August Patch Tuesday Round-up

Today's the day the teddy bears have their picnic... well, actually it's MS Tuesday, and we've got 9 patches spanning 14 CVEs. What's interesting is that it's almost like the month of Social Engineering: reading through each patch, it's all about user interaction this month. There aren't any traditional remotes... no running services or servers are affected, not remotely anyways. Let's start with today's lineup and then I'll talk about some of the ones that interest me the most.

MS07-042: Microsoft XML Core Services Vulnerability (CVE-2007-2223)
MS07-043: Microsoft OLE Automation Memory Corruption Vulnerability (CVE-2007-2224)
MS07-044: Microsoft Excel Workspace Memory Corruption Vulnerability (CVE-2007-3890)
MS07-045: Microsoft Internet Explorer CSS Memory Corruption Vulnerability (CVE-2007-0943)
MS07-045: Microsoft Internet Explorer ActiveX Object Vulnerability (CVE-2007-2216)
MS07-045: Microsoft Internet Explorer ActiveX Object Memory Corruption Vulnerability (CVE-2007-3041)
MS07-046: Microsoft GDI Remote Code Execution Vulnerability (CVE-2007-3034)
MS07-047: Microsoft Windows Media Player Skin Parsing Remote Code Execution Vulnerability (CVE-2007-3037)
MS07-047: Microsoft Windows Media Player Skin Decompression Remote Code Execution Vulnerability (CVE-2007-3035)
MS07-048: Microsoft Windows Vista Feed Headlines Gadget Remote Code Execution Vulnerability (CVE-2007-3033)
MS07-048: Microsoft Windows Vista Contacts Gadget Code Execution Vulnerability (CVE-2007-3032)
MS07-048: Microsoft Windows Vista Weather Gadget Remote Code Execution Vulnerability (CVE-2007-3891)
MS07-049: Microsoft Virtual PC and Virtual Server Heap Overflow Vulnerability (CVE-2007-0948)
MS07-050: Microsoft VML Buffer Overrun Vulnerability (CVE-2007-1749)

If I had to pick three that interest me, I'd go with MS07-042, MS07-048 and MS07-049, so let's take a closer look at them...

MS07-042:

This is interesting for one reason... the number of affected products. Not only are there numerous versions of XML Core Services, but the list of affected products is large: all versions of Windows, all versions of Office, SharePoint and Groove. It's a massive list of software that has to be updated.

MS07-048:

This one is the one I find the most interesting. Remote Code Execution via an RSS feed. There was actually an article almost two years ago quoting a researcher at Trend Micro who said that RSS would be the botnets' next stomping ground. This vulnerability could be proof of that. Sure, it affects Vista, which not everyone is running, and furthermore you have to be running Gadgets with the RSS Widget; however, this is evidence of what may be coming in other (read: more popular) RSS readers. When you subscribe to an RSS feed you are implicitly trusting that feed. You are asking your feed reader to gather all new articles that are published via the feed. Essentially you are forming a trust relationship with the feed. This vulnerability takes advantage of that trust relationship, inserting malicious code into something that you are "blindly" trusting. Now generally you are adding "trusted" or at least "partially trusted" sources. The problem is in the compromise of these sources... we're seeing more and more vulnerabilities pop up in WordPress, Blogger and other popular blogging software. Taking advantage of these vulnerabilities, an attacker could modify the RSS feed to provide the malicious code that would exploit the condition patched by MS07-048. While this vulnerability itself may not be critical, if only due to user base, it is a crystal ball into the future and into what we will be seeing. It's a scary thought: this isn't like clicking a link in Internet Explorer... this action has been pre-approved. I'm interested to see where this will lead us.
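
As an added illustration of the point above (not code from the original post or from Microsoft), the example below shows one way a feed reader can keep the trust placed in a subscription from extending to the markup inside it: every item field is rendered as inert text and only http/https links become clickable. The item shape, function names and sample items are assumptions constructed for the example.

```javascript
// Added example: render feed items as inert text.
// Item shape and function names are hypothetical, not from any real reader.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const MAX_TEXT = 200; // cap on characters taken from any single feed field

// Escape every character that can open markup or break out of an attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[ch]));
}

// Return a normalized absolute URL, or null when the scheme is not allowed.
// Parsing first means embedded tabs/newlines cannot disguise the scheme.
function safeLink(raw) {
  try {
    const url = new URL(String(raw).trim());
    return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
  } catch {
    return null; // relative or malformed link: render the title without one
  }
}

// Build the HTML for one item; feed-supplied markup is never passed through.
function renderItem(item) {
  const title = escapeHtml(String(item.title ?? "").slice(0, MAX_TEXT));
  const summary = escapeHtml(String(item.description ?? "").slice(0, MAX_TEXT));
  const href = safeLink(item.link ?? "");
  const heading = href
    ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${title}</a>`
    : title;
  return `<li>${heading}<p>${summary}</p></li>`;
}

function renderFeed(items) {
  return `<ul>${items.map(renderItem).join("")}</ul>`;
}

// Constructed sample: one ordinary item, one from a feed that was tampered with.
const sampleItems = [
  { title: "Patch Tuesday notes", link: "https://blog.example/post/1",
    description: "Nine bulletins this month." },
  { title: 'Update <img src="x" onerror="run()">', link: "javascript:run()",
    description: "<script>run()</script>" },
];
console.log(renderFeed(sampleItems));
```
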

MS07-049:

This affects both Virtual PC and Virtual Server. Let's focus on Virtual Server. More and more we're seeing ads regarding server virtualization. 20:1 and 50:1 consolidations are not unheard of. If this consolidation was performed with Virtual Server, the door is opened to big problems with this vulnerability. Virtualization is trusted and placed in mission critical situations... large marketing projects from the virtualization companies have seen to that. So you've taken all your mission critical machines... physical hardware, segmented by the fact that they each exist in their own box, and placed them into a single box, separated now by the virtualization software. A request comes in for a 'sandbox' environment for testing, you have room on your Virtual Server, so you throw a new virtual machine in place and provide it to the user. This user, or their software, is malicious... and you've given the user admin because you set them up on a "throw-away" VM. Suddenly this user, or the software, owns all the guests on the host, as well as the host itself, because of the vulnerability patched by MS07-049. Serious... yes. Dangerous... yes. Does it make us ask questions about the security of virtualization... without a doubt. This is a security scenario that many don't consider but really should, and we may see it pop up more and more in the future.

About

This page contains a single entry from the blog posted on August 14, 2007 2:01 PM.