Microsoft pushes patches while fighting a new Internet Explorer vulnerability
by Steve Ragan - Mar 11 2010, 19:20For the first time in almost two years, Microsoft didn’t include a patch rated critical in their monthly security updates. The two that were released Tuesday, both rated important, were overshadowed by an Internet Explorer vulnerability that is being exploited online, and recently had exploit code published.
Patches:
On Tuesday, Microsoft released two bulletins that addressed eight vulnerabilities in Windows Movie Maker and Microsoft Producer 2003, as well as Excel.
The Windows Movie Maker and Producer 2003 vulnerabilities deal with a malicious Movie Maker or Microsoft Producer project file that grants system control to an attacker once opened. Windows Live Movie Maker (Vista and Windows 7) is not vulnerable, Microsoft said.
“The Movie Maker bug is interesting,” said Sheldon Malm, senior director, security strategy at Rapid7. “We’ll see working exploit code for sure, although the distribution and use of Movie Maker within enterprise environments makes it less urgent overall.”
Malm explained that the vulnerabilities are client-side, affecting Movie Maker on XP, Vista, and Windows 7, so the most likely attack scenarios will be Web-based.
“With Cisco’s announcement, targeting support for Rich Internet Media, the Movie Maker exposure becomes more critical as time goes on. If the future of the Internet fits Cisco’s description, which seems likely, this one could be latent for some time and crop up in the future if left unpatched. We expect the real risk of this vulnerability to be significantly higher a year from now than it is today as a result.”
Like the previous bulletin, Excel’s vulnerability needs a malicious Excel file, and requires the user open it.
“All eyes will be on the Excel/Office/SharePoint update this month, with 7 vulnerabilities patched; 2 of them rated 2 on Microsoft’s Exploitability Index and 5 rated 1 – Microsoft’s highest exploitability rating. It replaces MS09-067 from November of last year, which had 8 vulnerabilities addressed. That’s a lot of activity on Excel over the last 5 months,” added Malm.
“We expect a decent amount of exploit traffic on the Excel/Office/SharePoint issue, and customers should not overlook the fact that Excel Services are part of the SharePoint Server 2007 default configuration.”
More Internet Explorer issues:
On the same day that Microsoft pushed patches, they also announced a new wave of attacks aimed at Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8, due to security enhancements, is not impacted by the vulnerability, the software giant said.
Microsoft says the vulnerability is related to an invalid pointer reference used within Internet Explorer.
“It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution,” the official explanation reads.
While attacks are moving about online, a McAfee post provided the clues needed to allow a security researcher, Moshe Ben Abu, to develop and publish working exploit code. [Details]
The code has since been added to Metasploit, and according to an interview with ZDNet, HD Moore said that, “[it’s] 50% reliable on XP SP2/SP3 with IE7 (no DEP). A little better with IE6.”
For more information on the Internet Explorer 6 and 7 vulnerability, head here.
Comment on this Story