By Carsten Eiram
The first month of 2009 is behind us and we started the year out nicely by issuing 29 BAs.
Of particular interest this month are:
These are actually from the Microsoft December patches. I won't dwell too much on them, but just wanted to briefly mention them as they may both be exploited reliably for code execution, one of the vulnerabilities having been discovered by Secunia Research. One of them is an array-indexing error when parsing certain record types, which allows writing a pointer to somewhat arbitrary memory locations. The other vulnerability is an error when reading the length of certain data, which allows triggering stack-based buffer overflows.
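The two bug classes described above (an unchecked record-type index used to select a handler, and an unchecked length copied into a fixed-size stack buffer) are the bread and butter of file-format parsers. The following C program is an added example, not Secunia's analysis code and not the real Office record format: it parses a constructed, hypothetical `[type:1][len:1][payload]` record stream and shows the three checks a hardened parser performs before using the index or the length.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record layout, constructed for this example:
 *   byte 0      : record type (used as an index into a handler table)
 *   byte 1      : payload length
 *   bytes 2..   : payload
 */
#define MAX_RECORD_TYPES 4     /* size of the handler table */
#define MAX_PAYLOAD      16    /* size of the fixed stack buffer a handler receives */

typedef int (*record_handler)(const uint8_t *payload, size_t len);

/* Placeholder handler: in a real parser each record type has its own. */
static int handle_generic(const uint8_t *payload, size_t len)
{
    (void)payload;
    return (int)len;
}

static const record_handler handlers[MAX_RECORD_TYPES] = {
    handle_generic, handle_generic, handle_generic, handle_generic
};

/* Parses every record in buf. Returns the number of records processed,
 * or -1 if the stream is malformed. Every attacker-controlled value is
 * validated before it is used as an index, a copy length, or an offset. */
int parse_records(const uint8_t *buf, size_t buflen)
{
    size_t off = 0;
    int count = 0;

    while (off < buflen) {
        /* Check 1: the header itself must be present in the input. */
        if (buflen - off < 2)
            return -1;

        uint8_t type = buf[off];
        uint8_t len  = buf[off + 1];
        off += 2;

        /* Check 2: the index must be inside the handler table. Without
         * this, an out-of-range type reads a function pointer from
         * beyond the table (the array-indexing bug class). */
        if (type >= MAX_RECORD_TYPES)
            return -1;

        /* Check 3a: the declared length must fit the destination
         * buffer (the stack-based overflow bug class). */
        if (len > MAX_PAYLOAD)
            return -1;

        /* Check 3b: the declared length must also fit the remaining
         * input, so the copy never reads past the end of buf. */
        if (len > buflen - off)
            return -1;

        uint8_t local[MAX_PAYLOAD];
        memcpy(local, buf + off, len);
        handlers[type](local, len);

        off += len;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample inputs. */
    const uint8_t good[]      = { 0, 3, 'a', 'b', 'c', 1, 0 };   /* two records */
    const uint8_t bad_type[]  = { 9, 0 };                        /* index past the table */
    const uint8_t bad_len[]   = { 0, 200, 'x' };                 /* length exceeds buffer */
    const uint8_t truncated[] = { 0, 5, 'a' };                   /* payload shorter than declared */

    printf("good: %d\n",      parse_records(good, sizeof good));
    printf("bad_type: %d\n",  parse_records(bad_type, sizeof bad_type));
    printf("bad_len: %d\n",   parse_records(bad_len, sizeof bad_len));
    printf("truncated: %d\n", parse_records(truncated, sizeof truncated));
    return 0;
}
```

The ordering matters: the index check happens before the table lookup, and both length checks happen before the `memcpy`, so no attacker-supplied value is ever dereferenced or used as a size until it has been compared against the real bound it will be used with.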
2) Microsoft Windows Explorer Search Handling Vulnerability (SA33053 / CVE-2008-4269)
This one deserves mentioning as it's one of those nice design errors where the programmer is not saved by some security mechanism compiled into the code or provided by the OS. In this case, Windows Vista and Windows Server 2008 do not properly validate input passed to a feature in Windows Explorer acting as an interface to the search mechanism (e.g. via the "search-ms:" protocol handler). This can be exploited to execute arbitrary command lines by passing specially crafted parameters to the URI handler.
From an analysis point of view, these two vulnerabilities in Windows when handling SMB packets are not that exciting. The analysis of both issues was straightforward, with obvious changes to the code, but I'm mentioning them anyway as there was some confusion as to how serious the two vulnerabilities really were.
Initially, these two vulnerabilities were hyped by certain parties, claiming that a worm was likely to start exploiting them in the very near future. Microsoft also rated both issues as "Critical", but when consulting Microsoft's Exploitability Index, both vulnerabilities were rated 3 (i.e. unlikely to be exploited for code execution).
Microsoft's SWI team further elaborated on the Exploitability Index rating in a blog.
Based on our internal analysis, we concur with the conclusion provided by the Microsoft SWI team and consider exploitation of these two vulnerabilities to most likely result in a DoS (Denial of Service), with code execution being only theoretically possible and thus not something that can be completely ruled out.
Using this new Exploitability Index provided by Microsoft, customers can more easily prioritise which vulnerabilities to patch first and how quickly. It is therefore a welcome addition to the criticality ratings in the security bulletins, which mostly seem to focus on the worst-case impact of a vulnerability, disregarding (with a few exceptions) the likelihood of something actually being exploited.
The likelihood of a vulnerability being exploited is actually somewhat taken into account in the security bulletin criticality ratings as Microsoft allows various security mechanisms implemented in e.g. an application to downgrade the rating of a vulnerability with the following as examples:
* Code execution vulnerabilities in Office applications which are rated "Critical" for Office 2000 are downgraded to "Moderate" in Office XP and later, as Office documents are not automatically opened without prompting the user in these versions. Instead, a user is required to manually open the document (a reason we do not consider valid for downgrading the rating).
* Code execution vulnerabilities in Internet Explorer requiring active scripting to be enabled are downgraded from "Critical" to "Moderate" for e.g. Windows Server 2003 and Windows Server 2008, as Internet Explorer by default runs in a restricted mode known as Enhanced Security Configuration. In this mode, the security level for the "Internet" security zone is set to "High" and thus has active scripting support disabled.
Other examples exist, and it is thus curious that the same does not apply to the rating when Microsoft's security teams, via the Exploitability Index and a blog, conclude that a vulnerability is unlikely to be exploited. If exploiting a vulnerability for code execution can only be considered theoretically possible unless it's a full moon, your mother-in-law is visiting, and you just ran out of your favourite brand of tea, would it then not make sense to downgrade the rating? The rating should reflect how likely it actually is that a vulnerability can be exploited, whenever proper information about this is available.
Naturally, people should do their research properly before commenting on topics like the likelihood of a worm exploiting a vulnerability (we know what those assumptions are the mother of). However, Microsoft most likely could have avoided some confusion had they pulled the rating down a notch to take into account their own conclusion about the possibility of exploitation, or alternatively included the Exploitability Index ratings for each vulnerability in the security bulletins instead of listing them in a separate document.
That's it for this month. Since Secunia Research also published a nice bundle of critical HP OpenView Network Node Manager vulnerabilities (SA28074 / CVE-2008-0067) in January, I've uploaded one of the analyses to our sample page for your viewing pleasure.
Chief Security Specialist