The Microsoft Security Response Center Blog

Working to help protect customers from vulnerabilities in Microsoft software
Updated: 15 years 43 weeks ago

SQL Injection Attacks Exploiting Unverified User Data Input

Tue, 06/24/2008 - 18:35

Hey, Andrew Cushman here.

 

Today I’m pleased to announce the coordinated release of three security tools in Security Advisory 954462 to help customers deal with SQL injection attacks:

 

· UrlScan version 3.0 Beta, a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests.

· Microsoft Source Code Analyzer for SQL Injection Community Technology Preview (June 2008), a tool that can be used to detect ASP code susceptible to SQL injection attacks.

· Scrawlr, a free scanner, developed by HP Web Security Research Group in conjunction with Microsoft, which will allow customers to identify whether their Web sites might be susceptible to SQL injection.

 

Back in the day, I participated in the first release of URLScan as a member of the IIS team. Things are a bit different now than they were back then. Nowadays people applaud IIS’ excellent security track record and point to it as a “poster child” of the SDL (Security Development Lifecycle).

 

Some things are unchanged though. Microsoft teams and partners remain committed to delivering tools and solutions to make it easier for Administrators to protect themselves from mis-configuration and application coding errors. URLScan v3.0 beta, Microsoft Code Analyzer for SQL Injection and HP Scrawlr continue the tradition of development collaboration. These tools, and the quick turnaround by the teams, demonstrate to me the dedication to a more secure computing experience by the SQL Server and IIS teams and our friends at Hewlett-Packard.

 

Special thanks go to Wade Hilmo on the IIS team and Bala Neerumalla on the SQL team.

Wade is the original and sole developer of URLScan. Another great job! Bala is the driving force behind the SQL tool and is responsible for the idea and the realization of it. 

Thanks guys!

 

Microsoft has posted a number of new related blog posts. In addition to the SQL and IIS blogs mentioned above, I encourage you to check out the SVRD blog and the SDL blog from my colleagues down the hall.

 

 

Thanks!

Andrew

Director, MSRC

 

*This posting is provided "AS IS" with no warranties, and confers no rights.*

MS08-030 Re-released for Windows XP SP2 and SP3

Thu, 06/19/2008 - 15:37

Hello, this is Christopher Budd.


I wanted to let folks know that we’ve just re-released MS08-030. This is to let you know there’s a new version of this security update available for Windows XP SP2 and SP3 customers and to encourage them to deploy these new updates. There are no new updates for the other versions of Windows discussed in the bulletin.

 

After we released MS08-030 we learned that the security updates for Windows XP SP2 and SP3 might not have been fully protecting against the issues discussed in that bulletin. As soon as we learned of that possibility, we mobilized our Software Security Incident Response Process (SSIRP) to investigate the issue.

 

Our investigation found that while the other security updates were providing protections for the issues discussed in the bulletin, the Windows XP SP2 and SP3 updates were not.

 

Our engineering teams immediately set to work to address the issue and release new versions of the security updates for Windows XP SP2 and SP3. These are available now and are being delivered through the same detection and deployment tools as the original update.

 

If you’re running Windows XP SP2 or SP3, you should go ahead and test and deploy these new security updates. If you’ve deployed security updates for MS08-030 for other versions of Windows, you don’t need to take any action for those systems.

 

Our focus has been on delivering new versions of these updates to protect customers as quickly as possible. Now that that’s done, as part of our standard process, we’re beginning an investigation into how this happened. We’re just starting this investigation, but early on, it appears that there may have been two separate human issues involved. When we’re done with our investigation, we’ll take steps to better prevent it in the future.

 

Thanks.

 

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Microsoft Security Advisory 954474 Updated

Tue, 06/17/2008 - 17:17

Hello,

This is Christopher Budd again. I wanted to let you know we’ve just updated Microsoft Security Advisory 954474 to let you know we’ve released an update that affected customers can apply to their System Center Configuration Manager (ConfigMgr) 2007 servers to resolve the issue we discussed in our posting on Friday June 13.

There are more details in the advisory, but we recommend any ConfigMgr 2007 customers with System Management Server (SMS) 2003 clients go ahead and review the KB and plan to deploy the update.

Thanks

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Security Advisory 954474: Deployment Issue affecting System Center Configuration Manager 2007 servers with SMS 2003 clients

Sat, 06/14/2008 - 01:34

Hello,

This is Christopher Budd. I’m back here on the MSRC weblog after spending some time learning the Privacy side of our business (and getting my CIPP certification).

I’m here to let you know that we’ve just posted Microsoft Security Advisory 954474.

This advisory is to let customers know that we’re aware of an issue that is affecting the deployment of the June 2008 security updates. This issue only affects customers using System Center Configuration Manager (ConfigMgr) 2007; none of our other detection or deployment technologies are affected. Also, the issue only affects the deployment of security updates to System Management Server (SMS) 2003 clients of ConfigMgr 2007 servers. This means that to be affected by this issue, you must be running a mixed ConfigMgr 2007 and SMS 2003 environment. If you are not running this specific configuration, this issue does not affect you.

The impact of this issue is that customers in this configuration cannot deploy the June 2008 security updates to their SMS 2003 clients using the Inventory Tool for Microsoft Updates (ITMU). 

Our security response process focuses not just on releasing security updates but also on monitoring and making sure customers can deploy them. Because of this, in response to this issue, we’ve activated our Software Security Incident Response Process (SSIRP) and our engineering teams are working to develop a solution for this issue. We’ll update the MSRC weblog and the advisory with more information as we have it.

In the meantime, customers can use the Software Distribution within ConfigMgr 2007 to deploy the June security updates as indicated in the security advisory.

Thanks,

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights.*

June 2008 Monthly Release

Tue, 06/10/2008 - 16:50

Hello! This is Tami Gallupe (MSRC Release Manager) and I want to let you know that we just posted our June 2008 Bulletins. We released seven bulletins today, which include three bulletins with severity rating of Critical, three bulletins with severity rating of Important and one with the severity rating of Moderate.


Here is a summary of what we released:

 

MS08-030: Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (951376)

- Rating: Critical
- Impact of Vulnerability: Remote Code Execution

MS08-031: Cumulative Security Update for Internet Explorer (950759)

- Rating: Critical
- Impact of Vulnerability: Remote Code Execution

MS08-032: Cumulative Security Update of ActiveX Kill Bits (950760)

- Rating: Moderate
- Impact of Vulnerability: Remote Code Execution

MS08-033: Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)

- Rating: Critical
- Impact of Vulnerability: Remote Code Execution

MS08-034: Vulnerability in WINS Could Allow Elevation of Privilege (948745)

- Rating: Important
- Impact of Vulnerability: Elevation of Privilege

MS08-035: Vulnerability in Active Directory Could Allow Denial of Service (953235)

- Rating: Important
- Impact of Vulnerability: Denial of Service

MS08-036: Vulnerabilities in Pragmatic General Multicast (PGM) Could Allow Denial of Service (950762)

- Rating: Important
- Impact of Vulnerability: Denial of Service

 

We also re-released MS06-078 and MS07-068 with detection-only changes.

 

Delving "under the hood" this month, our Security Vulnerability Research & Defense blog this month discusses MS08-036, MS08-033, and MS08-030. You can read about these and more at http://blogs.technet.com/swi/.

 

While we're talking about updates and blogs, I’ll also mention that we’ve provided new Knowledge Base (KB) articles that document installation procedures for any possible future SQL Server security updates for Microsoft SQL Server 7, Microsoft SQL 2000 or Microsoft SQL Server 2005. In particular, there are steps that SQL Server 2000 and SQL Server 2005 administrators can take in advance that could help expedite deployment of any possible future security updates. We encourage all SQL administrators to review all these (KB) articles and consider following the steps now to better prepare for any future SQL Server updates that may be released in the future. Additional information can be found by clicking the below links.

 

· SQL Server 2000 and MSDE 2000 installers stop dependent services

· SQL Server 2005 installers stop dependent services

· SQL Server 2000 installers will not update disabled SQL Server instances

· SQL Server 2005 installers do not update an instance of the SQL Server service that is in a disabled state

· Supported method for applying updates to SQL Server 7.0

 

As usual, I also want to remind you that our monthly webcast starts tomorrow (Wednesday, June 10th) at 11:00 AM PST. This is a favorite event as it gives us a chance to take questions and answer them live, on the air tomorrow. Click here to Register now for the June Security Bulletin Webcast. We look forward to hearing from you tomorrow.

 

Cheers!

  Tami

 

*This posting is provided "AS IS" with no warranties, and confers no rights.*

June 2008 Advance Notification

Thu, 06/05/2008 - 16:40

Hello, Bill here.

I wanted to let you know that we just posted our Advance Notification for next week’s bulletin release which will occur on Tuesday, June 10, 2008 around 10 a.m. Pacific Standard Time.

It is important to remember that while the information posted below is intended to help with your planning, because it is preliminary information, it is subject to change.

As part of our regularly scheduled bulletin release, we’re currently planning to release:

 

· Three Microsoft Security Bulletins rated Critical, three Important, and one Moderate. These updates may require a restart and will be detectable using the newly released version of the Microsoft Baseline Security Analyzer.

 

As we do each month, the Microsoft Windows Malicious Software Removal Tool will be updated.

 

Finally, we are planning to release high-priority, non-security updates on Windows Update and Windows Server Update Services (WSUS) as well as high-priority, non-security updates on Microsoft Update and Windows Server Update Services (WSUS). For additional information, please see the Other Information section of the Advanced Notification.

 

As always, we’ll be holding the June edition of the monthly security bulletin webcast on Wednesday, June 11, 2008 at 11 a.m., Pacific Standard Time.  We will review this month’s release and take your questions live on-air with answers from our panel of experts. As a friendly reminder, if you can’t make the live webcast, you can listen to it on-demand as well.

 

You can register for the webcast here:

 

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032357225&Culture=en-US

 

Thanks,

 

Bill Sisk

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Security Advisory 953818 Posted

Fri, 05/30/2008 - 22:56

Hi,

This is Tim Rains.

Very quickly, I wanted to let you know that we’ve just posted Microsoft Security Advisory 953818. This security advisory talks about new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari web browser for Windows has been installed. Safari is not installed with Windows XP or Windows Vista by default: it must be installed independently or through the Apple Software Update application.

If you run Safari on the affected platforms, we encourage you to review this advisory.

We’ve activated our Software Security Incident Response Process (SSIRP) and are working with our colleagues at Apple to investigate the issue. We have identified steps customers can take to protect themselves in the workaround section of the advisory.

We are currently not aware of any attacks and are monitoring the issue and are working with our MSRA partners to help protect customers. We will update the advisory and this blog as new information becomes available.

Tim

*This posting is provided "AS IS" with no warranties, and confers no rights.*

May 2008 Monthly Release

Tue, 05/13/2008 - 16:20

This is Tami Gallupe, MSRC Release Manager, and I want to let you know that we just posted our May 2008 Bulletins. We released four bulletins today, which include three bulletins with severity rating of critical and one with the severity rating of moderate. We also re-released MS06-069 to add XP SP3 as an affected version.

 

Here is a summary of what we released:

 

MS08-026  Vulnerabilities in Microsoft Word Could Allow Remote Code Execution

MS08-027  Vulnerability in Microsoft Publisher Could Allow Remote Code Execution

MS08-028  Vulnerability in Microsoft Jet Database Engine Could Allow Remote Code Execution

MS08-029 Vulnerabilities in Microsoft Malware Protection Engine Could Allow Denial of Service

 

I think it is also worth noting that MS08-026 includes additional security mitigations against attacks as identified in Microsoft Security Advisory 950627. We recommend that customers install the updates provided in both MS08-026 and MS08-028 for the most up to date protection against these types of attacks.  

 

Our Security Vulnerability Research & Defense blog this month discusses MS08-026.  You can find a post discussing built-in functionality to turn off the vulnerable parsing code for one of the fixed vulnerabilities at http://blogs.technet.com/swi/archive/2008/05/13/file-block-and-ms08-026.aspx

 

I want to invite you to join us for the monthly webcast that starts tomorrow (Wednesday, May 14th) at 11:00 AM PST.  We’ll be discussing today’s release and answering your questions on the air. Click here to register for the May Security Bulletin Webcast.  We look forward to hearing from you tomorrow.

 

Thanks!

   Tami

 

*This posting is provided "AS IS" with no warranties, and confers no rights.*

 

May 2008 Advance Notification

Thu, 05/08/2008 - 16:51

Hello, Bill here.

I wanted to let you know that we just posted our Advance Notification for next week’s bulletin release which will occur on Tuesday, May 13, 2008 around 10 a.m. Pacific Standard Time.

It is important to remember that while the information posted below is intended to help with your planning, because it is preliminary information, it is subject to change.

As part of our regularly scheduled bulletin release, we’re currently planning to release:

 

· Three Microsoft Security Bulletins rated Critical and one that is rated as Moderate. These updates may require a restart and will be detectable using the newly released version of the Microsoft Baseline Security Analyzer.

 

As we do each month, the Microsoft Windows Malicious Software Removal Tool will be updated.

 

Finally, we are planning to release high-priority, non-security updates on Windows Update and Windows Server Update Services (WSUS) as well as high-priority, non-security updates on Microsoft Update and Windows Server Update Services (WSUS). For additional information, please see the Other Information section of the Advanced Notification.

 

As always, we’ll be holding the May edition of the monthly security bulletin webcast on Wednesday, May 14, 2008 at 11 a.m., Pacific Standard Time.  We will review this month’s release and take your questions live on-air with answers from our panel of experts. As a friendly reminder, if you can’t make the live webcast, you can listen to it on-demand as well.

 

You can register for the webcast here:

 

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032357221&Culture=en-US

 

Thanks,

 

Bill Sisk

 

Questions about Web Server Attacks

Sat, 04/26/2008 - 04:44

Hi there, this is Bill Sisk.

There have been conflicting public reports describing a recent rash of web server attacks. I want to bring some clarification about the reports and point you to the IIS blog for additional information.

To begin with, our investigation has shown that there are no new or unknown vulnerabilities being exploited. This wave is not a result of a vulnerability in Internet Information Services or Microsoft SQL Server. We have also determined that these attacks are in no way related to Microsoft Security Advisory (951306). 

The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies. SQL injection attacks enable malicious users to execute commands in an application's database. To protect against SQL injection attacks the developer of the Web site or application must use industry best practices outlined here. Our counterparts over on the IIS blog have written a post with a wealth of information on steps that web developers and IT Professionals can take to minimize their exposure to these types of attacks by minimizing the attack surface area in their code and server configurations. Additional information can be found here: http://blogs.iis.net/bills/archive/2008/04/25/sql-injection-attacks-on-iis-web-servers.aspx

I hope this helps to answer any questions.

Bill

*This posting is provided "AS IS" with no warranties, and confers no rights.*

MSRC Blog: Microsoft Security Advisory 951306

Fri, 04/18/2008 - 01:38

Hello, Bill here,

I wanted to let you know that we have just posted Microsoft Security Advisory (951306).

This advisory contains information regarding a new public report of a vulnerability within Microsoft Windows which allows for privilege escalation from authenticated user to LocalSystem. Our investigation has shown that this vulnerability affects Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

At this time, we are not aware of attacks attempting to use the reported vulnerability, but we will continue to track this issue.  The advisory contains several workarounds that customers can use to help protect themselves. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release.

We will continue to monitor the situation and post updates to the advisory and the MSRC Blog as we become aware of any important new information.

In the meantime, we encourage customers to review the advisory and implement the workarounds.

Bill Sisk

*This posting is provided "AS IS" with no warranties, and confers no rights.*

April 2008 Monthly Release

Tue, 04/08/2008 - 16:47

April 2008 Monthly Bulletin Release

I'm Simon, Release Manager in the MSRC.  The April 2008 release contains 8 new bulletins, 5 of which have maximum severities of "Critical".

MS08-018: Vulnerability in Microsoft Project Could Allow Remote Code Execution (950183)

MS08-019: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (949032)

MS08-020: Vulnerability in DNS Client Could Allow Spoofing (945553)

MS08-021: Vulnerabilities in GDI Could Allow Remote Code Execution (948590)

MS08-022: Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338)

MS08-023: Security Update of ActiveX Kill Bits (948881)

MS08-024: Cumulative Security Update for Internet Explorer (947864)

MS08-025: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (941693)

 

I’d also like to tell you about an improvement we’re introducing to the bulletins this month.

Back in December, you might have noticed a change in the IE bulletins.  We had been looking at moving the File Specifications lists out of the bulletins and into their associated bulletin Knowledge Base (KB) article.  We decided to pilot this with the IE bulletin because it has typically the largest file manifest.  We’ve successfully piloted this with two IE releases, and now it’s time to roll this change out to the rest of our bulletins.

By moving the file manifest out of the bulletins and into the KBs, this significantly reduces the size of the bulletins which will improve the rendering time when you open a bulletin.  Also, the KB tends to be more of a repository of specific package deployment details, and as such, the file manifests are better located there in order to serve those looking for reference-level material on the bulletins.  For bulletins which contain multiple distinct package KBs (such as Office), each KB will contain only the file manifest that directly relates to the associated package.

We hope that you find this improves both rendering performance and readability.

Please join us for the regular monthly security bulletin webcast, Wednesday April 9 11:00 AM PDT (GMT -7). We'll have an overview of the April bulletins, and you'll have the opportunity to ask us questions around the release.

Cheers,

Simon

*This posting is provided "AS IS" with no warranties, and confers no rights.*

April 2008 Advance Notification

Thu, 04/03/2008 - 16:57

Hello, Bill here.

I wanted to let you know that we just posted our Advance Notification for next week’s bulletin release which will occur on Tuesday, April 8, 2008 around 10 a.m. Pacific Standard Time.

It is important to remember that while the information posted below is intended to help with your planning, because it is preliminary information, it is subject to change.

As part of our regularly scheduled bulletin release, we’re currently planning to release:

 

· Five Microsoft Security Bulletins rated Critical and three that are rated as Important. These updates may require a restart and will be detectable using the Microsoft Baseline Security Analyzer.

 

As we do each month, the Microsoft Windows Malicious Software Removal Tool will be updated.

 

Finally, we are planning to release five high-priority, non-security updates on Windows Update and Windows Server Update Services (WSUS) as well as three high-priority, non-security updates on Microsoft Update and Windows Server Update Services (WSUS).

 

As always, we’ll be holding the April edition of the monthly security bulletin webcast on Wednesday, April 9, 2008 at 11 a.m., Pacific Standard Time.  We will review this month’s release and take your questions live on-air with answers from our panel of experts. As a friendly reminder, if you can’t make the live webcast, you can listen to it on-demand as well.

 

You can register for the webcast here:

 

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032357219&Culture=en-US

 

Thanks,

 

Bill Sisk

 

*This posting is provided "AS IS" with no warranties, and confers no rights.*

UPDATE: MSRC Blog: Microsoft Security Advisory (950627)

Mon, 03/24/2008 - 23:27

Hi there,


This is Mike of the MSRC,

 

The case of the MDB attack vector

 

The MSRC on Friday afternoon posted an advisory about limited, targeted attacks using JET database files, commonly referenced as file type MDB.  Many of you probably remember that MDB files are on the unsafe file type list (http://support.microsoft.com/kb/925330), and are blocked from being opened by Outlook, are commonly removed from incoming email by Exchange, and trigger scary prompts similar to EXEs when clicked on with IE.  So why the hubbub?

 

First – let me describe the attacks we’ve seen:

We have seen two malicious JET database files sent in by anti-virus companies. These files make it clear that some attackers have figured out a way to work around the mitigations built into Outlook.

 

These new attacks, discussed in Friday’s security advisory, use the exact same vulnerability as was posted in a November 2007 full-disclosure posting by cocoruder.  In fact, very little was changed about the file compared to cocoruder’s POC file which launched calc.exe.  It uses the same column number overflow.  Even as far back as March 2005, HexView posted a similar vulnerability in msjet40.dll column handling.  You’ll notice that both the HexView and the cocoruder posting mention that they first submitted their samples to the MSRC, but the MSRC replied back that they would not address the issues via a security bulletin because any attempt to attack customers using these issues was heavily mitigated by the blocking mentioned earlier in this post.

 

So how is this new JET database file attack different than the previous JET database file issues? 

Everything changed with the discovery of this new attack vector that allowed an attacker to load an MDB file via opening a Microsoft Word document.  The previous guidance does not work against this new attack.  The attack sequence is not the dangerous multi-step process of requiring a customer to first change their Outlook and Exchange settings from the secure default of blocking MDB files and then opening the MDB file.  Instead, it could occur by having a customer save two DOC files to the hard drive and opening one of them.  So that’s why we alerted customers to these attacks and are re-investigating JET parsing flaws – this is a new attack vector discovered that we didn’t know about previously.

 

So now what are we going to do about JET database files?  

Well, a lot of this is still under investigation as part of the SSIRP process.  We’re investigating if we can ship a security update that prevents Word documents from loading MDB files without prompting.  This would block this new vector and would be a great solution if we can find a way to make it work without affecting custom applications.  Also, we already have a new version of msjet40.dll that fixes the known attacks.  In fact, we have already shipped it in Windows Server 2003 SP2, Windows Vista, and it is included in beta versions of Windows XP SP3. We’re investigating what it would take to release those fixes as part of the security update as a defense-in-depth change. 

 

Even after we determine a fix plan for these issues, JET database files (filetype MDB) will remain on the unsafe filetype list because they can run code by design. MDB files opened by Access can run arbitrary VBA script code specified in the MDB file – that’s why they’re marked as unsafe and blocked by Outlook, Exchange, etc. So even if we tried to, we could not secure this file format – it will always present attackers an opportunity to run code. We currently do not plan to turn off the VBA functionality present as part of opening an MDB file as many customers use that feature in their applications and wouldn’t apply the security update anyway. So we will continue to recommend that you never, ever open MDB files received unexpectedly.

 

So what should customers do in the meantime? 

Well, first, I recommend you read the security advisory. There’s some solid guidance in there, for example, enterprise administrators can block JET files, even those renamed from MDB, at the gateway.  We’ve even shared samples with folks in the MSRA. For end-users, we will continue to recommend that you never, ever open attachments received unexpectedly.  Finally, I’d recommend that you continue to monitor this blog and the MSRC blog as we’ll update you on the results of our investigation through each of those.

 

Mike Reavey

 

*This posting is provided "AS IS" with no warranties, and confers no rights.*
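
The gateway guidance in the post above (block JET files, even those renamed from MDB) only works if the file is identified by its content rather than its name. The following is an added example, not code from the original post or the advisory: it checks attachments against the commonly documented Jet header signature, and the function names, extension list and sample attachments are constructed for illustration.

```python
"""Content-based detection of Jet database files at a mail or web gateway.

Added illustration. The header signature below is the commonly documented
Jet file magic; it is an assumption of this example and is not stated in
the advisory or the blog post.
"""
from dataclasses import dataclass
from pathlib import PurePath

# Jet 3.x/4.x database files begin with 00 01 00 00 followed by this string.
JET_HEADER = b"\x00\x01\x00\x00" + b"Standard Jet DB\x00"

# Extensions conventionally used for Jet databases (assumed list).
JET_EXTENSIONS = {".mdb", ".mde", ".mda"}


@dataclass(frozen=True)
class Verdict:
    filename: str
    is_jet: bool     # content carries the Jet header
    disguised: bool  # Jet content under a non-database extension
    action: str      # "block" or "allow"


def is_jet_database(data: bytes) -> bool:
    """True when the leading bytes match the Jet database header.

    Slicing keeps this safe for empty or truncated input.
    """
    return data[: len(JET_HEADER)] == JET_HEADER


def classify_attachment(filename: str, data: bytes) -> Verdict:
    """Decide on one attachment using both its name and its content."""
    ext = PurePath(filename).suffix.lower()
    named_as_db = ext in JET_EXTENSIONS
    jet = is_jet_database(data)
    # Block on either signal: the name alone (existing unsafe-type policy)
    # or the content alone (catches renamed files).
    action = "block" if (jet or named_as_db) else "allow"
    return Verdict(filename, jet, jet and not named_as_db, action)


def scan(attachments):
    """Classify an iterable of (filename, bytes) pairs."""
    return [classify_attachment(name, data) for name, data in attachments]


# Constructed sample attachments (headers only, no real documents).
OLE_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Office container
SAMPLES = [
    ("report.doc", OLE_HEADER + b"\x00" * 32),   # ordinary document
    ("data.mdb", JET_HEADER + b"\x00" * 32),     # database, honest name
    ("summary.doc", JET_HEADER + b"\x00" * 32),  # database renamed to .doc
    ("notes.txt", b"Sta"),                       # truncated, harmless
    ("empty.mdb", b""),                          # blocked by name only
]

if __name__ == "__main__":
    for v in scan(SAMPLES):
        flag = " (renamed Jet file)" if v.disguised else ""
        print(f"{v.action:5} {v.filename}{flag}")
```
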

MSRC Blog: Microsoft Security Advisory (950627)

Fri, 03/21/2008 - 23:50

Hello, Bill here,

 

I wanted to let you know that we have just posted Microsoft Security Advisory (950627).

 

This advisory contains information about a very limited, targeted attack exploiting a vulnerability in Microsoft Jet Database Engine. Our initial investigation has shown that this vulnerability affects customers using Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007 and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1.

 

Customers running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not vulnerable to the buffer overrun being attacked, as they include a version of the Microsoft Jet Database Engine that is not vulnerable to this issue.

 

We’ve activated our Software Security Incident Response Process (SSIRP) to investigate the vulnerability and have identified steps customers can take to protect themselves in the workaround section. As part of our SSIRP process, we currently have teams working to develop an update of appropriate quality for release in our regularly scheduled bulletin process or as an out-of-band update, depending on customer impact. In the meantime, we encourage customers to review the advisory and implement the workarounds.

 

While the attack appears to be targeted, and not widespread, we are monitoring the issue and are working with our MSRA partners to help protect customers. We will update the Advisory and this blog as new information becomes available.

 

Bill Sisk

 

*This posting is provided "AS IS" with no warranties, and confers no rights.*

 

Update: March 2008 Monthly Release

Fri, 03/14/2008 - 05:55

Bill here.

 

I wanted to let you know that we have updated bulletin MS08-014 to provide additional information on a newly identified issue that causes Microsoft Excel 2003 calculations to return an incorrect result when a Real Time Data source is used.  The issue affects a specific scenario and may not affect you. Please see the bulletin for additional details.

 

Our teams are testing a fix and will release it once it meets our quality bar for broad distribution.

 

Cheers,

 

Bill Sisk

 

*This posting is provided "AS IS" with no warranties, and confers no rights.*

March 2008 Monthly Release

Tue, 03/11/2008 - 16:14

Wow! It is already the 2nd Tuesday of the month, and with it comes the announcement of some new bulletins! This is Tami Gallupe, MSRC Release Manager, and I just wanted to let you know that we just posted our March 2008 Bulletins. We released four bulletins today, all are for Office and all have a maximum severity rating of Critical. Here is a quick list of what we released:

 

MS08-014: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution. Note that this Excel bulletin addresses the issue highlighted in Microsoft Security Advisory (947563).

MS08-015: Vulnerability in Microsoft Outlook Could Allow Remote Code Execution

MS08-016: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

MS08-017: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution

 

Our team also plans to post some additional in-depth technical information about today’s release on the Security Vulnerability Research & Defense blog. It will be available this afternoon, and I think it will be worthwhile to stop by and check it out.

 

As always, the webcast is one of my favorite events, and I want to make sure you are aware that it starts tomorrow at 11:00 AM PST.  We’ll be talking about today’s release and answering your questions on the air. Click here to register. We look forward to hearing from you tomorrow.

 

Thanks!

   Tami

 

*This posting is provided "AS IS" with no warranties, and confers no rights.*

March 2008 Advance Notification

Thu, 03/06/2008 - 16:48

Hello, Bill here.

I wanted to let you know that we just posted our Advance Notification for next week’s bulletin release which will occur on Tuesday, March 11, 2008 around 10 a.m. Pacific Standard Time.

It is important to remember that while the information posted below is intended to help with your planning, because it is preliminary information, it is subject to change.

As part of our regularly scheduled bulletin release, we’re currently planning to release:

 

· Four Microsoft Security Bulletins rated Critical. These updates may require a restart and will be detectable using the Microsoft Baseline Security Analyzer.

 

As we do each month, the Microsoft Windows Malicious Software Removal Tool will be updated.

 

Finally, we are planning to release three high-priority, non-security updates on Windows Update and Windows Server Update Services (WSUS) as well as two high-priority, non-security updates on Microsoft Update and Windows Server Update Services (WSUS).

 

As always, we’ll be holding the March edition of the monthly security bulletin webcast on Wednesday, March 12, 2008 at 11 a.m., Pacific Standard Time.  We will review this month’s release and take your questions live on-air with answers from our panel of experts. As a friendly reminder, if you can’t make the live webcast, you can listen to it on-demand as well.

 

You can register for the webcast here:

 

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032357217&Culture=en-US

Thanks,

 

Bill Sisk

*This posting is provided "AS IS" with no warranties, and confers no rights.*