Tuesday, January 09, 2007

Microsoft Patch Release initial analysis

Microsoft just released their patches; I have to say it’s a pretty lackluster offering: 3 Office bugs and one VML bug.

The breakdown for critical vulnerabilities is pretty easy: one in Excel, one in Outlook and one in VML (aka Internet Explorer).

Excel is not a surprise, as the summer and fall saw active targeted 0day exploitation against certain targets. Since this is a client-side vulnerability, a malicious attacker wouldn’t have too many opportunities for a retry, as unsuccessful exploitation will crash the application. This is important to patch, as it will be hard for IPS vendors to guard against. The Excel file format is so complex that the best most vendors can do is add signatures for any proof of concept that arises, or their customers will be swimming in false positives. This means all an attacker needs to do is write a new and slightly different version of the exploit and it should bypass most inline protection tools.

The Outlook bug is exceptionally bad. If you just receive the e-mail, you are owned (even before you open the e-mail or see it in the preview pane). No user interaction is required; this one is also in the category of “patch as soon as possible”. A worm could use this to propagate, which could result in clogging corporate e-mail servers. Servers that succumb to a spike in e-mail delivery could cause more of a problem than successful exploitation of the end user.

Windows did not escape this month without a fix. This one is in the well-worn VML library. This vector is exploitable via a web page and e-mail. Standard obfuscation methods for web-based attacks, such as a variety of different encoding methods, apply. Inline security tools would be hard pressed to detect 100% of VML exploit variants. A similar vulnerability was discovered last year being exploited in the wild.

Active exploitation of all these vulnerabilities will likely include botnet/rootkit malware.