Articles

Microsoft Security Hole - July 2009

On July 13, 2009 - Microsoft was still working on a solution that is fit for wide distribution. In the meantime they still are using their workaround directions.

Also posted below is a list of products affected:

Link to Microsoft Security Advisory

Link to Microsoft Zero Day fix

Notes from their site:
“This is Dave Forstrom, group manager for our security response communications team. We have just posted Microsoft Security Advisory 973472, which highlights a vulnerability in Microsoft Office Web Components. Specifically, the vulnerability exists in the Spreadsheet ActiveX control and while we’ve only seen limited attacks, if exploited successfully, an attacker could gain the same user rights as the local user.

Products affected are:

Microsoft Office XP Service Pack 3,

Microsoft Office 2003 Service Pack 3,

Microsoft Office XP Web Components Service Pack 3,

Microsoft Office Web Components 2003 Service Pack 3,

Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1,

Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3,

Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3,

Microsoft Internet Security and Acceleration Server 2006,

Internet Security and Acceleration Server 2006 Supportability Update,

Microsoft Internet Security and Acceleration Server 2006 Service Pack 1,

Microsoft Office Small Business Accounting 2006.”

---------
On July 6, Microsoft Corp. warned about a serious computer hole related to its Internet Explorer browser. It can allow hackers to remotely take control of victims’ machines. The victims don’t need to do anything to get infected except visit websites infected with a tiny bit of code that taps into the security hole.

If successful, a hacker could execute code remotely and take control of a system. So far the exploit seems to be spreading via drive-by downloads on compromised and malicious sites. Internet Explorer versions 6 and 7 are at risk, but people running IE 8 are not vulnerable, Symantec said.

Microsoft urged vulnerable users to disable the problematic part of its software, which can be done from Microsoft’s Web site, while the company works on a “patch” — or software fix — for the problem.

Thousands of sites have been hacked to serve up malicious software that exploits the vulnerability. People are drawn to these sites by clicking a link in spam e-mail.

The so-called “zero day” vulnerability disclosed by Microsoft affects a part of its software used to play video. The problem arises from the way the software interacts with Internet Explorer, which opens a hole for hackers to tunnel into.

Once the attacker gains access to a PC, the machine most often is used in a network of other compromised PCs, called bots, to spread spam and steal data. Bots are also widely used to spread promotions for fake anti-spyware subscriptions and to hijack cash from online banking accounts.

Link To news.CNET Video Active X article, July 6

From Mike Reavey at the Microsoft Security Response Center: “We were far enough along in our process that we felt comfortable taking this information from our investigation and giving it to customers so they could take immediate action to protect themselves while we finish our security update. To make it even easier for customers to protect themselves, we also implemented the “FixIt” that automatically implements the killbits.

Customers who have already implemented the killbits manually or through the FixIt workaround won’t need to implement next week’s security update, though we recommend that you apply the update to ensure that reporting accurately shows that the systems are fully protected.

We’re on track to release the security update next Tuesday (7/14). But if you haven’t implemented the killbits already, we recommend that you go ahead and do that to protect yourself against the attacks”.