Richard Chen 陳政鋒(Net+, Sec+, MCSE2003+Security, CISSP)

資深技術支援工程師台灣微軟技術支援處

五月份資訊安全公告 May 10, 2007

• Security Bulletins7 New Critical updates

• Non-Security Releases4 Non-security updates

• Detection and Deployment• Other Information

Windows Malicious Software Removal ToolLifeCycle Information

• References

What Will We cover?

Questions and Answers

• Submit text questions using the

“Ask a Question” button

Hot issue updates

• Svchost.exe high CPU (99%) when doing update scan

• Resolution: Try to install Windows Update Agent v3http://download.windowsupdate.com/v7/windowsupdate/redist/standalone/Windows

UpdateAgent30-x86.exe

http://download.windowsupdate.com/v7/windowsupdate/redist/standalone/Windows

UpdateAgent30-x64.exe

http://download.windowsupdate.com/v7/windowsupdate/redist/standalone/Windows

UpdateAgent30-ia64.exe

• Further information can be found at http://blogs.technet.com/wsus/archive/2007/04/28/update-on.aspx

May 2007 Security Bulletins Overview

Bulletin Bulletin NumberNumber

Title Title Maximum Maximum Severity RatingSeverity Rating

Products AffectedProducts Affected

MS07-023MS07-023 Vulnerabilities in Microsoft Excel Could Vulnerabilities in Microsoft Excel Could

Allow Remote Code Execution (934233)Allow Remote Code Execution (934233)Critical All currently supported All currently supported

versions of Microsoft Excelversions of Microsoft Excel

MS07-024MS07-024 Vulnerabilities in Microsoft Word Could Vulnerabilities in Microsoft Word Could

Allow Remote Code Execution (934232)Allow Remote Code Execution (934232)Critical Microsoft Word 2000, 2002, Microsoft Word 2000, 2002,

20032003

MS07-025MS07-025 Vulnerability in Microsoft Office Could Vulnerability in Microsoft Office Could

Allow Remote Code Execution (934873)Allow Remote Code Execution (934873)Critical All currently supported All currently supported

versions of Microsoft Officeversions of Microsoft Office

MS07-026MS07-026 Vulnerabilities in Microsoft Exchange Vulnerabilities in Microsoft Exchange

Could Allow Remote Code Execution Could Allow Remote Code Execution

(931832)(931832)

Critical All current versions of All current versions of Microsoft ExchangeMicrosoft Exchange

MS07-027MS07-027 Cumulative Security Update for Internet Cumulative Security Update for Internet

Explorer (931768)Explorer (931768)Critical All current versions Internet All current versions Internet

Explorer on all currently Explorer on all currently supported versions of supported versions of Microsoft WindowsMicrosoft Windows

MS07-028MS07-028 Vulnerability in CAPICOM Could Allow Vulnerability in CAPICOM Could Allow

Remote Code Execution (931906)Remote Code Execution (931906)Critical CAPICOM, BizTalk ServerCAPICOM, BizTalk Server

MS07-029MS07-029 Vulnerability in RPC on Windows DNS Vulnerability in RPC on Windows DNS

Server Could Allow Remote Code Server Could Allow Remote Code

Execution (935966)Execution (935966)

Critical Windows 2000 (server), Windows 2000 (server), Windows Server 2003Windows Server 2003

May 2007 Security BulletinsSeverity Summary

Bulletin Number

Microsoft Excel 2000

Microsoft Excel 2002

Microsoft Excel 2003

Excel 2007

MS07-023 Critical Important Important Important

Microsoft Word 2000

Microsoft Word 2002

Microsoft Word 2003

Microsoft Word 2007

Microsoft Word 2004 for Mac

MS07-024 Critical Important Important Not Affected Important

Microsoft Office 2000

Microsoft Office XP

Microsoft Office 2003

Microsoft Office 2007

Microsoft Office 004 for Mac

MS07-025 Critical Important Important Important Important

May 2007 Security BulletinsSeverity Summary (2)

Bulletin Number

IE5.01 SP4 IE6 SP1 Internet Explorer 6 & 7 for Windows Server 2003 SP1 & SP2

IE 6.0 for XPSP 2

IE 7.0 For XP SP2

IE 7.0 for Vista

MS07-027 Critical Critical Moderate Critical Critical Critical

Microsoft Exchange 2000 Server

Microsoft Exchange Server 2003 SP1& SP2

Microsoft Exchange Server 2007

MS06-026 Critical Critical Critical

CAPICOM BizTalk Server 2004

MS07-028 Critical Critical

Windows 2000 SP 4

Windows Server 2003 SP1 & SP2

MS07-029 Critical Critical

MS07-023 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233) – Critical

VulnerabilitiesVulnerabilities Three code execution vulnerabilities due to Excel’s handling of malformed data Three code execution vulnerabilities due to Excel’s handling of malformed data elementselements

Possible Attack Possible Attack VectorsVectors

• Attacker crafts specially formed Excel documentAttacker crafts specially formed Excel document• Attacker places Excel document on web page or includes in e-mail as attachmentAttacker places Excel document on web page or includes in e-mail as attachment• Attacker convinces user to visit Web site or view e-mail and open attachmentAttacker convinces user to visit Web site or view e-mail and open attachment

Impact of AttackImpact of Attack Run code in context of logged on userRun code in context of logged on user

Mitigating FactorsMitigating Factors • Limits on user’s account limits attacker’s codeLimits on user’s account limits attacker’s code• Excel 2002,Excel 2003 and Excel 2007: cannot be exploited automatically through e-Excel 2002,Excel 2003 and Excel 2007: cannot be exploited automatically through e-mail. User must open an attachment that is sent in e-mail.mail. User must open an attachment that is sent in e-mail.• Excel 2002, Excel 2003 and Excel 2007: cannot be exploited automatically through Excel 2002, Excel 2003 and Excel 2007: cannot be exploited automatically through Web page. User must click through trust decision dialog box.Web page. User must click through trust decision dialog box.

–Dialog box does not occur in Office 2000.Dialog box does not occur in Office 2000.–Dialog box can be added to Office 2000 by installing Office Document Open Dialog box can be added to Office 2000 by installing Office Document Open

Confirmation ToolConfirmation Tool• User must navigate to attacker’s site manually or through links in e-mail or IM. Access User must navigate to attacker’s site manually or through links in e-mail or IM. Access to sites cannot be automated.to sites cannot be automated.•Excel 2007: issue affects handling of older Excel file format. File blocking can help Excel 2007: issue affects handling of older Excel file format. File blocking can help protectprotect

• http://technet2.microsoft.com/Office/en-us/library/fe3f431c-8d7a-45c8-954f-1268f3b533161033.mspx?mfr=true

MS07-023 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233) – Critical

Replaced Updates:

MS07-002MS07-002

Publicly Disclosed/

Known Exploits

• PD: NoPD: No• KE: NoKE: No

More Information KB: KB: http://www.microsoft.com/taiwan/technet/security/bulletin/ms07-024.mspx

MS07-024 – Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232) – Critical

VulnerabilitiesVulnerabilities Three code execution vulnerabilities due to Word’s handling of malformed data Three code execution vulnerabilities due to Word’s handling of malformed data elementselements

Possible Attack Possible Attack VectorsVectors

• Attacker crafts specially formed Word documentAttacker crafts specially formed Word document• Attacker places Word document on web page or includes in e-mail as attachmentAttacker places Word document on web page or includes in e-mail as attachment• Attacker convinces user to visit Web site or view e-mail and open attachmentAttacker convinces user to visit Web site or view e-mail and open attachment

Impact of AttackImpact of Attack Run code in context of logged on userRun code in context of logged on user

Mitigating FactorsMitigating Factors • Limits on user’s account limits attacker’s codeLimits on user’s account limits attacker’s code• Word 2002 or Word 2003: cannot be exploited automatically through e-mail. User Word 2002 or Word 2003: cannot be exploited automatically through e-mail. User must open an attachment that is sent in e-mail.must open an attachment that is sent in e-mail.• Word 2002 or Word 2003: cannot be exploited automatically through Web page. User Word 2002 or Word 2003: cannot be exploited automatically through Web page. User must click through trust decision dialog box.must click through trust decision dialog box.

–Dialog box does not occur in Office 2000.Dialog box does not occur in Office 2000.–Dialog box can be added to Office 2000 by installing Office Document Open Dialog box can be added to Office 2000 by installing Office Document Open

Confirmation ToolConfirmation Tool• User must navigate to attacker’s site manually or through links in e-mail or IM. User must navigate to attacker’s site manually or through links in e-mail or IM. Access to sites cannot be automated.Access to sites cannot be automated.

MS07-024 – Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232) – Critical

Replaced Updates: MS07-014MS07-014

Publicly Disclosed/

Known Exploits

• CVE-2007-0870 is public disclosed and there are known exploits reported.CVE-2007-0870 is public disclosed and there are known exploits reported.• Others are not.Others are not.

More Information Addresses issue discussed in Microsoft Security Advisory 933052Addresses issue discussed in Microsoft Security Advisory 933052

http://www.microsoft.com/taiwan/technet/security/advisory/933052.mspx

KB: KB: http://www.microsoft.com/taiwan/technet/security/bulletin/ms07-024.mspx

MS07-025 – Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873) – Critical

VulnerabilityVulnerability One code execution vulnerability exists in the way Microsoft Office handles a One code execution vulnerability exists in the way Microsoft Office handles a specially crafted drawing objectspecially crafted drawing object

Possible Attack Possible Attack VectorsVectors

• Attacker crafts specially formed Office documentAttacker crafts specially formed Office document• Attacker places Office document on web page or includes in e-mail as Attacker places Office document on web page or includes in e-mail as

attachmentattachment• Attacker convinces user to visit Web site or view e-mail and open Attacker convinces user to visit Web site or view e-mail and open

attachmentattachment

Impact of AttackImpact of Attack Run code in context of logged on userRun code in context of logged on user

Mitigating FactorsMitigating Factors • Limits on user’s account limits attacker’s codeLimits on user’s account limits attacker’s code• Office XP or Office 2003: cannot be exploited automatically through e-mail. Office XP or Office 2003: cannot be exploited automatically through e-mail. User must open an attachment that is sent in e-mail.User must open an attachment that is sent in e-mail.• Office XP or Office 2003: cannot be exploited automatically through Web page. Office XP or Office 2003: cannot be exploited automatically through Web page. User must click through trust decision dialog box.User must click through trust decision dialog box.

–Dialog box does not occur in Office 2000.Dialog box does not occur in Office 2000.–Dialog box can be added to Office 2000 by installing Office Document Dialog box can be added to Office 2000 by installing Office Document

Open Confirmation ToolOpen Confirmation Tool• User must navigate to attacker’s site manually or through links in e-mail or IM. User must navigate to attacker’s site manually or through links in e-mail or IM. Access to sites cannot be automatedAccess to sites cannot be automated

MS07-025 – Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873) – Critical

Replaced Updates:

MS07-015MS07-015

Publicly Disclosed/

Known Exploits

• PD: NoPD: No• KE: NoKE: No

More Information http://www.microsoft.com/taiwan/technet/security/bulletin/ms04-025.mspx

MS07-026 – Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (931832) – Critical

VulnerabilitiesVulnerabilities One remote code execution , one information disclosure and two denial of One remote code execution , one information disclosure and two denial of service vulnerabilitiesservice vulnerabilities

Possible Attack Possible Attack VectorsVectors

• Attacker creates e-mail with specially formed e-mail messageAttacker creates e-mail with specially formed e-mail message• Attacker sends e-mail to Exchange ServerAttacker sends e-mail to Exchange Server

Impact of AttackImpact of Attack Run code in context of LocalSystemRun code in context of LocalSystem

Mitigating FactorsMitigating Factors NoneNone

Replaced Updates:

MS06-019MS06-019

MS06-029MS06-029

Publicly Disclosed/

Known Exploits

PD: NoPD: No

KE: NoKE: No

More Information KB: KB: http://www.microsoft.com/taiwan/technet/security/bulletin/ms07-026.mspx

MS07-027 – Cumulative Security Update for Internet Explorer (931768) – Critical

VulnerabilitiesVulnerabilities Five code execution vulnerabilitiesFive code execution vulnerabilities

Possible Attack Possible Attack VectorsVectors

• Attacker creates specially formed Web pageAttacker creates specially formed Web page• Attacker posts page on Web site or sends page as HTML e-mailAttacker posts page on Web site or sends page as HTML e-mail• Attacker convinces user to visit Web site or view e-mailAttacker convinces user to visit Web site or view e-mail

Impact of AttackImpact of Attack Run code in context of logged on userRun code in context of logged on user

Mitigating FactorsMitigating Factors • Limits on user’s account limits attacker’s codeLimits on user’s account limits attacker’s code• Vulnerability cannot be exploited automatically through browsing. User must Vulnerability cannot be exploited automatically through browsing. User must navigate to attacker’s site manually or through links in e-mail or IM.navigate to attacker’s site manually or through links in e-mail or IM.•All supported versions of Outlook and Outlook Express open HTML e-mail All supported versions of Outlook and Outlook Express open HTML e-mail messages in the Restricted sites zone, which helps reduce attacks preventing messages in the Restricted sites zone, which helps reduce attacks preventing Active Scripting and ActiveX controls from being used when reading HTML e-Active Scripting and ActiveX controls from being used when reading HTML e-mail.mail.• Internet Explorer on Windows Server 2003 in Enhanced Security Configuration Internet Explorer on Windows Server 2003 in Enhanced Security Configuration mitigates the browsing and e-mail vectors on select vulnerabilities.mitigates the browsing and e-mail vectors on select vulnerabilities.

MS07-027 – Cumulative Security Update for Internet Explorer (931768) – Critical

Replaced Updates:

MS07-016MS07-016

Publicly Disclosed/

Known Exploits

• PD: PD: CVE-2007-0942 COM 物件例項記憶體損毀弱點 , others are not.• KE: NoKE: No

More Information • Sets killbit for the ActiveX control LaunchApp Software available from Acer Sets killbit for the ActiveX control LaunchApp Software available from Acer IncorporatedIncorporated

• See See http://global.acer.com/support/patch20070101.htm for more for more informationinformation

• Sets killbit for an ActiveX control developed by Research In Motion (RIM)Sets killbit for an ActiveX control developed by Research In Motion (RIM)• See See http://na.blackberry.com/eng/ataglance/security/news.jsp for more for more

informationinformation

KB: KB: http://www.microsoft.com/taiwan/technet/security/bulletin/ms07-027.mspx

MS07-028 – Vulnerability in CAPICOM Could Allow Remote Code Execution (931906)) – Critical

VulnerabilityVulnerability A code execution vulnerability in Cryptographic API Component Object Model A code execution vulnerability in Cryptographic API Component Object Model (CAPICOM) due to input handling in the ActiveX control(CAPICOM) due to input handling in the ActiveX control

Possible Attack Possible Attack VectorsVectors

• Attacker creates specially formed Web pageAttacker creates specially formed Web page• Attacker posts page on Web site or sends page as HTML e-mailAttacker posts page on Web site or sends page as HTML e-mail• Attacker convinces user to visit Web site or view e-mailAttacker convinces user to visit Web site or view e-mail

Impact of AttackImpact of Attack Run code in context of logged on userRun code in context of logged on user

Mitigating FactorsMitigating Factors • Limits on user’s account limits attacker’s codeLimits on user’s account limits attacker’s code• Vulnerability cannot be exploited automatically through browsing. User must Vulnerability cannot be exploited automatically through browsing. User must navigate to attacker’s site manually or through links in e-mail or IM.navigate to attacker’s site manually or through links in e-mail or IM.•All supported versions of Outlook and Outlook Express open HTML e-mail All supported versions of Outlook and Outlook Express open HTML e-mail messages in the Restricted sites zone, which helps reduce attacks preventing messages in the Restricted sites zone, which helps reduce attacks preventing Active Scripting and ActiveX controls from being used when reading HTML e-Active Scripting and ActiveX controls from being used when reading HTML e-mail.mail.• Internet Explorer on Windows Server 2003 in Enhanced Security Configuration Internet Explorer on Windows Server 2003 in Enhanced Security Configuration mitigates the browsing and e-mail vectors on select vulnerabilities.mitigates the browsing and e-mail vectors on select vulnerabilities.•ActiveX control is not on IE 7 ActiveX opt-in list: user must explicitly approve ActiveX control is not on IE 7 ActiveX opt-in list: user must explicitly approve first-time running of controlfirst-time running of control

MS07-028 – Vulnerability in CAPICOM Could Allow Remote Code Execution (931906)) – Critical

Replaced Updates:

NoneNone

Publicly Disclosed/

Known Exploits

• PD: NoPD: No• KE: NoKE: No

More Information What is CAPICOM?What is CAPICOM?

http://msdn2.microsoft.com/en-us/library/ms995332.aspx

KB: KB: http://www.microsoft.com/taiwan/technet/security/bulletin/ms07-027.mspx

MS07-029 Situation Overview

• First obtained partial information of limited attacks on April 6, 2007

• Investigation yielded information about new vulnerability on April

11, 2007

• Workarounds identified and Security Advisory 935964 released on

April 12, 2007

• Information released to Microsoft Security Alliance (MSRA)

partners to help provide broader protections

• Ongoing monitoring indicated attacks remained limited

MS07-029 – Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution (935966) – Critical

Vulnerability Code execution vulnerability in RPC management of DNS Server service

Possible Attack Vectors

• Attacker creates specially formed network packet• Attacker sends packet to vulnerable system

Impact of Attack Run code in LocalSystem context

Workarounds • Block TCP/UDP 139/445 and all ports above 1024• Add RpcProtocol key =1 under

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Replaced Updates: • None

Publicly Disclosed/

Known Exploits

• PD: Yes• KE: Yes

More Information • Addresses issue discussed in Microsoft Security Advisory 935964http://www.microsoft.com/taiwan/technet/security/advisory/935964.mspx

• Security update will not undo any workarounds put in place: must be rolled back manually

KB: http://www.microsoft.com/taiwan/technet/security/bulletin/ms07-029.mspx

Detection and Deployment

WU/SUS/AU Office Update & SMS Microsoft Office Inventory Tool for Updates

MBSA 1.2 & SMS Security Update Inventory Tool

Enterprise Scan Tool & SMS Security Update Scan Tools

MU/WSUS/AU, SMS 2003 ITMU, & MBSA 2.0

MS07-023 NA Yes (except 2007) Yes (local except 2007)

No Yes (except 2000)

MS07-024 NA Yes Yes (local) No Yes (except 2000)

MS07-025 NA Yes (except 2007) Yes (local except 2007)

No Yes (except 2000)

MS07-026 NA NA Yes (except 2007) No Yes

MS07-027 Yes NA Yes (except Vista) No Yes

MS07-028 Yes NA No Yes Yes

MS07-029 Yes NA Yes No Yes

Detection and Deployment Support in Windows Vista

• SupportedWindows Update

Microsoft Update

MBSA 2.1 (beta, remote only)

MBSA 2.0.1 (remote only)

WSUS

SMS 2003 with ITMU V3

• Not Supported

Software update Services

MBSA 1.2.1

SMS Security Update

Inventory Tool

SMS 2003 with ITMU

earlier than V3

Other Update Information

Bulletin Restart Hotpatching Uninstall Replaces

MS07-023MS07-023 No NANA Yes (Except 2000)Yes (Except 2000) MS07-002MS07-002

MS07-024MS07-024 No NANA Yes (Except 2000)Yes (Except 2000) MS07-014MS07-014

MS07-025MS07-025 No NANA Yes (Except 2000)Yes (Except 2000) MS07-015MS07-015

MS07-026MS07-026 No NANA YesYes MS06-019, MS06-019, MS06-029MS06-029

MS07-027MS07-027 Yes NANA YesYes MS07-016MS07-016

MS07-028MS07-028 No NANA YesYes NANA

MS07-029MS07-029 Yes NoNo YesYes NANA

May 2007 Non-Security Updates

NUMBERNUMBER TITLETITLE DistributionDistribution

930916 Update for Windows XP (KB930916) WU, MU

934708 Update for Outlook 2003 Junk Email Filter (KB934708) MU

934655 Update for Outlook 2007 Junk Email Filter (KB934655) MU

933669 Update for PowerPoint 2003 (KB933669) MU

934173 Update for Word 2007 (KB934173) MU

25

Windows Malicious Software Removal Tool

• Adds the ability to remove:– Win32/Renos

• Available as priority update through Windows Update or Microsoft Update for Windows XP users

Offered through WSUS; not offered through SUS 1.0Also available as a download atwww.microsoft.com/malwareremove

26

Lifecycle Support Information

• April 2007

– Windows Server 2003 RTM (SP0)

• July 10, 2007

– Software Update Services 1.0

– SQL Server 2000 Service Pack 3a

– SQL Server 2005 RTM (SP0)

Resources

• Security Bulletins Summary http://www.microsoft.com/taiwan/technet/security/bulletin/ms07-may.mspx

• Security Bulletins Searchwww.microsoft.com/technet/security/current.aspx

• Security Advisorieswww.microsoft.com/taiwan/technet/security/advisory/

• MSRC Bloghttp://blogs.technet.com/msrc

• Notificationswww.microsoft.com/technet/security/bulletin/notify.mspx

• TechNet Radiowww.microsoft.com/tnradio

• IT Pro Security Newsletterwww.microsoft.com/technet/security/secnews/

• TechNet Security Centerwww.microsoft.com/taiwan/technet/security

• TechNet Forum ITProhttp://forums.microsoft.com/technet-cht/default.aspx?siteid=23

• Detection and deployment guidance for the May 2007 security releasehttp://support.microsoft.com/kb/936981/en-us

Questions and Answers

• Submit text questions using the

“Ask a Question” button

• Don’t forget to fill out the survey

• For upcoming and previously recorded webcasts:

http://www.microsoft.com/taiwan/technet/webcast/default.aspx

• Webcast content suggestions:

http://www.microsoft.com/taiwan/technet/forum