Patch Tuesday
It's been a while, but the patch Tuesday posts are back, so here we go dissecting the relevance to client-side security. This month there are 6 patches, 4 rated Critical, 1 Moderate, and 1 Important. The patches in turn cover 15 CVEs.
Microsoft's summary is here.
ISC's gridtastic summary is here.
MS07-031 (Critical) is a patch for the Secure Channel (Schannel) package. This package is responsible for setting up SSL/TLS. It is exploitable by viewing an https webpage on a malicious webserver. Presumably the webserver itself, rather than the webpage, needs to be customized in order to craft the SSL/TLS responses, so this is probably not the type of exploit that could be injected into a normal webpage via the standard iframe and JavaScript techniques. This item has been assigned CVE-2007-2218.
MS07-033 (Critical) is a cumulative patch for IE. The bulletin itself says something about replacing MS07-027; if I understand it correctly, it means that the fixes from MS07-027 are also being rolled into this patch.
CVE-2007-0218 is a flaw in COM object instantiation. When COM objects that aren't meant to be instantiated in IE are instantiated anyway, memory can be corrupted, and that corruption can then be exploited.
CVE-2007-1750 is a flaw in how IE handles a CSS tag, though of course it doesn't say which tag.
CVE-2007-3027 is a flaw in something related to language pack installation. First of all, as with all language pack installs, this would require a popup which first asks the user if they want to install the language pack. If they hit OK, then there is a way for an attacker to trigger multiple language pack installations in such a way as to corrupt memory and exploit it.
CVE-2007-1751 is another thing with almost no details. It says the vulnerability is "in the way Internet Explorer accesses an object that has not been correctly initialized or that has been deleted." While that sounds similar to a double-free vulnerability to me, it's hard to say for sure.
CVE-2007-1499 is more of a spoofing/semantic vulnerability of the type that generally isn't in our scope, but I will talk about it anyway as it's somewhat clever. If you go to this page at Aviv Raff's site, you can see a picture of what it would look like. Basically it injects a script into the "refresh this page" link that you get when you cancel navigation with IE. While I don't think I've ever used that link rather than the refresh button, I'm sure some people do.
CVE-2007-2222 is a fairly standard ActiveX vulnerability. This one is in the included ActiveX controls for a piece of the text-to-speech capability.
MS07-034 (Critical) is a cumulative patch for Outlook Express and Windows Mail. 3 of the 4 CVEs are information disclosure vulnerabilities, and all of those 3 are related to MHTML, which is an old friend in terms of information disclosure. CVE-2007-1658 is a possible code execution bug, but it does require the user to click on a link in the email (as opposed to automated exploitation by just viewing the email for instance).
MS07-035 (Critical) is a Win32 API vulnerability; however, the bulletin says specifically that it can be exploited through IE, as IE uses the vulnerable API. This issue has been assigned CVE-2007-2219.
So there you have it. Of the 4 critical patches this month, all 4 were relevant to client security!
