Inside MSRC: Debunking Excel exploits
Microsoft's Christopher Budd puts the magnifying glass to Microsoft's July bulletins and says one alleged Excel exploit isn't what it seems.
With seven bulletins, the July 2006 Microsoft monthly security bulletin release is smaller than last month's. In addition to being a smaller release, it is generally a simpler release from the standpoint of testing: This month's updates do not contain any non-security changes, like the Microsoft Exchange bulletin, MS06-029, or the Microsoft Internet Explorer bulletin, MS06-021, issued last month.
Overall, for this month you can best think of the updates as falling into three broad categories:
- Three updates for Microsoft Office system applications
- Two updates for networking components in Microsoft Windows
- Two updates for systems running Internet Information Services (IIS)
Change to a June update
However, before talking about the July release, I wanted to provide some follow-up information regarding an update released in June, MS06-025. After its initial release, some issues were identified by our product support service teams working with customers.
We found that some users who required the use of legacy dial-up connections that use a terminal window, dial-up scripting, or used scripts to change device configuration parameters were experiencing some issues. We updated the Microsoft Knowledge Base article associated with MS06-025, 911280, to let customers know about this issue and the circumstances in which they might encounter this issue. On June 27, we released an updated version of MS06-025 that addressed the issues that had been identified.
One question we have received from customers is whether they need to apply the updated version of MS06-025. First, it's important to note that the re-released update contains no new security changes. Customers who have applied MS06-025 and not experienced any of the outlined issues do not need to apply this updated version. Only customers who either applied MS06-025 and encountered the known issues or have not yet applied MS06-025 need to apply the updated version. In fact, if you are using Windows Server Update Services (WSUS) or the Microsoft Baseline Security Analyzer (MBSA), these will not offer the new version of MS06-025 to systems that already have MS06-025 installed.
Updates for Office
With that said, let's discuss this month's updates. MS06-037 is the one we encourage people to look at first. This update addresses an issue we discussed in Microsoft Security Advisory 912365, titled "Vulnerability in Excel Could Allow Remote Code Execution," which we released on June 21, 2006. Because the vulnerability addressed by MS06-037 was subject to limited attacks at the time of the release of the bulletin, we encourage customers to prioritize this security update aggressively.
MS06-038 addresses two vulnerabilities, one of which was also publicly disclosed and exploited on an even more limited basis.
Finally, unlike MS06-037 and MS06-038, none of the vulnerabilities addressed by MS06-039 were publicly disclosed or exploited at the time of bulletin release.
It's important to note that while these three Office updates are rated as critical for Office 2000 family products, they are rated as important for Office XP and Office 2003 family products. This is because Office XP and Office 2003 family products raise a security dialog box that an end-user must acknowledge before the Office file is opened, making any attempt to exploit this with malformed Office files more difficult.
Clarity on additional issues
Beyond reviewing the latest bulletins we are releasing for Office, I wanted to clarify a couple of recent items of interest that might cause some confusion this month.
First, on June 20, 2006, there was a public posting of a proof-of-concept PERL script that claimed to demonstrate a vulnerability in Excel's processing of long links. We started an investigation as soon as we learned of this and posted information on our weblog about the issue. We learned it's not an issue in Excel, but rather with a Windows component called hlink.dll. That issue is still under investigation at this time and none of this month's bulletins apply to that issue.
Also, a public posting by a security researcher about how Microsoft Excel handles embedded vulnerable ActiveX controls may have caused some confusion. The posting discussed how it's possible to embed a vulnerable ActiveX control in an Excel spreadsheet and use that as a method to exploit the vulnerability in the ActiveX control.
The important thing to understand is that there is no vulnerability in Excel in this instance: The posting actually details a way to exploit vulnerabilities in certain ActiveX controls, not in Excel. Excel honors the so-called "killbit" function that prevents ActiveX controls from loading. Any time we ship a security update for an ActiveX Control, we set that "killbit" to prevent the old, vulnerable control from being usable. You can read more about killbits in Microsoft Knowledge Base article 240797.
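For administrators who want to confirm that a particular control is in fact blocked, the following PowerShell function is an added example (not code from the article or from Microsoft) that reads the killbit for a given CLSID. It assumes the registry location and flag value documented in Knowledge Base article 240797: the `Compatibility Flags` DWORD under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`, where bit 0x400 is the killbit. The CLSID in the usage call is a constructed placeholder, not a real control.

```powershell
# Added example: report whether the ActiveX "killbit" is set for a CLSID.
# Assumes the registry layout described in KB 240797 (not code from the article).
function Get-KillBitStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Clsid
    )

    # KB 240797: bit 0x400 of "Compatibility Flags" is the killbit.
    $killBitFlag = 0x400

    # On 64-bit Windows, 32-bit controls are recorded under Wow6432Node as well,
    # so both hives are checked and one result is returned per location.
    $basePaths = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )

    foreach ($basePath in $basePaths) {
        $keyPath = Join-Path -Path $basePath -ChildPath $Clsid
        $flags = 0
        $keyExists = Test-Path -LiteralPath $keyPath

        if ($keyExists) {
            $item = Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue
            if ($null -ne $item -and $null -ne $item.'Compatibility Flags') {
                # DWORD values come back as Int32; -band works on them directly.
                $flags = [int]$item.'Compatibility Flags'
            }
        }

        [pscustomobject]@{
            Clsid              = $Clsid
            RegistryPath       = $keyPath
            KeyExists          = $keyExists
            CompatibilityFlags = ('0x{0:X8}' -f $flags)
            KillBitSet         = (($flags -band $killBitFlag) -ne 0)
        }
    }
}

# Usage: the CLSID below is a constructed placeholder, not a real control.
Get-KillBitStatus -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

A control with `KillBitSet` reported as `True` in the relevant location will not be instantiated by Internet Explorer or by Office applications that honor the killbit, regardless of the document that embeds it; a missing key or a flags value without bit 0x400 means the control is still loadable and should be checked against the security updates that apply to it.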
Windows networking, IIS updates
Next, to help with your risk assessment process, let's discuss some details about the scope of the vulnerability addressed by MS06-036. This update is rated critical and addresses a vulnerability in the DHCP client. The vulnerability is exposed when the DHCP client has sent out a DHCP request and is waiting for a response from a DHCP server. This means that attempting to exploit the vulnerability requires very precise timing and the ability to generate DHCP server packets. Also, since most networks do not forward DHCP packets across subnets, attempts to exploit the vulnerability would be contained within the local subnet.
Speaking of networking, you'll want to note that the two vulnerabilities addressed in MS06-035 are related to how the server service handles Server Message Block (SMB) packets. This means that blocking Port 445 and Port 139 at your network perimeter will block attempts to exploit these vulnerabilities. This is a best practice we strongly recommend; if you don't currently block these ports, you should consider implementing that practice in addition to deploying these security updates.
MS06-034 is rated important and is the more serious of the two bulletins that apply to systems running IIS. One thing to note with this update is that it is a vulnerability that occurs when Active Server Pages (ASP) are processed. This means that any attempt to exploit the vulnerability would require placing a specially formed ASP page on the system to be processed. Any restrictions on the ability to place ASP pages on your IIS system work against attempts to exploit this vulnerability, so you can factor them into your risk assessment for this issue.
Legacy OS support ends
In closing, I would like to note that with the July Microsoft monthly security bulletin release our public support for security updates for Windows 98, Windows 98 Second Edition and Windows Millennium Edition stops. We provided additional support for critical security updates for these versions through Windows Update to allow customers additional time to migrate off them. With this expiration, we will no longer offer security updates for these versions of Windows. We encourage anyone who is still using these versions to upgrade to a version of Windows that we are still publicly supporting for security updates. Microsoft offers more information on its product support policies at the Microsoft Support Lifecycle Web site.
Also, on Wednesday, July 12, 2006, at 2:00 p.m. EDT, we'll host our live webcast, where we will talk about this month's release and answer your questions. We hope you'll join us.
Finally, mark your calendar for Tuesday, Aug. 8, 2006, for our August Microsoft monthly security bulletin release.