At Microsoft, as at most large software vendors, we are likely to have publicly known issues under investigation at any given time. This is what we do on the Security Research & Defense team. Recently we’ve seen confusion from folks trying to make sense of some of the current public issues. To help clear that up, we offer this table of information to help customers make a risk assessment for their particular environment. Note that applying the Microsoft-recommended workaround for any issue in the table removes the risk posed by the issue entirely.
|Internet Explorer 6/7/8 vulnerability in recursive style sheet importing.
|Public, exploit code is available. We are seeing limited exploitation.||As listed in Security Advisory #2488013, EMET is an effective mitigation tool.
Anti-virus and IDS/IPS signatures developed by our MAPP partners for this issue have also been quite effective at detecting and blocking attacks.
|Windows graphics rendering engine vulnerability in parsing BMP thumbnails embedded within an OLESS document container.
|Public exploit code was posted this week.
Proof-of-concept code we have seen so far requires a user to browse to an attacker-writable folder using Windows Explorer. If Explorer is set to display thumbnails or a preview of contained files (neither setting is the default), the chance of code execution exists. Current proof-of-concept code is not successful when Explorer is set to display files in the default List mode.
|As listed in Security Advisory #2490606, modify the Access Control List on shimgvw.dll. The advisory also lists a one-click FixIt to automate this configuration change.|
|IIS 7.0 and 7.5 FTP service vulnerability in encoding Telnet IAC (Interpret As Command) characters in the FTP response.||As discussed in this SRD blog post, attempts to exploit this vulnerability would most likely result in a Denial-of-Service. We have not seen attempts to exploit this vulnerability for code execution.||The FTP service is not installed by default with IIS 7 or IIS 7.5. And when it is installed, it is not enabled by default.
If you have enabled IIS FTP service, consider disabling it, if possible, until a security update is available.
|Internet Explorer fuzzer released publicly capable of hitting Internet Explorer crashes||A fuzzer for various browsers was released, as well as information on a crash that shows a potentially exploitable condition. While the fuzzer is successful in encountering exploitable memory corruption issues in Internet Explorer, we have been unable so far to turn a crash into a stand-alone HTML page that could be used as a browse-and-own exploit. Encountering the issues appears dependent on first loading many previous iterations of HTML in the fuzzer, making the issues we have discovered so far less useful for the purpose of real-world attacks. We are still investigating this issue and will monitor for any developments that may change the current risk.||Unable to make an assessment at this time without stand-alone PoC. However, we are working on a security update to address the issues found in fuzzing.|
|WMI Administrative Tools ActiveX control vulnerability.||Only the very few customers who have installed the WMI Administrative Toolkit are vulnerable to this issue. This product has a small number of total downloads. The ActiveX control itself is not signed by Microsoft. This is not a case where an attacker can host a Microsoft-signed ActiveX control and entice the user to make one click to allow it to install.
The real-world risk to most customers from this issue is expected to be quite low.
|This ActiveX control can be killbitted to protect any machines that have installed the WMI Administrative Toolkit. The affected ActiveX control was not intended to be instantiated within Internet Explorer so legitimate use of the WMI Administrative Toolkit should not be impacted by this configuration change.
The attached .txt file, if renamed to .reg and opened, will apply the killbit to the affected clsid’s.
We hope that this helps customers make a risk assessment for your environment. We are closely monitoring each of these issues, and we will update or issue advisories if the threat landscape changes.
Thanks to each of the case managers and security engineers who worked over the holidays to respond appropriately to these public disclosures!
– Jonathan Ness, MSRC Engineering
*Posting is provided “AS IS” with no warranties, and confers no rights.*