Archive for the 'Security Bulletins' Category

New Vulnerability Disclosure for an Old Patch

The latest Microsoft ActiveX flaw disclosure looks like a silently patched issue.

The flaw, disclosed by US-CERT, was not part of Microsoft’s MS07-069 Security Bulletin released in December of 2007. The CVE ID (CVE-2007-6255) is not listed in Microsoft’s Bulletin at the time of this writing and is still in the reserved state on MITRE’s CVE Web site.

The vulnerability affects an ActiveX control used to play games on the MSN Games site. When exploited, it would allow for code execution at the rights level of the victim because of improperly processing a crafted “host” parameter.

The workaround for those who have not installed the patch is…

Bingo! Set the kill bit. You’ll want to disable the ActiveX object from loading using this class id: E5D419D6-A846-4514-9FAD-97E826C84822.
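One way to apply that workaround with PowerShell (an added example, not part of the original post) is to set the "Compatibility Flags" kill bit value under the ActiveX Compatibility key for the class id above. It assumes an elevated prompt; the Wow6432Node branch is only touched if it exists, so 32-bit IE on 64-bit Windows is covered too.

```powershell
# Added example, not from the original post. Sets the Internet Explorer kill
# bit for the MSN Games ActiveX control named above and reports the result.
# Assumes an elevated prompt.
$ClsId   = '{E5D419D6-A846-4514-9FAD-97E826C84822}'
$KillBit = 0x400   # bit in "Compatibility Flags" that stops IE loading the control
$Bases   = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    # 32-bit IE on a 64-bit OS reads the WOW6432Node view of the registry
    $Bases += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-CompatFlags([string]$Key) {
    $v = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [int]$v      # $null becomes 0 when the value does not exist yet
}

function Set-ActiveXKillBit {
    foreach ($base in $Bases) {
        $key = Join-Path $base $ClsId
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the kill bit in so any other flags already present are preserved
        $new = (Get-CompatFlags $key) -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-ActiveXKillBit {
    foreach ($base in $Bases) {
        $key = Join-Path $base $ClsId
        [pscustomobject]@{
            Key        = $key
            KillBitSet = (((Get-CompatFlags $key) -band $KillBit) -ne 0)
        }
    }
}

Set-ActiveXKillBit
Test-ActiveXKillBit | Format-Table -AutoSize
```

Run Test-ActiveXKillBit alone to audit a machine without changing it.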

This is one of those cases where the moment you hear about the vulnerability, there is a patch available already. This, of course, is better than the alternative. Most of you should have the patch already installed.

I’m not going to get into the “Why weren’t we notified?” issue; I just wanted to call attention to this on the off-chance there is anyone who isn’t patched.

Web-Hosting Providers – Beware!

Late on Thursday Microsoft released an advisory about a new privilege escalation vulnerability affecting IIS and SQL Server on Windows XP, 2003, Vista, and Server 2008.

It’s likely that this is the same flaw discussed by Cesar Cerrudo in his talk, “Token Kidnapping”, at the HITB Security Conference 2008 in Dubai. Cerrudo had discovered a privilege-escalation vulnerability earlier, and said in March, “Design weaknesses can be abused on Windows XP, Vista, Internet Information Services 7 and Windows Server 2003 and 2008”.

So what is known about this flaw? A malicious local user who is already authenticated could execute specially crafted code to raise his privilege level to LocalSystem. IIS and SQL Server are the main attack vectors, but other vectors are possible, such as Microsoft Distributed Transaction Coordinator (MSDTC) on Windows Server 2003.

While the vulnerability is limited to a local privilege escalation, IIS’s susceptibility is concerning. The Web server is widely used on the Internet, and is a top pick by Web-hosting providers. We might see Web-hosting providers targeted and, this is scary, their clients’ Web sites breached. As Microsoft stated in its advisory, “Hosting providers may be at increased risk from this elevation of privilege vulnerability.” However, no exploitation has been observed at this time.

The next Patch Tuesday is May 13. Sysadmins, please heed Microsoft’s suggested workarounds for IIS until then, or more to the point, until Microsoft patches this vulnerability.

Finally, a bit of speculation (hat tip to Kevin Beets). One attack vector for this vulnerability uses the SeImpersonateClient privilege. The MSDN page for privilege constants states:

Windows XP/2000: This privilege is not supported. Note that this value is supported starting with Windows Server 2003, Windows XP SP2, and Windows 2000 SP4.

Microsoft did not say that Windows 2000 or Windows 2000 SP4 are vulnerable. But curiously, they did say Windows XP SP2 is. If Service Pack 2 for Windows XP introduced this vulnerability in that operating system, might Service Pack 4 for Windows 2000 not have done the same for Windows 2000?
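Since the impersonation privilege is the vector discussed above, a hosting administrator may want to know which accounts on a given box actually hold SeImpersonatePrivilege. The following is an added example, not from the original post: it exports the local user-rights policy with secedit (a standard tool) and resolves the SIDs on the SeImpersonatePrivilege line; it assumes an elevated prompt and the documented INF export format.

```powershell
# Added example, not from the original post. Lists the accounts that hold
# SeImpersonatePrivilege on this host by exporting the local security policy.
# Assumes an elevated prompt; the export line looks like
#   SeImpersonatePrivilege = *S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-544
function Get-ImpersonatePrivilegeHolders {
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $inf | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
        if (-not $line) { return @() }   # nobody holds it locally (unusual)
        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($entry in $entries) {
            $sidText = $entry.Trim().TrimStart('*')   # entries are "*SID" or a plain name
            try {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($sidText)
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $name = $sidText   # not a SID, or unresolvable: keep the raw text
            }
            [pscustomobject]@{ Sid = $sidText; Account = $name }
        }
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue   # do not leave policy dumps around
    }
}

Get-ImpersonatePrivilegeHolders | Format-Table -AutoSize
```

Service accounts such as NETWORK SERVICE and LOCAL SERVICE normally appear here; anything beyond the defaults on a hosting box deserves a second look.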

Microsoft patches 133 Critical and Important Vulnerabilities in 2006

This Patch Tuesday, Microsoft patched 11 vulnerabilities. Among the patched vulnerabilities are two that can be remotely exploited by an anonymous user, MS06-074 SNMP Buffer Overflow Vulnerability and MS06-077 Remote Installation Service Vulnerability. The Windows SNMP Service and Remote Installation Service are not installed by default, which greatly reduces the attack surface.

The vulnerability in Visual Studio, exploited in the wild, has been addressed in this month’s patch cycle.

The update to last month’s graphs is found below. The top graph shows that Microsoft almost hit one hundred critical vulnerabilities for 2006. The year is not over, and Microsoft may provide out-of-cycle patches for the current 0-Day Word vulnerabilities.

[Graph: Critical vulnerabilities addressed by Microsoft]
[Graph: Important vulnerabilities addressed by Microsoft]

Microsoft patches 11 critical vulnerabilities, one worm candidate

This month, Microsoft has patched 13 vulnerabilities. Among them is one that can be used to create a worm targeting Windows 2000 systems. The MS06-070 Workstation Service vulnerability can be remotely exploited without user interaction. On Windows 2000, no authentication is needed when sending traffic to this service. Details on this vulnerability have been published.
The vulnerabilities in the Internet Explorer DirectAnimation.PathControl ActiveX object and in XML Core Services, both exploited in the wild, have been addressed in this month’s patch cycle.

The update to last month’s graphs is found below. The graphs show that Microsoft is continuing the trend of patching a large number of critical vulnerabilities each month.

[Graph: Critical vulnerabilities addressed by Microsoft]
[Graph: Important vulnerabilities addressed by Microsoft]

Microsoft patches 14 more critical vulnerabilities

Today Microsoft addressed 18 vulnerabilities of which 14 are rated critical. One of the critical vulnerabilities, (MS06-035) Mailslot Heap Buffer Overflow vulnerability, can be remotely exploited by an anonymous user on Windows 2000 SP4 and Windows XP SP1. This vulnerability is the only worm candidate among the patched vulnerabilities today.
The update to last month’s graphs is found below. The top graph shows that this year Microsoft has already addressed more critical vulnerabilities than in the whole of 2005. The bottom graph shows that the number of important vulnerabilities has not changed significantly.

[Graph: Critical vulnerabilities addressed by Microsoft]
[Graph: Important vulnerabilities addressed by Microsoft]

McAfee Avert Labs has given three of the vulnerabilities patched today a rating of High while the others have received a rating of Medium. The ones with a McAfee rating of High are the worm candidate, (MS06-035) Mailslot Heap Buffer Overflow vulnerability, and the Excel and Office vulnerabilities for which exploit code has been published, (MS06-037) Excel Malformed File Vulnerability and (MS06-038) Office Malformed String Parsing Vulnerability.

No need to remind you to review your deployments now!