[Sunnet Alert] Advisory #219 - Windows (update), Yahoo! Messenger, Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Thu Apr 5 03:26:19 EST 2007
Sûnnet Beskerming Alert List Advisory #219
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the
error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Windows (update)
- Remote Hacker Automatic Control
- Time Since Discovery - 2 Days
1.2 Yahoo! Messenger
- Remote Hacker Automatic Control
- Time Since Discovery - Same Day
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Company Operations Update
2.2 How The Patch Was Built
=====================================
1. SECURITY
1.1 Windows (update) - Remote Hacker Automatic Control
-- Products Affected --
All current versions of Windows
-- Technical Description --
MS07-017 has been released to address the ANI remote code execution
vulnerability, along with six other, largely unpublicised
vulnerabilities affecting other Windows image handling routines. The
most critical of these is the ANI vulnerability, which is currently
being exploited. There are reports of some difficulties in applying
the patch, for which Microsoft have issued hotfixes. This patch
replaces MS06-001, MS05-053, and MS05-002 on the appropriate systems.
-- Description --
Microsoft have released an out-of-cycle patch to address several
image handling vulnerabilities within Windows, including the
currently-exploited vulnerability in ANI file handling. The patch,
MS07-017, is available for immediate download and installation (which
is recommended), and replaces a number of earlier patches on various
Windows versions. There are some reports of problems on some systems
following patch installation, for which Microsoft have issued
hotfixes. Automated exploit-building code has been released publicly,
along with confirmation that users can be affected through
alternative Internet browsers, such as Firefox.
-- Recommended Action --
Apply MS07-017 as soon as possible on all vulnerable systems, and
apply hotfixes supplied by Microsoft if any difficulties are
encountered.
-- Source --
http://blogs.technet.com/msrc/archive/2007/04/03/ms07-017-released.aspx
-- Updates Available --
http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx
-- External Tracking Data --
CVE-ID: CVE-2006-5758 (GDI Privilege Elevation)
CVE-ID: CVE-2007-1211 (WMF DoS)
CVE-ID: CVE-2007-1212 (EMF Privilege Elevation)
CVE-ID: CVE-2006-5586 (GDI Privilege Elevation)
CVE-ID: CVE-2007-0038 (ANI Remote Code Execution)
CVE-ID: CVE-2007-1215 (GDI Privilege Elevation)
CVE-ID: CVE-2007-1213 (Font Rasterizer)
-- Threat Matrix --
              U    O
Home User    10   10  (Highly Critical)
Corporate    10   10  (Highly Critical)
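As an added example that is not part of this advisory, of MS07-017, or of any Microsoft code, the following Python checker validates the structure of a RIFF/ACON (.ani) animated cursor file, the format handled by the vulnerable routine. It applies the one check that matters for CVE-2007-0038: every 'anih' chunk must carry exactly the 36-byte ANIHEADER (not only the first one), and no chunk may claim more bytes than the file holds. A check like this can be run at a mail gateway or web proxy while the patch is being rolled out. The sample files at the bottom are constructed inline for the test; they are not real cursors or exploit samples.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine 32-bit fields


def _walk(data, pos, end, findings):
    """Walk the RIFF chunks in data[pos:end], recursing into LIST chunks."""
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        payload = pos + 8
        if payload + size > end:
            findings.append(
                f"chunk {fourcc!r} at offset {pos} declares {size} bytes "
                f"but only {end - payload} remain")
            return
        if fourcc == b"anih":
            # Check *every* anih chunk, not just the first one in the file.
            if size != ANIH_SIZE:
                findings.append(
                    f"anih chunk at offset {pos} has length {size}, "
                    f"expected {ANIH_SIZE}")
        elif fourcc == b"LIST":
            # A LIST payload is a 4-byte list type followed by nested chunks.
            _walk(data, payload + 4, payload + size, findings)
        pos = payload + size + (size & 1)  # chunk payloads are word-aligned
    if pos < end:
        findings.append(f"{end - pos} trailing bytes too short for a chunk header")


def validate_ani(data):
    """Return a list of structural problems; an empty list means the file passed."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    (riff_size,) = struct.unpack_from("<I", data, 4)
    findings = []
    if 8 + riff_size > len(data):
        findings.append(
            f"RIFF header declares {riff_size} bytes but file holds {len(data) - 8}")
    _walk(data, 12, min(8 + riff_size, len(data)), findings)
    return findings


# --- constructed sample files (not real cursors) ---------------------------

def _chunk(fourcc, payload):
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _ani(*chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# ANIHEADER: cbSizeof, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
GOOD_ANIH = struct.pack("<9I", ANIH_SIZE, 1, 1, 0, 0, 0, 0, 6, 1)
FRAME_LIST = _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\0" * 16))  # dummy icon data

GOOD_ANI = _ani(_chunk(b"anih", GOOD_ANIH), FRAME_LIST)
# A second anih chunk whose declared length is not 36: the shape a checker must catch.
OVERSIZED_ANI = _ani(_chunk(b"anih", GOOD_ANIH), _chunk(b"anih", b"\0" * 40))
# RIFF size and LIST size both exceed what the file actually contains.
TRUNCATED_ANI = GOOD_ANI[:-10]

if __name__ == "__main__":
    for name, sample in [("good", GOOD_ANI), ("oversized", OVERSIZED_ANI),
                         ("truncated", TRUNCATED_ANI)]:
        print(name, validate_ani(sample) or "ok")
```

The checker deliberately walks into LIST chunks and keeps going after a bad anih chunk rather than stopping at the first finding, so a single pass reports everything a triage analyst would want to see about a suspicious file.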
1.2 Yahoo! Messenger - Remote Hacker Automatic Control
-- Products Affected --
Yahoo! Messenger 8.x
-- Technical Description --
Arbitrary remote code execution in Yahoo! Messenger due to a buffer
overflow in the 'AudioConf' ActiveX control, which can be triggered
by convincing the victim to view a malicious web page.
-- Description --
It has been discovered that there is a serious vulnerability in the
way that Yahoo! Messenger handles requests for audio conferences on
versions of the Messenger client from before March 13, 2007.
Specifically, the vulnerability is with the ActiveX control
associated with the client and can be triggered by tricking the
victim into viewing a malicious web page with the code on it. This
vulnerability could allow an attacker to take full control of a
victim's system.
-- Recommended Action --
Update to the latest version of Yahoo! Messenger, available from the
update link below. Alternatively, advanced users can verify that the
reported CLSID is 2B323CD9-50E3-11D3-9466-00A0C9700498 and that the
version is 1.0.0.48 (which indicates a fully patched version).
-- Source --
http://messenger.yahoo.com/security_update.php?id=031207
http://www.zerodayinitiative.com/advisories/ZDI-07-012.html
-- Updates Available --
http://messenger.yahoo.com
-- External Tracking Data --
Not Yet Identified
-- Threat Matrix --
              U    O
Home User     9    9  (Critical)
Corporate     9    9  (Critical)
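The version check in the Recommended Action above, written out as an added Python example that is not part of this advisory or of Yahoo!'s own tooling. It uses the CLSID and version quoted in the advisory (the CLSID is wrapped in braces, as it appears under HKCR\CLSID), looks up the control's DLL through its InprocServer32 registration, and compares the DLL's file version against 1.0.0.48. That the advisory's version refers to the DLL's file version is an assumption on my part. The registry and file-version lookups only work on Windows; the comparison logic runs anywhere and shows why versions must be compared as integers rather than as strings.

```python
import re

# Values quoted in the advisory above (CLSID in registry form, with braces).
AUDIOCONF_CLSID = "{2B323CD9-50E3-11D3-9466-00A0C9700498}"
PATCHED_VERSION = (1, 0, 0, 48)


def parse_version(text):
    """'1.0.0.48' -> (1, 0, 0, 48). Integer fields, so 1.0.0.9 sorts below 1.0.0.48."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:4]]
    return tuple(parts + [0] * (4 - len(parts)))


def is_patched(version):
    """True when the control is at or above the version the advisory names."""
    if isinstance(version, str):
        version = parse_version(version)
    return tuple(version) >= PATCHED_VERSION


def audioconf_dll_path():
    """Windows only: the DLL registered for the CLSID, or None if the control is absent."""
    try:
        import winreg
    except ImportError:  # not Windows
        return None
    subkey = "CLSID\\" + AUDIOCONF_CLSID + "\\InprocServer32"
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, subkey) as key:
            path, _ = winreg.QueryValueEx(key, "")
            return path
    except OSError:
        return None


def file_version(path):
    """Windows only: (major, minor, build, rev) from the file's VS_FIXEDFILEINFO."""
    import ctypes
    from ctypes import wintypes
    ver = ctypes.WinDLL("version")
    size = ver.GetFileVersionInfoSizeW(path, None)
    if not size:
        return None
    buf = ctypes.create_string_buffer(size)
    if not ver.GetFileVersionInfoW(path, 0, size, buf):
        return None
    info = ctypes.c_void_p()
    length = wintypes.UINT()
    if not ver.VerQueryValueW(buf, "\\", ctypes.byref(info), ctypes.byref(length)):
        return None
    fixed = ctypes.cast(info, ctypes.POINTER(ctypes.c_uint32 * 13)).contents
    ms, ls = fixed[2], fixed[3]  # dwFileVersionMS, dwFileVersionLS
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def check_audioconf():
    """Report 'absent', 'unknown', 'patched' or 'vulnerable' for this machine."""
    path = audioconf_dll_path()
    if path is None:
        return "absent"
    version = file_version(path)
    if version is None:
        return "unknown"
    return "patched" if is_patched(version) else "vulnerable"


if __name__ == "__main__":
    print(check_audioconf())
```

Run it on a workstation as the user who installed Messenger; "absent" means the control is not registered at all, which is also a safe outcome for this advisory.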
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Company Operations Update
Recipients who have recently visited our site
(http://www.beskerming.com) may have noticed some recent changes. We
have reworked the front section of the site to make it a little
easier to find the services and products that we offer, including the
various free and fee-based options. If you haven't had a look in a
while, you will be pleased with the changes, so why not stop by and
take a look.
Still on the website front, there will be more changes coming in the
near future, as we work to make more information available through
the site in a more accessible form. While some people are content to
receive their security updates by email, others prefer an online
interface, which is why we will soon have sections of the site
dedicated to presenting this information (which will also be
reproduced in the mailing lists).
Yet another example of Sûnnet Beskerming's ability to deliver results
ahead of all other competing systems has been seen, soon after our
success with the early notification of the Windows ANI problems.
This time it concerns the release of the 'VBootkit', a bootkit-style
rootkit that targets Vista. Sûnnet Beskerming first published details
on this issue in Advisory #52 (fee-based) / #214 (free list), and we
had been aware of the issue for some time before publishing details.
Overnight, the creators of the tool demonstrated it and provided more
information on it at the BlackHat conference in Europe. This
high-profile event guaranteed that many other sources would pick up
on their claims, including Bruce Schneier, Heise Security, and many
others. In this case, Sûnnet Beskerming provided weeks of advance
notification.
Subscribers to the free email list might have noticed that the Source
entry for the Security items has been removed from recent
Advisories. Fee-paying subscribers still receive the full source
details for every report, along with update links and external
tracking data - a significant improvement in value over the free
list reporting, so why not upgrade your subscription today?
2.2 How The Patch Was Built
Following the release of the out-of-cycle patch, MS07-017, Microsoft
posted to their MSRC blog a detailed insight into how they create and
test major patches. This came about because end users questioned why
Microsoft had taken more than 3 months to release the patch when they
knew it could so easily be attacked.
As has already been acknowledged, Microsoft were initially made aware
of the vulnerability by researchers at Determina Security, who
notified them on December 20, 2006. Microsoft acknowledge that they
immediately knew that it would require a security update to fix.
The posting then explains, in straightforward terms, that Microsoft
decide how urgently a release is required based on the immediate risk
to end users. If the immediate risk is high, they will shortcut their
security lifecycle considerably in order to expedite delivery of a
patch to users (and thus increase the risk that something will go
wrong for some users).
When it comes to the actual investigation and development of an
appropriate patch, Microsoft begin with an analysis of the issue
being reported and any possibly related problems around it (this is
based on feedback to Microsoft that end users want patches to be as
comprehensive as possible, even though many patches still have to be
replaced by later ones).
Microsoft indicate that for the ANI vulnerability, this stage of
investigation showed a dependency on some kernel level code
(specifically a vulnerability in that code), which meant that both
sets of files would need updating at the same time. The result of
this is the multi-vulnerability update addressed with MS07-017, as
listed above.
Interestingly, the next part of the process is the testing and QA
phase (which, in itself, isn't all that interesting). The interesting
part is the length of time required for this process, which
Microsoft indicate takes 2 months on average. Because this particular
patch modifies system-wide behaviour that is tightly linked with the
core Operating System, the testing process was expected to take even
longer, as more thorough testing would be required. Microsoft
indicate that hundreds of people globally were involved in the
testing process, and that more than 80 potential issues with the
update were found and investigated at just one point in this process.
Microsoft went on to indicate that there was still one known problem
at the time of patch release, for which a hotfix was made available.
Microsoft's original planned release date for the patch was April 10;
however, the discovery and release of active exploitation code meant
that they expedited the testing process and released the complete
patch, rather than developing a new patch from scratch.
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.