Bulletin Release Briefing July OOB 2009 2 New Security Bulletins and Advisories 1 New Security Advisory 1 New Critical Bulletin 1 New Moderate Bulletin Other Security Resources Detection and Deployment ID: 383357
Download Presentation The PPT/PDF document "Microsoft Technical Security" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Microsoft Technical Security
Bulletin Release Briefing
July OOB 2009Slide2
2
New Security Bulletins and Advisories1 New Security Advisory1 New Critical Bulletin1 New Moderate BulletinOther Security Resources
Detection and Deployment
Links
Contact Information
What We Will Cover
July 2009
(Out-of-Band) AgendaSlide3
Bulletin
ID
KB Article
Severity Rating
Product
Affected Software
MS09-034972260CriticalInternet ExplorerInternet Explorer on Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008MS09-035969706ModerateVisual StudioMicrosoft Visual Studio .NET 2003, Microsoft Visual Studio 2005, Microsoft Visual Studio 2008, Microsoft Visual C++ 2005, Microsoft Visual C++ 2008
July
(OOB) Security
Bulletins
Updates at a GlanceSlide4
Title & KB Article:
Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution
Affected Software:
All controls and components created using vulnerable Active Template Library
Purpose of Advisory:
This advisory provides customers with Workarounds, Mitigating Factors, and Suggested Actions for the publicly disclosed vulnerabilities that are discussed Security Bulletins MS09-032, MS09-034, and MS09-035
ATL Information:The Active Template Library (ATL) is a set of template-based C++ classes that lets you create small, fast Component Object Model (COM) objects. ATL has special support for key COM features, including stock implementations, dual interfaces, standard COM enumerator interfaces, connection points, tear-off interfaces, and ActiveX controls. ATL Vulnerability:The issue is caused in some cases by the way ATL is used, and in other cases by the ATL code itself. In these cases, data streams may be handled incorrectly, which can lead to memory corruption, information disclosure, and instantiation of objects without regard to security policy. Security Advisory (973882) | General InformationSlide5
Title & KB Article:
Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706)
Affected Software:
Visual Studio .NET 2003 SP1
Visual Studio 2005 SP1 and Visual Studio 2005 SP1 64-bit Hosted Visual C++ Tools
Visual Studio 2008 and Visual Studio 2008 SP1
Visual C++ 2005 SP1 Redistributable PackageVisual C++ 2008 and Visual C++ 2008 SP1 Redistributable PackageReplaced Updates:NoneVulnerabilities: CVE-2009-0901 | ATL Uninitialized Object Vulnerability CVE-2009-2493 | ATL COM Initialization Vulnerability CVE-2009-2495 | ATL Null String VulnerabilityPublicly Disclosed / and/or Exploited:These vulnerabilities have not been publicly disclosed prior to releaseThese vulnerabilities have not been exploited in the wild at releaseExploitability Index:
__
1 - Consistent exploit code likely
|
__
2 - Inconsistent exploit code likely
| __ 3 - Functioning exploit code unlikely
MS09-035: Visual Studio
|
Moderate
General InformationSlide6
Vulnerability Summary:
A remote code execution vulnerability exists in the Microsoft Active Template Library (ATL) due to an issue in the ATL headers that could allow an attacker to force
VariantClear
to be called on a VARIANT that has not been correctly initialized. Because of this, the attacker can control what happens when
VariantClear
is called during handling of an error by supplying a corrupt stream. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL. This issue could allow a remote, unauthenticated user to perform remote code execution on an affected system.
Attack Vectors:Maliciously Crafted Web PageMitigations:By default, Visual Studio as a product is not vulnerable to this issue. Instead, components and controls built with the vulnerable versions of ATL may be vulnerableMitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory (973882)Workaround:Mitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory (973882)MS09-035: Visual Studio | Moderate Vulnerability Details: CVE-2009-0901Slide7
Vulnerability Summary:
A remote code execution vulnerability exists in the Microsoft Active Template Library (ATL) due to issues in the ATL headers that handle instantiation of an object from data streams. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL. For components and controls built using ATL, unsafe usage of
OleLoadFromStream
could allow the instantiation of arbitrary objects which can bypass related security policy, such as kill bits within Internet Explorer.
Attack Vectors:
Maliciously Crafted Web Page
Mitigations:By default, Visual Studio as a product is not vulnerable to this issue. Instead, components and controls built with the vulnerable versions of ATL may be vulnerableMitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory (973882)Workaround:Mitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory (973882)MS09-035: Visual Studio | Moderate Vulnerability Details: CVE-2009-2493Slide8
Vulnerability Summary:
An information disclosure vulnerability exists in the Microsoft Active Template Library (ATL) that could allow a string to be read without a terminating NULL character. An attacker could manipulate this string to read extra data beyond the end of the string and thus disclose information in memory.
Attack Vectors:
Maliciously Crafted Web Page
Mitigations:
By default, Visual Studio as a product is not vulnerable to this issue. Instead, components and controls built with the vulnerable versions of ATL may be vulnerable
Mitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory (973882)Workaround:Mitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory (973882)MS09-035: Visual Studio | Moderate Vulnerability Details: CVE-2009-2495Slide9
MS09-035: Visual Studio
| Moderate Detection and Deployment Tools and Guidance
Affected Platform
Windows Update
Microsoft Update
MBSA 2.1
WSUS 3.0SMS SUSFPSMS ITMUSCCM 2007Visual Studio .NET 2003No No No No
Yes
No
No
Visual Studio 2005
No
Yes
Yes
Yes
No
Yes
Yes
Visual Studio 2005 64-bit Hosted Visual C++ Tools
No
Yes
Yes
Yes
No
Yes
Yes
Visual Studio 2008
No
Yes
Yes
Yes
No
Yes
Yes
Visual C++ 2005
Redistributable
Package
No
Yes
Yes
Yes
No
Yes
Yes
Visual C++ 2008
Redistributable
Package
No
Yes
Yes
Yes
No
Yes
YesSlide10
Restart Requirement
:
You MUST restart your system after you apply this security update
Installation and Removal:
Use Add / Remove Programs tool in Control Panel
More Information:
For more Information, please review these links:Microsoft Security Bulletin MS09-035http://www.microsoft.com/technet/security/Bulletin/MS09-035.mspx Microsoft Knowledge Base Article (969706)http://support.microsoft.com/kb/969706MS09-035: Visual Studio | Moderate Update InformationSlide11
Questions about
MS09-035? Slide12
Title & KB Article:
Cumulative Security Update for Internet Explorer (972260)
Affected Software:
IE 5.01 and IE 6 SP1 on Windows 2000 (All Supported Versions)
IE 6.0, IE 7, and IE 8 on Windows XP (All Supported Versions)
IE 6.0, IE 7, and IE 8 on Windows Server 2003 (All Supported Versions)
IE 7 and IE 8 on Windows Vista (All Supported Versions)IE 7 and IE 8 on Windows Server 2008 (All Supported Versions)Replaced Updates:MS09-019Vulnerabilities: CVE-2009-1917 | Memory Corruption Vulnerability CVE-2009-1918 | HTML Objects Memory Corruption Vulnerability CVE-2009-1919 | Uninitialized Memory Corruption VulnerabilityPublicly Disclosed / and/or Exploited:These vulnerabilities have not been publicly disclosed prior to releaseThese vulnerabilities have not been exploited in the wild at release
MS09-034: Internet Explorer
|
Critical
General Information
Exploitability Index:
__
1 - Consistent exploit code likely
|
__
2 - Inconsistent exploit code likely
|
__
3 - Functioning exploit code
unlikely Slide13
Summary:
As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls that have been developed with vulnerable versions of ATL.
Defense-in-Depth Details
:
The first defense-in-depth measure is enabled by default and modifies how ATL-based ActiveX controls read persisted data. The first mitigation is a change to modify how ATL-based controls read persisted data by detecting specific call patterns that are problematic.
The second defense-in-depth measure is related to the first, but provides stronger protections and increases application compatibility risk. This defense-in-depth measure is disabled by default and offers the ability to regulate usage of
IPersistStream* and IPersistStorage* interface implementations within individual controls. FEATURE_RESTRICT_OBJECT_DATA_ATTRIBUTEAdditional Defense in Depth Mitigations and Workaround :By default, the majority of ActiveX controls are not included in the default allow-list for ActiveX controls in IE 7 or IE 8IE 8 offers enhanced protections by enabling DEP/NX memory protections by default for users on Windows XP SP3, Windows Vista SP1 and SP2, and Windows 7IE 7 and IE 8 on Windows Vista and later operating systems run in Protected Mode by default in the Internet security zoneMS09-034: Internet Explorer | Critical Defense in Depth ChangesSlide14
Vulnerability Summary:
3 remote code execution vulnerabilities exist in the way Internet Explorer handles a memory object, handles table operations in specific situations, and accesses an object that has been deleted, which could allow an attacker to take complete control of an affected system if a user views a specially crafted Web page
Attack Vectors:
Maliciously Crafted Web Page
Mitigations:
Users would have to be persuaded to visit a malicious web site
Exploitation only gains the same user rights as the logged on accountBy default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted Sites zoneBy default, IE on Windows 2003 and Windows 2008 runs in a restricted modeIE 5.01 SP4 on Windows 2000 is not affected by CVE-2009-1917Workaround:Set Internet and local Intranet settings to High to prompt before running ActiveX and Active Scripting in these zonesConfigure IE to prompt before running ActiveX and Active ScriptingMS09-034: Internet Explorer | Critical Vulnerability Details: CVE-2009-1917, CVE-2009-1918, and CVE-2009-1919Slide15
SMS SUSFP does not support Internet Explorer 7, Internet Explorer 8, Exchange Server 2007, Windows Media Player 11, Works 8.5 and 9.0, Office System 2007, OneNote 2007, Windows Vista, Windows Server 2008, or any Windows x64 or Windows ia64 systems
Affected Platform
Windows Update
Microsoft Update
MBSA 2.1
WSUS 3.0
SMS SUSFPSMS ITMUSCCM 2007Windows 2000YesYesYesYesYesYes
Yes
Windows XP
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Windows XP x64
Yes
Yes
Yes
Yes
No
*
Yes
Yes
Windows 2003
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Windows 2003
x64YesYesYesYesNo * YesYesWindows 2003 ia64YesYesYesYesNo * YesYesWindows VistaYesYesYesYesNo * YesYesWindows Vista x64YesYesYesYesNo * YesYesWindows 2008YesYesYesYesNo * YesYesWindows 2008 x64YesYesYesYesNo * YesYesWindows 2008 ia64YesYesYesYesNo * YesYes
MS09-034: Internet Explorer
|
Critical
Detection
and Deployment Tools and
Guidance Slide16
Restart Requirement
:
You must restart your system after you apply this security update
Installation and Removal:
Use Add / Remove Programs tool in Control Panel
Scriptable installation and removal supported
(except Windows Vista and Windows Server 2008)More Information:For more Information, please review these links:Microsoft Security Bulletin MS09-034 http://www.microsoft.com/technet/security/Bulletin/MS09-034.mspx Microsoft Knowledge Base Article (972260)http://support.microsoft.com/kb/972260MS09-034: Internet Explorer | Critical Update InformationSlide17
Questions about
MS09-034? Slide18
Bulletin ID
Windows Update
Microsoft Update
MBSA 2.1
WSUS 3.0
SMS SUSFP
SMS ITMUSCCM 2007MS09-034YesYesYesYesYes 1
Yes
Yes
MS09-035
No
Yes
Yes
Yes
No
1
Yes
Yes
Detection and Deployment
Manageability Tools Reference
SMS SUSFP does not support Internet Explorer 7, Internet Explorer 8, Office System 2007, Works 8.5 & 9.0, ISA
2006, DirectX,
Virtual PC and Virtual Server, Windows Vista, Windows Server 2008, or any Windows x64 or Windows ia64 systems
Windows Update only supports native Windows Security Update packages Slide19
July 2009 Out-of-Band ATL
LinksPublic Security Links and Resources
ATL Issue Landing Page |
http://www.microsoft.com/atl
Security Bulletin
MS09-034 | http://www.microsoft.com/technet/security/Bulletin/MS09-034.mspxKnowledge Base Article (972260) | http://support.microsoft.com/kb/972260 Security Bulletin MS09-035 | http://www.microsoft.com/technet/security/Bulletin/MS09-035.mspxKnowledge Base Article (969706) | http://support.microsoft.com/kb/969706 Security Advisory 973882 | http://www.microsoft.com/technet/security/advisory/973882.mspx Knowledge Base Article (973882) | http://support.microsoft.com/kb/973882 MSDN ATL Guidance | http://msdn.microsoft.com/en-us/library/3ax346b7(VS.71).aspx ICASI / Verizon Business ATL Scan Tool | http://www.icasi.org/ The Microsoft Security Response Center (MSRC) Blog | http://blogs.technet.com/msrc Security Research & Defense Blog | http://blogs.technet.com/srd The Security Development Lifecycle Blog | http://blogs.technet.com/sdl Slide20
Bulletins Links:
Security Bulletins Search http://www.microsoft.com/technet/security/current.aspx Security Advisories
http://www.microsoft.com/technet/security/advisory
Microsoft Security Bulletin Summary for July 2009
http://www.microsoft.com/technet/security/bulletin/ms09-jul.mspx Supplemental updated monthly reference articles: KB961747 Detection and deployment guidance for Microsoft Security Updates http://support.microsoft.com/kb/961747 KB894199 Description of Software Update Services and Windows Server Update Services changes in content for 2009 http://support.microsoft.com/kb/894199 New, Revised, and Rereleased Updates for Microsoft Products other than Microsoft Windows http://technet.microsoft.com/en-us/wsus/bb466214.aspx KB890830 The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000 http://support.microsoft.com/kb/890830 Useful LinksPublic Security Links and Resources Blogs: MSRC Blog http://blogs.technet.com/msrc SRD Team Blog http://blogs.technet.com/srd MSRC Ecosystem Strategy Team http://blogs.technet.com/ecostrat MMPC Team Blog http://blogs.technet.com/mmpc