Inside MSRC: Public vulnerability disclosures on the rise

Since the September 2006 Inside MSRC column, we've seen increased activity around irresponsibly, publicly disclosed vulnerabilities. At the end of September, we released MS06-055 as an out-of-band release to help protect customers against attempts to exploit a vulnerability in Vector Markup Language (VML). We also released four Microsoft security advisories with information about steps customers could take to protect themselves against irresponsible publicly disclosed vulnerabilities.

About this column: As part of a special partnership with SearchSecurity.com, Christopher Budd, security program manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates.

Lifecycle: Windows XP SP1
Before discussing the October 2006 release or the activity we saw after the September 2006 release, I want to call your attention to the Microsoft Support Lifecycle (MSL) deadline for Windows XP Service Pack 1 (SP1) this month.

As I mentioned at the start of the September 2006 column, the October 2006 monthly bulletin marks the last release for Windows XP SP1. This means that the updates we've provided this month are the last ones we will be providing for Windows XP SP1 through our standard monthly security release process.

We go to great lengths to provide clear deadlines and advanced warning about MSL deadlines through our MSL Web site at http://www.microsoft.com/lifecycle. It's our hope that by doing so we're able to help you plan your upgrade cycles effectively, so most -- if not all -- of you are now on Windows XP SP2. However, if you are still on Windows XP SP1, we strongly urge that you move immediately to the publicly supported service pack for Windows XP, which is SP2.

MS06-055
On Sept. 19, 2006, we became aware of new public reports of a vulnerability in the Microsoft Windows implementation of the Vector Markup Language. At that time, we were also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. We invoked our Software Security Incident Response Process (SSIRP) and released Microsoft Security Advisory 925568, which provided information on the issue and steps customers could take to protect themselves. At that time we also announced that we were working on a security update for the issue slated for release as part of the October 2006 monthly security bulletin release.

After releasing the security advisory, we continued to monitor the situation and became aware of a public attack utilizing the vulnerability. While our monitoring of attack data continued to indicate that the attacks and customer impact were limited, because testing of the update was completed earlier than anticipated, we released an out-of-cycle update one week later on Sept. 26, 2006, as Microsoft security bulletin MS06-055.

To help address customer questions and concerns, we held a special edition of our security bulletin webcast on Sept. 27, 2006. If you did not catch the webcast when it was aired, you can listen to it on demand at the link above.

We strongly encourage customers to deploy MS06-055 as soon as possible. Note: If customers have deployed the workaround titled "Modify the Access Control List on Vgx.dll to be more restrictive" from the security advisory, the security updates provided with MS06-055 may not install correctly. Customers who have deployed that workaround should see the "Workarounds for VML Buffer Overrun Vulnerability – CVE-2006-4868" section of MS06-055 for instructions on how to revert this workaround before applying the security update.

MS06-058 and MS06-060
In September we released two security advisories related to limited "zero-day" attacks against Microsoft Office. Security advisory 925984 discussed limited attacks against Microsoft PowerPoint, and security advisory 925059 discussed limited attacks against Microsoft Word 2000.

In the October 2006 release, we are releasing security updates that address both of these issues.

MS06-060 addresses the vulnerability discussed in security advisory 925059, and MS06-058 addresses the vulnerability discussed in Microsoft Office Security Advisory 925984.

Although the attacks in both cases were limited in scope, we recommend customers deploy these updates right away. Note: While security sdvisory 925059 applied only to Microsoft Word 2000, the security bulletin MS06-060 applies to all currently supported versions of Microsoft Word, including Microsoft Office for Mac.

MS06-057
On Sept. 28, 2006, we became aware of new public reports of a vulnerability in the Microsoft WebViewFolderIcon ActiveX Control (Web View). We released Microsoft Security Advisory 926043 as part of our Software Security Incident Response Process.

Microsoft security bulletin MS06-057 addresses the vulnerability discussed in security advisory 926043.

While this is a vulnerability in an ActiveX Control, unlike MS06-056, this security update does not address the vulnerability by setting the "kill bit" on the Microsoft WebViewFolderIcon ActiveX Control. In this case, the vulnerability is addressed by correcting the parameter validation in the WebViewFolderIcon ActiveX object.

Our investigation into Web sites attempting to exploit this vulnerability showed that, in most cases, attempts to install malicious software by exploiting the vulnerability failed. This was due to specific technical factors related to the vulnerability. However, we encourage customers to deploy this update as soon as possible.

MS06-061 MS06-061 is a critical bulletin that affects Microsoft XML Core Services, which is designed to allow multiple versions of the component to reside on a system in different locations, providing support for specific applications. This means that your system may require more than one of the security updates provided with MS06-061, depending on your system.

Specifically, MS06-061 provides updates for the following versions of Microsoft XML Core Services:

• Microsoft XML Core Services 3.0
• Microsoft XML Core Services 4.0
• Microsoft XML Core Services 5.0
• Microsoft XML Core Services 6.0

Any and all of these versions that are on your system should be updated with the security updates provided with MS06-061.

In addition, the security updates for MS06-061 set the "kill bits" for Microsoft XML Parser 2.6. Customers still using Microsoft XML Parser 2.6 should update to the latest version, Microsoft XML Core Services 6.0.

Fortunately, however, our detection tools will correctly identify for you what updates provided with MS06-061 apply to your systems; the deployment tools will also install the correct updates for you.

As always, we will be doing our regularly scheduled webcast to review these bulletins and answer your questions live on the air. This month's webcast will be on Wednesday, Oct. 11, 2006, at 2:00 p.m. EDT. You can register for the live event at: http://msevents.microsoft.com/cui/webcasteventdetails.aspx?eventid=1032308775&eventcategory=4&culture=en-us&countrycode=us

Note: If you can't make the live broadcast, the webcast will also be available on demand; simply go to the same location to register.

Finally, the November 2006 monthly security bulletin is scheduled for Tuesday Nov. 14, 2006. And, once again, I will be joining you here at SearchSecurity.com with another edition of Inside MSRC to help you understand some of the highlights and share information to help you with your testing and deployment of the November security updates.