WatchGuard Wire

Tuesday, August 11, 2009

Zero Day Vulnerability in Microsoft Office

On 13 July, 2009, we alerted LiveSecurity subscribers about a zero day vulnerability in the Office Web Components ActiveX control that ships with most versions of Microsoft Office.

When we first reported this issue, attackers were already exploiting this serious vulnerability in the wild. We promised to update our alert when Microsoft released a patch to fix this vulnerability. They released those patches today as part of their monthly Patch Day.

In today's security bulletin, Microsoft describes the four Office Web Components (OWC) ActiveX control vulnerabilities in more detail. They warn that these OWC vulnerabilities also affect Microsoft Internet Security and Acceleration (ISA) Server, Microsoft BizTalk Server, Microsoft Visual Studio .NET, and Microsoft Office Small Business Accounting.

At a high level, the vulnerabilities all involve how the OWC ActiveX control handles memory or system state in certain situations. While the flaws differ technically, they all share the same scope and impact. If an attacker can entice one of your Office users into visiting a specially crafted website, the attacker can exploit any of these vulnerabilities to execute code on that user's computer, with that user's privileges. If your user has local administrator privileges, as most Windows users do, the attacker would gain complete control of the user's computer.

Attackers have been actively exploiting this vulnerability in the wild since 13 July, so it poses a significant threat to most Microsoft Office users. You should download, test, and deploy the updates below immediately.

Solution: Microsoft has released patches that correct these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.

This post was excerpted from the WatchGuard LiveSecurity Alert, Zero Day Vulnerability in Microsoft Office, by Corey Nachreiner, CISSP, August 11th, 2009.

Friday, August 7, 2009

Marines Ban Facebook, MySpace

The U.S. Marine Corps has slapped an immediate ban on the use of social networking sites on its network, warning that sites like Facebook, MySpace and Twitter are a “proven haven for malicious hackers and content.”

The ban, contained in an order issued Monday, will last for a year. It specifically mentions Facebook, Twitter and MySpace, although it applies to what is described as “Web-based services that allows communities of people to share common interests.”

A few choice quotes from the Marine Corps order:
“These internet sites in general are a proven haven for malicious actors and content and are particularly high risk due to information exposure, user generated content and targeting by adversaries…”

“The very nature of SNS [social network sites] creates a larger attack and exploitation window, exposes unnecessary information to adversaries and provides an easy conduit for information leakage that puts OPSEC [operational security], COMSEC [communications security], [and] personnel… at an elevated risk of compromise.”

CNN reports that the ban was drawn up in response to a late July warning from U.S. Strategic Command, which told the rest of the military it was considering a Defense Department-wide ban on the Web 2.0 sites, due to network security concerns.

Facebook, MySpace and Twitter have been constant targets for malware attacks that exploit the trusted nature of social networks to lure users into clicking on links to malicious sites.

This post contains excerpts from the CNN article, Marines ban Twitter, Facebook and other sites, by Noah Shachtman, August 4th, 2009, and the ZDNet article, U.S. Marines ban Facebook, MySpace, Twitter, by Bryan Naraine, August 4th, 2009.