Devil Is In The Details For May 2009 Microsoft Security Update
Fourteen individual vulnerabilities, as identified by distinct CVE numbers, are being addressed, all of which could lead to remote code execution on at least some of the versions of PowerPoint. PowerPoint 2000, 2002 (XP), and 2003 are the versions affected by most of the vulnerabilities.
Somewhat surprisingly, several of the vulnerabilities have been identified as affecting Office 2004 and 2008, the OS X versions of Office, as well as Microsoft Works 8.5 and 9.0. The surprising part isn't that the vulnerabilities affect those software versions, but rather that MS09-017 will not patch them. In reasoning given on both the Microsoft Security Response Center and Security Research & Defense blogs, the argument is that Microsoft saw the best opportunity to patch the complete line of Windows PowerPoint versions at the same time, while patches for the remaining affected software are in the pipeline for eventual release. Rather than hold up the release of the Windows PowerPoint update to ensure every affected software version is patched at the same time, the decision was made to keep the patch consistent across the Windows platform and to get it to the majority of users.
This hasn't gone down well with some people in the Information Security industry. The argument that attackers reverse engineer patches to find the patched vulnerabilities and the means to attack them is a fair one, but when exploits for some of the patched issues, in particular one that affects PowerPoint 2000, 2002 (XP), 2003, and 2004 (OS X), were already available prior to the patch release, it only makes the need to release and apply patches more critical.
This isn't the worst thing that can happen from differential patching. Since the same particular vulnerability is present across platforms, and is a remote code execution vulnerability, reverse engineers on Windows will be able to determine an attack vector against the Works versions of PowerPoint and the OS X versions, and have a clear run against those targets until Microsoft is able to release patches for those versions. Microsoft's argument that the patch release will provide coverage for the clear majority of users is fair enough, but just how large is the attack surface presented by the installed base of Works and OS X Office? Works is pushed as the solution for a home user, and OS X installations of Office would be in use in environments where interaction and file transfer between Windows and OS X is expected.
According to the SRD team, the sample exploits they tested against the Windows PowerPoint versions could not reliably exploit the OS X versions, but they could still do so. There is no guarantee that a more reliable exploit will not soon emerge.
One of the changes introduced by this update, which could catch a number of legacy systems (and thus those that most need protection), is the removal of support for PowerPoint 4 files. Quite rightly, the SRD team points out that Office has not been able to create this sort of file since at least Office XP, and support for it has already been removed in Office 2007 and, since SP2, in Office 2003. Rather than modifying Office to prevent handling of this file format, it is a Registry entry that disables support, something for which even Microsoft provides a workaround. A lot of the vulnerabilities addressed were related to this file format, but it is still an interesting approach to addressing the vulnerability: through Registry patching. It has a lot of parallels to the ActiveX patches that have been released in the past; many of them have been Registry entries disabling components, rather than addressing the component binaries directly.
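Because a Registry-based mitigation can be reverted by the very workaround the vendor documents, a defender's follow-up is to audit that the entry is actually in place on the machines that matter. The PowerShell below is an added example, not code from the original post or from Microsoft: it checks a named Registry value against the data the mitigation expects and reports whether the key is missing, the value is missing, or the value has been changed. The PowerPoint key path, value name and data are placeholders (the post does not give them; take the real ones from the MS09-017 bulletin). The ActiveX kill-bit location and the 0x400 flag are the documented "ActiveX Compatibility" mechanism, but the CLSID shown is a placeholder too.

```powershell
# Added example (not from the original post): audit whether a Registry-based
# mitigation is present. Covers both cases the post mentions: a file-format
# disable switch like the PowerPoint 4 removal, and an ActiveX kill bit.
# The PowerPoint path/value/data below are PLACEHOLDERS (assumption, not from
# the post). The kill-bit location and the 0x400 flag are the documented
# ActiveX Compatibility mechanism; the CLSID is a placeholder.

function Test-RegistryMitigation {
    param(
        [Parameter(Mandatory)] [string] $Path,      # Registry key, PowerShell drive syntax
        [Parameter(Mandatory)] [string] $Name,      # value name under that key
        [Parameter(Mandatory)] [int]    $Expected,  # data the mitigation should have set
        [int] $Mask = 0                             # 0 = compare whole value; else test bits
    )
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Name = $Name; Actual = $null; State = 'KeyMissing' }
    }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Path = $Path; Name = $Name; Actual = $null; State = 'ValueMissing' }
    }
    $actual = [int]$item.$Name
    $ok = if ($Mask -eq 0) { $actual -eq $Expected } else { ($actual -band $Mask) -eq $Expected }
    [pscustomobject]@{
        Path   = $Path
        Name   = $Name
        Actual = ('0x{0:X}' -f $actual)
        State  = $(if ($ok) { 'Applied' } else { 'Reverted' })   # 'Reverted' = workaround applied or value tampered
    }
}

# Case 1: a file-format disable switch. PLACEHOLDER key, value name and data;
# substitute the entry documented for MS09-017.
Test-RegistryMitigation -Path 'HKCU:\Software\Microsoft\Office\11.0\PowerPoint\PLACEHOLDER_Key' `
                        -Name 'PLACEHOLDER_ValueName' -Expected 1

# Case 2: an ActiveX kill bit. Bit 0x400 of "Compatibility Flags" under
# ActiveX Compatibility\{CLSID} tells Internet Explorer never to load the control.
$clsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder CLSID
Test-RegistryMitigation -Path "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid" `
                        -Name 'Compatibility Flags' -Expected 0x400 -Mask 0x400
```

Run it under the user whose hive holds the entry (HKCU-based settings are per user, so a machine with several profiles needs the check per profile), and feed the output to whatever inventory tool you already use; a 'Reverted' result is the signal that someone followed the workaround and re-exposed the legacy parser.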
13 May 2009