanced Security Configuration mitigates the browsing and e-mail vectors on select vulnerabilities.browsing and e-mail vectors on select vulnerabilities.
Additional Additional InformationInformation
• Addresses issue discussed on Oct. 27, 2006 in MSRC Weblog:Addresses issue discussed on Oct. 27, 2006 in MSRC Weblog:http://blogs.technet.com/msrc/archive/2006/10/27/adodb-connection-poc-published.aspx
ReplacedReplaced • MS06-014, except MDAC 2.8 SP1 on Windows XP SP2, MDAC 2.8 on Windows 2003 and MS06-014, except MDAC 2.8 SP1 on Windows XP SP2, MDAC 2.8 on Windows 2003 and Windows 2003 ia64Windows 2003 ia64
Public Disclosed Public Disclosed /Known Exploits/Known Exploits
• Public Disclosed Public Disclosed but none known exploits.but none known exploits.
MS07-010 – Vulnerability in Microsoft Malware MS07-010 – Vulnerability in Microsoft Malware Protection Engine Could Allow Remote Code Execution Protection Engine Could Allow Remote Code Execution (932135) – (932135) – CriticalCritical
VulnerabilityVulnerability Code execution vulnerability in Microsoft Malware Protection Engine when parsing malformed Code execution vulnerability in Microsoft Malware Protection Engine when parsing malformed Portable Document Format (.PDF) filesPortable Document Format (.PDF) files
Possible Attack Possible Attack VectorsVectors
• Attacker crafts specially formed .PDF fileAttacker crafts specially formed .PDF file• Attacker places .PDF document on web page or includes in e-mail as attachmentAttacker places .PDF document on web page or includes in e-mail as attachment• Attacker convinces user to visit Web site or view e-mail and open attachmentAttacker convinces user to visit Web site or view e-mail and open attachment
Impact of AttackImpact of Attack Run code in Run code in context of LocalSystemcontext of LocalSystem
Mitigating FactorsMitigating Factors • NoneNone
Additional Additional InformationInformation
• Products which utilize Microsoft Malware Protection EngineProducts which utilize Microsoft Malware Protection Engine• Windows Live OneCareWindows Live OneCare• Microsoft Antigen for Exchange Server 9.xMicrosoft Antigen for Exchange Server 9.x• Microsoft Antigen for SMTP Server 9.xMicrosoft Antigen for SMTP Server 9.x• Microsoft Windows DefenderMicrosoft Windows Defender• Microsoft Windows Defender x64 EditionMicrosoft Windows Defender x64 Edition• Microsoft Forefront Security for Exchange Server 10Microsoft Forefront Security for Exchange Server 10• Microsoft Forefront Security for SharePoint Server 10Microsoft Forefront Security for SharePoint Server 10
• Updates to Microsoft Malware Protection provided through automatic updating technologies Updates to Microsoft Malware Protection provided through automatic updating technologies on a per product basis: see bulletin for detailson a per product basis: see bulletin for details
ReplacedReplaced • NoneNone
Public Disclosed Public Disclosed /Known Exploits/Known Exploits
• NoneNone
MS07-011 – Vulnerability in Microsoft OLE Dialog MS07-011 – Vulnerability in Microsoft OLE Dialog Could Allow Remote Code Execution (926436) – Could Allow Remote Code Execution (926436) – ImportantImportant
VulnerabilityVulnerability Windows OLD Dialog component s do not perform sufficient validation when parsing OLD Windows OLD Dialog component s do not perform sufficient validation when parsing OLD objects embedded in the RTF files that may corrupt system memory and may leads to Remote objects embedded in the RTF files that may corrupt system memory and may leads to Remote code execution.code execution.
Possible Attack Possible Attack VectorsVectors
• Attacker Attacker creates.RTF file with specially formed embedded OLE objectcreates.RTF file with specially formed embedded OLE object• Attacker posts file on Web site or sends file through e-mailAttacker posts file on Web site or sends file through e-mail• Attacker convinces user to visit Web site or open file from e-mailAttacker convinces user to visit Web site or open file from e-mail• Attacker convinces user to navigate within .RTF document and manipulate embedded Attacker convinces user to navigate within .RTF document and manipulate embedded
OLE objectOLE object
Impact of AttackImpact of Attack Run code in Run code in context of logged on usercontext of logged on user
Mitigating FactorsMitigating Factors • Limits on user’s account limits attacker’s codeLimits on user’s account limits attacker’s code• Vulnerability cannot be exploited automatically through browsing. User must navigate to Vulnerability cannot be exploited automatically through browsing. User must navigate to attacker’s site manually or through links in e-mail or IM.attacker’s site manually or through links in e-mail or IM.• Vulnerability requires user to locate and interact with embedded OLE object: vulnerability Vulnerability requires user to locate and interact with embedded OLE object: vulnerability cannot be exploited just from opening .RTF filecannot be exploited just from opening .RTF file• Cannot be exploited automatically through e-mail: user must open attached fileCannot be exploited automatically through e-mail: user must open attached file
Additional Additional InformationInformation
• Contains defense-in-depth change to help address attack vectors related to MS07-012Contains defense-in-depth change to help address attack vectors related to MS07-012
ReplacedReplaced • NoneNone
Public Disclosed Public Disclosed /Known Exploits/Known Exploits
• NoneNone
MS07-012 – Vulnerability in Microsoft MFC Could Allow MS07-012 – Vulnerability in Microsoft MFC Could Allow Remote Code Execution (924667) – Remote Code Execution (924667) – ImportantImportant
VulnerabilityVulnerability Remote code execution vulnerability in Remote code execution vulnerability in MFC component MFC component related to OLE object handlingrelated to OLE object handling
Possible Attack Possible Attack VectorsVectors
• Attacker Attacker creates.RTF file with specially formed embedded OLE objectcreates.RTF file with specially formed embedded OLE object• Attacker posts file on Web site or sends file through e-mailAttacker posts file on Web site or sends file through e-mail• Attacker convinces user to visit Web site or open file from e-mailAttacker convinces user to visit Web site or open file from e-mail• Attacker convinces user to navigate within .RTF document and manipulate embedded OLE Attacker convinces user to navigate within .RTF document and manipulate embedded OLE
objectobject
Impact of AttackImpact of Attack Run code in Run code in context of logged on usercontext of logged on user
Mitigating FactorsMitigating Factors • Limits on user’s account limits attacker’s codeLimits on user’s account limits attacker’s code• Vulnerability cannot be exploited automatically through browsing. User must navigate to Vulnerability cannot be exploited automatically through browsing. User must navigate to attacker’s site manually or through links in e-mail or IM.attacker’s site manually or through links in e-mail or IM.• Vulnerability requires user to locate and interact with embedded OLE object: vulnerability cannot Vulnerability requires user to locate and interact with embedded OLE object: vulnerability cannot be exploited just from opening .RTF filebe exploited just from opening .RTF file• Cannot be exploited automatically through e-mail: user must open attached fileCannot be exploited automatically through e-mail: user must open attached file
Additional InformationAdditional Information • MS07-011 contains defense-in-depth change to help address attack vectors MS07-011 contains defense-in-depth change to help address attack vectors • Updates available for redistributable components within Visual StudioUpdates available for redistributable components within Visual Studio
• mfc70u.dll - Visual Studio .NET 2002 mfc70u.dll - Visual Studio .NET 2002 • mfc71u.dll - Visual Studio .NET 2003.mfc71u.dll - Visual Studio .NET 2003.
• Apply updates to development systems and provide updated versions of applications that use Apply updates to development systems and provide updated versions of applications that use these filesthese files• Contact vendor for questions about applications that use these filesContact vendor for questions about applications that use these files
ReplacedReplaced • NoneNone
Public Disclosed Public Disclosed /Known Exploits/Known Exploits
• NoneNone
MS07-013 – Vulnerability in Microsoft RichEdit Could MS07-013 – Vulnerability in Microsoft RichEdit Could Allow Remote Code Execution (918118) – Allow Remote Code Execution (918118) – ImportantImportant
VulnerabilityVulnerability Remote code execution vulnerability in RichEdit components related to OLE object handlingRemote code execution vulnerability in RichEdit components related to OLE object handling
Possible Attack Possible Attack VectorsVectors
• Attacker Attacker creates.RTF file with specially formed embedded OLE objectcreates.RTF file with specially formed embedded OLE object• Attacker posts file on Web site or sends file through e-mailAttacker posts file on Web site or sends file through e-mail• Attacker convinces user to visit Web site or open file from e-mailAttacker convinces user to visit Web site or open file from e-mail• Attacker convinces user to navigate within .RTF document and manipulate embedded Attacker convinces user to navigate within .RTF document and manipulate embedded
OLE objectOLE object
Impact of AttackImpact of Attack Run code in Run code in context of logged on usercontext of logged on user
Mitigating FactorsMitigating Factors • Limits on user’s account limits attacker’s codeLimits on user’s account limits attacker’s code• Vulnerability cannot be exploited automatically through browsing. User must navigate to Vulnerability cannot be exploited automatically through browsing. User must navigate to attacker’s site manually or through links in e-mail or IM.attacker’s site manually or through links in e-mail or IM.• Vulnerability requires user to locate and interact with embedded OLE object: vulnerability Vulnerability requires user to locate and interact with embedded OLE object: vulnerability cannot be exploited just from opening .RTF filecannot be exploited just from opening .RTF file• Cannot be exploited automatically through e-mail: user must open attached fileCannot be exploited automatically through e-mail: user must open attached file
ReplacedReplaced • NoneNone
Public Disclosed Public Disclosed /Known Exploits/Known Exploits
• NoneNone
MS07-014 – Vulnerabilities in Microsoft Word Could MS07-014 – Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (929434) – Allow Remote Code Execution (929434) – CriticalCritical
VulnerabilitiesVulnerabilities Six code execution vulnerabilities when processing Word files with malformed data elementsSix code execution vulnerabilities when processing Word files with malformed data elements
Possible Attack VectorsPossible Attack Vectors • Attacker crafts specially formed Word documentAttacker crafts specially formed Word document• Attacker places Word document on web page or includes in e-mail as attachmentAttacker places Word document on web page or includes in e-mail as attachment• Attacker convinces user to visit Web site or view e-mail and open attachmentAttacker convinces user to visit Web site or view e-mail and open attachment
Impact of AttackImpact of Attack Run code in Run code in context of logged on usercontext of logged on user
Mitigating FactorsMitigating Factors • Limits on user’s account limits attacker’s codeLimits on user’s account limits attacker’s code• Word 2002 or Word 2003: cannot be exploited automatically through e-mail. User must open an attachment that is sent Word 2002 or Word 2003: cannot be exploited automatically through e-mail. User must open an attachment that is sent in e-mail.in e-mail.• Word 2002 or Word 2003: cannot be exploited automatically through Web page. User must click through trust decision Word 2002 or Word 2003: cannot be exploited automatically through Web page. User must click through trust decision dialog box.dialog box.
– Dialog box does not occur in Office 2000.Dialog box does not occur in Office 2000.– Dialog box can be added to Office 2000 by installing Office Document Open Confirmation ToolDialog box can be added to Office 2000 by installing Office Document Open Confirmation Tool
• User must navigate to attacker’s site manually or through links in e-mail or IM. Access to sites cannot be automated.User must navigate to attacker’s site manually or through links in e-mail or IM. Access to sites cannot be automated.
Additional InformationAdditional Information •Addresses four publicly disclosed issues; 3 issues subject to very limited, targeted attacks:Addresses four publicly disclosed issues; 3 issues subject to very limited, targeted attacks:•CVE-2006-5994 - Dec. 5, 2006CVE-2006-5994 - Dec. 5, 2006
•http://blogs.technet.com/msrc/archive/2006/12/06/microsoft-security-advisory-929433-posted.aspx•http://www.microsoft.com/technet/security/advisory/929433.mspx
•CVE-2006-6456 - Dec. 10, 2006CVE-2006-6456 - Dec. 10, 2006•http://blogs.technet.com/msrc/archive/2006/12/10/new-report-of-a-word-zero-day.aspx
•CVE-2006-6561 - Dec. 15, 2006CVE-2006-6561 - Dec. 15, 2006•http://blogs.technet.com/msrc/archive/2006/12/15/update-on-current-word-vulnerability-reports.aspx
•CVE-2007-0515 - Jan. 26, 2007CVE-2007-0515 - Jan. 26, 2007•http://blogs.technet.com/msrc/archive/2007/01/26/microsoft-security-advisory-932114-posted.aspx •http://www.microsoft.com/technet/security/advisory/932114.mspx
ReplacedReplaced • MS06-060MS06-060
Public Disclosed /Known Public Disclosed /Known ExploitsExploits
• No: CVE-2007-0209/CVE-2007-0209No: CVE-2007-0209/CVE-2007-0209• Yes: CVE-2006-5994, CVE-2006-6456, CVE-2006-6561 and CVE-2007-0515Yes: CVE-2006-5994, CVE-2006-6456, CVE-2006-6561 and CVE-2007-0515
MS07-015 – Vulnerabilities in Microsoft Office Could MS07-015 – Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (932554) – Allow Remote Code Execution (932554) – CriticalCritical
VulnerabilitiesVulnerabilities Two code execution vulnerabilities when processing Office files with malformed data elementsTwo code execution vulnerabilities when processing Office files with malformed data elements
Possible Attack VectorsPossible Attack Vectors • Attacker crafts specially formed Office documentAttacker crafts specially formed Office document• Attacker places Office document on web page or includes in e-mail as attachmentAttacker places Office document on web page or includes in e-mail as attachment• Attacker convinces user to visit Web site or view e-mail and open attachmentAttacker convinces user to visit Web site or view e-mail and open attachment
Impact of AttackImpact of Attack Run code Run code in context of logged on userin context of logged on user
Mitigating FactorsMitigating Factors • Limits on user’s account limits attacker’s codeLimits on user’s account limits attacker’s code• Office XP or Office 2003: cannot be exploited automatically through e-mail. User must open an attachment that is sent Office XP or Office 2003: cannot be exploited automatically through e-mail. User must open an attachment that is sent in e-mail.in e-mail.• Office XP or Office 2003: cannot be exploited automatically through Web page. User must click through trust decision Office XP or Office 2003: cannot be exploited automatically through Web page. User must click through trust decision dialog box.dialog box.
– Dialog box does not occur in Office 2000.Dialog box does not occur in Office 2000.– Dialog box can be added to Office 2000 by installing Office Document Open Confirmation ToolDialog box can be added to Office 2000 by installing Office Document Open Confirmation Tool
• User must navigate to attacker’s site manually or through links in e-mail or IM. Access to sites cannot be automatedUser must navigate to attacker’s site manually or through links in e-mail or IM. Access to sites cannot be automated
Additional Information Additional Information •Addresses publicly disclosed issue subject to very limited, targeted attacks:Addresses publicly disclosed issue subject to very limited, targeted attacks:•CVE-2007-0671 - Feb. 2, 2007:CVE-2007-0671 - Feb. 2, 2007:
•http://blogs.technet.com/msrc/archive/2007/02/02/microsoft-security-advisory-932553-posted.aspx•http://www.microsoft.com/technet/security/advisory/932553.mspx http://www.microsoft.com/technet/security/advisory/932553.mspx
•CVE-2006-3877 CVE-2006-3877 •Originally discussed in MS06-058Originally discussed in MS06-058•Update was found to not address issueUpdate was found to not address issue•Issue addressed in MS07-015Issue addressed in MS07-015•MS06-058 updated to reflect thisMS06-058 updated to reflect this•MS06-058 DOES protect against other three vulnerabilities discussedMS06-058 DOES protect against other three vulnerabilities discussed
ReplacedReplaced • MS06-062MS06-062
Public Disclosed /Known Public Disclosed /Known ExploitsExploits
• Public disclosed: CVE-2007-0671 Public disclosed: CVE-2007-0671 (NOT disclosed: CVE-2006-3877)(NOT disclosed: CVE-2006-3877)• Known exploits: NoneKnown exploits: None
MS07-016 – Cumulative Security Update for Internet MS07-016 – Cumulative Security Update for Internet Explorer (928090) – Explorer (928090) – CriticalCritical
VulnerabilitiesVulnerabilities Three remote code execution vulnerabilities (2 COM object instantiations, 1 FTP server Three remote code execution vulnerabilities (2 COM object instantiations, 1 FTP server response parsing)response parsing)
Possible Attack Possible Attack VectorsVectors
• Attacker creates specially formed Web pageAttacker creates specially formed Web page• Attacker posts page on Web site or sends page as HTML e-mailAttacker posts page on Web site or sends page as HTML e-mail• Attacker convinces user to visit Web site or view e-mailAttacker convinces user to visit Web site or view e-mail
Impact of AttackImpact of Attack Run code in Run code in context of logged on usercontext of logged on user
Mitigating FactorsMitigating Factors • Limits on user’s account limits attacker’s codeLimits on user’s account limits attacker’s code• Vulnerability cannot be exploited automatically through browsing. User must navigate to Vulnerability cannot be exploited automatically through browsing. User must navigate to attacker’s site manually or through links in e-mail or IM.attacker’s site manually or through links in e-mail or IM.• All supported versions of Outlook and Outlook Express open HTML e-mail messages in the All supported versions of Outlook and Outlook Express open HTML e-mail messages in the Restricted sites zone, which helps reduce attacks preventing Active Scripting and ActiveX Restricted sites zone, which helps reduce attacks preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail.controls from being used when reading HTML e-mail.• Internet Explorer on Windows Server 2003 in Enhanced Security Configuration mitigates the Internet Explorer on Windows Server 2003 in Enhanced Security Configuration mitigates the browsing and e-mail vectors on select vulnerabilities.browsing and e-mail vectors on select vulnerabilities.
ReplacedReplaced • MS06-072MS06-072
Public Disclosed Public Disclosed /Known Exploits/Known Exploits
• Public Disclosed: CVE-2006-4697 Public Disclosed: CVE-2006-4697 (others are not disclosed)(others are not disclosed)• Known exploits: NoneKnown exploits: None
Detection and DeploymentDetection and Deployment
WU/SUS/AU Office Update & SMS Microsoft Office Inventory Tool for Updates
MBSA 1.2 & SMS Security Update Inventory Tool
Enterprise Scan Tool & SMS Security Update Scan Tools
MU/WSUS/AU, SMS 2003 ITMU, & MBSA 2.0
MS07-005MS07-005 Yes NA No Yes Yes
MS07-006MS07-006 Yes NA Yes NA Yes
MS07-007MS07-007 Yes NA Yes NA Yes
MS07-008MS07-008 Yes NA Yes NA Yes
MS07-009MS07-009 Yes NA Yes (except Windows 2000) Windows 2000 only Yes
MS07-010MS07-010 See Bulletin See Bulletin See Bulletin See Bulletin See Bulletin
MS07-011MS07-011 Yes NA Yes NA Yes
MS07-012MS07-012 Yes NA Windows only Visual Studio only Windows only
MS07-013MS07-013 Windows only Office only Yes (Office: local only) NA Yes (except Office 2000)
MS07-014MS07-014 NA Yes Local only NA Yes (except Office 2000 and Mac)
MS07-015MS07-015 NA Yes Local only NA Yes (except Office 2000 and Mac)
MS07-016MS07-016 Yes NA Yes NA Yes
Other Update InformationOther Update Information
Bulletin Restart Hotpatching Uninstall Replaces
MS07-005MS07-005 May be required N/AN/A YesYes MS05-031MS05-031
MS07-006MS07-006 Required NoNo YesYes MS06-045MS06-045
MS07-007MS07-007 Required N/AN/A YesYes NoneNone
MS07-008MS07-008 Required N/AN/A YesYes MS06-046MS06-046
MS07-009MS07-009 Required N/AN/A YesYes MS06-014MS06-014
MS07-010MS07-010 May be required N/AN/A No (Except Defender on Vista)No (Except Defender on Vista) NoneNone
MS07-011MS07-011 May be required NoNo YesYes NoneNone
MS07-012MS07-012 Required NoNo YesYes NoneNone
MS07-013MS07-013 May be required NoNo Yes (except Office 2000)Yes (except Office 2000) NoneNone
MS07-014MS07-014 May be required N/AN/A Yes (except 2000 and Mac)Yes (except 2000 and Mac) MS06-060MS06-060
MS07-015MS07-015 May be required N/AN/A Yes (except 2000 and Mac)Yes (except 2000 and Mac) MS06-062MS06-062
MS07-016MS07-016 Required NoNo YesYes MS06-072MS06-072
February 2007 Non-Security UpdatesFebruary 2007 Non-Security Updates
NUMBERNUMBER TITLETITLE DistributionDistribution
931836931836 Update for Windows XP (Daylight Savings Time)Update for Windows XP (Daylight Savings Time) WU, MUWU, MU
925720925720 February 2007 CardSpace Update for Windows XP February 2007 CardSpace Update for Windows XP WU, MUWU, MU
924885924885 Update for Outlook Junk Email Filter 2003Update for Outlook Junk Email Filter 2003 MUMU
924884924884 Update for Outlook Junk Email Filter 2007Update for Outlook Junk Email Filter 2007 MUMU
925251925251 Update for Office 2003 Update for Office 2003 MUMU
929058929058 Update for Excel 2003 Update for Excel 2003 MUMU
929060929060 Update for PowerPoint 2003 Update for PowerPoint 2003 MUMU
926666926666 Update for Daylight Saving Time changes in 2007 for Exchange 2003Update for Daylight Saving Time changes in 2007 for Exchange 2003 MUMU
New WSUSSCAN.CAB architectureNew WSUSSCAN.CAB architecture
• New architecture for wsusscan.cab begins since November 2006• Support for existing wsusscan.cab architecture ends on March 2007• SMS ITMU customers: download and deploy updated version of the
SMS ITMU– http://www.microsoft.com/technet/downloads/sms/2003/tools/msupdates.mspx
• MBSA 2.0 offline scan customers: – Download updated version of MBSA 2.0.1 now– Or download the new offline scan file, wsusscn2.cab, by clicking
http://go.microsoft.com/fwlink/?LinkId=76054. Save this file to C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\2.0\Cache\wsusscn2.cab.
• If you only run MBSA 2.0 in the online mode, do anything. • See Microsoft KB Article 926464 for more information
– http://support.microsoft.com/kb/926464
US Daylight Savings Time non-US Daylight Savings Time non-security Updatesecurity Update
• Change to comply with US Energy Policy Act of 2005Change to comply with US Energy Policy Act of 2005– DST starts three weeks earlier: 2:00 am second Sunday in DST starts three weeks earlier: 2:00 am second Sunday in
March (11 March 2007)March (11 March 2007)– Ends one week later: 2:00 am first Sunday in November (4 Ends one week later: 2:00 am first Sunday in November (4
November 2007)November 2007)
• Updates to enable thisUpdates to enable this– Windows (931836) Windows (931836) – Exchange 2003 (926666)Exchange 2003 (926666)
• Updates available through AU, WU, SUS, WSUS and Updates available through AU, WU, SUS, WSUS and ITMUITMU
• More informationMore information– http://www.microsoft.com/dst2007http://www.microsoft.com/dst2007
Windows Malicious Software Removal Windows Malicious Software Removal Tool – KB890830Tool – KB890830
• The Feb. update adds the ability to remove:The Feb. update adds the ability to remove:– Win32/StrationWin32/Stration– Win32/MitgliederWin32/Mitglieder
• Available as priority update through Windows Update or Available as priority update through Windows Update or Microsoft Update for Windows XP usersMicrosoft Update for Windows XP users– Offered through WSUS; not offered through SUS 1.0Offered through WSUS; not offered through SUS 1.0
• Also as an ActiveX control or download at Also as an ActiveX control or download at www.microsoft.com/malwareremovewww.microsoft.com/malwareremove
• Deployment step-by-stsp: KB891716Deployment step-by-stsp: KB891716
ResourcesResources• Feb. 2007 Security Bulletin Webcast (US)Feb. 2007 Security Bulletin Webcast (US)
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032323262&EventCategory=4&culture=en-US&CountryCode=USEventID=1032323262&EventCategory=4&culture=en-US&CountryCode=US
• Security Bulletins SummarySecurity Bulletins Summaryhttp://www.microsoft.com/taiwan/technet/security/bulletin/ms07-jan.mspxhttp://www.microsoft.com/taiwan/technet/security/bulletin/ms07-jan.mspx
• Security Bulletins SearchSecurity Bulletins Searchwww.microsoft.com/technet/security/current.aspxwww.microsoft.com/technet/security/current.aspx
• Security AdvisoriesSecurity Advisorieswww.microsoft.com/taiwan/technet/security/advisory/www.microsoft.com/taiwan/technet/security/advisory/
• MSRC BlogMSRC Bloghttp://blogs.technet.com/msrchttp://blogs.technet.com/msrc
• NotificationsNotificationswww.microsoft.com/technet/security/bulletin/notify.mspxwww.microsoft.com/technet/security/bulletin/notify.mspx
• TechNet RadioTechNet Radiowww.microsoft.com/tnradiowww.microsoft.com/tnradio
• IT Pro Security NewsletterIT Pro Security Newsletterwww.microsoft.com/technet/security/secnews/www.microsoft.com/technet/security/secnews/
• TechNet Security CenterTechNet Security Centerwww.microsoft.com/taiwan/technet/securitywww.microsoft.com/taiwan/technet/security
• TechNet Forum ITProTechNet Forum ITProhttp://forums.microsoft.com/technet-cht/default.aspx?siteid=23http://forums.microsoft.com/technet-cht/default.aspx?siteid=23
• Detection and deployment guidance for the Feb 2007 security releaseDetection and deployment guidance for the Feb 2007 security releasehttp://support.microsoft.com/default.aspx?scid=kb;EN-US;910723http://support.microsoft.com/default.aspx?scid=kb;EN-US;910723
Questions and AnswersQuestions and Answers
• Submit text questions using the Submit text questions using the “Ask a Question” button “Ask a Question” button
• Don’t forget to fill out the surveyDon’t forget to fill out the survey• For upcoming and previously recorded For upcoming and previously recorded
webcasts: webcasts: http://www.microsoft.com/taiwan/technet/webcast/default.aspxhttp://www.microsoft.com/taiwan/technet/webcast/default.aspx
• Webcast content suggestions:Webcast content suggestions:twwebst@microsoft.comtwwebst@microsoft.com