Bulletin severity for October bulletins

Bulletin severity is an interesting topic to many blog readers. We often hear that you think a bulletin should be rated higher or lower. Sometimes we even hear one person suggesting a higher rating and another suggesting a lower rating for the same issue. This post is not to advocate for or against the MSRC rating system but we’d just like you to understand what we were thinking for each bulletin. Our official bug bar is not posted but we pointed to a close approximation of it last month in this blog post (http://blogs.technet.com/swi/archive/2008/09/09/ms08-055-microsoft-security-response-process-behind-the-scenes.aspx). Direct link is http://msdn.microsoft.com/en-us/library/cc307404.aspx if you want to follow along.

MS08-057 fixes several Excel vulnerabilities reachable by opening a malformed Excel spreadsheet. The bulletin is rated Critical for users of Office 2000 because some configurations of Office 2000 do not prompt before opening an XLS file offered via a website. It is rated Important on the other affected platforms where Excel does display the Open/Save dialog prompt before opening. This user interaction (clicking through the prompt) lowers the code execution vulnerability from Critical to Important.

MS08-058 addresses six separate CVEs in Internet Explorer. They can be lumped together into three different buckets.

The first three IE issues each allow cross-domain script execution. On Windows 2000, a webpage that can execute script in the local machine zone can run arbitrary code. So that’s a Critical “Remote Code Execution” class vulnerability on Windows 2000. All other platforms have a feature called “Local Machine Zone Lockdown”. With LMZ-L enabled, attackers can no longer run script in the local machine zone so there is no direct remote code execution opportunity. Instead, the risk is Information Disclosure, as malicious.com can trick you into posting website cookies for another domain. Windows Server 2003 and 2008 have both the local machine zone lockdown feature and have enabled the Enhanced Security Configuration by default. ESC disables scripting. Without script, cross-domain scripting is not relevant. If users disabled ESC, this would be an information disclosure threat. However, because the attack surface is not exposed by default, we drop it down two ratings from “Important” to “Low”.

Each of these three issues is a different vulnerability. With CVE-2008-2947, an attacker can force script to execute in the wrong domain context by playing tricks with the location object. CVE-2008-3472 and CVE-2008-3473 confuse IE into executing script from a different zone through mouse and focus trickery.

The next vulnerability in the list, CVE-2008-3474, is also a cross-domain vulnerability but you probably noticed that this is not rated as a Remote Code Execution Critical vulnerability on Windows 2000. This is a case of malicious.com being allowed to make requests via MSXML from other zones. However, in this case, malicious.com cannot trigger the vulnerability without some help. In fact, to trigger this vulnerability, a victim page must host the malicious page in a frame. The “Important” rating we gave it might be a little bit of a stretch but the advertising hosting model of untrusted content being hosted on trusted pages tipped us over to rating this one Important. Again, the Enhanced Security Configuration on Windows Server 2003 and 2008 mitigates this threat so it is rated two notches lower on those platforms.

Finally, the last two CVEs are straight memory corruption issues. CVE-2008-3475 fixes an issue where a pointer is uninitialized and then used. CVE-2008-3476 addresses a case of script methods being called out of order in an unexpected manner. Neither of the issues affects Windows Vista but on Windows 2000 and Windows XP they could result in code execution, “drive-by” class vulnerabilities. Scripting is disabled by default on Windows Server 2003 and 2008 so the memory corruption issues that require scripting on those platforms drop down two severity notches to “Moderate”.
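The rating arithmetic in the MS08-057 and MS08-058 discussion above (one notch for a user prompt, a class change from code execution to information disclosure under LMZ-L, two notches when ESC leaves the attack surface unexposed by default) can be written down as a small rule model. This is an added illustration, not the official MSRC bug bar; the class names, mitigation names and notch counts are assumptions taken only from what this post says.

```python
"""Toy model of the severity reasoning described in this post.

Not the official MSRC bug bar: classes, mitigations and notch counts are
assumptions written down from the post's own explanations.
"""

# Severity ladder, lowest to highest, so a "notch" is an index step.
LADDER = ["Low", "Moderate", "Important", "Critical"]

# Base rating per vulnerability class, as the post applies them.
BASE = {
    "remote_code_execution": "Critical",
    "remote_authenticated_code_execution": "Important",  # MS08-062, MS08-063
    "local_elevation_of_privilege": "Important",         # MS08-064, MS08-066
    "information_disclosure": "Important",
}

# Mitigations the post names and how many notches each lowers the rating.
# LMZ-L is special: it does not lower the rating directly, it changes the
# class (cross-domain script can no longer run code, only leak data).
NOTCHES = {
    "user_prompt": 1,          # Open/Save dialog before the file opens (MS08-057)
    "esc_disables_script": 2,  # attack surface not exposed by default (Server 2003/2008)
}


def rate(vuln_class: str, mitigations: tuple[str, ...] = ()) -> str:
    """Apply the post's downgrade rules to a base class and return a rating."""
    cls = vuln_class
    notches = 0
    for m in mitigations:
        if m == "lmz_lockdown":
            if cls == "remote_code_execution":
                cls = "information_disclosure"
        else:
            notches += NOTCHES[m]
    idx = LADDER.index(BASE[cls]) - notches
    return LADDER[max(idx, 0)]  # never drop below Low


def post_examples() -> dict[str, str]:
    """Re-derive the ratings the post gives for its bulletins."""
    return {
        "MS08-057 Office 2000 (no prompt)": rate("remote_code_execution"),
        "MS08-057 other Office (prompt)": rate("remote_code_execution", ("user_prompt",)),
        "MS08-058 cross-domain Windows 2000": rate("remote_code_execution"),
        "MS08-058 cross-domain XP/Vista (LMZ-L)": rate("remote_code_execution", ("lmz_lockdown",)),
        "MS08-058 cross-domain Server (LMZ-L + ESC)": rate(
            "remote_code_execution", ("lmz_lockdown", "esc_disables_script")),
        "MS08-058 memory corruption Server (ESC)": rate("remote_code_execution", ("esc_disables_script",)),
        "MS08-062/063 authenticated RCE": rate("remote_authenticated_code_execution"),
        "MS08-064/066 local EoP": rate("local_elevation_of_privilege"),
    }
```

Running `post_examples()` reproduces Critical, Important, Critical, Important, Low, Moderate, Important, Important, matching the ratings the post walks through.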

MS08-059 addresses a vulnerability in the Host Integration Server RPC service.  One of our team members wrote a great blog post about it [here].

MS08-060 addresses a remote code execution vulnerability on Windows 2000 domain controllers.  We have rated the bulletin Critical.

MS08-061 fixes three different win32k.sys (kernel-mode) vulnerabilities involving privilege escalation from an unprivileged local user to ring 0.  Fermin wrote more detail about it [here].

MS08-062 addresses a vulnerability for which we have seen targeted attacks so we’re very happy to be getting it fixed. This fixes an issue with the Internet Printing Service, an IIS ISAPI filter that can only be reached by an authenticated user. Remote authenticated code execution vulnerabilities rate Important according to the bug bar.

MS08-063 is a remote code execution vulnerability reachable over SMB. However, an attacker cannot reach the vulnerable code using the null session share, so the attacker must be authenticated (or the Guest account must be enabled) to exploit this vulnerability. Again, we rate remote authenticated code execution vulnerabilities as “Important”.

MS08-064 addresses a vulnerability that could allow a local attacker who has logged onto a system to potentially execute code in ring 0.  Local elevation of privilege vulnerabilities are rated Important.

MS08-065 is rated Important and two team members wrote a blog post that explains it in more detail.  You can read that [here].

MS08-066 is another local elevation of privilege vulnerability. It allows local attackers a 16-byte memory overwrite to an arbitrary location, so this one is rated Important. Fermin wrote more about this vulnerability [here].

Finally, we also released a security advisory with killbits for several controls. Releasing killbits via security advisory is something relatively new from Microsoft. There are two scenarios where we will release a killbit via security advisory instead of a security bulletin. First, when a Microsoft control has already been fixed with a previous security bulletin, we will follow on later with a killbit package. The other scenario is when we issue killbits for third-party products.

Thanks for reading and we hope this gave you a better understanding of the Microsoft bulletin rating system.  Please email us with any questions.  Thanks!

Update 10/16/2008 – Fixed formatting.  Thanks Frank for pointing it out!

– Jonathan Ness, SVRD Blogger

*Postings are provided “AS IS” with no warranties, and confer no rights.*