Out-of-Band Security Bulletin Webcast Q&A – January 21, 2010


Hosts: Adrian Stone, Senior Security Program Manager Lead
       Jerry Bryant, Senior Security Communications Manager Lead

Website: TechNet/security

Chat Topic: January 2010 Out-of-Band Security Bulletin
Date: Thursday, January 21, 2010


Q: I understand the severity for workstations. Is the severity lower for servers in terms of this vulnerability, since most servers (except Terminal Servers) do not use IE?
A: By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration http://go.microsoft.com/fwlink/?LinkId=92039. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See the FAQ subsection of this vulnerability section for more information about Internet Explorer Enhanced Security Configuration.

Q: What are the similar issues with this patch to MS09-072 which this is replacing?
A: IE updates are cumulative. This means that all previous IE updates are rolled up and included in the latest IE update. Users should install the latest version of the IE update (now MS10-002) and will automatically get all the previous security updates released for IE.

Q: If we are up to date with virus definitions, are we protected until we get this update installed?
A: While it is always best to keep virus definitions up to date for protection from malware and viruses, this patch addresses vulnerabilities in the browser which aren’t necessarily detectable by antivirus software.

Q: Will Internet Explorer be updated by Windows Update? Why?
A: Security updates are released via Windows Update. Windows Update is designed to allow users who have the automatic update functionality turned on to automatically receive updates. We recommend that users turn on automatic update in order to automatically receive security updates.

Q: Will the updates require a reboot?
A: Yes, the update will require a reboot. We document restart requirements in the security bulletins as well.

Q: When will this patch be available for WSUS? Where can we check to see if new updates are available for WSUS?
A: We provide this information in KB Article 894199 – Description of Software Update Services and Windows Server Update Services changes in content for 2010. The KB article that applies to bulletins released in 2009 is KB 979198, Description of Software Update Services and Windows Server Update Services changes in content for 2009.

Q: Are you seeing websites using this exploit at this point in drive-by attacks currently?
A: We are aware that there is active exploit of this vulnerability and as such we recommend that all users install the security update.

Q: This was previously discussed in an earlier posting on the MS security blog; however, no other references were made to this exploit being that widespread at this time.
A: We have seen a limited increase in the pickup of the exploit and as such we recommend that users install the update.

Q: I have heard reports that DEP is easily bypassed in XP. If this is the case, is it worth trying to enable DEP on workstations?

A: DEP is a useful Defense-in-Depth measure to make attacks more difficult.  In fact, we have not yet seen any real-world attacks that successfully bypass DEP.  We have heard of researchers investigating in this area and we believe that private proof-of-concept code to bypass DEP does exist.  However, currently, DEP will protect you from all active attacks.  It is not easily bypassed for code execution.

Q: Do the current security updates also cover those DEP bypasses in IE7 and IE8?
A: The security update addresses the root cause of the vulnerability in mshtml.dll and does not address the defense-in-depth DEP mitigation.  However, DEP currently protects against all known active attacks.

Q: Since the MS10-002 patch was added to January Bulletin, is the patch really considered a “zero-day” or – emergency patch?
A: This is an out-of-band update that would have been released the 2nd Tuesday in February. However, due to the escalating threat landscape Microsoft determined it best to protect users by releasing the security update earlier.

Q: Does CVE-2010-0246 affect IE 7 and 8, or just 8?
A: It affects IE 6, 7, and 8.

Q: config: Windows XP, SP2, DEP is disabled. IE 8 installed, but no DEP. Is this config as vulnerable to the known attacks as IE 6?
A: The known attacks very specifically target IE 6 and will not work on IE 7 or IE 8 on Windows XP.  However, it is not a huge leap to modify the attacks to work on IE 7 or IE 8 on Windows XP SP2 without DEP or ASLR.  That being said, the current known attacks only work on IE 6. See our SRD blog write up for details.

Q: Is there an executable to run from any patch management system? All available documentation at this point has no clear links visible.
A: Yes. Bulletin MS10-002 includes direct download links to the various Security Update packages.  These are also included through all of Microsoft’s automatic update technologies.

Q: Do the current Fixits to enable DEP for older IE warn users if hardware DEP is not available on the CPU?
A: The Fixits do not provide a warning if DEP is not available in the CPU. If DEP is not available then the Fixit just fails. KB 978207 has directions on how to determine if the system is DEP capable.

Q: It is possible to make this cumulative update mandatory by WSUS?
A: Yes.  To speed this along you could set a deadline on the package in your approval that is expired and it will be triggered right away.

Q: Has this update been tested on Citrix Servers? Has any testing been done with XP Embedded?
A: We test a wide range of Microsoft and 3rd party products, focusing on common user and enterprise scenarios to provide a high quality update.

Q: Just to confirm – does a user need to respond or perform any input to activate the exploit?
A: A user would have to click a link to visit a website but unfortunately, simply browsing to a malicious website is enough for an attacker to trigger the vulnerability.

Q: Symantec has posted this zero day attack (Hydraq) on their site. Is this attack addressed by your security update? Hydraq is a targeted attack that is also currently referred to as Aurora, Google Attacks, and the Microsoft IE Vulnerability (advisory number 979352). Through the exploitation of a vulnerability, it attempts to install a trojan on a specific computer that steals information from that machine.
A: This security update addresses the vulnerability first described in Microsoft Security Advisory 979352. So yes, the update does protect against all known attacks.

Q: Windows 2003 SP2 with IE 6 was listed as moderate in the advanced security bulletin.
A: Windows 2003 enables the enhanced security configuration by default which disables scripting in the internet zone. Without script, this vulnerability cannot be exploited. If you have disabled the enhanced security configuration, it would be a critical class vulnerability. If you have not changed the default settings, it would be a non-issue.

Q: Windows update is enabled on my machine. I just did a check for updates, and nothing was identified by Windows Update. Why? I’m running Win 7 and IE8 right now. Thanks.
A: There may be a few reasons that have to do with where the system is located. If you are behind a corporate firewall, there could be some administrative controls in place to manage update deployment. If you are at home, the delay could be due to ISP caching and/or server latency.

Q: So are the other vulnerabilities that were going to be updated in February critical in nature and what specific issue caused this out of cycle patch?
A: There are multiple vulnerabilities being addressed in this update which are critical class vulnerabilities. The specific issue that required an out of band release is covered in (CVE-2010-0249) in the security bulletin.

Q: Am I correct in thinking this is more client-side? I have web servers that function as server entities i.e. no user activity such as web browsing or opening files, the criticality of this is far lower than when we’re talking about end user systems? The reason I ask is of course downtime.
A: How could an attacker exploit the vulnerability?

An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. The attacker could also take advantage of compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker’s Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

Q: Has a Network Inspection System (NIS) signature been released for Forefront Threat Management Gateway (TMG) 2010?
A: No, this threat unfortunately is not conducive to network inspection based detection.

Q: How do I get KB978207 to my WSUS server? I go to the update catalog and cannot find this KB.
A: This is a temporary condition that is likely a staging delay.  Once the package has propagated across the Web, it should be available through a standard WSUS sync.

Q: Outside of preventing the security risk, will this remediation change any functionality of IE 6, 7, or 8?
A: No. This update does not change any functionality of IE 6, 7, or 8.

Q: What exactly does the patch do in CVE-2010-2027 (URL Validation Vulnerability) and what's the impact in security zones (is it a cross-domain issue?)
A: CVE-2010-2027 addresses a vulnerability in the way IE deals with URL validation.  In certain circumstances, this issue can result in RCE and is not related to any cross domain issues.

Q: If I don't get update tools to apply the patch, what other method can I use to deploy?
A: You can configure your systems to use Microsoft’s automatic updating technologies, such as Windows Update, or Microsoft Update.  You can certainly download the update and kick it off on client systems with a logon or start up script as well.  Also remember that WSUS is a free deployment product that you are encouraged to evaluate, as this will give you greater flexibility.

Q: Is this really enough that I disable the NTVDM subsystem?
A: Yes, the exploit of this vulnerability is only possible due to functionality available in NTVDM. Disabling NTVDM will remove the attack vector. Please note that disabling NTVDM will also not allow 16 bit applications such as MSDOS to run.

Q: While corporations are getting the patch distributed to their clients throughout the networks, do you guys work with antivirus vendors?
A: Yes, we released detection guidance to all 52 of our anti-virus MAPP partners yesterday.  

Q: If a PC with IE6 is patched with MS10-002 and is updated to IE7, is it fair to assume it will need to be reapplied again?
A: Users who have an updated version of IE6, and then install IE7, will be offered the update again.

Q: IE Security Zone question, if *.microsoft.com is in trusted sites, can social.technet.microsoft.com be added to the restricted sites zone, and which zone will be used?
A: Adding a site to the restricted zone will take precedence over the trusted sites.  So, in your example adding *.microsoft.com to the trusted sites and putting social.technet.microsoft.com in the restricted sites will result in social.technet.microsoft.com being run in the restricted zone.

Q: Will we experience failures on the hardware that can’t support the feature or will it just ignore the settings… Can we force DEP to be used via group policy?
A: If hardware does not support DEP, nothing bad will happen if you attempt to enable it in the software; that setting will just be ignored.  You can force DEP to be used via group policy.  There is guidance on how to do so on the SRD blog.

Q: Is it my understanding that this type of vulnerability is difficult to detect using Virus Scanners?
A: Unfortunately yes. These kinds of script-based vulnerabilities are easy to obfuscate to bypass anti-virus detection.

Q: I have machines that use software that can only use IE6. Is there a fix out there?
A: Yes, the security update released today does provide an update for IE6. We recommend that users who can upgrade to IE8 do so.

Q: Could a remote code exploit which allows execution within the privileges of the user be leveraged to then use a local privilege escalation vulnerability?
A: Sure, an attacker could conceivably first exploit the IE vulnerability to get code executing as a user and then later exploit the NTVDM local elevation of privilege to get code running in ring0. It is not uncommon to see multiple exploits used in attacks.

Q: Is the Patch 978207 tested on virtual machines? In my case the patch runs fine on real hardware but in VMware IE 7 crashes after start and Outlook 2003 does not come up after the update.
A: The test cases for IE patches include testing in virtual environments.  If you feel that you’ve encountered an issue with a specific configuration you have, please contact our support resources at support.microsoft.com.


Q: Any issues with IE add-ons (Java, ActiveX, Adobe..)?
A: We certainly have tested this security update with Java, ActiveX, and Adobe. It did not introduce any issues.

Q: Why is the patch not released in February? Because now we approved the regular patches of January which requires a reboot and with the new security patch we have to reboot servers again.
A: This Internet Explorer security update was planned for release in February but due to the attacks discussed in Security Advisory 979352 and the escalating threat landscape, we determined the best way to protect customers was to release an update out of cycle.

Q: Hello, if I'm not using IE in my servers, am I vulnerable to this security hole?
A: This vulnerability requires that a user be logged on and visiting a Web site for any malicious action to occur. Therefore, any systems where Internet Explorer is used infrequently are less at risk to this vulnerability.

Q: Within Outlook 2003/2003, with html preview pane enabled, is the exploit possible, or must the page be opened in the IE browser?
A: Outlook displays email in the Restricted Sites Zone which disables scripting.  The vulnerability cannot be exploited without script.  So Outlook is not an attack vector.

Q: We have several users who still use IE6 to access OWA. Is there any risk in compromising exchange using IE6?
A: No, this is a client-side only vulnerability. A client connecting to a server could not compromise the server using this vulnerability.

Q: Could an attack be mounted using HTML embedded in an email (assuming the use of a web based email service)?
A: By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

Q: Is there any local code that this exploit leaves on the local system? And will the January 2010 Windows Malicious Software Removal Tool detect and remove it?
A: The known malware associated with the current targeted attacks is the Elecom family, and this is not part of the current MSRT detection capabilities.

Q: Where are the whitelisted sites stored for the IE ESC on Windows Server 2003 so they can be audited/reviewed?
A: By default, Enhanced Security Configuration runs all INTRANET and INTERNET zone websites with HIGH security settings.  More detailed information covering the various scenarios supported by Enhanced Security configuration can be found here:  http://support.microsoft.com/kb/815141.

Q: Will current AV definitions from Symantec protect workstations from this exploit?
A: AV definitions do not protect against exploits, they protect against malware that is dropped by an exploit.  This said you will need to check with Symantec on their capabilities.

Q: Is there a command line tool to check that IE specifically is protected with DEP? Control Panel applet and command line tools only talk about Windows applications and services: is IE considered to be part of this?
A: 912923 How to determine that hardware DEP is available and configured on your computer: http://support.microsoft.com/default.aspx?scid=kb;EN-US;912923. There is more detail on DEP and its capabilities at the following KB article: http://support.microsoft.com/kb/875352.

Q: How can I download the update for manual redistribution? The MS10-002 Bulletin page states the following: “For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.” This makes it sound like Windows update is the only option to obtain the update.
A: Customers are able to use the Windows Server Update Services to deploy the latest Microsoft product updates to computers running Windows operating systems.