Security archives - Windows Enterprise Desktop

Jan 19 2009   4:48PM GMT

Windows Malicious Software Removal Tool



Posted by: Ed Tittel
Windows Vista, Windows Vista troubleshooting, Windows Malicious Software Removal Tool (mrt.exe), Windows Update, antivirus, antispyware, antimalware, rootkit, HijackThis

Like clockwork, Microsoft proffers up a new version of the Windows Malicious Software Removal Tool on each and every Patch Tuesday. In January 2009, that item is described in Knowledge Base article KB890830. This tool is not intended to replace anti-virus or anti-spyware tools, but it can be nice for Vista admins to recognize that the tool gets updated monthly and can more or less be guaranteed to be present on Vista PCs as long as:

  • Updates get pushed to Vista desktops regularly
  • The list of pushed updates includes the current Windows Malicious Software Removal Tool

Just for grins, I decided to dig up and learn the details involved in using this tool. The name of the executable file is mrt.exe, which is also the recommended string to launch the tool (simply type mrt.exe into the Vista search box, and it’s off to the races).

Once you fire off this program, it presents a window on the desktop that looks like this:

The Malicious Software Removal Tool Reports status as it scans

As it’s running, mrt.exe can consume some resources, however. Check out these screen caps from my Sidebar CPU usage widget and Task Manager’s process window, captured about the same time as the preceding screenshot:

CPU consumption usually runs about 25% for this program

Task Manager shows that the mrt process is pretty active

The good thing about mrt.exe is that if admins need to help users cope with possible malware infestations on the road, it’s nearly always safe to assume that this tool will be available on the machine, ready to use to help track down and possibly clean up what ails it. That said, mrt.exe can’t be the only tool in the clean-up arsenal: special-purpose diagnostic tools such as HijackThis or various rootkit detectors must often play a role, and special-purpose one-shot clean-up tools from various antimalware vendors must also occasionally be called into play.

But as tools go, this one ain’t bad, and it’s never too far from any Vista machine, either. If there’s one downside to mrt.exe, it’s speed: on a test scan on my production Vista PC (Ultimate, with about 90 GB of files spread across 3 hard disks) the program took over 3 hours to perform a complete, in-depth scan of my system. Savvy admins will have tired road warriors fire this off before an extended break, or before bedtime, to help their charges avoid excessive losses of computing cycles on their traveling machines.
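Added example, not from the original post: a PowerShell script an admin can drop on a Vista machine to report which monthly MRT release is present and how its last run ended, and to launch a silent detect-only scan that fits the "run it before a break" advice above. It assumes the locations and switches documented in KB890830 (registry key HKLM\SOFTWARE\Microsoft\RemovalTools\MRT, log file %windir%\debug\mrt.log, executable %windir%\System32\mrt.exe, switches /Q and /N); the log line patterns it matches ("Started On", "Finished On", "Return code:") are assumed from that log's usual layout and are matched loosely.

```powershell
# Added example (not from the original post). Written for PowerShell 2.0 so it runs on Vista.
# Assumptions (per KB890830): MRT records its installed release under the registry key below,
# appends a run log to %windir%\debug\mrt.log, lives in %windir%\System32\mrt.exe, and
# accepts /Q (quiet) and /N (detect only, no removal).

function Get-MrtStatus {
    param([string]$LogPath = (Join-Path $env:windir 'debug\mrt.log'))

    $status = @{
        InstalledVersion = $null   # changes with each monthly release; $null means MRT never ran here
        LogFound         = $false
        LastStarted      = $null
        LastFinished     = $null
        LastReturnCode   = $null   # 0 is the clean/no-error case
        FlaggedLines     = @()     # anything in the last run's summary that mentions a threat/infection
    }

    $key = 'HKLM:\SOFTWARE\Microsoft\RemovalTools\MRT'
    if (Test-Path $key) { $status.InstalledVersion = (Get-ItemProperty -Path $key).Version }

    if (Test-Path $LogPath) {
        $status.LogFound = $true
        $lines = @(Get-Content -Path $LogPath)          # @() so a one-line log is still an array
        # The log accumulates every monthly run; keep only the most recent one.
        $start = $lines | Select-String -Pattern 'Started On' | Select-Object -Last 1
        if ($start) {
            $run = $lines[($start.LineNumber - 1)..($lines.Count - 1)]
            $status.LastStarted  = ($run | Select-String 'Started On'  | Select-Object -First 1).Line
            $status.LastFinished = ($run | Select-String 'Finished On' | Select-Object -First 1).Line
            $rc = $run | Select-String -Pattern 'Return code:\s*(\d+)' | Select-Object -First 1
            if ($rc) { $status.LastReturnCode = [int]$rc.Matches[0].Groups[1].Value }
            # Surface flagged lines so a help-desk script escalates instead of trusting a "clean" run.
            $status.FlaggedLines = @($run | Select-String -Pattern 'threat|infect' |
                Where-Object { $_.Line -notmatch 'No infection found' } |
                ForEach-Object { $_.Line })
        }
    }
    New-Object -TypeName PSObject -Property $status
}

# Silent, detect-only scan: same scanning work as the interactive window, no removal,
# so it can be scheduled before a long break. Needs an elevated prompt.
function Start-MrtDetectOnlyScan {
    Start-Process -FilePath (Join-Path $env:windir 'System32\mrt.exe') -ArgumentList '/Q', '/N' -Wait
}

Get-MrtStatus | Format-List
```

A non-zero LastReturnCode or any FlaggedLines entry is the cue to bring in the special-purpose tools the post mentions rather than assuming the machine is clean.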

Dec 17 2008   9:11PM GMT

Essential out-of-cycle IE security update now available



Posted by: Ed Tittel
Security, Windows Vista, Windows Update, Windows Vista SP1, vulnerability scanner, Windows Vista SP2, MS08-078, CVE-2008-4844

When Secunia calls a Windows security update “extremely critical” you know a serious vulnerability is being patched. The Windows security community has been abuzz since last week when a number of remote code execution vulnerabilities originally thought limited only to IE 7 turned out to affect other IE versions, and to involve general XML vulnerabilities as well. For more information on the update see “Microsoft Security Advisory (961051) Vulnerability in Internet Explorer Could Allow Remote Code Execution” and “Microsoft Security Bulletin MS08-078 - Critical.”

Security Bulletin MS08-078 specifically mentions IE 5, 6, and 7, as well as Windows 2000, Windows XP, and Windows Vista on the desktop front, plus Windows Server 2003 and Windows Server 2008, in both 32- and 64-bit versions (where applicable). This update is also associated with the Pointer Reference Memory Corruption Vulnerability, CVE-2008-4844, from the Common Vulnerabilities and Exposures database.

The vulnerability class is “Remote Code Execution,” which essentially means that an attacker can take over a system and run any code he or she wishes at a very high level of privilege. Please visit Windows Update and download this security fix for testing and evaluation as soon as possible. Zero-day exploits have already been reported, and it is regarded as an active and hostile threat.


Dec 10 2008   5:27PM GMT

Patch Tuesday Posts a Plethora of Critical Items



Posted by: Ed Tittel
Security, Desktops, Enterprise desktop, Windows Vista, Windows Update, Patch Tuesday, MS08-70, MS08-71, MS08-72, MS08-73, MS08-74, MS08-75, MS08-76, MS08-77

The second Tuesday in each month is when Microsoft schedules its patches, fixes, and security updates. Recently, Microsoft has begun to offer Advance Notification for its Security Bulletins, which makes it a lot easier to tell what’s coming down the pike. For December, 8 updates have been pushed to the Windows Update servers.

Of the 8 items for Vista that appeared on December 9, 6 are rated Critical and 2 Important. Here’s a brief summary of what you’ll find:

  • MS08-071: Vulnerabilities in GDI Could Allow Remote Code Execution. Permits a specially crafted WMF image file to achieve remote code execution at the system level.
  • MS08-075: Vulnerabilities in Windows Search Could Allow Remote Code Execution. Blocks vulnerabilities that could occur if a user opens and saves a specially crafted saved-search file in IE or clicks a similar search URL.
  • MS08-073: Cumulative Security Update for IE. Resolves 4 privately reported vulnerabilities, including remote code execution.
  • MS08-070: Vulnerabilities in Visual Basic 6 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution. Resolves 5 private and 1 public vulnerability in ActiveX controls for VB 6.0 Runtime Extended files.
  • MS08-072: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution. Resolves 8 privately reported MS Office and Outlook vulnerabilities related to Word or RTF file contents that deliver access at the system level.
  • MS08-074: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution. Resolves 3 privately reported vulnerabilities possible from specially crafted Excel files that provide system-level access.
  • MS08-077: Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege. Resolves a privately reported item that allows elevation of privilege when authentication is bypassed by browsing to an admin URL on a SharePoint site (might result in DoS or unauthorized access).
  • MS08-076: Vulnerabilities in Windows Media Components Could Allow Remote Code Execution. Resolves 2 privately reported vulnerabilities in Windows Media Player, Windows Media Format Runtime, and Windows Media Services that could allow remote code execution at system-level privilege.

The first six are rated Critical, the last two Important. Vista admins will probably want to start working with all of these that apply to their environments (including SharePoint and Windows Media, where applicable) because all come with potentially dire consequences if they remain unpatched. Hopefully, none of them will cause too many compatibility problems. Nonetheless I advise you to get testing underway ASAP.

I just saw an interesting story from Ryan Naraine on ZDNet that puts these Vista Updates into a different context. He calls this patch Tuesday a “whopper” because it mentions that 28 vulnerabilities in Windows, IE, and Office are addressed, of which 23 are rated “Critical.” He counts each of the reported items addressed in the preceding list of security bulletins to come up with these numbers, which certainly adds to the drama. I guess it’s all in how you play out and drum up those numbers! He also mentions that other security experts from Shavlik agree that it’s wise to start planning a roll-out of these patches ASAP because of the vulnerabilities they expose.