Patch Tuesday Feb. 2007

As you may remember, MS scaled back the scope of patches last month to pull some MS Office patches. Thus we have quite a large collection this month. There are 12 patches total, 6 Critical and 6 Important. 5 of these (4 critical, 1 important) seem to be directly relevant to us.

Microsoft's official overview can be found here.
ISC's gridtastic overview is here.

MS07-005 (Important) CVE-2006-3448 describes a vulnerability in Step-by-Step Interactive Training. Though the bulletin details describe a number of exploitation paths that require direct user interaction (opening a file), it does state repeatedly that a malicious webpage could be crafted to take advantage of this vulnerability. In that case it only says that the user must be persuaded to visit the website, not that any action beyond that is required. Therefore this seems like a standard browser-based exploit.

MS07-008 (Critical) CVE-2007-0214 pertains to a vulnerability in the HTML Help ActiveX control (Hhctrl.ocx). One mitigating factor is that Outlook opens HTML mail in the Restricted Sites security zone, and therefore it isn't vulnerable to this unless the user clicks on a link in the message which brings them to a site that exploits it via the web. (And since MS so kindly pointed this out, that is exactly what attackers will do if they try to use this via email.) If this patch cannot be applied immediately, the appropriate workaround is to set the killbit for {52a2aaae-085d-4187-97ea-8c30db990436}.

MS07-009 (Critical) CVE-2006-5559 is an oldie but a goodie. This is the 0-day in the ADODB.Connection ActiveX control posted back in October. Like MS07-008 above, it can't be used against Outlook by default because of the restrictive security zone Outlook uses for HTML mail. If this patch cannot be applied immediately, the appropriate workaround is to set the killbit for {00000514-0000-0010-8000-00AA006D2EA4}.
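For the two killbit workarounds above (MS07-008 and MS07-009), here is a small audit-and-remediate script, added as an example and not part of the original post. It assumes the standard kill-bit mechanism: bit 0x400 of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}; the control descriptions in the table are labels only.

```powershell
# Added example (not from the original post): audit and, optionally, set the
# ActiveX kill bit for the two CLSIDs named in the MS07-008 / MS07-009 workarounds.
# The kill bit is bit 0x400 of the "Compatibility Flags" DWORD under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# Run in an elevated PowerShell session; nothing is changed unless -Apply is given.

param([switch]$Apply)

$KillBit  = 0x400
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$Controls = @{
    '{52a2aaae-085d-4187-97ea-8c30db990436}' = 'HTML Help control (Hhctrl.ocx), MS07-008'
    '{00000514-0000-0010-8000-00AA006D2EA4}' = 'ADODB.Connection, MS07-009'
}

function Get-KillBitState {
    param([string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    $flags = 0
    if (Test-Path $key) {
        $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $val) { $flags = [int]$val }
    }
    # Return the full flags value so other compatibility bits stay visible and are preserved.
    [pscustomobject]@{ Clsid = $Clsid; Flags = $flags; KillBitSet = (($flags -band $KillBit) -ne 0) }
}

function Set-KillBit {
    param([string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-KillBitState $Clsid).Flags
    # OR the bit in rather than overwriting, so any existing flags survive.
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord -Value ($current -bor $KillBit)
}

foreach ($clsid in $Controls.Keys) {
    $state = Get-KillBitState $clsid
    if ($state.KillBitSet) {
        Write-Host "OK      $clsid already kill-bitted ($($Controls[$clsid]))"
    } elseif ($Apply) {
        Set-KillBit $clsid
        Write-Host "SET     $clsid kill bit applied ($($Controls[$clsid]))"
    } else {
        Write-Host "MISSING $clsid not kill-bitted ($($Controls[$clsid])); rerun with -Apply"
    }
}
```

Run it without arguments first to see which controls are still instantiable, then with -Apply to set the bit; IE reads the flags on the next control instantiation, so no reboot is needed.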

MS07-010 (Critical) CVE-2006-5270 describes a vulnerability in the way the Microsoft Malware Protection Engine handles PDF files. What's interesting to me about this is that the exploit could be triggered later, when MMPE scans the file. It would therefore be very interesting if a user were reading the PDF in the browser and it looked normal, but then later, when MMPE scanned the temporary internet cache folder, it got exploited.

MS07-016 (Critical) is a cumulative update for Internet Explorer. CVE-2006-4697 and CVE-2007-0219 both relate to forcing IE to instantiate COM objects as ActiveX controls. There isn't much detail, so the only difference between the two CVEs seems to be where the objects are created from. CVE-2007-0217 relates to a problem in the FTP handling code in wininet.dll, which is used by IE. If IE connected to a malicious FTP server (simply by clicking on an ftp URI), the server could craft its response to cause heap memory corruption. Actually, I accidentally spotted the iDefense advisory while hitting my normal sites, and this last one is pretty old. MS was notified back in August (and again in October ;)), which also means this is probably another one of the iDefense Q3 2006 Challenge vulnerabilities.