Information About Microsoft’s August 2004 Security Bulletins
August 13, 2004
Feliciano Intini, CISSP, MCSE
Security Advisor, Premier Security Center, Microsoft Services - ITALY
What we will cover
• Security Bulletins:
  • MS04-025 - Windows Internet Explorer
  • MS04-026 - Microsoft Exchange Server 5.5
• Other Security Topics:
  • Security Tools
  • Reminder: Defense In Depth Configuration Changes
  • Windows XP Service Pack 2
• Resources
• Questions & Answers
Review of August Security Bulletins
• Overview of each vulnerability for risk assessment
• Workarounds you can implement while deploying the security updates
• How to determine which systems the available security updates apply to
• How you can deploy the security updates to your systems
MS04-025: Overview
• Cumulative Security Update for Internet Explorer (867801)
• Impact: Remote Code Execution
• Maximum Severity: Critical
• Affected Software:
  • Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003
  • Critical for Windows 98, Windows 98 Second Edition, Windows Millennium Edition
• Affected Components:
  • Internet Explorer 5.01 Service Packs 2, 3 and 4
  • Internet Explorer 5.5 Service Pack 2
  • Internet Explorer 6.0
  • Internet Explorer 6.0 Service Pack 1, Internet Explorer 6 Service Pack 1 (64-Bit Edition)
  • Internet Explorer 6.0 for Windows Server 2003, Internet Explorer 6 for Windows Server 2003 (64-Bit Edition)
MS04-025: Understanding the Vulnerabilities
• Navigation Method Cross-Domain Vulnerability - CAN-2004-0549:
  • A vulnerability in how Navigation Methods are validated that can enable code execution
• Malformed BMP File Buffer Overrun Vulnerability - CAN-2004-0566:
  • A buffer overrun vulnerability in how BMP files are rendered that can enable code execution
• Malformed GIF File Double Free Vulnerability - CAN-2003-1048:
  • A double free vulnerability in how GIF files are handled that can enable a denial of service or potentially code execution
MS04-025: Risk Assessment
• Possible Attack Vectors
  • Malicious HTML page
    • Hosted on a Web site
    • Sent as e-mail
• Impact of Successful Attack
  • Attacker’s code would run in the user’s context
• Mitigating Factors
  • Web page and e-mail vectors require user action
  • Attacker’s code is limited by the user’s privileges
MS04-025: Risk Assessment (2)
• Mitigating Factors (cont’d)
  • Opening HTML e-mail in the Restricted sites zone helps reduce attacks
    • Outlook Express 6, Outlook 2002, and Outlook 2003 by default
    • Outlook 98 and Outlook 2000 with the Outlook E-mail Security Update (OESU)
    • Outlook Express 5.5 with MS04-018
  • Also, risk from the HTML e-mail vector is reduced significantly if both:
    • The latest Cumulative Security Update for IE is installed (change introduced in MS03-040)
    • IE 6.0 or later is in use
MS04-025: Updates
• Two updates available
  • 867801 contains only security fixes and publicly available updates
    • Available on Windows Update, Software Update Services, Download Center
  • 871260 (update rollup) contains security fixes, publicly available updates AND hotfixes
    • Available only on the Download Center
• To reduce the risk of problems in deployment, customers should apply 867801 by default
MS04-026: Overview
• Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting and Spoofing Attacks (842463)
• Impact: Remote Code Execution
• Maximum Severity: Moderate
• Affected Software:
  • Microsoft Exchange Server 5.5 SP4
• Affected Components:
  • Outlook Web Access (OWA)
MS04-026: Understanding the Vulnerability
• Cross-site Scripting and Spoofing Vulnerability - CAN-2004-0203:
  • A cross-site scripting and spoofing vulnerability that could cause a user to run script on the attacker’s behalf, or cause a user to view spoofed content.
MS04-026: Risk Assessment
• Possible Attack Vectors
  • Sending a specially crafted HTTP request to the Outlook Web Access server
• Impact of Successful Attack
  • Execute script in the user’s context
  • Put spoofed content in Web browser and intermediate proxy server caches
• Mitigating Factors
  • An attacker must have valid logon credentials for the Outlook Web Access server
  • Limitations on the user’s account apply to the attacker’s script
  • The “Do not save encrypted pages to disk” option prevents attempts to put spoofed content into the client cache
  • SSL-protected connections protect against the intermediate proxy vector
  • It is difficult for an attacker to predict which users would be served spoofed cached content from an intermediate proxy server
MS04-020 Re-Release
• Re-issued to advise on the availability of a security update for Microsoft INTERIX 2.2
• Customers who are not using Microsoft INTERIX 2.2 and have previously installed the security updates provided as part of the original release of this bulletin do not need to install the new security update
• Customers using Microsoft INTERIX 2.2 should apply the new update
Workarounds
• Host-based workarounds:
  • MS04-025
    • Set Internet and Local Intranet security zone settings to “High”
    • Restrict Web sites to only trusted Web sites
    • Strengthen the security settings for the Local Machine zone
      • Knowledge Base article 833633
    • Read e-mail messages in plain text format
  • MS04-026
    • Disable Outlook Web Access for each Exchange site
Determining Systems for Deployment
• MBSA:
  • Use MBSA to determine systems that require MS04-025, MS04-026
  • MBSA will identify systems that require MS04-025 but cannot determine systems that might require 871260 (update rollup)
  • As of 8/10, MBSA will not raise a warning regarding greater-than-expected file versions on systems with 871260 (update rollup)
• SUS:
  • The SUS Client (the Automatic Updates Client) will automatically detect systems that require MS04-025
  • The SUS Client will identify systems that require MS04-025 but cannot determine systems that might require 871260 (update rollup)
  • SUS cannot be used to determine systems that require MS04-026
Determining Systems for Deployment (2)
• SMS 2.0 / 2003:
  • Use SMS 2003 to identify systems that need MS04-025, MS04-026
  • SMS will identify systems that require MS04-025 but cannot determine systems that might require 871260 (update rollup)
  • To limit the deployment of the update rollup to only those computers running post-MS04-004 hotfixes:
    • Use software inventory to detect systems based on the files affected by the hotfixes
  • For more information see Deploying Software Updates Using the SMS Software Distribution Feature:
    • www.microsoft.com/technet/prodtechnol/sms/sms2003/patchupdate.mspx
• Note regarding SMS and MBSA:
  • Proxy caching at an ISP or on the intranet may delay the availability of the detection catalog mssecure.cab
  • The file uses “Cache-Control: must-revalidate”; most proxy servers honor this
  • Refer to KB 842432 to diagnose delays
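The file-version comparison that MBSA and SMS software inventory rely on for the two slides above, as an added example (not from the webcast and not Microsoft's tool code; file names, version numbers and host names are constructed placeholders, not the real 867801 or 871260 file manifests). It separates hosts that still need 867801 from hosts whose versions are above the catalog, the 871260 rollup case the catalog cannot identify:

```python
"""Added example: classify hosts by Internet Explorer file versions.
Any file below the catalog version -> host needs 867801 (MS04-025).
All files at/above, at least one above -> likely 871260 rollup or later hotfix
("greater-than-expected file version"); review instead of redeploying.
All file names and versions here are constructed placeholders."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Parse a four-part Windows file version such as '6.0.2800.1458'
    numerically, so 6.0.2800.999 sorts below 6.0.2800.1458 (string order would not)."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    major, minor, build, rev = (int(p) for p in parts)
    return (major, minor, build, rev)


# Constructed catalog: minimum versions 867801 is assumed to install (placeholder).
CATALOG_867801: Dict[str, Version] = {
    "mshtml.dll": parse_version("6.0.2800.1458"),
    "shdocvw.dll": parse_version("6.0.2800.1458"),
    "browseui.dll": parse_version("6.0.2800.1458"),
}


def classify_host(inventory: Dict[str, str],
                  catalog: Dict[str, Version] = CATALOG_867801) -> str:
    """Return 'missing' (needs 867801), 'patched' (matches catalog) or
    'above-catalog' (likely 871260 rollup)."""
    any_above = False
    for name, expected in catalog.items():
        text = inventory.get(name)
        if text is None or parse_version(text) < expected:
            return "missing"  # file absent or too old: flag it, as MBSA does
        any_above = any_above or parse_version(text) > expected
    return "above-catalog" if any_above else "patched"


def hosts_needing_867801(hosts: Dict[str, Dict[str, str]]) -> List[str]:
    """Hosts to target with 867801 via SUS/SMS; rollup hosts are left alone."""
    return sorted(h for h, inv in hosts.items() if classify_host(inv) == "missing")


# Constructed inventory, in the shape SMS software inventory might report it.
SAMPLE_HOSTS = {
    "ws01": {"mshtml.dll": "6.0.2800.1400", "shdocvw.dll": "6.0.2800.1400", "browseui.dll": "6.0.2800.1400"},
    "ws02": {"mshtml.dll": "6.0.2800.1458", "shdocvw.dll": "6.0.2800.1458", "browseui.dll": "6.0.2800.1458"},
    "ws03": {"mshtml.dll": "6.0.2800.1470", "shdocvw.dll": "6.0.2800.1458", "browseui.dll": "6.0.2800.1458"},
    "ws04": {"mshtml.dll": "6.0.2800.1458", "shdocvw.dll": "6.0.2800.1458"},
}
```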
Deploying the Updates
• SUS:
  • Use the SUS Client (the Automatic Updates Client) to deploy MS04-025
  • SUS can only be used to deploy 867801; it will not deploy 871260 (update rollup)
• SMS:
  • Use SMS 2.0 with the SMS SUS Feature Pack or SMS 2003 to deploy MS04-025, MS04-026
  • 871260 (update rollup) can be deployed using the “import” feature documented in the SMS documentation
Deploying the Updates (2)
• Restarts
  • MS04-025: Required
  • MS04-026: Not required, but the update will restart these services:
    • Microsoft Internet Information Services (IIS)
    • Exchange Store
    • Exchange System Attendant
• Uninstall
  • MS04-025: Can be uninstalled
  • MS04-026: Can be uninstalled
Deploying the Updates (3)
• Notes for MS04-026:
  • Version requirements for dependent components: the Microsoft Outlook Web Access (OWA) server must have one of the following:
    • Internet Explorer 5.01 Service Pack 3 on Windows 2000 Service Pack 3
    • Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4
    • Internet Explorer 6 Service Pack 1 on currently supported operating systems
  • Apply the update only to Exchange 5.5 servers running Outlook Web Access.
Security Tools: MBSA Reminder
• MBSA 1.1.1 is no longer supported
  • As of April 20, 2004, the mssecure.xml file used by versions earlier than MBSA 1.2 is no longer updated
  • Scans performed with MBSA 1.1.1 or earlier versions will not detect the Security Bulletins released since April
  • When using SMS, the MBSA GUI and mbsacli, scan results will include an ‘update’, e.g.:
• Obtain Upgrades:
  • SMS 2.0 SUS Feature Pack and SMS 2003 users:
    • SMS downloads page www.microsoft.com/smserver/downloads
  • MBSA Users:
    • MBSA homepage www.microsoft.com/mbsa
Security Tools: MBSA & XP SP2
• A new version of MBSA (1.2.1) is needed for Windows XP SP2 compatibility!
  • Needed to provide compatibility and better support for Windows XP SP2 security improvements
  • Will be available in mid-August
  • Users running MBSA 1.2 will be automatically notified when they run the tool with an Internet connection
• www.microsoft.com/mbsa
Security Tools: MyDoom Cleaner Tool
• New variant, MyDoom.O, discovered on Monday, July 26, 2004
• Zindos.A worm, discovered on Tuesday, July 27, 2004, uses the backdoor opened by MyDoom.O
• The cleaner tool was updated to clean all known MyDoom variants and Zindos.A
• More information: www.microsoft.com/security/incident/mydoom.mspx
Reminder: Deploy Defense in Depth Configuration Changes
Three configuration changes released in July to enhance the resiliency of Internet Explorer 6.0 and Outlook Express 5.5 SP2:
• Disable ADODB.Stream in Windows ActiveX control (July 2, 2004)
  • Knowledge Base Article 870669 (http://support.microsoft.com/default.aspx?kbid=870669)
• Limit functionality of Shell.Application (July 13, 2004)
  • Fix is included in MS04-024
• Change HTML viewing in Outlook Express 5.5 SP2 (July 13, 2004)
  • Change included in MS04-018
Windows XP Service Pack 2
Proactive protection technologies block malicious code at the “point of entry”
[Slide diagram: goals Enhance Security, Increase Manageability, Improve Experience; protected entry points Network, Email & IM, Web Browsing, Memory Attack Vectors]
Application Compatibility Snapshot
• The vast majority of application compatibility issues are mitigated through configuration of SP2 security options
• Very few issues require code changes
Windows XP SP2 – Timeline
• August 6:
  • Release to manufacturing for SP2 English and German (remaining 25 languages RTM over 5 weeks)
• August 9:
  • Release to Microsoft Download Center - full network installation package
  • Release to MSDN - CD ISO image
• August 10:
  • Release to Automatic Updates - for machines running pre-release versions of Windows XP SP2 only
• August 16:
  • Release to Automatic Updates - for machines not running pre-release versions of Windows XP SP2
  • Release to SUS
• August TBD:
  • Release to Windows Update for interactive user installations
SP2 Delivery via Automatic Update
• SP2 is categorized as a critical update
• Unlike previous critical updates, SP2 requires interactive installation
• Some customers have requested a mechanism to temporarily block SP2 delivery via AU
  • Allow all other critical security updates via AU
• A registry-based solution temporarily prevents Automatic Update and Windows Update from downloading SP2 - and only SP2
  • AU and WU search for the existence of the new registry setting
  • Other downloads are unaffected
  • The registry setting is the only change required on the local machine
Automatic Update Blocking Mechanism
• Tools for implementing the solution
  • ADM file to control the registry setting via Active Directory Group Policy
  • Microsoft-signed executable that will set the registry setting on the local machine
  • Script file to execute the tool remotely
  • E-mail message pointing users to a script file hosted on Microsoft.com
  • All of these tools allow for disabling the registry setting
• This solution expires after 120 days
  • AU and WU will ignore the registry key after December 14, 2004
• Scripts and documentation posted on TechNet
  • www.microsoft.com/technet/winxpsp2
• Best solution is Software Update Services
  • www.microsoft.com/sus
Windows XP SP2 Summary
A major step forward on a long journey
• More secure
  • “Shields-up” approach
  • Reduced attack surface area
• Improved manageability of security settings
  • More granular control
  • Improved support for Active Directory Group Policy
  • Reduced urgency for patching vulnerabilities
• Better user experience
  • More and better security information
  • Applications function while remaining secure
• http://www.microsoft.com/technet/winxpsp2
Resources
• September Security Bulletins Webcast: our next session is Friday, September 17 at 10:30 http://www.microsoft.com/italy/security
• Security Bulletins Search www.microsoft.com/technet/security/current.aspx
• Windows XP Service Pack 2 www.microsoft.com/technet/winxpsp2
• Information on MyDoom and its variants www.microsoft.com/security/incident/mydoom.mspx
• Security Newsletter www.microsoft.com/technet/security/secnews/default.mspx
• Security Guidance Center www.microsoft.com/italy/security/guidance