MS08-055: Microsoft security response process, behind the scenes

One of our blogging goals is to give you a peek “behind the scenes” into our security response process. We thought you might be interested in the story behind MS08-055, this month’s OneNote bulletin.

In March, a security researcher sent in a report of an information disclosure vulnerability that affected OneNote 2007, a part of Office 2007. He had come up with a clever way of abusing the onenote:// protocol handler to expose OneNote notebook contents. The Office team built a security update to address the vulnerability, and the MSRC started building a security bulletin for it. We typically rate information disclosure vulnerabilities as ‘Important’ severity.

When we dug into the vulnerability during our ‘hacking-for-variations’ investigation, we found that OneNote used mso.dll to process parameters passed in via the protocol handler. More investigation turned up a buffer overrun vulnerability in mso.dll that could be triggered by passing arguments to the onenote:// protocol handler. That finding bumped the case’s severity rating up from Important to Critical, and changed its effect from Information Disclosure to Remote Code Execution.

Unfortunately, the vulnerable mso.dll is used by almost all versions of Office, and by some developer tools, for shared Office functionality. So to address this vulnerability, we are now shipping a security bulletin with an aggregate severity of Critical to all computers that have OneNote 2007 installed (external report) and also to all computers that have Office 10, 11, or 12 (due to the internal find). In our testing, we have not been able to hit the mso.dll issue through any vector except the onenote:// protocol handler. If you unregister the protocol handler (described in the bulletin), you should be safe from this vulnerability until you are able to apply the security update. But please do apply the security update, even if you are not using OneNote 2007.
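To see whether a given machine still exposes the onenote:// vector before or after applying the workaround, the following added example (not part of the original post or the bulletin) audits the handler registration. It assumes the standard Windows convention that a URL scheme is a key under HKEY_CLASSES_ROOT carrying a `URL Protocol` value; `Get-UrlProtocolHandler` is a hypothetical helper name, and the bulletin remains the authority for the unregistration steps themselves.

```powershell
# Added example: report whether a URL protocol handler is registered locally.
# Assumption: the scheme follows the standard Windows registration layout
# (HKEY_CLASSES_ROOT\<scheme> with a "URL Protocol" value and the launch
# command line in shell\open\command). Read-only; nothing is modified.
function Get-UrlProtocolHandler {
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z][A-Za-z0-9+.-]*$')]   # URI scheme syntax only
        [string]$Scheme
    )

    $keyPath = "Registry::HKEY_CLASSES_ROOT\$Scheme"
    $result = [pscustomobject]@{
        Scheme     = $Scheme
        KeyExists  = $false
        IsProtocol = $false
        Command    = $null
    }

    if (-not (Test-Path -LiteralPath $keyPath)) { return $result }
    $result.KeyExists = $true

    # The mere presence of the "URL Protocol" value (it is usually empty)
    # is what marks the key as a protocol handler.
    $key = Get-Item -LiteralPath $keyPath
    $result.IsProtocol = $key.GetValueNames() -contains 'URL Protocol'

    # The default value of shell\open\command is the command line that
    # receives the attacker-influenced URL as an argument.
    $cmdPath = "$keyPath\shell\open\command"
    if (Test-Path -LiteralPath $cmdPath) {
        $result.Command = (Get-Item -LiteralPath $cmdPath).GetValue('')
    }
    return $result
}

$handler = Get-UrlProtocolHandler -Scheme 'onenote'
if ($handler.IsProtocol) {
    Write-Output "onenote:// handler is registered: $($handler.Command)"
} else {
    Write-Output 'onenote:// handler is not registered on this machine.'
}
```

A machine that reports the handler as not registered still needs the security update, since mso.dll itself remains vulnerable until patched.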

– Jonathan Ness, SVRD Blogger

*Postings are provided “AS IS” with no warranties, and confer no rights.*