Security Research & Defense

MS08-049 : When kind of authentication is needed?

Wednesday, August 13, 2008

MS08-049 is an update for the Windows Event System service to correct an authenticated elevation-of-privilege vulnerability. We received a question via email yesterday about the type of authentication needed to exploit CVE-2008-1456. Our security bulletin was a little ambiguous with one reference to “logon credentials” and another to “domain credentials”. The email question was from an IT security manager who wondered whether his hardened servers could be compromised remotely.

• COM
• Mitigations
• Rating
• Security Bulletin

MS08-041 : The Microsoft Access Snapshot Viewer ActiveX control

Tuesday, August 12, 2008

MS08-041 fixes a vulnerability in the Microsoft Access Snapshot Viewer ActiveX control. It’s an interesting vulnerability so we wanted to go into more detail about platforms at reduced risk and also more about the servicing strategy for this vulnerability. Windows Vista at reduced risk? We first heard about this vulnerability from customers sending in reports of active attacks.

• ActiveX
• Attack
• Classid
• Clsid
• Internet Explorer (IE)
• Killbit
• Mitigations
• Phoenix bit
• Timing attack
• Workarounds

MS08-042 : Understanding and detecting a specific Word vulnerability

Tuesday, August 12, 2008

A few weeks ago we posted a blog entry titled “How to parse the .doc file format”. Today’s blog post will show you how to use that information to check whether a .doc file is specially crafted to exploit MS08-042, one of the vulnerabilities addressed by today’s security updates. This particular vulnerability is being exploited out in the real world so we believe the benefits of releasing more information about it to help the defenders outweighs the risk of attackers learning more about the already-public vulnerability.

• Detection
• Microsoft Office
• Tools

MS08-043 : How to prevent this information disclosure vulnerability

Tuesday, August 12, 2008

In this month’s update for Excel we addressed an interesting CVE (CVE-2008-3003) – the first vulnerability to affect the new Open XML file format (but it doesn’t result in code execution). This is an information disclosure vulnerability that can arise when a user makes a data connection from Excel to a remote data source and checks a checkbox to have Excel NOT save the password used in that connection to the file.

• Detection
• Microsoft Office
• Mitigations
• Open XML
• Workarounds

MS08-050 : Locking an ActiveX control to specific applications.

Tuesday, August 12, 2008

MS08-050 concerns an ActiveX control that can be maliciously scripted to leak out personal information such as email addresses. There appeared to be no need for the control to have this behaviour so giving it a Kill-Bit seemed the correct approach to take. During the extensive testing that each security update undergoes, however, it became apparent that the Kill-Bit wasn’t ideal as it partially broke the Remote Assistance application.

• ActiveX
• COM
• Internet Explorer (IE)
• Killbit
• Phoenix bit
• Safe for initialization
• Safe for scripting

How to parse the .doc file format

Friday, July 18, 2008

This past February, Microsoft publicly released the Office binary file formats specification. These describe how to parse Word, Excel, and PowerPoint files to review or extract the content. Because they describe the structure of these file formats in detail, we think the file format specification will be particularly interesting to ISVs who write detection logic for malware scanners (such as Anti-Virus software).

• Detection
• Microsoft Office

MS08-037 : More entropy for the DNS resolver

Tuesday, July 08, 2008

We released security bulletin MS08-020 two months ago to improve the DNS transaction ID entropy. You can read more about the MS08-020 algorithm change in this blog entry. Increasing the entropy makes it more difficult for attackers to spoof DNS replies. Today, we released MS08-037 to further increase the difficulty of spoofing DNS transactions.

• DNS
• Network protocol
• Spoofing

MS08-039: Which users are vulnerable to the OWA XSS vulnerability?

Tuesday, July 08, 2008

Today we released MS08-039 which addressed several XSS vulnerabilities in Microsoft Exchange’s Outlook Web Access component. While this is an update to be applied to the Exchange server, the clients who use OWA are the computers potentially at risk. We’d like to explain a little more about the vulnerability so that you can determine whether you or your organization are at risk.

• OWA
• XSS

MS08-040: How to spot MTF files crossing network boundary

Tuesday, July 08, 2008

Today we released MS08-040 to patch several vulnerabilities in the SQL Server Database Engine; one of them involves the SQL Server backup file format. The format is also known as MTF (Microsoft Tape Format). The vulnerability requires an attacker to be able to force the SQL Server to load a malicious MTF file from the local drive or from the network.

The IE8 XSS Filter

Wednesday, July 02, 2008

Hello, our team and IE have recently collaborated on a new IE8 feature that was announced today – the XSS Filter. Check it out here: http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx This effort demonstrates our commitment to helping our product teams benefit from the knowledge we have gained while defending our products from attack. Stay tuned to our blog for more stories like this in weeks to come…

• Internet Explorer (IE)
• XSS Filter