Tuesday, September 25, 2012

Microsoft has issues with its Outlook 2007 update

Late last week, Microsoft said it had removed a security fix for its Outlook 2007 email client from its regular Patch Tuesday update just two days after issuing it, citing Internet connection and performance problems for this rather unusual decision. The last time Microsoft did something similar was in April 2010.
The Outlook security update was issued on December 14 at 1:30 PM EST as part of the regular Patch Tuesday release, which happens once or twice a month beginning on the second Tuesday of the month. Within just a few hours, computer users reported several problems retrieving email and major delays when switching folders inside Outlook.
"This latest security update results in Outlook 2007 being extremely slow in switching folders and the archiving functionality appears to have been removed," said someone identified as "alspart" on a Microsoft support forum earlier this morning. "Is this an error or is it by design?", asked the user.
Other PC users said they couldn't send or receive email, including Gmail messages, through Outlook after installing the security patch.
Ironically, Microsoft had termed the update as one that contained "stability and performance improvements."
Microsoft support forum moderators were telling users to uninstall the update. Microsoft made that official late Friday in a post on the Outlook team's blog. "We have discovered several issues with the Outlook update and as of December 16, this update has been removed from Microsoft's official update."
According to Microsoft, the Tuesday patch contained no less than three critical issues related to Secure Password Authentication (SPA), a Microsoft protocol used to authenticate mail clients like Outlook to a mail server; sluggish folder switching when Outlook wasn't configured to get mail from a Microsoft Exchange Server; and a broken Auto Archive feature.
The software giant urged PC users who had installed the update during its three days of availability to remove it immediately, and spelled out the necessary steps to achieve the task.

"We really apologize to our many users for not discovering these issues before releasing the update and for any other inconvenience we have caused to you," the Outlook team wrote on its blog. "We failed to meet our customers' expectation for quality with this security update. We are working to repair these problems and will post a release date for those fixes, and provide a link to download them, as soon as that information is readily available."
This isn't the first time Microsoft has pulled an update. In April, it withdrew a patch for Windows 2000 (which at the time was still supported) over what it called "quality issues."
Then in early 2008, Microsoft also removed an update designed to prepare Windows Vista for Service Pack 1 (SP1) after users flooded support forums with tales of endless and catastrophic reboots.
But the software company hasn't set a timetable yet for releasing a re-patch for its Outlook 2007 email client.
The flawed April patch also caused problems at several high-profile websites, including Microsoft's own Bing.com, Google, Wikipedia, Twitter and just about any site that lets IE 8 users create profiles.
Microsoft added the anti-XSS feature in IE 8 in August 2009 to detect Type-1 attacks that can lead to cookie theft, keystroke logging, website defacement and credentials theft.
As the researchers discovered, Microsoft's filters work by scanning outbound requests for strings that may be malicious.
When such a string is detected, IE 8 dynamically generates a regular expression matching the outbound string. The browser then looks for the same pattern in the response from the server. If a match is found anywhere in the server's response, the browser assumes that a reflected XSS attack is under way and automatically alters the response so that the attack fails for whoever initiated it.
The exact method used to alter a server's response is a crucial component in preventing XSS attacks. If the attack is not properly neutralized, a malicious script may still execute. On the other hand, it is equally important that benign requests are not flagged by mistake.
Security analysts found a way to use IE 8's altered response to conduct simple abuses and universal cross-site scripting attacks.
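The request-scan, regex-match, alter-response flow described above, as an added illustration (this is not Microsoft's code; the real filter used a large signature set, and the three patterns, the `#` substitution rule and the sample URLs and pages here are constructed assumptions). It shows both outcomes the paragraph cares about: a reflected payload that is defused, and a benign page that is altered only because it happens to contain the same string as the request.

```python
"""Toy model of a reflected-XSS response filter (added example)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed, deliberately tiny signature set; an assumption, not IE 8's list.
SIGNATURES = [
    re.compile(r"<script\b", re.IGNORECASE),
    re.compile(r"javascript:", re.IGNORECASE),
    re.compile(r"\bon\w+\s*=", re.IGNORECASE),   # inline event-handler attribute
]


def suspicious_fragments(url):
    """Step 1: scan the outbound request; return query values that trip a signature."""
    found = []
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if any(sig.search(value) for sig in SIGNATURES):
            found.append(value)
    return found


def neuter(response_body, fragments):
    """Steps 2-3: build a regex from each flagged fragment, look for it in the
    response, and if it is reflected, alter it by replacing its first
    character with '#' (assumed substitution rule). Returns (body, altered)."""
    altered = False
    body = response_body
    for fragment in fragments:
        pattern = re.compile(re.escape(fragment), re.IGNORECASE)
        if pattern.search(body):
            altered = True
            body = pattern.sub(lambda m: "#" + m.group(0)[1:], body)
    return body, altered


def filter_response(url, response_body):
    """Whole pipeline for one request/response pair."""
    return neuter(response_body, suspicious_fragments(url))


if __name__ == "__main__":
    # Constructed case 1: the server reflects the query value unescaped.
    reflected_url = "http://example.test/search?q=<script>alert(1)</script>"
    reflected_page = "<p>Results for <script>alert(1)</script></p>"
    print(filter_response(reflected_url, reflected_page))

    # Constructed case 2: a glossary page legitimately contains the same text
    # the user searched for, so the filter rewrites harmless content.
    benign_url = "http://example.test/docs?term=onclick="
    benign_page = "<h1>Glossary</h1><p>onclick= is an inline event handler attribute.</p>"
    print(filter_response(benign_url, benign_page))
```

The second case is the false-positive half of the trade-off: the filter has no way to tell a reflected payload from page text that merely matches the request, which is why the mechanism that rewrites the response matters as much as the detection.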
Jerry Bryant, a spokesman for Microsoft's security response team, said that most of the security issues described had already been fixed by the MS10-002 security patch, released for IE users in February.
“Microsoft also added a defense-in-depth change (MS10-018) later in March to provide broader coverage for this type of attack scenario,” Bryant said.
But not all of the security issues have been fixed and the browser’s XSS filter is still introducing security risks on certain web sites.
Until this security hole is properly analyzed and carefully repaired, the researchers recommend the following server-side mitigations:

·  Filter all user-generated content so that, even if it is interpreted in a different context, it cannot execute.
·  Use site-wide anti-CSRF tokens that prevent any sort of XSS from being exploited in the first place.
·  Disable IE 8's filters using the response header opt-out mechanism. There are obvious pros and cons to doing this, so consider your options carefully. Despite the serious vulnerabilities discussed in this paper, the filters do go a long way towards protecting IE 8 users from traditional XSS attacks. Obviously, once users have upgraded to the patched version we strongly suggest you keep the filters enabled.
·  End users running IE 8 should consider disabling the filters from within the browser until a comprehensive Microsoft patch ships.
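The first three server-side recommendations above, combined in one added example (not the researchers' code or Microsoft's): user content is HTML-escaped before it is echoed, every rendered page carries a per-session anti-CSRF token that state-changing requests must present, and the response sets `X-XSS-Protection: 0`, which is the real opt-out header for IE 8's filter. The tiny request handler, the in-memory session store and the sample requests are constructed assumptions.

```python
"""Server-side mitigations for reflected XSS (added example)."""
import hmac
import html
import secrets

# Real response header: "0" tells IE 8 to leave this response alone.
OPT_OUT_HEADER = ("X-XSS-Protection", "0")


class SessionStore:
    """Assumed in-memory store: one random anti-CSRF token per session id."""

    def __init__(self):
        self._tokens = {}

    def token_for(self, session_id):
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def verify(self, session_id, presented):
        expected = self._tokens.get(session_id)
        if expected is None:
            return False
        # Constant-time comparison so token checks do not leak timing.
        return hmac.compare_digest(expected.encode(), presented.encode())


def render_search(term, csrf_token):
    """Escape the user-supplied term so it is data, never markup, and embed
    the session's CSRF token in the form that posts back."""
    safe_term = html.escape(term, quote=True)
    safe_token = html.escape(csrf_token, quote=True)
    return (
        "<p>Results for %s</p>"
        "<form method=\"post\" action=\"/search\">"
        "<input type=\"hidden\" name=\"csrf_token\" value=\"%s\">"
        "<input name=\"q\" value=\"%s\"><button>Search</button></form>"
    ) % (safe_term, safe_token, safe_term)


def handle(method, session_id, params, store):
    """Assumed minimal handler. Returns (status, headers, body)."""
    headers = [("Content-Type", "text/html; charset=utf-8"), OPT_OUT_HEADER]
    if method == "POST" and not store.verify(session_id, params.get("csrf_token", "")):
        return 403, headers, "<p>Missing or invalid anti-CSRF token.</p>"
    body = render_search(params.get("q", ""), store.token_for(session_id))
    return 200, headers, body


if __name__ == "__main__":
    store = SessionStore()
    # Constructed request reflecting a script tag: it is echoed as inert text.
    print(handle("GET", "session-1", {"q": "<script>alert(1)</script>"}, store))
    # Constructed POST without a token is refused.
    print(handle("POST", "session-1", {"q": "x"}, store)[0])
```

Escaping at output time is what makes the opt-out safe to use: with the reflected term rendered as `&lt;script&gt;`, the page no longer depends on a client-side filter whose own response rewriting was the source of the trouble.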