Why settle for mainstream? Go upstream!

+46-8-56610670 info@upstream.se

Critical MS Office 0-Day Attack Fixed With Kaseya

Microsoft just released MSFixit 51004 as a quick solution for the current critical 0-day problem in MS Office, Microsoft Security Advisory (2896666).

From the Microsoft Technet blog: ”The vulnerability is a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images. An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.”

This is a perfect opportunity to describe the workflow when doing changes like this over a large volume of machines. The key is to be able to report upon this after the changes have been made, not just doing this silently. In our latest Upstream Power Pack update you now have the tools to apply the MSFixit for this problem. Download the ZIP file here. Go to the System Tab in Kaseya and look for the Import Center. Import the XML files within the ZIP file. You should now have a new Agent Procedures folder under Shared looking like this:

After executing the Microsoft Security Advisory (2896666) on a test machine, check for the following Windows Event:

Log Name: Application
Source: MsiInstaller
Event ID: 1033
Level: Information
User: SYSTEM
Info: Windows Installer installed the product. Product Name: Microsoft Fix it 51004. Product Version: 2.1.3.0. Product Info: 1053. Manufacturer: Microsoft. Installation success or error status: 0.This is your verification. But how to report on this on a larger scale? You may have hundreds or thousands of machines needing this fix. Letting the Kaseya agent collect non-critical Information events will affect the size of the database and may not be your best option. Let’s create a Kaseya Event Set triggering upon the event before we schedule any more machines getting the fix.

By selecting Application log and react on ID 1033 and the exact description we can raised alarm upon success. In this case the alarm would be a positive thing.

Let’s finalize with the alarm creation. This can of course also be done from the Kaseya Policy Manger.

So to summarize all this: By looking at the Application Event 1033 and the exact content when executing the MSFixIt installer from Kaseya Agent Procedures we can use the alarm log to make reports.

Good luck with the deployment of the MSFixIt.

Kind regards
The Upstream Tech Team

6 november, 2013 • AV Ronny Tunfjord