MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2008

MA-134.072008 : MyCERT Special Alert - Vulnerabilities in Microsoft Products

Original Issue Date: 15th July 2008

Microsoft has released notifications regarding the latest vulnerabilities in its products. Two of these vulnerabilities affect many users in Malaysia. Users are advised to take precautions and carry out the remedial actions below to prevent their machines from being compromised.

Two Microsoft products are affected by the vulnerabilities, as listed below:

i. Microsoft Word
ii. Microsoft DNS

The details of the vulnerabilities are summarized in the tables below. Note that an exploit is already available for the Microsoft Word vulnerability, and users are advised to take prompt action to fix the vulnerabilities.

Produced on 15th July 2008 by MyCERT, CyberSecurity Malaysia, an agency under the Ministry of Science, Technology and Innovation (MOSTI).

Revision History:

Initial Release: 15th July 2008

Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (951207)
CVE / Microsoft
Security Bulletin
CVE-2008-2244
System Affected
  • Microsoft Word 2002 Service Pack 3

    The software listed below is NOT affected by the vulnerability:

  • Microsoft Office Word 2000 *

  • Microsoft Office Word 2003 Service Pack 2

  • Microsoft Office Word 2003 Service Pack 3

  • Microsoft Office Word 2007

  • Microsoft Office Word 2007 Service Pack 1

  • Microsoft Office Word Viewer 2003

  • Microsoft Office Word Viewer 2003 Service Pack 3

  • Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats

  • Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1

  • Microsoft Office for Mac 2004

  • Microsoft Office for Mac 2008

    * Word 2000 may simply exit (crash) when opening a specially crafted .doc file, but it is not affected by the remote code execution vulnerability.
Method of infection

User initiated: the victim opens a specially crafted Microsoft Word file with embedded code, usually delivered via e-mail or hosted on a website. The attacker could then gain complete control of the machine.

Impact

An attacker could execute code remotely by exploiting a memory corruption vulnerability in Microsoft Word.

An attacker who successfully exploits the vulnerability gains the same user rights as the local user; accounts configured with fewer user rights are less affected than accounts with administrative rights.

Exploit

AVAILABLE

The exploit in circulation abuses Microsoft Word's macro-processing code (its handling of macro name length) to execute attacker-supplied arbitrary code on the compromised computer, then drops a backdoor and executes it.

Fixes/Remedial

Run all software as a non-privileged user with minimal access rights.

Use Microsoft Office Word 2003 Viewer or Microsoft Office Word 2003 Viewer Service Pack 3 (both unaffected) to open and view Microsoft Word files.

Do not open or save Microsoft Office files received from unknown sources or unexpectedly.


Vulnerabilities in DNS Could Allow Spoofing (DNS Insufficient Socket Entropy Vulnerability & DNS Cache Poisoning Vulnerability)
CVE / Microsoft
Security Bulletin
CVE-2008-1447 & CVE-2008-1454 / MS08-037
System Affected
  • DNS Client - Microsoft Windows 2000 SP4
    DNS Server - Microsoft Windows 2000 Server SP4

  • DNS Client - Windows XP SP2 & SP3

  • DNS Client - Windows XP Professional x64 Edition & Windows XP Professional x64 Edition SP2

  • DNS Client - Windows Server 2003 SP1 & SP2
    DNS Server - Windows Server 2003 SP1 & SP2

  • DNS Client - Windows Server 2003 x64 Edition & Windows Server 2003 x64 Edition SP2
    DNS Server - Windows Server 2003 x64 Edition & Windows Server 2003 x64 Edition SP2

  • DNS Client - Windows Server 2003 with SP1 for Itanium-based Systems & Windows Server 2003 with SP2 for Itanium-based Systems
    DNS Server - Windows Server 2003 with SP1 for Itanium-based Systems & Windows Server 2003 with SP2 for Itanium-based Systems

  • DNS Server - Windows Server 2008, 32 bit

  • DNS Server - Windows Server 2008, x64
Method of infection

DNS Insufficient Socket Entropy Vulnerability - CVE-2008-1447

The cause is insufficient entropy in the values a resolver uses to match a response to its outstanding query: the 16-bit transaction ID plus the UDP source port, which the affected DNS client and server reused instead of randomising. This makes it practical for an attacker to spoof DNS query responses.

An attacker could send specific queries to a vulnerable DNS server or client and at the same time flood it with forged responses; if one forgery matches the outstanding query before the legitimate reply arrives, the false or misleading DNS data is accepted. The attacker could then redirect Internet traffic from legitimate locations to an address of the attacker's choice.

DNS Cache Poisoning Vulnerability - CVE-2008-1454

The vulnerability allows an unauthenticated remote attacker to send specially crafted responses to DNS requests made by vulnerable systems, thereby poisoning the DNS cache, redirecting Internet traffic away from legitimate locations and enabling man-in-the-middle attacks.

It occurs because the software fails to properly validate responses that contain records outside the authority (bailiwick) of the server that answered. Accepting such out-of-bailiwick data inserts extra, attacker-chosen records into the DNS cache.
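To make the two mechanisms above concrete, the following toy model is added here (it is not MyCERT or Microsoft code): a resolver that accepts a reply only when the transaction ID and destination port match its outstanding query, with an optional bailiwick check. The fixed port number, the ephemeral port range, the zone names and the attacker address are all constructed assumptions, as is the attacker's flood strategy.

```python
"""Toy resolver model for the two MS08-037 weaknesses (constructed example)."""
import random
from dataclasses import dataclass

TXID_SPACE = 1 << 16            # the DNS transaction ID is 16 bits
FIXED_PORT = 1053               # assumption: unpatched resolver reuses one source port
PORT_RANGE = (49152, 65535)     # assumption: ephemeral range of the patched resolver
ATTACKER_IP = "203.0.113.66"    # constructed address (TEST-NET-3)


@dataclass
class Query:
    name: str
    zone: str        # zone the queried server is authoritative for (its bailiwick)
    txid: int
    src_port: int


@dataclass
class Response:
    txid: int
    dst_port: int
    question: str
    records: list    # (name, rtype, value) from answer/authority/additional sections


def in_bailiwick(name, zone):
    """True if `name` equals `zone` or lies beneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class Resolver:
    def __init__(self, randomize_port, bailiwick_check, seed=0):
        self.randomize_port = randomize_port
        self.bailiwick_check = bailiwick_check
        self.rng = random.Random(seed)
        self.pending = {}   # question name -> Query still waiting for a reply
        self.cache = {}     # (name, rtype) -> value

    def send_query(self, name, zone):
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.randint(*PORT_RANGE) if self.randomize_port else FIXED_PORT
        self.pending[name] = Query(name, zone, txid, port)
        return self.pending[name]

    def receive(self, resp):
        """Accept a reply only if TXID and destination port match the
        outstanding query; return True if any record was cached."""
        q = self.pending.get(resp.question)
        if q is None or resp.txid != q.txid or resp.dst_port != q.src_port:
            return False
        del self.pending[resp.question]
        cached = False
        for name, rtype, value in resp.records:
            if self.bailiwick_check and not in_bailiwick(name, q.zone):
                continue        # CVE-2008-1454 fix: drop out-of-bailiwick data
            self.cache[(name, rtype)] = value
            cached = True
        return cached


def spoof_probability(forged, port_space=1, txid_space=TXID_SPACE):
    """Chance that `forged` distinct (txid, port) guesses hit one outstanding query."""
    return min(1.0, forged / (txid_space * port_space))


def kaminsky_round(resolver, port_guess, nonce):
    """One round of the socket-entropy attack (CVE-2008-1447): make the resolver
    look up a never-cached name, then flood it with forged replies enumerating
    every TXID for one guessed port. The poison is in-bailiwick glue for
    ns.example.com, so a bailiwick check alone does not stop it."""
    victim = f"r{nonce}.example.com"
    resolver.send_query(victim, "example.com")
    poison = [("ns.example.com", "A", ATTACKER_IP)]
    for txid in range(TXID_SPACE):
        if resolver.receive(Response(txid, port_guess, victim, poison)):
            return True     # a forged reply was accepted before the real one
    return False


def out_of_bailiwick_round(resolver):
    """CVE-2008-1454: a server the attacker controls answers a legitimate query
    for its own zone but piggybacks a record for an unrelated domain."""
    q = resolver.send_query("www.attacker.example", "attacker.example")
    resolver.receive(Response(q.txid, q.src_port, q.name, [
        ("www.attacker.example", "A", ATTACKER_IP),
        ("www.bank.example", "A", ATTACKER_IP),   # outside attacker.example
    ]))
    return resolver.cache.get(("www.bank.example", "A")) == ATTACKER_IP


if __name__ == "__main__":
    print("fixed port, exhaustive TXID flood:",
          kaminsky_round(Resolver(False, True), FIXED_PORT, 1))
    print("random port, same flood:",
          kaminsky_round(Resolver(True, True), FIXED_PORT, 1))
    print("per-round odds of 65536 guesses: fixed port %.4f, random port %.6f"
          % (spoof_probability(65536), spoof_probability(65536, 16384)))
    print("out-of-bailiwick record cached without check:",
          out_of_bailiwick_round(Resolver(True, False)))
    print("out-of-bailiwick record cached with check:",
          out_of_bailiwick_round(Resolver(True, True)))
```

With a fixed source port the attacker only has to enumerate 65536 transaction IDs per round, so the flood always lands; once the port is also drawn from a 16384-value range the same flood has a 1 in 16384 chance per round. The bailiwick check is independent of that: it stops the piggybacked record but does nothing against in-bailiwick glue, which is why both fixes in MS08-037 are needed.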

Impact

DNS Insufficient Socket Entropy Vulnerability - CVE-2008-1447

An attacker who successfully exploits this vulnerability can insert arbitrary addresses into the DNS cache (DNS cache poisoning). Unsuspecting users would then fall prey to a pharming attack.

DNS Cache Poisoning Vulnerability - CVE-2008-1454

An attacker who successfully exploits this vulnerability could insert false or misleading DNS data in the response to specific DNS requests, thereby redirecting Internet traffic. This exposes users to pharming attacks.

Exploit

N/A
Fixes/Remedial

Security update available: MS08-037 (http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx)

Ensure that only trusted hosts and networks can send DNS responses to affected machines. This limits exposure but does not remove the underlying weakness, so applying the update remains the primary fix.