一月份資訊安全公告 Jan 15, 2007 Richard Chen 陳政鋒 (Net+, Sec+, MCSE2003+Security, CISSP) 資深技術支援工程師 台灣微軟技術支援處

Questions and Answers Submit text questions using the “Ask a Question” buttonSubmit text questions using the “Ask a Question” button

What We Will Cover Other security resourcesOther security resources –Prepare for new WSUSSCAN.CAB architecture –Lifecycle Information –Windows Malicious Software Removal Tool ResourcesResources Questions and answersQuestions and answers

Recap Dec. security updates MS06-072MS Cumulative Security Update for Internet Explorer –MS and all previous Cumulative Security Updates for Internet Explorer. MS06-073MS Vulnerability Visual Studio 2005 Could Allow Remote Code Execution –This update resolves a public vulnerability for WMI Object Broker. MS06-070MS Vulnerability in Windows Media Format Could Allow Remote Code Execution

Jan Security Bulletins Summary On Jan 10:On Jan 10: –4 New Security Bulletins 1 Windows (critical)1 Windows (critical) 3 Office components3 Office components –2 High-priority non-security updates

Jan Security Bulletins Overview Bulletin Number Title Maximum Severity Rating Products Affected MS Vulnerability in Microsoft Office 2003 Brazilian Portuguese Grammar Checker That Could Allow Remote Code Execution (921585) Important Office 2003, Project 2003, Visio 2003 MS Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (927198) Critical Excel 2000, 2002, 2003, Excel for Mac MS Vulnerabilities in Microsoft Outlook Could Allow Remote Code Execution (925938) Critical Outlook 2000, 2002, 2003 MS Vulnerability in Vector Markup Language Could Allow Remote Code Execution (929969) Critical Windows 2000, XP, 2003

Jan Security Bulletins Severity Summary Bulletin Number Microsoft Office 2003 (Brazilian Version) Microsoft Office MUI 2003 Microsoft Project MUI 2003 and Microsoft Visio MUI 2003 MS ImportantImportantImportant Microsoft Office Excel 2000 Microsoft Office Excel 2002 Microsoft Office Excel 2003 Microsoft Excel Viewer 2003 Microsoft Office Excel 2004, X for Mac MS CriticalImportantImportantImportantImportant Microsoft Outlook 2000 Microsoft Outlook 2002 Microsoft Outlook 2003 MS ModerateImportantImportant Windows 2000 SP4 Windows XP SP2 Windows Server 2003 Windows Server 2003 SP1 Windows Vista MS CriticalCriticalCriticalModerate Not Affected

Title: Vulnerability in Microsoft Office 2003 Brazilian Grammar Checker Vulnerability Could Allow Remote Code Execution (921585) Affected Software: Microsoft Office 2003 Service Pack 2Microsoft Office 2003 Service Pack 2 Microsoft Office Multilingual User Interface 2003Microsoft Office Multilingual User Interface 2003 Microsoft Project Multilingual User Interface 2003Microsoft Project Multilingual User Interface 2003 Microsoft Visio Multilingual User Interface 2003Microsoft Visio Multilingual User Interface 2003 Vulnerabilities: CVE CVE Publicly Disclosed: YesYes Known Exploits: NoNo MS07-001: Office - Important

Issue Summary: An remote code execution vulnerability in the Office 2003 Brazilian Grammar Checker could allow an attacker to take complete control of the affected system. Attack Vectors: Maliciously Crafted Web PageMaliciously Crafted Web Page Maliciously Crafted AttachmentMaliciously Crafted Attachment Mitigations: Users would have to be persuaded to visit a malicious web siteUsers would have to be persuaded to visit a malicious web site Exploitation only gains the same user rights as the local userExploitation only gains the same user rights as the local user User must be convinced to open the attachmentUser must be convinced to open the attachment Workarounds: Do not save or open Office files from un-trusted sources or that are received unexpectedly from trusted sources.Do not save or open Office files from un-trusted sources or that are received unexpectedly from trusted sources. MS07-001: Office-Important

Replaced Updates: NoneNone Installation and Removal Caveats: Office 2003 SP2 must be applied prior to applying this update. (Office 2003 SP1 is no longer a supported platform.)Office 2003 SP2 must be applied prior to applying this update. (Office 2003 SP1 is no longer a supported platform.) Restart Required: NoNo More Information: For more Information, please review the FAQ at: mspxFor more Information, please review the FAQ at: mspx mspx mspx Known Issue None so far.None so far. MS07-001: Office-Important

Title: Vulnerability in Microsoft Excel Could Allow Remote Code Execution (927198) Affected Software: Microsoft Excel 2000, 2002, 2003Microsoft Excel 2000, 2002, 2003 Microsoft Excel Viewer 2003Microsoft Excel Viewer 2003 Microsoft Works Suite 2004, 2005, 2006Microsoft Works Suite 2004, 2005, 2006 Microsoft Office 2004 for MacMicrosoft Office 2004 for Mac Microsoft Office X for MacMicrosoft Office X for Mac Vulnerabilities: CVE CVE CVE CVE CVE CVE CVE CVE CVE CVE Publicly Disclosed: NoNo Known Exploits: NoNo MS07-002: Excel - Critical

Issue Summary: An Remote Code Execution vulnerability in Excel could allow an attacker to take complete control of the affected system. Attack Vectors: Maliciously Crafted Web PageMaliciously Crafted Web Page Maliciously Crafted Maliciously Crafted Specially Crafted Network MessageSpecially Crafted Network Message Mitigations: Users would have to be persuaded to visit a malicious web siteUsers would have to be persuaded to visit a malicious web site Exploitation only gains the same user rights as the local userExploitation only gains the same user rights as the local user The vulnerability cannot be exploited automatically through e- mailThe vulnerability cannot be exploited automatically through e- mail Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document.Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document. Workarounds: Do not open or save Microsoft Excel files that you receive from untrusted sources or that you receive unexpectedly from trusted sources.Do not open or save Microsoft Excel files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. MS07-002: Excel - Critical

Replaced Updates: MS06-059MS Installation and Removal Caveats: Excel 2000 update cannot be uninstalledExcel 2000 update cannot be uninstalled Office 2004 for Mac update cannot be uninstalledOffice 2004 for Mac update cannot be uninstalled Office X for Mac update cannot be uninstalledOffice X for Mac update cannot be uninstalled Restart Required: NoNo More Information: For more Information, please review the FAQ at: mspxFor more Information, please review the FAQ at: mspx mspx mspx Known Issue After you install the Microsoft Excel 2000 version of security update MS07-002, you can no longer open some files you created by using Excel 2000 with the Executable Mode set to Korean, Chinese, or Japanese.After you install the Microsoft Excel 2000 version of security update MS07-002, you can no longer open some files you created by using Excel 2000 with the Executable Mode set to Korean, Chinese, or Japanese. Reference: Excel 2000 does not open some files after you install security update that is documented in security bulletin MS Excel 2000 does not open some files after you install security update that is documented in security bulletin MS MS07-002: Excel - Critical

MS07-003: Outlook – Critical Title & KB Article: Vulnerabilities in Microsoft Outlook Could Allow Remote Code Execution (925938) Affected Software: Outlook 2000 SP3Outlook 2000 SP3 Outlook XP SP3Outlook XP SP3 Outlook 2003 SP2Outlook 2003 SP2 Vulnerabilities: CVE Microsoft Outlook VEVENT VulnerabilityCVE Microsoft Outlook VEVENT Vulnerability CVE Microsoft Outlook Denial of Service VulnerabilityCVE Microsoft Outlook Denial of Service Vulnerability CVE Microsoft Outlook Advanced Find VulnerabilityCVE Microsoft Outlook Advanced Find Vulnerability Publicly Disclosed: CVE and CVE NoCVE and CVE No CVE YesCVE Yes Known Exploits?: No No

MS07-003: Outlook - Critical Issue Summary: CVE Microsoft Outlook VEVENT Vulnerability - Remote code execution vulnerability that an attacker could exploit and gain the same rights as the local user. An attacker could try to exploit the vulnerability by creating a specially crafted.ICS (iCal) file or embed the contents of an iCal calendar request in the body of a specially crafted and send it to a user of Outlook who connects to a POP, IMAP or HTTP server to retrieve their .CVE Microsoft Outlook VEVENT Vulnerability - Remote code execution vulnerability that an attacker could exploit and gain the same rights as the local user. An attacker could try to exploit the vulnerability by creating a specially crafted.ICS (iCal) file or embed the contents of an iCal calendar request in the body of a specially crafted and send it to a user of Outlook who connects to a POP, IMAP or HTTP server to retrieve their . CVE Microsoft Outlook Denial of Service Vulnerability An attacker who exploited this denial of service vulnerability could cause the affected system to stop responding.CVE Microsoft Outlook Denial of Service Vulnerability An attacker who exploited this denial of service vulnerability could cause the affected system to stop responding. CVE Microsoft Outlook Advanced Find Vulnerability A remote code execution vulnerability that an attacker could exploit when Outlook parses a Office Saved Searches (.oss) file.CVE Microsoft Outlook Advanced Find Vulnerability A remote code execution vulnerability that an attacker could exploit when Outlook parses a Office Saved Searches (.oss) file. Attack Vectors: Malicious Malicious Malicious Web PageMalicious Web Page Mitigations: Exploitation only allows the same privileges as the logged on user.Exploitation only allows the same privileges as the logged on user. CVE : MAPI is not a valid attack vector due to Exchange's handling of iCal calendar data in messages or in.ICS attachments.CVE : MAPI is not a valid attack vector due to Exchange's handling of iCal calendar data in messages or in.ICS attachments. CVE : No way to force users to visit a malicious Web site and the vulnerability cannot be exploited automatically through .CVE : No way to force users to visit a malicious Web site and the vulnerability cannot be exploited automatically through . Workarounds: Modify registry and do not open/save Ofc Saved Searches (.oss) filesModify registry and do not open/save Ofc Saved Searches (.oss) files

MS07-003: Outlook - Critical Replaced Updates: MS Outlook 2003 MS Outlook 2003 MS Outlook 2000 and Outlook 2002 MS Outlook 2000 and Outlook 2002 Installation and Removal Caveats: Add/Remove Programs Add/Remove Programs Command line uninstall option Command line uninstall option Scriptable Deployment Scriptable Deployment Restart Requirement: This update may require a restart if the affected files are in use. This update may require a restart if the affected files are in use. More Information: For more Information, please review the FAQ at: mspx mspx Known Issue Outlook users can no longer open or save the search results as an Office Saved Searches (.oss) file. Additionally, you can no longer open an Office Saved Searches (.oss) file by using Outlook.Outlook users can no longer open or save the search results as an Office Saved Searches (.oss) file. Additionally, you can no longer open an Office Saved Searches (.oss) file by using Outlook. The feature was disabled by this patch for security reasons.The feature was disabled by this patch for security reasons. References: KB and KB925542References: KB and KB925542

Title: Vulnerability in Vector Markup Language Could Allow Remote Code Execution (929969) Affected Software: Microsoft Windows 2000 SP4Microsoft Windows 2000 SP4 Microsoft Windows XP SP2Microsoft Windows XP SP2 Microsoft Windows XP Professional x64 EditionMicrosoft Windows XP Professional x64 Edition Microsoft Windows Server 2003 and 2003 SP1Microsoft Windows Server 2003 and 2003 SP1 Microsoft Windows Server 2003 and 2003 SP1 for Itanium-based SystemsMicrosoft Windows Server 2003 and 2003 SP1 for Itanium-based Systems Microsoft Windows Server 2003 x64 EditionMicrosoft Windows Server 2003 x64 Edition Microsoft Windows Vista RC1Microsoft Windows Vista RC1 Vulnerabilities: CVE CVE Publicly Disclosed: This update resolves a public vulnerability as well as additional issues discovered through internal investigationsThis update resolves a public vulnerability as well as additional issues discovered through internal investigations Known Exploits: Yes. When the security bulletin was released, Microsoft had received information that this vulnerability was being exploited.Yes. When the security bulletin was released, Microsoft had received information that this vulnerability was being exploited. MS07-004: VML- Critical

Issue Summary: A remote code execution vulnerability exists in the Vector Markup Language (VML) implementation in Microsoft Windows. It could allow an attacker to take complete control of an affected system. Attack Vectors: Maliciously Crafted Web PageMaliciously Crafted Web Page Maliciously Crafted Maliciously Crafted Mitigations: Users would have to be persuaded to visit a malicious web siteUsers would have to be persuaded to visit a malicious web site Exploitation only gains the same user rights as the local userExploitation only gains the same user rights as the local user Reading in plain text mitigates against attack.Reading in plain text mitigates against attack. By default, IE on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration.By default, IE on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. Outlook Express on XP sp2 and Windows server 2003 SP1 open mail in Restricted Sites zone by default.Outlook Express on XP sp2 and Windows server 2003 SP1 open mail in Restricted Sites zone by default. Workarounds: Un-register VGX.DLLUn-register VGX.DLL Modify the ACL on VGX.DLL to be more restrictiveModify the ACL on VGX.DLL to be more restrictive Configure IE 6 for XP SP2 to disable Binary and Script behaviors in Intranet zone.Configure IE 6 for XP SP2 to disable Binary and Script behaviors in Intranet zone. Read in plain text.Read in plain text. Block VML Vulnerability traffic with ISA ServerBlock VML Vulnerability traffic with ISA Server MS07-004: VML-Critical

Replaced Updates: MS06-055MS Installation and Removal Caveats: Some listed mitigations must be undone before the update is installed.Some listed mitigations must be undone before the update is installed. Remove through Add\Remove programsRemove through Add\Remove programs Restart Required: YesYes More Information: For more Information, please review the FAQ at: mspxFor more Information, please review the FAQ at: mspx mspx mspx Known Issue The update bulletin states that a reboot is always required. However, users are not always prompted to reboot after installation.The update bulletin states that a reboot is always required. However, users are not always prompted to reboot after installation. If vgx.dll is not loaded in process anywhere on the system, then the update will apply and not force a reboot. If you are not prompted to reboot after installation, no reboot is necessary.If vgx.dll is not loaded in process anywhere on the system, then the update will apply and not force a reboot. If you are not prompted to reboot after installation, no reboot is necessary. MS07-004: VML- Critical

Detection and Deployment WU/SUS/ AU Office Update & SMS Microsoft Office Inventory Tool for Updates MBSA 1.2 & SMS Security Update Inventory Tool Enterprise Scan Tool & SMS Security Update Scan Tools MU/WSUS/AU, SMS 2003 ITMU, & MBSA 2.0 MS NAYesLocalNA Yes (except 2000) MS NAYesLocalNA Yes (except 2000) MS NAYesLocalNA Yes (except 2000) MS YesNANoYesYes

Other Update Information BulletinRestartHotpatchingUninstallReplaces On products MS May be required NAYesNA MS NAYesMS06-059All MS NAYesMS06-003All MS RequiredNoYesMS06-055All

January 2007 Non-Security Updates NUMBERTITLEDistribution Update for Outlook Junk Filter 2003 MU Update for Outlook 2003 WU, MU

New WSUSSCAN.CAB architecture New architecture for wsusscan.cab begins since November 2006 Support for existing wsusscan.cab architecture ends on March 2007 SMS ITMU customers: download and deploy updated version of the SMS ITMU – – MBSA 2.0 offline scan customers: – –Download updated version of MBSA now – –Or download the new offline scan file, wsusscn2.cab, by clicking Save this file to C:\Documents and Settings\ \Local Settings\Application Data\Microsoft\MBSA\2.0\Cache\wsusscn2.cab. If you only run MBSA 2.0 in the online mode, do anything. See Microsoft KB Article for more information – –

Lifecycle Support Information Software Update Services (SUS) 1.0Software Update Services (SUS) 1.0 –Old deadline of 6 December 2006 has CHANGED to 10 July 2007 –Information on upgrading: –Information on upgrading: s/default.mspx s/default.mspx Public security support for Windows XP SP1 and Office 2003 SP1 HAS ENDED as of 10 October 2006Public security support for Windows XP SP1 and Office 2003 SP1 HAS ENDED as of 10 October 2006 –No Security Updates for Windows XP SP1 or Office 2003 SP1 starting in November 2006 –Remaining Windows XP SP1, Office 2003 SP1 customers should upgrade to Windows XP SP2, Office 2003 SP2 right away Public security support for Windows 98, 98 SE, and Millennium Edition HAS ENDED as of 11 July 2006Public security support for Windows 98, 98 SE, and Millennium Edition HAS ENDED as of 11 July 2006 –See for more information Microsoft Forefront Client Security Beta open to download.Microsoft Forefront Client Security Beta open to download. –

Windows Malicious Software Removal Tool – KB The Jan update adds the ability to remove:The Jan update adds the ability to remove: –Win32/Haxdoor Available as priority update through Windows Update or Microsoft Update for Windows XP usersAvailable as priority update through Windows Update or Microsoft Update for Windows XP users –Offered through WSUS; not offered through SUS 1.0 Also as an ActiveX control or download at as an ActiveX control or download at Deployment step-by-stsp: KB891716Deployment step-by-stsp: KB891716

Resources Jan Security Bulletin Webcast (US) US&EventID= Jan Security Bulletin Webcast (US) US&EventID= US&EventID= US&EventID= Security Bulletins Summary Bulletins Summary Security Bulletins Search Bulletins Search Security Advisories Advisories MSRC Blog Blog Notifications TechNet Radio Radio IT Pro Security Newsletter Pro Security Newsletter TechNet Security Center Security Center TechNet Forum ITPro Forum ITPro Detection and deployment guidance for the Jan 2007 security release and deployment guidance for the Jan 2007 security release

Questions and Answers Submit text questions using the “Ask a Question” buttonSubmit text questions using the “Ask a Question” button Don’t forget to fill out the surveyDon’t forget to fill out the survey For upcoming and previously recorded webcasts: upcoming and previously recorded webcasts: Webcast content suggestions: content suggestions: