Microsoft Patches Three Critical Flaws

In July's Patch Tuesday release, Microsoft kicked off its monthly patching exercise with three critical security bulletins -- all of which address potential remote code execution (RCE) exploits in its Office, Active Directory and .NET Framework offerings.

The software giant also issued patches for two "Important" and one "Moderate" vulnerability. Both of the important security bulletins -- which address issues with Microsoft Publisher and Internet Information Services (running on Windows XP Professional only) -- patch potential RCE vulnerabilities, too.

Today's patch haul includes a fix for three new RCE vulnerabilities in Microsoft Excel and Microsoft Office.

Microsoft has released several fixes for Excel RCE vulnerabilities (as well as patches for flaws in Microsoft Word) over the last few months. The current crop of Excel vulnerabilities, like most other Excel- and Office-related flaws, can be exploited by means of a malicious Excel file.

The security bulletin associated with the Excel RCE flaws wasn't available as of press time, so some details still aren't known. According to Microsoft, the Excel RCE flaws affect Excel 2000 (Critical), Excel 2003 (Important), Excel 2003 Viewer (Important), Excel 2007 (Important), and the Office Compatibility Pack for Word, Excel and PowerPoint 2007 (Important).

The Windows RCE vulnerability affects Microsoft Active Directory (AD). It stems from a privately reported incident, Microsoft says, and could result in both RCE and potential denial-of-service (DoS) attacks. DoS is the most likely outcome, according to Microsoft, although there are scenarios in which RCE could be possible, too.

On Windows Server 2003 systems, an attacker must have valid logon credentials in order to exploit the flaw. As in the case of most RCE flaws, an attacker who successfully exploits the AD vulnerability could take complete control of a compromised system. The security bulletin associated with the AD RCE flaw wasn't available as of press time, so some details aren't known. According to Microsoft, it affects Windows 2000 Server Service Pack (SP) 4 (Critical), and all versions (and service packs) of Windows Server 2003, including both x64 and Itanium editions.

The .NET Framework bulletin actually addresses three RCE flaws, all three of which were privately reported to Microsoft.

Two of the flaws are associated with potential RCE exploits on client systems with the .NET Framework installed, while the third is associated with information disclosure on Web servers running ASP.NET. Microsoft's patch modifies the way the .NET Framework addresses buffer allocation, officials said.

The .NET flaws consist of a PE Loader vulnerability, a .NET JIT Compiler flaw, and an ASP.NET Null Byte Termination flaw. The first two are associated with potential RCE scenarios, and the latter with information disclosure, Microsoft said.

The patch affects versions 1.x and 2.0 of the .NET Framework running on all Windows operating platforms. Windows 2000 SP4 and Windows XP (all versions) are critically susceptible to the .NET flaws. The vulnerabilities are of important severity on Windows Server 2003 (all versions) and Windows Vista (all versions) systems, according to Microsoft.

Elsewhere, Redmond patched an Invalid Memory Reference vulnerability in its Publisher 2007 product that could result in remote code execution.

According to Microsoft, Publisher doesn't do a good enough job of clearing out memory resources when it writes application data from disk to memory. One upshot of this is that an attacker could construct a malicious Publisher (.pub) page and lure a user into viewing it to perpetrate an RCE exploit. The attacker could then gain complete control over an affected system.

The second important bulletin is an Internet Information Services (IIS) Memory Request flaw that could also result in remote code execution. Ironically, the flaw affects only Windows XP Professional systems on which IIS is installed and running. An attacker could exploit this vulnerability by sending malicious URL requests to a Web page hosted on IIS, Microsoft said. He or she could then gain complete control over a compromised system.

The sole remaining "Moderate" bulletin relates to a vulnerability in the Windows Vista firewall that could result in information disclosure, Redmond confirmed.

According to Microsoft, a remote anonymous attacker could send inbound network traffic to a vulnerable Windows Vista system and be able to discover information about that system over the network. The vulnerability stems from the fact that network traffic is handled incorrectly by the Vista firewall's Teredo interface, which, as a result, bypasses some firewall rules.

About the Author

Stephen Swoyer is a contributing editor for Enterprise Systems. He can be reached at [email protected].