Microsoft plugs ActiveX security holes

Featured eBooks
Whole-of-State Cybersecurity
The State of Trust in Government
Cybersecurity in State and Local Government
By Jabulani Leffall
 

Connecting state and local government leaders

By Jabulani Leffall

|

There were no surprises with Microsoft's six-patch release on July 14, but there is plenty of work to be done, according to security pros.

There were no surprises with Microsoft's six-patch release on July 14, but there is plenty of work to be done, according to security pros.

With three "critical" and three "important" items in the July patch, Microsoft is addressing some longstanding issues as well as some rare security holes. As usual, items with remote code execution (RCE) implications dominate the slate, with four bulletins devoted to this exploit. The remaining bulletins are notable for attempting to keep elevation-of-privilege attacks at bay.

Microsoft also has been rather vocal about fixing various DirectX security bugs leading up to this patch.

"Microsoft's July Security Bulletin does not have any surprises due to the intense pre-release activity around the three zero-day advisories that came out in the last six weeks," said Wolfgang Kandek, chief technology officer of Qualys. "Microsoft had already announced that they would address two advisories with patches MS09-028 and MS09-032 for DirectShow and Microsoft Video, respectively."

Critical Items

Microsoft's Embedded OpenType font engine, which facilitates the formation and structure of text fonts used on Web pages, is first on the roster of critical items in the patch. The fix addresses two privately disclosed holes and is designed to stave off RCE exploits for all supported versions of Windows operating systems.

The second critical item resolves one publicly reported hole and two privately reported weaknesses in Microsoft DirectShow. At the heart of the matter is the DirectX multimedia control solution. The patch will affect DirectX versions 7.0, 8.1 and 9.0 running on systems using Windows XP, Windows 2000 and Windows Server 2003.

In May, Microsoft began an investigation of a DirectX bug in its DirectShow framework for multimedia files. In June, the company announced it was investigating a potential DirectX bug in Internet Explorer.

The third critical item is what many security experts see as most critical because it suggests what Redmond plans to do to fix its many recurring ActiveX exploit problems.

This fix is a "cumulative security update of ActiveX kill bits," but it only resolves "a privately reported vulnerability" in Microsoft Video ActiveX control. Left unpatched, the vulnerability could allow RCE attacks via a malicious Web page where ActiveX controls are enabled.

Users with accounts configured to have fewer user rights on the system could be affected less by this bug than users with administrative rights.

"Typically, the fear is that you're downloading and installing a malicious ActiveX control from an untrustworthy source," said Eric Voskuil, chief technology officer of access control solution provider BeyondTrust. "But here we're seeing the dangers from vulnerabilities in multiple nonmalicious ActiveX controls from a known trusted source, Microsoft. In both situations, implementing the best practice of least privilege can have significant security benefits."

Kandek added that Monday's zero-day security advisory on ActiveX in Microsoft Office Web Components was nominally addressed through the cumulative patch rollout. However, he cautioned that "until an actual patch comes," IT pros should take a close look at the workaround published in Redmond's knowledgebase article released on Monday.

Yet another security gadfly, Tyler Reguly, doesn't think Redmond went far enough with these ActiveX security bulletins.

"It's interesting to once again see Microsoft issuing a bulletin for an ActiveX control, especially since the fix to this issue isn't to patch but to simply set kill bits," said Reguly who is senior security engineer at nCircle. "This means if the malicious individual can manage to convince you to revert the kill bits, then you're once again vulnerable. This is a really sad day, when a poor mitigation is acceptable as a valid patch. I expect more from Microsoft."

Important Items

The first "important" fix is designed to stop potential elevation-of-privilege attacks in Microsoft Virtual PC 2004 and Microsoft Virtual PC 2007 editions, as well as Microsoft Virtual Server 2005 R2 and Virtual Server 2005 R2 x64.

Redmond is addressing a vulnerability that could allow for code execution on an infected "guest operating system." Having floating operating systems and guest sessions are key aspects of running virtual machines.

The second important fix addresses Microsoft Internet Security and Acceleration Server 2006. ISA servers provide an application-layer firewall and protect Web servers. The patch is said to help thwart a scenario where "an attacker successfully impersonates an administrative user account" for an ISA server configured specifically for Radius One Time password parameters.

Such a highly technical attack may make this vulnerability less of a risk, security experts say.

"These [ISA Server 2006 and Virtual PC patches] are some you don't see very often," said Eric Schultze, chief technology officer at Shavlik Technologies.

The last important item deals with 2007 Microsoft Office System Service Pack 1 in general, and Microsoft Office Publisher 2007 Service Pack 1 in particular. It is the rollout's fourth RCE exploit fix and is made to protect against an exploit trigger that happens when a user opens a malicious Publisher file.

All six items may require a restart.

Microsoft also provides a July knowledgebase article that describes nonsecurity changes for Vista and Windows Server 2008 as delivered via Windows Update, Microsoft Update and Windows Server Update Services.


NEXT STORY: Guidance being updated for integrating data security into budgeting process

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.