Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16057
HistoryFeb 13, 2007 - 12:00 a.m.

Microsoft Security Bulletin MS07-010 Vulnerability in Microsoft Malware Protection Engine Could Allow Remote Code Execution (932135)

2007-02-1300:00:00
vulners.com
11

Microsoft Security Bulletin MS07-010
Vulnerability in Microsoft Malware Protection Engine Could Allow Remote Code Execution (932135)
Published: February 13, 2007

Version: 1.0
Summary

Who Should Read this Document: Customers who use Microsoft Malware Protection Engine

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should immediately ensure that they have the latest Microsoft Malware Protection Engine update

Security Update Replacement: None

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:

Windows Live OneCare

Microsoft Antigen for Exchange 9.x

Microsoft Antigen for SMTP Gateway 9.x

Microsoft Windows Defender

Microsoft Windows Defender x64 Edition

Microsoft Windows Defender in Windows Vista

Microsoft Forefront Security for Exchange Server

Microsoft Forefront Security for SharePoint

Affected Components:

Microsoft Malware Protection Engine

The software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.
Top of sectionTop of section
General Information

Executive Summary

Executive Summary:

This update resolves a newly discovered, privately reported vulnerability in the Microsoft Malware Protection Engine. The vulnerability is documented in the "Vulnerability Details" section of this bulletin.

An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

We recommend that customers should immediately ensure that they have the latest Microsoft Malware Protection Engine update.

Severity Ratings and Vulnerability Identifiers:
Vulnerability Identifiers Impact of Vulnerability Windows Live OneCare Microsoft Antigen for Exchange 9.x Microsoft Antigen for SMTP Gateway 9.x Microsoft Windows Defender Microsoft Windows Defender x64 Microsoft Windows Defender in Windows Vista Microsoft Forefront Security for Exchange Server Microsoft Forefront Security for SharePoint

Microsoft Malware Protection Engine Vulnerability - CVE-2006-5270

Remote Code Execution

Critical

Critical

Critical

Critical

Critical

Critical

Critical

Critical

This assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Top of sectionTop of section

Frequently Asked Questions (FAQ) Related to This Security Update

Are my Microsoft products that use the Microsoft Malware Protection Engine automatically updated?

The following table provides the deployment methods for this security update.
Product Automatically Updated Engine Version Number

Windows Live OneCare

Yes (Windows Live OneCare AutoUpdate)

1.1.2101.0

Microsoft Antigen for Exchange 9.x

Yes (Forefront Server security update service)

0.1.8.53

Microsoft Antigen for SMTP Gateway 9.x

Yes (Forefront Server security update service)

0.1.8.53

Microsoft Windows Defender

Yes (Microsoft Update)

1.1.2101.0

Microsoft Windows Defender in Windows Vista

Yes (Microsoft Update)

1.1.2101.0

Microsoft Windows Defender x64 Edition

Yes (Microsoft Update)

1.1.2101.0

Microsoft Forefront Security for Exchange Server

Yes (Forefront Server security update service)

0.1.8.53

Microsoft Forefront Security for SharePoint

Yes (Forefront Server security update service)

0.1.8.53

Note If your engine version is equal to or greater than the above listed Engine Version Number, then you are not affected by this vulnerability and do not need to take any further action.

Note Users who have disabled AutoUpdate or Microsoft Update for their Microsoft Antivirus client software will need to either re-enable AutoUpdate or update the Microsoft Antivirus client software manually to receive the updated Microsoft Malware Protection engine. To update the Microsoft Antivirus client software manually, users should follow the product documentation provided with the affected software.

Note For Microsoft Antigen and Microsoft Forefront, the Microsoft engine is automatically updated. For systems that have been altered from the default installation, manual engine updates can be performed through the administrator tool. If the engine had been disabled, it can be re-enabled and then updated immediately by clicking “update now”. For customers that update engines using Microsoft Antigen Enterprise Manager, users should select Engine Update Redistribution Job and click Run Now.
Top of sectionTop of section

Vulnerability Details

Microsoft Malware Protection Engine Vulnerability - CVE-2006-5270:

A remote code execution vulnerability exists in the Microsoft Malware Protection Engine because of the way that it parses Portable Document Format (PDF) files. An attacker could exploit the vulnerability by constructing a specially crafted PDF File that could potentially allow remote code execution when the target computer system receives, and the Microsoft Malware Protection Engine scans, the PDF file.

Mitigating Factors for Microsoft Malware Protection Engine Vulnerability - CVE-2006-5270:

We have not identified any mitigating factors for this vulnerability.
Top of sectionTop of section

Workarounds for Microsoft Malware Protection Engine Vulnerability - CVE-2006-5270:

Microsoft Forefront Security for Exchange Server, Microsoft Forefront Security for SharePoint, and Microsoft Antigen supports multiple engines in addition to the Microsoft Malware Protection Engine on a single system. If multiple engines are available on an affected system, administrators can disable the Microsoft Malware Protection Engine as a workaround, until the Microsoft Malware Protection Engine can be updated. Before disabling the Microsoft Malware Protection Engine, administrators should ensure they have installed the latest virus signatures for any third party engine.

We have not identified any workarounds for Windows Live OneCare and Microsoft Windows Defender.
Top of sectionTop of section

FAQ for Microsoft Malware Protection Engine Vulnerability - CVE-2006-5270:

What is the scope of the vulnerability?
A remote code execution vulnerability exists in the Microsoft Malware Protection Engine because of the way that it parses Portable Document Format (PDF) files. An attacker could exploit the vulnerability by constructing a specially crafted PDF file that could potentially allow remote code execution when the target computer system receives, and the Microsoft Malware Protection Engine scans, the PDF file.

What causes the vulnerability?
An integer overflow in the Microsoft Malware Protection Engine when processing a specially crafted PDF file.

What is the Microsoft Malware Protection Engine?
The Microsoft Malware Protection Engine, mpengine.dll, provides the scanning, detection and cleaning capabilities for the following antivirus and antispyware clients: Windows Live OneCare, Microsoft Forefront Security, Microsoft Antigen, and Windows Defender.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could cause remote code execution and take complete control of the affected system.

Who could exploit the vulnerability?
Any anonymous user who could deliver a specially crafted PDF to an affected system could try to exploit this vulnerability.

How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by creating a specially crafted PDF attachment and forcing an affected system to process the PDF. When Microsoft Malware Protection Engine on the target machine automatically scans the PDF, the PDF could then cause the affected system to execute arbitrary code.

Finally, an attacker could also make a specially crafted PDF available on a Web site. An attacker would have no way to force users to visit a particular Web site. Instead, an attacker would have to convince them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.

What systems are primarily at risk from the vulnerability?
Any Microsoft Antivirus client that uses the Microsoft Malware Protection Engine and whose filters are configured to allow PDF file processing is at risk.

What does the update do?
The update removes the integer overflow vulnerability by modifying the way that the Microsoft Malware Protection Engine validates the length of data in the PDF before passing the data to the allocated buffer.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued. This security bulletin addresses the vulnerability as well as additional issues discovered through internal investigations.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
Top of sectionTop of section
Top of sectionTop of section
Top of sectionTop of section

Security Update Information

Affected Software:

For information about the specific security update for your affected software, click the appropriate link:

Windows Live OneCare

Prerequisites
This security update requires Windows Live OneCare.

Restart Requirement

This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.

For more information about the reasons why you may be prompted to restart your computer, see Microsoft Knowledge Base Article 887012.

Removal Information

This update cannot be uninstalled when using Windows Live OneCare on Windows XP.

This update can be uninstalled when using Windows Live OneCare in Windows Vista.

Verifying Update Installation

To verify that the update has been applied to an affected system, perform the following steps:

Click Help, then click About Windows Live OneCare.

Check the version number. If the Virus and spyware definition version reads 1.1.2101.0 or above, the update has been successfully installed.
Top of sectionTop of section

Microsoft Antigen for Exchange 9.x

Prerequisites
This security update requires Microsoft Antigen for Exchange 9.x.

Restart Requirement

This update is automatic and does not require a restart.

Forefront Server security update service automatically updates the Microsoft Antivirus engine in Microsoft Antigen for Exchange Server. However, on computer systems running Microsoft Antigen where users have disabled the Microsoft Antivirus engine, users will have to re-enable the engine through the administrator tool. Once re-enabled the engine should be updated by clicking “update now”.

Removal Information

This update cannot be uninstalled.

Verifying Update Installation

To verify that the update has been applied to an affected system, perform the following steps:

In Antigen Administrator, click Scanner Updates and then click Microsoft Antivirus.

Check the version number. If the Microsoft Antivirus engine build number reads 0.1.8.53 or above, the update has been successfully installed.

For instructions on configuring Microsoft Antigen engines, visit the following Microsoft Web site.
Top of sectionTop of section

Microsoft Antigen for SMTP Gateway 9.x

Prerequisites
This security update requires Microsoft Antigen for SMTP Gateway 9.x.

Restart Requirement

This update is automatic and does not require a restart.

Forefront Server security update service automatically updates the Microsoft Antivirus engine in Microsoft Antigen for SMTP Gateway. However, on computer systems running Microsoft Antigen where users have disabled the Microsoft Antivirus engine, users will have to re-enable the engine through the administrator tool. Once re-enabled the engine should be updated by clicking “update now”.

Removal Information

This update cannot be uninstalled.

Verifying Update Installation

To verify that the update has been applied to an affected system, perform the following steps:

In Antigen Administrator, click Scanner Updates and then click Microsoft Antivirus.

Check the version number. If the Microsoft Antivirus engine build number reads 0.1.8.53 or above, the update has been successfully installed.

For instructions on configuring Microsoft Antigen engines, visit the following Microsoft Web site.
Top of sectionTop of section

Microsoft Windows Defender and Windows Defender in Windows Vista

Prerequisites
This security update requires Windows Defender.

Restart Requirement

This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.

For more information about the reasons why you may be prompted to restart your computer, see Microsoft Knowledge Base Article 887012.

Removal Information

This update cannot be uninstalled from Windows XP, or Windows Server 2003.

This update can be uninstalled from Windows Vista.

Verifying Update Installation

To verify that the update has been applied to an affected system, perform the following steps:

Click Help, then click About Windows Defender.

Check the version number. If the Microsoft Antivirus engine build number reads 1.1.2101.0 or above, the update has been successfully installed.
Top of sectionTop of section

Microsoft Forefront Security for Exchange Server

Prerequisites
This security update requires Forefront Security for Exchange Server.

Restart Requirement

This update is automatic does not require a restart.

Forefront Server security update service automatically updates the Microsoft Antimalware Engine in Forefront Security for Exchange Server. However, on computer systems running Forefront Security for Exchange Server where users have disabled the Microsoft Antimalware Engine, users will have to re-enable the engine through the administrator tool. Once re-enabled the engine should be updated by clicking “update now”.

Removal Information

This update cannot be uninstalled.

Verifying Update Installation

To verify that the update has been applied to an affected system, perform the following steps:

In Forefront Administrator, click Scanner Updates and then click Antimalware Engine.

Check the version number. If the Microsoft Antimalware Engine build number reads 0.1.8.53 or above, the update has been successfully installed.

For instructions on configuring Forefront Server Security for Exchange Server engines, visit the following Microsoft Web site.
Top of sectionTop of section

Microsoft Forefront Security for SharePoint

Prerequisites
This security update requires Forefront Security for SharePoint.

Restart Requirement

This update is automatic and does not require a restart.

Forefront Server security update service automatically updates the Microsoft Antimalware Engine in Forefront Security for SharePoint. However, on computer systems running Forefront Security for SharePoint where users have disabled the Microsoft Antimalware Engine, users will have to re-enable the engine through the administrator tool. Once re-enabled the engine should be updated by clicking “update now”.

Removal Information

This update cannot be uninstalled.

Verifying Update Installation

To verify that the update has been applied to an affected system, perform the following steps:

In Forefront Administrator, click Scanner Updates and then click Microsoft Antimalware Engine.

Check the version number. If the Microsoft Antimalware Engine build number reads 0.1.8.53 or above, the update has been successfully installed.

For instructions on configuring Forefront Server Security for SharePoint engines, visit the following Microsoft Web site.
Top of sectionTop of section
Top of sectionTop of section

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

Neel Mehta and Alex Wheeler of ISS X-Force for reporting the Microsoft Antivirus Engine Vulnerability (CVE-2006-5270).

Obtaining Other Security Updates:

Updates for other security issues are available at the following locations:

Security updates are available at the Microsoft Download Center. You can find them most easily by doing a keyword search for "security_patch."

Updates for consumer platforms are available at the Microsoft Update Web site.

Support:

Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Security Resources:

The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.

TechNet Update Management Center

Microsoft Software Update Services

Microsoft Windows Server Update Services

Microsoft Baseline Security Analyzer (MBSA)

Windows Update

Microsoft Update

Windows Update Catalog: For more information about the Windows Update Catalog, see Microsoft Knowledge Base Article 323166.

Office Update

Software Update Services:

By using Microsoft Software Update Services (SUS), administrators can quickly and reliably deploy the latest critical updates and security updates to Windows 2000 and Windows Server 2003-based servers, and to desktop systems that are running Windows 2000 Professional or Windows XP Professional.

For more information about how to deploy security updates by using Software Update Services, visit the Software Update Services Web site.

Windows Server Update Services:

By using Windows Server Update Services (WSUS), administrators can quickly and reliably deploy the latest critical updates and security updates for Windows 2000 operating systems and later, Office XP and later, Exchange Server 2003, and SQL Server 2000 onto Windows 2000 and later operating systems.

For more information about how to deploy security updates using Windows Server Update Services, visit the Windows Server Update Services Web site.

Systems Management Server:

Microsoft Systems Management Server (SMS) delivers a highly configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and can perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. For more information about how administrators can use SMS 2003 to deploy security updates, visit the SMS 2003 Security Patch Management Web site. SMS 2.0 users can also use Software Updates Service Feature Pack to help deploy security updates. For information about SMS, visit the SMS Web site.

Note SMS uses the Microsoft Baseline Security Analyzer, the Microsoft Office Detection Tool, and the Enterprise Update Scan Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, visit the following Web site. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) to install these updates.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

V1.0 (February 13, 2007): Bulletin published.

Related for SECURITYVULNS:DOC:16057