This month's Microsoft patches

Posted by Sergio Hernando on 13 June 2007

Yesterday, the 12th, Microsoft published this month's patches, corresponding to the vendor's monthly update cycle.

There are many sources for summaries of these patches, which always makes things easier for users and administrators of Windows platforms. I usually go with the eEye bulletins, so I invite you to take a look at this month's.

Schematically (see the comments for more detail), this month's salad of patches consists of:

Critical

* MS07-031 - Vulnerability in the Windows Schannel Security Package Could Allow Remote Code Execution
* MS07-033 - Cumulative Security Update for Internet Explorer
* MS07-034 - Cumulative Security Update for Outlook Express and Windows Mail
* MS07-035 - Vulnerability in Win32 API Could Allow Remote Code Execution

Important

* MS07-030 - Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution

Low

* MS07-032 - Vulnerability in Windows Vista Could Allow Information Disclosure

I'm leaving the details of each bulletin in the comments :)

Category → Alerts

2 comments
  1. 13 June 2007

    SOURCE: http://www.eeye.com/research/html/newsletters/alert/pub/AL20070612.html?sb=kcmmmuakmnvwbauvwknc

    Bulletin Summary

    MS07-030
    Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (927051)
    http://www.microsoft.com/technet/security/bulletin/MS07-030.mspx

    Microsoft Severity Rating: Important
    eEye Severity Rating: High

    Description
    This patch fixes two vulnerabilities within Microsoft Visio 2002/2003 which could allow a remote attacker to execute arbitrary code as the logged in user.

    * CVE-2007-0934 – Version Number Memory Corruption Vulnerability
    A remote code execution vulnerability exists in the way Microsoft Visio handles a specially crafted version number in a Visio (.VSD, VSS, or .VST) file. An attacker could exploit this vulnerability when Visio does not correctly validate the version number field when processing the contents of a file.

    * CVE-2007-0936 – Visio Document Packaging Vulnerability
    A remote code execution vulnerability exists in Microsoft Visio as a result of the way it incorrectly handles the parsing of packed objects within the Visio file format. An attacker could exploit this vulnerability by constructing a malicious Visio (.VSD, VSS, or .VST) file that could potentially allow remote code execution if a user visited a malicious Web site or opened a specially crafted Visio attachment included in an e-mail message.

    The exploitation of these vulnerabilities requires user interaction by opening a malicious Visio file. This file could be delivered any number of ways including e-mail or a website. Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

    Recommendations
    Although exploit code for these vulnerabilities has not been released, eEye Research suggests that vulnerable hosts be patched for these vulnerabilities as soon as possible.

    MS07-031
    Vulnerability in the Windows Schannel Security Package Could Allow Remote Code Execution (935840)
    http://www.microsoft.com/technet/security/bulletin/MS07-031.mspx

    Microsoft Severity Rating: Critical
    eEye Severity Rating: High

    Description
    This patch fixes one vulnerability within Windows Secure Channel (Schannel) which may allow for a remote attacker to potentially execute arbitrary code as the logged in user.

    * CVE-2007-2218 – Vulnerability in the Windows Schannel Security Package
    A remote code execution vulnerability exists in the way that Windows Schannel on a client machine validates server-sent digital signatures. An attacker could host a specially crafted Web site that is designed to exploit these vulnerabilities through an Internet Web browser and then convince a user to view the Web site. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker’s Web site.

    The exploitation of this vulnerability requires user interaction by viewing a malicious website. This website could then utilize this vulnerability to execute arbitrary code on Windows XP hosts, a denial of service on 2000 hosts, or an automatic restart on a 2003 host.

    Recommendations
    Patch Prioritization: Second Highest Impact
    Although exploit code for these vulnerabilities has not been released, eEye Research suggests that vulnerable hosts be patched for these vulnerabilities as soon as possible.

    MS07-032
    Vulnerability in Windows Vista Could Allow Information Disclosure (931213)
    http://www.microsoft.com/technet/security/bulletin/MS07-032.mspx

    Microsoft Severity Rating: Low
    eEye Severity Rating: Low

    Description
    This patch fixes one vulnerability within Windows Vista which could allow for a logged in attacker to gather certain information that would allow him or her to gain valid logon credentials for another account with potentially higher credentials.

    * CVE-2007-2229 – Permissive User Information Store ACLs Information Disclosure Vulnerability
    There is an information disclosure vulnerability in Windows Vista that could allow non-privileged users to access local user information data stores including administrative passwords contained within the registry and local file system. The vulnerability could allow a local attacker to have access to user account data that could then be used in an attempt to gain full access to the affected system.

    The exploitation of this vulnerability requires that an attacker must logon to the target host with some form of credentials in order to gather the information disclosed from this vulnerability.
    This vulnerability only affects Microsoft Vista.

    Recommendations
    Patch Prioritization: Least Impact
    Although exploit code for these vulnerabilities has not been released, eEye Research suggests that vulnerable hosts be patched for these vulnerabilities as soon as possible. However, by requiring a certain level of access to launch this attack, this vulnerability is ranked as the least severe for June.

    MS07-033
    Cumulative Security Update for Internet Explorer (933566)
    http://www.microsoft.com/technet/security/bulletin/MS07-033.mspx

    Microsoft Severity Rating: Critical
    eEye Severity Rating: High

    Description
    This patch fixes six vulnerabilities within Internet Explorer. Five of the vulnerabilities allow for remote code execution as the logged in user, while the other vulnerability allows an attacker to spoof a website.

    * CVE-2007-0218 – COM Object Instantiation Memory Corruption Vulnerability
    A remote code execution vulnerability exists in the way Internet Explorer instantiates COM objects that are not intended to be instantiated in Internet Explorer. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

    * CVE-2007-1750 – CSS Tag Memory Corruption Vulnerability
    A remote code execution vulnerability exists in Internet Explorer due to improper handling of a CSS tag. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

    * CVE-2007-3027 – Language Pack Installation Vulnerability
    A remote code execution vulnerability exists in Internet Explorer in the way that it handles language pack installation. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

    * CVE-2007-1751 – Uninitialized Memory Corruption Vulnerability
    A remote code execution vulnerability exists in the way Internet Explorer accesses an object that has not been correctly initialized or that has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

    * CVE-2007-1499 – Navigation Cancel Page Spoofing Vulnerability
    A spoofing vulnerability exists in Internet Explorer that could allow an attacker to display spoofed content in the Navigation canceled page. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

    * CVE-2007-2222 – Speech Control Memory Corruption Vulnerability
    A remote code execution vulnerability exists in a component of Microsoft Speech API 4. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

    The exploitation of these vulnerabilities requires user interaction by visiting a website or following a hyperlink. For some vulnerabilities, execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible.

    Recommendations
    Patch Prioritization: Highest Impact
    For temporary mitigation from exploitation against CVE-2007-2222, administrators can kill bit the CLSIDs
    (4E3D9D1F-0C63-11D1-8BFB-0060081841DE; EEE78591-FE22-11D0-8BEF-0060081841DE) for this ActiveX to disallow any exploitation attempts against this component.

    For temporary mitigation from exploitation against CVE-2007-3027, administrators can prevent language pack installations by setting the following registry key:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\W2KLpk = 0 (DWORD)

    Although these mitigation strategies do work for these two vulnerabilities, eEye Research suggests that vulnerable hosts be patched for all of the vulnerabilities included in MS07-033 as soon as possible.

    MS07-034
    Cumulative Security Update for Outlook Express and Windows Mail (929123)
    http://www.microsoft.com/technet/security/bulletin/MS07-034.mspx

    Microsoft Severity Rating: Critical
    eEye Severity Rating: High

    Description
    This patch fixes four vulnerabilities within Windows Mail/Outlook Express. One of the vulnerabilities allows for a remote attacker to execute code under the context of the logged in user, while the other three vulnerabilities allow for information disclosure which may foster further exploitation.

    * CVE-2006-2111 – URL Redirect Cross Domain Information Disclosure Vulnerability
    An information disclosure vulnerability exists in Windows because the MHTML protocol handler incorrectly interprets the MHTML URL redirections that could potentially bypass Internet Explorer domain restrictions. An attacker could exploit the vulnerability by constructing a specially crafted Web page. If the user viewed the Web page using Internet Explorer, the vulnerability could potentially allow information disclosure. An attacker who successfully exploited this vulnerability could read data from another Internet Explorer domain.

    * CVE-2007-1658 – Windows Mail UNC Navigation Request Remote Code Execution Vulnerability
    A remote code execution vulnerability results from the way local or UNC navigation requests are handled in Windows Mail. An attacker could exploit the vulnerability by constructing a specially crafted e-mail message that could potentially allow execution of code from a local file or UNC path if a user clicked on a link in the e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

    * CVE-2007-2225 – URL Parsing Cross Domain Information Disclosure Vulnerability
    An information disclosure vulnerability exists in Windows because the MHTML protocol handler incorrectly interprets HTTP headers when returning MHTML content. An attacker could exploit the vulnerability by constructing a specially crafted Web page. If the user viewed the Web page using Internet Explorer, the vulnerability could potentially allow information disclosure. An attacker who successfully exploited this vulnerability could read data from another Internet Explorer domain.

    * CVE-2007-2227 – Content Disposition Parsing Cross Domain Information Disclosure Vulnerability
    An information disclosure vulnerability exists in the way MHTML protocol handler passes Content-Disposition notifications back to Internet Explorer. The vulnerability could allow an attacker to bypass the file download dialog box in Internet Explorer. An attacker could exploit the vulnerability by constructing a specially crafted Web page. If the user viewed the Web page using Internet Explorer, the vulnerability could potentially allow information disclosure. An attacker who successfully exploited this vulnerability could read data from another Internet Explorer domain.

    The exploitation of these vulnerabilities requires user interaction by opening a malicious email or viewing a malicious website.

    Recommendations
    There is no easy form of mitigation to protect against all the patched vulnerabilities. Therefore, eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible.

    MS07-035
    Vulnerability in Win32 API Could Allow Remote Code Execution (935839)
    http://www.microsoft.com/technet/security/bulletin/MS07-035.mspx

    Microsoft Severity Rating: Critical
    eEye Severity Rating: High

    Description
    This patch fixes one vulnerability within the Win32 API which could allow for a remote attacker to execute arbitrary code under the context of the application which is using Win32 incorrectly.

    * CVE-2007-2219 – Win32 API Vulnerability
    A remote code execution vulnerability exists in the way that the Win32 API validates parameters. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

    The most remote vector for exploiting this vulnerability requires user interaction by visiting a website or following a hyperlink. Execution of arbitrary code is possible, but will only execute the code under the rights of the logged in user. If the logged in user is an Administrator, complete control of the system is possible. There is no way to exploit this vulnerability without requiring some sort of user interaction or interactive logon credentials.

    Recommendations
    There is no easy form of mitigation to protect against all of the patched vulnerabilities. Therefore, eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible.
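
Added example, not part of the eEye bulletin or the original post: a PowerShell sketch that applies and verifies the two temporary MS07-033 mitigations quoted in the comment above. It assumes Microsoft's documented kill-bit mechanism (a `Compatibility Flags` DWORD with bit 0x400 under the `ActiveX Compatibility` key, which the bulletin does not spell out), reads `W2KLpk` as a value name under the `International` key, and uses hypothetical helper names (`Get-CompatFlags`, `Set-KillBit`, `Test-KillBit`).

```powershell
# Added example (not from the eEye bulletin). Run elevated: HKLM writes need admin rights.
$KillBit = 0x400   # "Compatibility Flags" bit that stops IE from instantiating a control

# CLSIDs quoted in the bulletin's CVE-2007-2222 mitigation
$Clsids = '{4E3D9D1F-0C63-11D1-8BFB-0060081841DE}',
          '{EEE78591-FE22-11D0-8BEF-0060081841DE}'

# Native hive, plus the 32-bit view read by 32-bit IE on 64-bit Windows (if present)
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path (Split-Path $_ -Parent) }

function Get-CompatFlags([string]$Key) {
    # Returns 0 when the key or the value is missing
    $p = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($p) { [int]$p.'Compatibility Flags' } else { 0 }
}

function Set-KillBit([string]$Key) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # OR the bit in so that flags already set on the control are preserved
    $flags = (Get-CompatFlags $Key) -bor $KillBit
    Set-ItemProperty -Path $Key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

function Test-KillBit([string]$Key) {
    ((Get-CompatFlags $Key) -band $KillBit) -ne 0
}

foreach ($root in $Roots) {
    foreach ($clsid in $Clsids) {
        $key = Join-Path $root $clsid
        Set-KillBit $key
        '{0} kill bit set: {1}' -f $key, (Test-KillBit $key)
    }
}

# CVE-2007-3027 workaround: a per-user (HKCU) value, so it must run in each user's context
$intl = 'HKCU:\Software\Microsoft\Internet Explorer\International'
if (-not (Test-Path $intl)) { New-Item -Path $intl -Force | Out-Null }
Set-ItemProperty -Path $intl -Name 'W2KLpk' -Value 0 -Type DWord
'W2KLpk = {0}' -f (Get-ItemProperty -Path $intl -Name 'W2KLpk').W2KLpk
```

Because the second setting lives under HKEY_CURRENT_USER, an elevated run only covers the account that runs it; a logon script or per-user policy is needed to reach every profile on the host.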

  2. 14 June 2007
    jcbarreto

    Hi,

    It would be interesting (to liven up this vulnerabilities business a little in the eyes of less experienced people) to add an IMAGE of Google in the browser with the free LinkScanner plugin (as you know, from the company Exploit Prevention Labs), highlighting the red box with some specific exploit (even if it is from last year, but in active use).

    For example, if right now (14 June, 14:50) you google “top wallpapers”, you will get as the FIRST result a website with an exploit (MDAC ActiveX, CVE-2006-0003, which is fixed by last year's Microsoft patch MS06-014).

    Whoever clicks on that site is [almost] sure to get a little present.

    “I think” that way it would be clearer what patching the OS is for.

    By the way, thanks for letting us know about LinkScanner ;-)
