Microsoft has issued patches for seven critical flaws in Excel, Windows Active Directory and the .Net Framework.
Those seven vulnerabilities cover the worst-hit applications. The July 10 Patch Tuesday saw a total of 11 vulnerabilities fixed in six security bulletins.
Analysts were warning about the critical .Net flaw ahead of the bulletin release, given the frameworks core role in supplying code to a vast array of Windows applications, such as in pre-coded user interfaces, data access components, database connectivity, cryptography, Web application development, algorithms and network communications modules.
Indeed, Web application security experts said, a critical .Net bug has the potential to affect pretty much all applications on all of Microsofts actively supported platforms.
As it turns out, the security patch for the critical .Net vulnerability resolves three privately reported vulnerabilities. Two of those flaws could allow remote code execution on client systems with .Net Framework installed, and one could allow information disclosure on Web servers running ASP.NET.
Dave Marcus, security research and communications manager at McAfee Avert Labs, said that the .Net bugs are easily exploitable, making them high-priority patches. “The vulnerabilities in the .Net Framework could be exploited through malicious Web sites,” he said in a statement. “Simply visiting such a Web site would result in malicious code being installed on the victims computer.”
The .Net vulnerabilities include a PE (Portable Executable) Loader flaw (CVE-2007-0041). The PE format is a format for executables, object code and DLLS thats used in 32-bit and 64-bit Windows operating systems. Its called “portable” because the format can be ported across all 32-bit and 64-bit Windows operating systems.
The format is a data structure that serves to encapsulate information needed by a Windows operating system loader to managed wrapped executable code, including dynamic library references for linking, API export and import tables, and more. PE is also the standard executable format in EFI (Extensible Firmware Interface) environments.
A remote attacker who manages to exploit the vulnerability in .Nets PE Loader could change the system with the permissions of a logged-on user. If a user is logged in with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
One mitigating factor for the .Net PE Loader flaw is that user interaction is required; a Web-based attacker has to host a site with a malicious page and lure a victim onto it in order to exploit the vulnerability.
Another mitigating factor can be limited user rights. Users running with restricted rights give attackers less ability to tamper with a system. Also, by default, supported versions of Outlook and Outlook Express open HTML e-mail in a restricted sites zone. That zone prevents Active Scripting and ActiveX controls from being used when reading HTML e-mail. But if a user clicks on a link within the e-mail, all bets are off; theyre still potentially vulnerable to a Web-based attack. Internet Explorer on Windows Server 2003 also runs in a restricted mode known as Enhanced Security Configuration. That mode sets the security level for the Internet zone to High.
The second .Net flaw is a null byte termination vulnerability (CVE-2007-0042) that can lead to information disclosure. A successful attacker could use the flaw to bypass the security features of an ASP.NET Web site, after which he or she could download the contents of any Web page. A mitigating factor in this case is that Web applications developed with ASP.NET that restrict all untrusted input variables, including null bytes, to a range of expected values or characters would not be affected.
Microsoft says that a workaround for this bug would be for developers to compare Internet accessible values such as query strings, cookies, or form variables against a list of allowed values and reject any other values that fall outside of this range.
Excel Flaws
The third critical vulnerability in .Net lies within the frameworks JIT (Just In Time) Compiler (CVE-2007-0043). This too is a remote code execution flaw wherein a successful attacker can take over a target system and then install programs; view, change or delete data; or create new accounts with full user rights. Again, users running with reduced rights could be less impacted than those running as administrators.
The mitigating factors for the JIT bug are the same as those for the PE Loader flaw. Microsoft has extensive workaround instructions—check the MS07-040 bulletin site to get them.
For its part, Excels suffering from three critical vulnerabilities addressed in a second security bulletin. All three are remotely exploitable and can set vulnerable systems up for getting walloped by a Trojan horse, said McAfees Marcus.
“Vulnerabilities in Office applications have been a favorite attack method among cybercrooks,” he said in a statement. “Trojan horse attacks often use rigged Office files that exploit vulnerabilities in the productivity applications.”
One of Excels flaws is a remotely exploitable calculation error vulnerability (CVE-2007-1756) that could let attackers send a malformed Excel file as an e-mail attachment or host a maliciously crafted Excel file on a compromised or malicious site.
The second and third Excel vulnerabilities, also remotely exploitable, are both Worksheet Memory Corruption flaws (CVE-2007-3029 and CVE-2007-3030). These flaws also entail malicious files being hosted on Web sites or sent via e-mail attachments. For mitigating factors and workarounds, see Microsofts Security Bulletin MS07-036.
Microsofts final critical security bulletin, MS07-039, covers a vulnerability in Windows Active Directory that could lead to system hijacking.
Active Directory, a Microsoft implementation of LDAP directory services, is used primarily in Windows environments. Its main purpose is central authentication and authorization services for Windows-based computers. Administrators also use it to assign policies, deploy software, and apply critical updates to entire organizations. Active Directory stores information and settings relating to an organization in a central, organized, accessible database. Active Directory networks can range in size from a few hundred objects on up to millions of objects.
“Active Directory is widely used as a directory service by businesses,” McAfees Marcus said. “One of the vulnerabilities addressed today could expose Windows 2000 users to worm-type attacks since it could be exploited over the Internet by an anonymous attacker.”
Microsoft says that DoS (denial of service) is the likeliest outcome of this vulnerability, but remote code execution is still possible. The possibility of system takeover is threatened by a flaw in the way that Active Directory validates an LDAP request. An attacker who successfully exploited the bug could take complete control of an affected system.
The DoS vulnerability in Active Directory is caused by the way AD validates a client-sent LDAP request. An attacker could exploit the vulnerability by sending a specially crafted LDAP request to a server running Active Directory. For mitigating factors and workarounds, check MS07-039.
In addition to its three critical security bulletins, Microsoft also put out two important security bulletins.
One of those important bulletins, MS07-037, concerns a vulnerability in Microsoft Office Publisher that could allow for system takeover. A successful exploit would involve a user viewing a specially crafted Office Publisher file.
The second important security bulletin, MS07-041, involves a vulnerability in IIS (Internet Information Services) 5.1 on Windows XP Professional SP2 that could allow for system takeover. An attacker would need to send maliciously crafted URL requests to a Web page hosted by IIS.
Finally, Microsoft put out a patch for a flaw it labeled moderate in Windows Vista Firewall. The flaw, which could allow incoming unsolicited network traffic to access a network interface, could give an attacker information about the affected host.
For instructions on getting the updates and versions affected, check the July 2007 bulletin summary page.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.