Richard Chen 陳政鋒 (Net+, Sec+, MCSE2003+Security, CISSP)
Senior Technical Support Engineer, Microsoft Taiwan Technical Support
May Security Bulletins, May 10, 2007
What Will We Cover?
• Security Bulletins
  – 7 New Critical updates
• Non-Security Releases
  – 4 Non-security updates
• Detection and Deployment
• Other Information
  – Windows Malicious Software Removal Tool
  – Lifecycle Information
• References
Questions and Answers
• Submit text questions using the “Ask a Question” button
Hot issue updates
• Svchost.exe high CPU (99%) when doing update scan
• Resolution: Try to install Windows Update Agent v3
  – http://download.windowsupdate.com/v7/windowsupdate/redist/standalone/WindowsUpdateAgent30-x86.exe
  – http://download.windowsupdate.com/v7/windowsupdate/redist/standalone/WindowsUpdateAgent30-x64.exe
  – http://download.windowsupdate.com/v7/windowsupdate/redist/standalone/WindowsUpdateAgent30-ia64.exe
• Further information can be found at http://blogs.technet.com/wsus/archive/2007/04/28/update-on.aspx
May 2007 Security Bulletins Overview

| Bulletin Number | Title | Maximum Severity Rating | Products Affected |
|---|---|---|---|
| MS07-023 | Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233) | Critical | All currently supported versions of Microsoft Excel |
| MS07-024 | Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232) | Critical | Microsoft Word 2000, 2002, 2003 |
| MS07-025 | Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873) | Critical | All currently supported versions of Microsoft Office |
| MS07-026 | Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (931832) | Critical | All current versions of Microsoft Exchange |
| MS07-027 | Cumulative Security Update for Internet Explorer (931768) | Critical | All current versions of Internet Explorer on all currently supported versions of Microsoft Windows |
| MS07-028 | Vulnerability in CAPICOM Could Allow Remote Code Execution (931906) | Critical | CAPICOM, BizTalk Server |
| MS07-029 | Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution (935966) | Critical | Windows 2000 (server), Windows Server 2003 |
May 2007 Security Bulletins Severity Summary

| Bulletin Number | Microsoft Excel 2000 | Microsoft Excel 2002 | Microsoft Excel 2003 | Excel 2007 |
|---|---|---|---|---|
| MS07-023 | Critical | Important | Important | Important |

| Bulletin Number | Microsoft Word 2000 | Microsoft Word 2002 | Microsoft Word 2003 | Microsoft Word 2007 | Microsoft Word 2004 for Mac |
|---|---|---|---|---|---|
| MS07-024 | Critical | Important | Important | Not Affected | Important |

| Bulletin Number | Microsoft Office 2000 | Microsoft Office XP | Microsoft Office 2003 | Microsoft Office 2007 | Microsoft Office 2004 for Mac |
|---|---|---|---|---|---|
| MS07-025 | Critical | Important | Important | Important | Important |
May 2007 Security Bulletins Severity Summary (2)

| Bulletin Number | IE 5.01 SP4 | IE 6 SP1 | Internet Explorer 6 & 7 for Windows Server 2003 SP1 & SP2 | IE 6.0 for XP SP2 | IE 7.0 for XP SP2 | IE 7.0 for Vista |
|---|---|---|---|---|---|---|
| MS07-027 | Critical | Critical | Moderate | Critical | Critical | Critical |

| Bulletin Number | Microsoft Exchange 2000 Server | Microsoft Exchange Server 2003 SP1 & SP2 | Microsoft Exchange Server 2007 |
|---|---|---|---|
| MS07-026 | Critical | Critical | Critical |

| Bulletin Number | CAPICOM | BizTalk Server 2004 |
|---|---|---|
| MS07-028 | Critical | Critical |

| Bulletin Number | Windows 2000 SP4 | Windows Server 2003 SP1 & SP2 |
|---|---|---|
| MS07-029 | Critical | Critical |
MS07-023 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233) – Critical
Vulnerabilities: Three code execution vulnerabilities due to Excel’s handling of malformed data elements
Possible Attack Vectors:
• Attacker crafts specially formed Excel document
• Attacker places Excel document on web page or includes in e-mail as attachment
• Attacker convinces user to visit Web site or view e-mail and open attachment
Impact of Attack: Run code in context of logged on user
Mitigating Factors:
• Limits on the user’s account limit the attacker’s code
• Excel 2002, Excel 2003 and Excel 2007: cannot be exploited automatically through e-mail. User must open an attachment that is sent in e-mail.
• Excel 2002, Excel 2003 and Excel 2007: cannot be exploited automatically through Web page. User must click through trust decision dialog box.
  – Dialog box does not occur in Office 2000.
  – Dialog box can be added to Office 2000 by installing Office Document Open Confirmation Tool
• User must navigate to attacker’s site manually or through links in e-mail or IM. Access to sites cannot be automated.
• Excel 2007: issue affects handling of older Excel file format. File blocking can help protect
  – http://technet2.microsoft.com/Office/en-us/library/fe3f431c-8d7a-45c8-954f-1268f3b533161033.mspx?mfr=true
MS07-023 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233) – Critical
Replaced Updates: MS07-002
Publicly Disclosed/Known Exploits:
• PD: No
• KE: No
More Information:
KB: http://www.microsoft.com/taiwan/technet/security/bulletin/ms07-024.mspx
MS07-024 – Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232) – Critical
Vulnerabilities: Three code execution vulnerabilities due to Word’s handling of malformed data elements
Possible Attack Vectors:
• Attacker crafts specially formed Word document
• Attacker places Word document on web page or includes in e-mail as attachment
• Attacker convinces user to visit Web site or view e-mail and open attachment
Impact of Attack: Run code in context of logged on user
Mitigating Factors:
• Limits on the user’s account limit the attacker’s code
• Word 2002 or Word 2003: cannot be exploited automatically through e-mail. User must open an attachment that is sent in e-mail.
• Word 2002 or Word 2003: cannot be exploited automatically through Web page. User must click through trust decision dialog box.
  – Dialog box does not occur in Office 2000.
  – Dialog box can be added to Office 2000 by installing Office Document Open Confirmation Tool
• User must navigate to attacker’s site manually or through links in e-mail or IM. Access to sites cannot be automated.
MS07-024 – Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232) – Critical
Replaced Updates: MS07-014
Publicly Disclosed/Known Exploits:
• CVE-2007-0870 is publicly disclosed and there are known exploits reported.
• Others are not.
More Information:
• Addresses issue discussed in Microsoft Security Advisory 933052
  – http://www.microsoft.com/taiwan/technet/security/advisory/933052.mspx
KB: http://www.microsoft.com/taiwan/technet/security/bulletin/ms07-024.mspx
MS07-025 – Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873) – Critical
Vulnerability: One code execution vulnerability exists in the way Microsoft Office handles a specially crafted drawing object
Possible Attack Vectors:
• Attacker crafts specially formed Office document
• Attacker places Office document on web page or includes in e-mail as attachment
• Attacker convinces user to visit Web site or view e-mail and open attachment
Impact of Attack: Run code in context of logged on user
Mitigating Factors:
• Limits on the user’s account limit the attacker’s code
• Office XP or Office 2003: cannot be exploited automatically through e-mail. User must open an attachment that is sent in e-mail.
• Office XP or Office 2003: cannot be exploited automatically through Web page. User must click through trust decision dialog box.
  – Dialog box does not occur in Office 2000.
  – Dialog box can be added to Office 2000 by installing Office Document Open Confirmation Tool
• User must navigate to attacker’s site manually or through links in e-mail or IM. Access to sites cannot be automated
MS07-025 – Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873) – Critical
Replaced Updates: MS07-015
Publicly Disclosed/Known Exploits:
• PD: No
• KE: No
More Information:
http://www.microsoft.com/taiwan/technet/security/bulletin/ms04-025.mspx
MS07-026 – Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (931832) – Critical
Vulnerabilities: One remote code execution, one information disclosure and two denial of service vulnerabilities
Possible Attack Vectors:
• Attacker creates e-mail with specially formed e-mail message
• Attacker sends e-mail to Exchange Server
Impact of Attack: Run code in context of LocalSystem
Mitigating Factors: None
Replaced Updates: MS06-019, MS06-029
Publicly Disclosed/Known Exploits:
• PD: No
• KE: No
More Information:
KB: http://www.microsoft.com/taiwan/technet/security/bulletin/ms07-026.mspx
MS07-027 – Cumulative Security Update for Internet Explorer (931768) – Critical
Vulnerabilities: Five code execution vulnerabilities
Possible Attack Vectors:
• Attacker creates specially formed Web page
• Attacker posts page on Web site or sends page as HTML e-mail
• Attacker convinces user to visit Web site or view e-mail
Impact of Attack: Run code in context of logged on user
Mitigating Factors:
• Limits on the user’s account limit the attacker’s code
• Vulnerability cannot be exploited automatically through browsing. User must navigate to attacker’s site manually or through links in e-mail or IM.
• All supported versions of Outlook and Outlook Express open HTML e-mail messages in the Restricted sites zone, which helps reduce attacks by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail.
• Internet Explorer on Windows Server 2003 in Enhanced Security Configuration mitigates the browsing and e-mail vectors on select vulnerabilities.
MS07-027 – Cumulative Security Update for Internet Explorer (931768) – Critical
Replaced Updates: MS07-016
Publicly Disclosed/Known Exploits:
• PD: CVE-2007-0942 COM Object Instantiation Memory Corruption Vulnerability, others are not.
• KE: No
More Information:
• Sets killbit for the ActiveX control LaunchApp Software available from Acer Incorporated
  – See http://global.acer.com/support/patch20070101.htm for more information
• Sets killbit for an ActiveX control developed by Research In Motion (RIM)
  – See http://na.blackberry.com/eng/ataglance/security/news.jsp for more information
KB: http://www.microsoft.com/taiwan/technet/security/bulletin/ms07-027.mspx
MS07-028 – Vulnerability in CAPICOM Could Allow Remote Code Execution (931906) – Critical
Vulnerability: A code execution vulnerability in Cryptographic API Component Object Model (CAPICOM) due to input handling in the ActiveX control
Possible Attack Vectors:
• Attacker creates specially formed Web page
• Attacker posts page on Web site or sends page as HTML e-mail
• Attacker convinces user to visit Web site or view e-mail
Impact of Attack: Run code in context of logged on user
Mitigating Factors:
• Limits on the user’s account limit the attacker’s code
• Vulnerability cannot be exploited automatically through browsing. User must navigate to attacker’s site manually or through links in e-mail or IM.
• All supported versions of Outlook and Outlook Express open HTML e-mail messages in the Restricted sites zone, which helps reduce attacks by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail.
• Internet Explorer on Windows Server 2003 in Enhanced Security Configuration mitigates the browsing and e-mail vectors on select vulnerabilities.
• ActiveX control is not on IE 7 ActiveX opt-in list: user must explicitly approve first-time running of control
MS07-028 – Vulnerability in CAPICOM Could Allow Remote Code Execution (931906) – Critical
Replaced Updates: None
Publicly Disclosed/Known Exploits:
• PD: No
• KE: No
More Information:
• What is CAPICOM?
  – http://msdn2.microsoft.com/en-us/library/ms995332.aspx
KB: http://www.microsoft.com/taiwan/technet/security/bulletin/ms07-027.mspx
MS07-029 Situation Overview
• First obtained partial information of limited attacks on April 6, 2007
• Investigation yielded information about new vulnerability on April 11, 2007
• Workarounds identified and Security Advisory 935964 released on April 12, 2007
• Information released to Microsoft Security Alliance (MSRA) partners to help provide broader protections
• Ongoing monitoring indicated attacks remained limited
MS07-029 – Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution (935966) – Critical
Vulnerability: Code execution vulnerability in RPC management of DNS Server service
Possible Attack Vectors:
• Attacker creates specially formed network packet
• Attacker sends packet to vulnerable system
Impact of Attack: Run code in LocalSystem context
Workarounds:
• Block TCP/UDP 139/445 and all ports above 1024
• Add RpcProtocol key =1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Replaced Updates: None
Publicly Disclosed/Known Exploits:
• PD: Yes
• KE: Yes
More Information:
• Addresses issue discussed in Microsoft Security Advisory 935964
  – http://www.microsoft.com/taiwan/technet/security/advisory/935964.mspx
• Security update will not undo any workarounds put in place: must be rolled back manually
KB: http://www.microsoft.com/taiwan/technet/security/bulletin/ms07-029.mspx
Detection and Deployment

| Bulletin | WU/SUS/AU | Office Update & SMS Microsoft Office Inventory Tool for Updates | MBSA 1.2 & SMS Security Update Inventory Tool | Enterprise Scan Tool & SMS Security Update Scan Tools | MU/WSUS/AU, SMS 2003 ITMU, & MBSA 2.0 |
|---|---|---|---|---|---|
| MS07-023 | NA | Yes (except 2007) | Yes (local except 2007) | No | Yes (except 2000) |
| MS07-024 | NA | Yes | Yes (local) | No | Yes (except 2000) |
| MS07-025 | NA | Yes (except 2007) | Yes (local except 2007) | No | Yes (except 2000) |
| MS07-026 | NA | NA | Yes (except 2007) | No | Yes |
| MS07-027 | Yes | NA | Yes (except Vista) | No | Yes |
| MS07-028 | Yes | NA | No | Yes | Yes |
| MS07-029 | Yes | NA | Yes | No | Yes |
Detection and Deployment Support in Windows Vista
• Supported
  – Windows Update
  – Microsoft Update
  – MBSA 2.1 (beta, remote only)
  – MBSA 2.0.1 (remote only)
  – WSUS
  – SMS 2003 with ITMU V3
• Not Supported
  – Software Update Services
  – MBSA 1.2.1
  – SMS Security Update Inventory Tool
  – SMS 2003 with ITMU earlier than V3
Other Update Information

| Bulletin | Restart | Hotpatching | Uninstall | Replaces |
|---|---|---|---|---|
| MS07-023 | No | NA | Yes (Except 2000) | MS07-002 |
| MS07-024 | No | NA | Yes (Except 2000) | MS07-014 |
| MS07-025 | No | NA | Yes (Except 2000) | MS07-015 |
| MS07-026 | No | NA | Yes | MS06-019, MS06-029 |
| MS07-027 | Yes | NA | Yes | MS07-016 |
| MS07-028 | No | NA | Yes | NA |
| MS07-029 | Yes | No | Yes | NA |
May 2007 Non-Security Updates

| Number | Title | Distribution |
|---|---|---|
| 930916 | Update for Windows XP (KB930916) | WU, MU |
| 934708 | Update for Outlook 2003 Junk Email Filter (KB934708) | MU |
| 934655 | Update for Outlook 2007 Junk Email Filter (KB934655) | MU |
| 933669 | Update for PowerPoint 2003 (KB933669) | MU |
| 934173 | Update for Word 2007 (KB934173) | MU |
Windows Malicious Software Removal Tool
• Adds the ability to remove:
  – Win32/Renos
• Available as priority update through Windows Update or Microsoft Update for Windows XP users
  – Offered through WSUS; not offered through SUS 1.0
• Also available as a download at www.microsoft.com/malwareremove
Lifecycle Support Information
• April 2007
– Windows Server 2003 RTM (SP0)
• July 10, 2007
– Software Update Services 1.0
– SQL Server 2000 Service Pack 3a
– SQL Server 2005 RTM (SP0)
Resources
• Security Bulletins Summary: http://www.microsoft.com/taiwan/technet/security/bulletin/ms07-may.mspx
• Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
• Security Advisories: www.microsoft.com/taiwan/technet/security/advisory/
• MSRC Blog: http://blogs.technet.com/msrc
• Notifications: www.microsoft.com/technet/security/bulletin/notify.mspx
• TechNet Radio: www.microsoft.com/tnradio
• IT Pro Security Newsletter: www.microsoft.com/technet/security/secnews/
• TechNet Security Center: www.microsoft.com/taiwan/technet/security
• TechNet Forum ITPro: http://forums.microsoft.com/technet-cht/default.aspx?siteid=23
• Detection and deployment guidance for the May 2007 security release: http://support.microsoft.com/kb/936981/en-us
Questions and Answers
• Submit text questions using the “Ask a Question” button
• Don’t forget to fill out the survey
• For upcoming and previously recorded webcasts:
http://www.microsoft.com/taiwan/technet/webcast/default.aspx
• Webcast content suggestions:
http://www.microsoft.com/taiwan/technet/forum