February Security Bulletins
Feb 16, 2007

Richard Chen 陳政鋒 (Net+, Sec+, MCSE2003+Security, CISSP)
Senior Technical Support Engineer
Microsoft Taiwan Technical Support Division

Questions and Answers

• Submit text questions using the “Ask a Question” button

What We Will Cover

• Review of February releases
  – New security bulletins
  – High-priority non-security updates
• Other security resources
  – Prepare for new WSUSSCAN.CAB architecture
  – Lifecycle Information
  – Windows Malicious Software Removal Tool
• Resources
• Questions and answers

Feb. 2007 Security Bulletins Summary

• On Feb 14:
  – 12 New Security Bulletins
    • 6 critical
    • 6 important
  – 8 High-priority non-security updates

Feb. 2007 Security Bulletins Overview

Bulletin Number | Title | Maximum Severity Rating | Products Affected
MS07-005 | Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (923723) | Important | Step-by-Step Interactive Training
MS07-006 | Vulnerability in Windows Shell Could Allow Elevation of Privilege (928255) | Important | Windows XP, Windows Server 2003
MS07-007 | Vulnerability in Windows Image Acquisition Service Could Allow Elevation of Privilege (927802) | Important | Windows XP
MS07-008 | Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution (928843) | Critical | Windows 2000, Windows XP, Windows Server 2003
MS07-009 | Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution (927779) | Critical | Microsoft Data Access Components
MS07-010 | Vulnerability in Microsoft Malware Protection Engine Could Allow Remote Code Execution (932135) | Critical | Microsoft Malware Protection Engine
MS07-011 | Vulnerability in Microsoft OLE Dialog Could Allow Remote Code Execution (926436) | Important | Windows 2000, Windows XP, Windows Server 2003
MS07-012 | Vulnerability in Microsoft MFC Could Allow Remote Code Execution (924667) | Important | Windows 2000, Windows XP, Windows Server 2003, Visual Studio .NET

Feb. 2007 Security Bulletins Overview (cont.)

Bulletin Number | Title | Maximum Severity Rating | Products Affected
MS07-013 | Vulnerability in Microsoft RichEdit Could Allow Remote Code Execution (918118) | Important | Windows 2000, Windows XP, Windows Server 2003, Office 2000, Office 2003, Office 2004 for Mac
MS07-014 | Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (929434) | Critical | Word 2000, Word 2002, Word 2003, Word 2004 for Mac
MS07-015 | Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (932554) | Critical | Office 2000, Office XP, Office 2003, Office 2004 for Mac
MS07-016 | Cumulative Security Update for Internet Explorer (928090) | Critical | Windows 2000, Windows XP, Windows Server 2003

Feb. 2007 Security Bulletins Severity Summary

Bulletin Number | Windows 2000 SP 4 | Windows XP SP 2 | Windows Server 2003 | Windows Server 2003 SP1 | Windows Vista
MS07-006 | Not Affected | Important | Important | Important | Not Affected
MS07-007 | Not Affected | Not Affected | Important | Not Affected | Not Affected
MS07-008 | Critical | Critical | Moderate | Moderate | Not Affected
MS07-009 | Critical | Critical | Moderate | Not Affected | Not Affected
MS07-011 | Important | Important | Important | Important | Not Affected
MS07-012 | Important | Important | Important | Important | Not Affected
MS07-013 | Important | Important | Important | Important | Not Affected

Bulletin Number | Microsoft Visual Studio .NET 2002 | Microsoft Visual Studio .NET 2002 Service Pack 1 | Microsoft Visual Studio .NET 2003 | Microsoft Visual Studio .NET 2003 Service Pack 1
MS07-012 | Important | Important | Important | Important

Bulletin Number | Step-by-Step Interactive Training
MS07-005 | Important

Feb. 2007 Security Bulletins Severity Summary (cont.)

Bulletin Number | Microsoft Office 2000 | Microsoft Office XP | Microsoft Office 2003 | Microsoft Office 2004, X for Mac
MS07-013 | Important | Important | Important | Important
MS07-015 | Critical | Important | Important | Important

Bulletin Number | Microsoft Word 2000 | Microsoft Word 2002 | Microsoft Word 2003 | Microsoft Word 2004 for Mac
MS07-014 | Critical | Important | Important | Important

Bulletin Number | Windows Live OneCare | Microsoft Antigen for Exchange Server 9.x | Microsoft Antigen for SMTP Server 9.x | Microsoft Windows Defender | Microsoft Forefront Security for Exchange Server 10 | Microsoft Forefront Security for SharePoint Server 10
MS07-010 | Critical | Critical | Critical | Critical | Critical | Critical

Bulletin Number | Internet Explorer 5.01 SP 4 | Internet Explorer 6 SP 1 | Internet Explorer 6 for Windows Server 2003 & SP1 | IE 6.0 for Windows XP SP 2 | IE 7.0 for Windows XP SP2 | IE 7.0 for Windows Server 2003
MS07-016 | Critical | Critical | Critical | Critical | Important | Low

MS07-005 – Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (923723) – Important

Vulnerability: Remote code execution vulnerability in Step-by-Step Interactive Training due to bookmark link file handling

Possible Attack Vectors:
• Attacker creates specially formed Step-by-Step Interactive Training bookmark link file (.cbo, .cbl and .cbm)
• Attacker posts file on Web site or sends file through e-mail
• Attacker convinces user to visit Web site or open file from e-mail

Impact of Attack: Run code in context of logged on user

Mitigating Factors:
• Limits on user’s account limit attacker’s code
• Vulnerability cannot be exploited automatically through browsing. User must navigate to attacker’s site manually or through links in e-mail or IM.
• Cannot be exploited automatically through e-mail: user must open attached file

Replaced:
• MS05-031

Publicly Disclosed / Known Exploits:
• None

MS07-006 – Vulnerability in Windows Shell Could Allow Elevation of Privilege (928255) – Important

Vulnerability: Privilege elevation vulnerability in Windows Shell due to detection and registration of new hardware

Possible Attack Vectors:
• Attacker logs on to system
• Attacker loads specially crafted application
• Attacker executes specially crafted application

Impact of Attack: Elevation of privilege to LocalSystem security context

Mitigating Factors:
• Valid logon credential required
• Windows XP SP2 & Windows Server 2003 SP1: Administrator privileges required to exploit vulnerability remotely

Replaced:
• MS06-045

Publicly Disclosed / Known Exploits:
• None

MS07-007 – Vulnerability in Windows Image Acquisition Service Could Allow Elevation of Privilege (927802) – Important

Vulnerability: Privilege elevation vulnerability due to how Windows Image Acquisition service starts applications

Possible Attack Vectors:
• Attacker logs on to system
• Attacker loads specially crafted application
• Attacker executes specially crafted application

Impact of Attack: Elevation of privilege to LocalSystem security context

Mitigating Factors:
• Valid logon credential required

Replaced:
• None

Publicly Disclosed / Known Exploits:
• None

MS07-008 – Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution (928843) – Critical

Vulnerability: Remote code execution vulnerability in HTML Help ActiveX control

Possible Attack Vectors:
• Attacker creates specially formed Web page
• Attacker posts page on Web site or sends page as HTML e-mail
• Attacker convinces user to visit Web site or view e-mail

Impact of Attack: Run code in context of logged on user

Mitigating Factors:
• Limits on user’s account limit attacker’s code
• Vulnerability cannot be exploited automatically through browsing. User must navigate to attacker’s site manually or through links in e-mail or IM.
• All supported versions of Outlook and Outlook Express open HTML e-mail messages in the Restricted sites zone, which helps reduce attacks by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail.
• Internet Explorer on Windows Server 2003 in Enhanced Security Configuration mitigates the browsing and e-mail vectors on select vulnerabilities.

Replaced:
• MS06-046

Publicly Disclosed / Known Exploits:
• None

MS07-009 – Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution (927779) – Critical

Vulnerability: Remote code execution vulnerability in ADODB.Connection ActiveX control

Possible Attack Vectors:
• Attacker creates specially formed Web page
• Attacker posts page on Web site or sends page as HTML e-mail
• Attacker convinces user to visit Web site or view e-mail

Impact of Attack: Run code in context of logged on user

Mitigating Factors:
• Limits on user’s account limit attacker’s code
• Vulnerability cannot be exploited automatically through browsing. User must navigate to attacker’s site manually or through links in e-mail or IM.
• All supported versions of Outlook and Outlook Express open HTML e-mail messages in the Restricted sites zone, which helps reduce attacks by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail.
• Internet Explorer on Windows Server 2003 in Enhanced Security Configuration mitigates the browsing and e-mail vectors on select vulnerabilities.

Additional Information:
• Addresses issue discussed on Oct. 27, 2006 in MSRC Weblog: http://blogs.technet.com/msrc/archive/2006/10/27/adodb-connection-poc-published.aspx

Replaced:
• MS06-014, except MDAC 2.8 SP1 on Windows XP SP2, MDAC 2.8 on Windows 2003 and Windows 2003 ia64

Publicly Disclosed / Known Exploits:
• Publicly disclosed, but no known exploits.

MS07-010 – Vulnerability in Microsoft Malware Protection Engine Could Allow Remote Code Execution (932135) – Critical

Vulnerability: Code execution vulnerability in Microsoft Malware Protection Engine when parsing malformed Portable Document Format (.PDF) files

Possible Attack Vectors:
• Attacker crafts specially formed .PDF file
• Attacker places .PDF document on web page or includes in e-mail as attachment
• Attacker convinces user to visit Web site or view e-mail and open attachment

Impact of Attack: Run code in context of LocalSystem

Mitigating Factors:
• None

Additional Information:
• Products which utilize Microsoft Malware Protection Engine
  – Windows Live OneCare
  – Microsoft Antigen for Exchange Server 9.x
  – Microsoft Antigen for SMTP Server 9.x
  – Microsoft Windows Defender
  – Microsoft Windows Defender x64 Edition
  – Microsoft Forefront Security for Exchange Server 10
  – Microsoft Forefront Security for SharePoint Server 10
• Updates to Microsoft Malware Protection provided through automatic updating technologies on a per product basis: see bulletin for details

Replaced:
• None

Publicly Disclosed / Known Exploits:
• None

MS07-011 – Vulnerability in Microsoft OLE Dialog Could Allow Remote Code Execution (926436) – Important

Vulnerability: Windows OLE Dialog components do not perform sufficient validation when parsing OLE objects embedded in RTF files, which may corrupt system memory and may lead to remote code execution.

Possible Attack Vectors:
• Attacker creates .RTF file with specially formed embedded OLE object
• Attacker posts file on Web site or sends file through e-mail
• Attacker convinces user to visit Web site or open file from e-mail
• Attacker convinces user to navigate within .RTF document and manipulate embedded OLE object

Impact of Attack: Run code in context of logged on user

Mitigating Factors:
• Limits on user’s account limit attacker’s code
• Vulnerability cannot be exploited automatically through browsing. User must navigate to attacker’s site manually or through links in e-mail or IM.
• Vulnerability requires user to locate and interact with embedded OLE object: vulnerability cannot be exploited just from opening .RTF file
• Cannot be exploited automatically through e-mail: user must open attached file

Additional Information:
• Contains defense-in-depth change to help address attack vectors related to MS07-012

Replaced:
• None

Publicly Disclosed / Known Exploits:
• None

MS07-012 – Vulnerability in Microsoft MFC Could Allow Remote Code Execution (924667) – Important

Vulnerability: Remote code execution vulnerability in MFC component related to OLE object handling

Possible Attack Vectors:
• Attacker creates .RTF file with specially formed embedded OLE object
• Attacker posts file on Web site or sends file through e-mail
• Attacker convinces user to visit Web site or open file from e-mail
• Attacker convinces user to navigate within .RTF document and manipulate embedded OLE object

Impact of Attack: Run code in context of logged on user

Mitigating Factors:
• Limits on user’s account limit attacker’s code
• Vulnerability cannot be exploited automatically through browsing. User must navigate to attacker’s site manually or through links in e-mail or IM.
• Vulnerability requires user to locate and interact with embedded OLE object: vulnerability cannot be exploited just from opening .RTF file
• Cannot be exploited automatically through e-mail: user must open attached file

Additional Information:
• MS07-011 contains defense-in-depth change to help address attack vectors
• Updates available for redistributable components within Visual Studio
  – mfc70u.dll - Visual Studio .NET 2002
  – mfc71u.dll - Visual Studio .NET 2003
• Apply updates to development systems and provide updated versions of applications that use these files
• Contact vendor for questions about applications that use these files

Replaced:
• None

Publicly Disclosed / Known Exploits:
• None

MS07-013 – Vulnerability in Microsoft RichEdit Could Allow Remote Code Execution (918118) – Important

Vulnerability: Remote code execution vulnerability in RichEdit components related to OLE object handling

Possible Attack Vectors:
• Attacker creates .RTF file with specially formed embedded OLE object
• Attacker posts file on Web site or sends file through e-mail
• Attacker convinces user to visit Web site or open file from e-mail
• Attacker convinces user to navigate within .RTF document and manipulate embedded OLE object

Impact of Attack: Run code in context of logged on user

Mitigating Factors:
• Limits on user’s account limit attacker’s code
• Vulnerability cannot be exploited automatically through browsing. User must navigate to attacker’s site manually or through links in e-mail or IM.
• Vulnerability requires user to locate and interact with embedded OLE object: vulnerability cannot be exploited just from opening .RTF file
• Cannot be exploited automatically through e-mail: user must open attached file

Replaced:
• None

Publicly Disclosed / Known Exploits:
• None

MS07-014 – Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (929434) – Critical

Vulnerabilities: Six code execution vulnerabilities when processing Word files with malformed data elements

Possible Attack Vectors:
• Attacker crafts specially formed Word document
• Attacker places Word document on web page or includes in e-mail as attachment
• Attacker convinces user to visit Web site or view e-mail and open attachment

Impact of Attack: Run code in context of logged on user

Mitigating Factors:
• Limits on user’s account limit attacker’s code
• Word 2002 or Word 2003: cannot be exploited automatically through e-mail. User must open an attachment that is sent in e-mail.
• Word 2002 or Word 2003: cannot be exploited automatically through Web page. User must click through trust decision dialog box.
  – Dialog box does not occur in Office 2000.
  – Dialog box can be added to Office 2000 by installing Office Document Open Confirmation Tool
• User must navigate to attacker’s site manually or through links in e-mail or IM. Access to sites cannot be automated.

Additional Information:
• Addresses four publicly disclosed issues; 3 issues subject to very limited, targeted attacks:
  – CVE-2006-5994 - Dec. 5, 2006
    http://blogs.technet.com/msrc/archive/2006/12/06/microsoft-security-advisory-929433-posted.aspx
    http://www.microsoft.com/technet/security/advisory/929433.mspx
  – CVE-2006-6456 - Dec. 10, 2006
    http://blogs.technet.com/msrc/archive/2006/12/10/new-report-of-a-word-zero-day.aspx
  – CVE-2006-6561 - Dec. 15, 2006
    http://blogs.technet.com/msrc/archive/2006/12/15/update-on-current-word-vulnerability-reports.aspx
  – CVE-2007-0515 - Jan. 26, 2007
    http://blogs.technet.com/msrc/archive/2007/01/26/microsoft-security-advisory-932114-posted.aspx
    http://www.microsoft.com/technet/security/advisory/932114.mspx

Replaced:
• MS06-060

Publicly Disclosed / Known Exploits:
• No: CVE-2007-0209/CVE-2007-0209
• Yes: CVE-2006-5994, CVE-2006-6456, CVE-2006-6561 and CVE-2007-0515

MS07-015 – Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (932554) – Critical

Vulnerabilities
Two code execution vulnerabilities when processing Office files with malformed data elements

Possible Attack Vectors
• Attacker crafts specially formed Office document
• Attacker places Office document on web page or includes in e-mail as attachment
• Attacker convinces user to visit Web site or view e-mail and open attachment

Impact of Attack
Run code in context of logged on user

Mitigating Factors
• Limits on user’s account limit attacker’s code
• Office XP or Office 2003: cannot be exploited automatically through e-mail. User must open an attachment that is sent in e-mail.
• Office XP or Office 2003: cannot be exploited automatically through Web page. User must click through trust decision dialog box.
  – Dialog box does not occur in Office 2000.
  – Dialog box can be added to Office 2000 by installing Office Document Open Confirmation Tool
• User must navigate to attacker’s site manually or through links in e-mail or IM. Access to sites cannot be automated

Additional Information
• Addresses publicly disclosed issue subject to very limited, targeted attacks:
  – CVE-2007-0671 - Feb. 2, 2007:
    http://blogs.technet.com/msrc/archive/2007/02/02/microsoft-security-advisory-932553-posted.aspx
    http://www.microsoft.com/technet/security/advisory/932553.mspx
• CVE-2006-3877
  – Originally discussed in MS06-058
  – Update was found to not address issue
  – Issue addressed in MS07-015
  – MS06-058 updated to reflect this
  – MS06-058 DOES protect against other three vulnerabilities discussed

Replaced
• MS06-062

Publicly Disclosed / Known Exploits
• Publicly disclosed: CVE-2007-0671 (NOT disclosed: CVE-2006-3877)
• Known exploits: None


MS07-016 – Cumulative Security Update for Internet Explorer (928090) – Critical

Vulnerabilities
Three remote code execution vulnerabilities (2 COM object instantiations, 1 FTP server response parsing)

Possible Attack Vectors
• Attacker creates specially formed Web page
• Attacker posts page on Web site or sends page as HTML e-mail
• Attacker convinces user to visit Web site or view e-mail

Impact of Attack
Run code in context of logged on user

Mitigating Factors
• Limits on user’s account limit attacker’s code
• Vulnerability cannot be exploited automatically through browsing. User must navigate to attacker’s site manually or through links in e-mail or IM.
• All supported versions of Outlook and Outlook Express open HTML e-mail messages in the Restricted sites zone, which helps reduce attacks by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail.
• Internet Explorer on Windows Server 2003 in Enhanced Security Configuration mitigates the browsing and e-mail vectors on select vulnerabilities.

Replaced
• MS06-072

Publicly Disclosed / Known Exploits
• Publicly disclosed: CVE-2006-4697 (others are not disclosed)
• Known exploits: None


Detection and Deployment

| Bulletin | WU/SUS/AU | Office Update & SMS Microsoft Office Inventory Tool for Updates | MBSA 1.2 & SMS Security Update Inventory Tool | Enterprise Scan Tool & SMS Security Update Scan Tools | MU/WSUS/AU, SMS 2003 ITMU, & MBSA 2.0 |
|---|---|---|---|---|---|
| MS07-005 | Yes | NA | No | Yes | Yes |
| MS07-006 | Yes | NA | Yes | NA | Yes |
| MS07-007 | Yes | NA | Yes | NA | Yes |
| MS07-008 | Yes | NA | Yes | NA | Yes |
| MS07-009 | Yes | NA | Yes (except Windows 2000) | Windows 2000 only | Yes |
| MS07-010 | See Bulletin | See Bulletin | See Bulletin | See Bulletin | See Bulletin |
| MS07-011 | Yes | NA | Yes | NA | Yes |
| MS07-012 | Yes | NA | Windows only | Visual Studio only | Windows only |
| MS07-013 | Windows only | Office only | Yes (Office: local only) | NA | Yes (except Office 2000) |
| MS07-014 | NA | Yes | Local only | NA | Yes (except Office 2000 and Mac) |
| MS07-015 | NA | Yes | Local only | NA | Yes (except Office 2000 and Mac) |
| MS07-016 | Yes | NA | Yes | NA | Yes |


Other Update Information

| Bulletin | Restart | Hotpatching | Uninstall | Replaces |
|---|---|---|---|---|
| MS07-005 | May be required | N/A | Yes | MS05-031 |
| MS07-006 | Required | No | Yes | MS06-045 |
| MS07-007 | Required | N/A | Yes | None |
| MS07-008 | Required | N/A | Yes | MS06-046 |
| MS07-009 | Required | N/A | Yes | MS06-014 |
| MS07-010 | May be required | N/A | No (Except Defender on Vista) | None |
| MS07-011 | May be required | No | Yes | None |
| MS07-012 | Required | No | Yes | None |
| MS07-013 | May be required | No | Yes (except Office 2000) | None |
| MS07-014 | May be required | N/A | Yes (except 2000 and Mac) | MS06-060 |
| MS07-015 | May be required | N/A | Yes (except 2000 and Mac) | MS06-062 |
| MS07-016 | Required | No | Yes | MS06-072 |


February 2007 Non-Security Updates

| Number | Title | Distribution |
|---|---|---|
| 931836 | Update for Windows XP (Daylight Savings Time) | WU, MU |
| 925720 | February 2007 CardSpace Update for Windows XP | WU, MU |
| 924885 | Update for Outlook Junk Email Filter 2003 | MU |
| 924884 | Update for Outlook Junk Email Filter 2007 | MU |
| 925251 | Update for Office 2003 | MU |
| 929058 | Update for Excel 2003 | MU |
| 929060 | Update for PowerPoint 2003 | MU |
| 926666 | Update for Daylight Saving Time changes in 2007 for Exchange 2003 | MU |


New WSUSSCAN.CAB architecture

• New architecture for wsusscan.cab began in November 2006
• Support for existing wsusscan.cab architecture ends in March 2007
• SMS ITMU customers: download and deploy updated version of the SMS ITMU
  – http://www.microsoft.com/technet/downloads/sms/2003/tools/msupdates.mspx
• MBSA 2.0 offline scan customers:
  – Download updated version of MBSA 2.0.1 now
  – Or download the new offline scan file, wsusscn2.cab, by clicking http://go.microsoft.com/fwlink/?LinkId=76054. Save this file to C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\2.0\Cache\wsusscn2.cab.
• If you only run MBSA 2.0 in the online mode, you do not need to do anything.
• See Microsoft KB Article 926464 for more information
  – http://support.microsoft.com/kb/926464


US Daylight Savings Time non-security Update

• Change to comply with US Energy Policy Act of 2005
  – DST starts three weeks earlier: 2:00 am second Sunday in March (11 March 2007)
  – Ends one week later: 2:00 am first Sunday in November (4 November 2007)
• Updates to enable this
  – Windows (931836)
  – Exchange 2003 (926666)
• Updates available through AU, WU, SUS, WSUS and ITMU
• More information
  – http://www.microsoft.com/dst2007
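
The rule change on this slide worked through for 2007, as an added example that is not part of the original deck: it computes the transition dates and flags the periods in which a host without the update keeps local time one hour behind, which matters when correlating logs across hosts. The previous US rule (first Sunday in April to last Sunday in October) is not stated on the slide, and all function names are illustrative.

```python
from datetime import date, datetime, timedelta

SUNDAY = 6  # date.weekday(): Monday is 0, Sunday is 6


def nth_sunday(year, month, n):
    """Date of the n-th Sunday of the given month (n = 1, 2, ...)."""
    first = date(year, month, 1)
    offset = (SUNDAY - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))


def last_sunday(year, month):
    """Date of the last Sunday of the given month."""
    next_month = date(year + (month == 12), month % 12 + 1, 1)
    last_day = next_month - timedelta(days=1)
    return last_day - timedelta(days=(last_day.weekday() - SUNDAY) % 7)


def new_rule(year):
    """DST period from the slide: second Sunday in March to first Sunday in November."""
    return nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)


def old_rule(year):
    """Assumption (not on the slide): the previous US rule,
    first Sunday in April to last Sunday in October."""
    return nth_sunday(year, 4, 1), last_sunday(year, 10)


def in_dst(local, period):
    """True if a local timestamp falls between the 2:00 am transitions."""
    start, end = (datetime(d.year, d.month, d.day, 2) for d in period)
    return start <= local < end


def unpatched_clock_skew(local):
    """Hours by which a host still on the old rule differs from a patched
    host at the given (patched) local time: -1 inside the two extended
    DST windows, 0 everywhere else."""
    return int(in_dst(local, old_rule(local.year))) - int(in_dst(local, new_rule(local.year)))


if __name__ == "__main__":
    print("new rule 2007:", new_rule(2007))
    print("old rule 2007:", old_rule(2007))
    # Constructed sample timestamps, one per season
    for ts in (datetime(2007, 1, 15, 9), datetime(2007, 3, 20, 9),
               datetime(2007, 7, 1, 9), datetime(2007, 10, 30, 12)):
        print(ts, "skew on unpatched host:", unpatched_clock_skew(ts), "h")
```
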


Windows Malicious Software Removal Tool – KB890830

• The Feb. update adds the ability to remove:
  – Win32/Stration
  – Win32/Mitglieder
• Available as priority update through Windows Update or Microsoft Update for Windows XP users
  – Offered through WSUS; not offered through SUS 1.0
• Also as an ActiveX control or download at www.microsoft.com/malwareremove
• Deployment step-by-step: KB891716


Resources

• Feb. 2007 Security Bulletin Webcast (US)
  http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032323262&EventCategory=4&culture=en-US&CountryCode=US
• Security Bulletins Summary
  http://www.microsoft.com/taiwan/technet/security/bulletin/ms07-jan.mspx
• Security Bulletins Search
  www.microsoft.com/technet/security/current.aspx
• Security Advisories
  www.microsoft.com/taiwan/technet/security/advisory/
• MSRC Blog
  http://blogs.technet.com/msrc
• Notifications
  www.microsoft.com/technet/security/bulletin/notify.mspx
• TechNet Radio
  www.microsoft.com/tnradio
• IT Pro Security Newsletter
  www.microsoft.com/technet/security/secnews/
• TechNet Security Center
  www.microsoft.com/taiwan/technet/security
• TechNet Forum ITPro
  http://forums.microsoft.com/technet-cht/default.aspx?siteid=23
• Detection and deployment guidance for the Feb 2007 security release
  http://support.microsoft.com/default.aspx?scid=kb;EN-US;910723


Questions and Answers

• Submit text questions using the “Ask a Question” button
• Don’t forget to fill out the survey
• For upcoming and previously recorded webcasts: http://www.microsoft.com/taiwan/technet/webcast/default.aspx
• Webcast content suggestions: [email protected]@microsoft.com
