
List:       patchmanagement
Subject:    Just do it - MS09-034: Elegant Security Buttress for Internet Explorer:
From:       Susan Bradley <sbradcpa () pacbell ! net>
Date:       2009-07-30 3:24:42
Message-ID: 4A71127A.8080405 () pacbell ! net

Verizon Business Security Blog » Blog Archive » Just do it - MS09-034: 
Elegant Security Buttress for Internet Explorer:
http://securityblog.verizonbusiness.com/2009/07/29/just-do-it-ms09-034-elegant-security/

The Microsoft Active Template Libraries (ATL) issue described in 
MS09-035 
<http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx> has 
revealed that a great many Component Object Model (COM) programs may be 
vulnerable to exploitation in a way the developers of those programs may 
not have realized. Internet Explorer is not the only program that hosts 
COM programs, but it is the most likely primary attack vector for 
criminals to exploit vulnerable programs via ActiveX controls as is the 
case with the current criminal activity using the Microsoft Video 
Control that was the subject of MS09-032 
<http://www.microsoft.com/technet/security/bulletin/ms09-032.mspx> recently.

MS09-034 
<http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx> 
includes two significant new features, both intended to provide security 
enhancement to IE to allow it to protect users from exploitation of 
vulnerable controls.

The first of these is the use of Microsoft Research Detours 
<http://research.microsoft.com/en-us/projects/detours/> technology to 
monitor the behavior of a control and identify when that control is 
being manipulated by a criminally crafted web page. Detours allows IE to 
follow through a program’s logic and identify a pattern of behavior that 
can be identified as exploiting the ATL issues. This dramatically 
reduces the potential for criminals to exploit those ATL issues. Also, 
because Detours is able to monitor without impacting the program’s 
intended behavior, this new feature should have little to no impact on 
the legitimate use of ActiveX controls.

The second feature provides a much more forceful way of preventing 
exploitation of ActiveX controls that are vulnerable to the ATL issues. 
This feature simply stops controls from running if they are found to 
contain distinctive unsafe functions. It is one step shy of disabling 
ActiveX controls altogether in that it will likely prevent many controls 
from functioning legitimately. If you were considering disabling all 
ActiveX controls, we would suggest you consider this new option instead.

As far as the three specific memory issues addressed in the bulletin, 
few details have been provided.

Verizon Business recommends that you deploy MS09-034 
<http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx> 
within the next 7 days. First, this is because active exploitation of 
the issue has already occurred in the public in the form of attacks 
against, at least, the Microsoft Video Control (msvidctl.dll). Secondly, 
the update applies to all versions of IE back to v5.1, so it does not 
require that you move to a new version of IE. Finally, Verizon Business 
expects that reports about vulnerable controls are likely to proliferate 
exponentially within the next few weeks, likely causing some panic in 
the community. By having MS09-034 
<http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx> 
deployed you will be able to view these reports as they individually 
impact you, rather than as a growing problem for the use of IE and 
ActiveX controls in general.

Verizon Business also recommends that you use this opportunity to deploy 
an IE setting which permits only Administrator-approved ActiveX controls 
to run. The Microsoft Support document KB 883256 
<http://support.microsoft.com/kb/883256> provides instructions on how to 
do this via Group Policy Object (GPO). To use this feature you will 
require a list of ActiveX controls you do want to approve. Given that it 
is unknown which currently used ActiveX controls are actually 
vulnerable, we recommend you start with the controls your users 
currently use. Yes, it is true that some may turn out to be vulnerable; 
however, by doing this you should have no negative business impact, yet 
you will prevent the vast majority of controls that are vulnerable. 
Verizon Business is attempting to put together a “white list” of 
controls which have passed the test at Verizon Cybertrust Security 
ActiveX test <http://codetest.verizonbusiness.com> and in some instances 
have been attested to by the author or publisher of the ActiveX control. 
Verizon Business will provide our customers with more information on 
this list as it evolves. Currently there are no controls known to have 
been patched for this issue with certainty, so no list exists.

We would also like to point out features that were added to IE 7 and IE 
8, that can have a positive impact on the security of IE. IE 7 and IE 8 
include the ActiveX opt-in feature 
<http://msdn.microsoft.com/en-us/library/bb250471%28VS.85%29.aspx>, 
which disables ActiveX controls that have not previously been used, and 
prompts the user when new ones are asked for by a site. IE 8 includes a 
feature which allows you to specify which Zones a given ActiveX control 
can be called from 
<http://blogs.msdn.com/ie/archive/2008/05/07/ie8-security-part-ii-activex-improvements.aspx>. 
This would prevent, for example, abuse of the Office Web Component 
ActiveX controls from the Internet, even if they were required for 
Intranet use.

---
When posting or replying to messages on this list, please send all
emails in plain text format.  HTML formatted messages will not be accepted.

PatchManagement.org is hosted by Shavlik Technologies

To unsubscribe send a blank email to leave-patchmanagement@patchmanagement.org
If you are unable to unsubscribe via this email address, please email
owner-patchmanagement@patchmanagement.org
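The forwarded post recommends starting the administrator-approved list from "the controls your users currently use". The following PowerShell script is an added example, not part of the Verizon post or of KB 883256: it inventories the ActiveX controls a user's IE has actually loaded, resolves each CLSID to its friendly name and module, and flags controls that already carry a kill bit so they can be left off the list. The registry locations it reads are assumptions about how IE 7/8 record control usage (the per-user Ext\Stats key written by the ActiveX opt-in feature), the machine-wide PreApproved list, and the documented kill-bit location (Compatibility Flags bit 0x400); verify them on your build before relying on the output.

```powershell
# Added example: build a candidate "administrator approved" ActiveX list from
# the controls this user's Internet Explorer has already run.
# Assumed registry layout (verify on your IE version):
#   HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CLSID}      - IE7+ opt-in usage record
#   HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CLSID} - machine pre-approved list
#   HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} - kill bit (0x400)
#   HKEY_CLASSES_ROOT\CLSID\{CLSID}                                        - name and InprocServer32

$StatsKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats'
$PreApprovedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved'
$CompatKey      = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit        = 0x400

function Get-UsedActiveXControls {
    # Returns one object per CLSID that IE has recorded as used by this user.
    if (-not (Test-Path $StatsKey)) { return @() }

    Get-ChildItem -Path $StatsKey | ForEach-Object {
        $clsid   = $_.PSChildName
        $clsKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"

        # Friendly name and implementing module, if the control is still registered.
        $name   = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
        $module = (Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'

        # Compatibility Flags bit 0x400 is the kill bit; $null -band 0x400 evaluates to 0.
        $flags  = (Get-ItemProperty -Path "$CompatKey\$clsid" -ErrorAction SilentlyContinue).'Compatibility Flags'
        $killed = (($flags -band $KillBit) -ne 0)

        [pscustomobject]@{
            CLSID       = $clsid
            Name        = $name
            Module      = $module
            KillBit     = $killed
            PreApproved = (Test-Path "$PreApprovedKey\$clsid")
        }
    }
}

# Candidates for the approved list: used, still registered, and not already killed.
$candidates = Get-UsedActiveXControls |
    Where-Object { $_.Module -and -not $_.KillBit } |
    Sort-Object Name

$candidates | Format-Table CLSID, Name, Module, PreApproved -AutoSize

# CLSIDs only, one per line, ready to paste into the GPO list described in KB 883256.
$candidates | Select-Object -ExpandProperty CLSID | Set-Content -Path '.\approved-clsids.txt'
```

Run it under the affected user's account (the Stats key is per user), merge the output across a representative sample of machines, and review each Module path before approving it; a control that resolves to no module is stale and should not be listed.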