Microsoft Alerts
AplusWebMaster
2012-06-04, 05:22
FYI...
Microsoft Security Advisory (2718704)
Unauthorized Digital Certificates Could Allow Spoofing
- https://technet.microsoft.com/en-us/security/advisory/2718704
June 03, 2012 - "Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows. Microsoft is providing an update for all supported releases of Microsoft Windows. The update revokes the trust of the following intermediate CA certificates:
• Microsoft Enforced Licensing Intermediate PCA (2 certificates)
• Microsoft Enforced Licensing Registration Authority CA (SHA1)
Recommendation. For supported releases of Microsoft Windows, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service..."
* http://support.microsoft.com/kb/2718704
- https://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx?Redirected=true
3 Jun 2012 - "We recently became aware of a complex piece of targeted malware known as 'Flame' and immediately began examining the issue. As many reports assert, Flame has been used in highly sophisticated and targeted attacks and, as a result, the vast majority of customers are not at risk. Additionally, most antivirus products will detect and remove this malware. That said, our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks..."
- https://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx?Redirected=true
3 Jun 2012 - "... we released Security Advisory 2718704*, notifying customers that unauthorized digital certificates have been found that chain up to a Microsoft sub-certification authority issued under the Microsoft Root Authority... we encourage all customers to apply the officially tested update to add the proper certificates to the Untrusted Certificate Store... Components of the Flame malware were signed with a certificate that chained up to the Microsoft Enforced Licensing Intermediate PCA certificate authority, and ultimately, to the Microsoft Root Authority. This code-signing certificate came by way of the Terminal Server Licensing Service that we operate to issue certificates to customers for ancillary PKI-based functions in their enterprise. Such a certificate could (without this update being applied) also allow attackers to sign code that validates as having been produced by Microsoft.
Conclusion: We recommend that all customers apply this update."
- http://support.microsoft.com/kb/894199
Last Review: June 4, 2012 - Revision: 129.0
___
- http://www.securitytracker.com/id/1027114
Jun 4 2012
... Unauthorized digital certificates derived from these certificate authorities are being actively used in attacks.
Windows Mobile 6.x and Windows Phone 7 and 7.5 are also affected.
Impact: A remote user may be able to spoof code signing signatures.
Solution: The vendor has issued a fix (KB2718704), available via automatic update...
>> https://www.f-secure.com/weblog/archives/00002377.html
June 4, 2012
___
Microsoft Security Advisory (2718704)
- http://atlas.arbor.net/briefs/index#-2141289419
Severity: Extreme Severity
Published: Monday, June 04, 2012 20:39
This security vulnerability is high risk and should be looked at ASAP by security teams.
Analysis: Due to the risks involved, multiple sources suggest that this issue be mitigated as soon as possible. The vulnerability has already been used in the Flame malware, which has been around for a few years. How many other potential adversaries have found and are leveraging the same security hole for their purposes is an open question.
Source: http://technet.microsoft.com/en-us/security/advisory/2718704
Source: https://isc.sans.edu/diary.html?storyid=13366
Last Updated: 2012-06-05 ...(Version: 4)
Source: http://www.wired.com/threatlevel/2012/06/internet-security-fail/
June 1, 2012 Mikko Hypponen, Chief Research Officer - F-Secure
:fear::fear:
AplusWebMaster
2012-06-09, 12:52
FYI...
WSUS and Windows update hardening
- http://blogs.technet.com/b/wsus/archive/2012/06/08/further-hardening-of-wsus-now-available.aspx
8 Jun 2012
- http://blogs.technet.com/b/mu/archive/2012/06/06/update-to-windows-update-wsus-coming-this-week.aspx
June 8, 2012 - Revision: 2.2
- http://blogs.technet.com/b/configmgrteam/archive/2012/06/08/further-hardening-of-wsus-now-available.aspx
8 Jun 2012
... and:
- http://support.microsoft.com/kb/2720211
Last Review: June 8, 2012 - Revision: 2.2
- http://support.microsoft.com/kb/894199
Last Review: June 8, 2012 - Revision: 131.0
___
An update for Windows Server Update Services 3.0 Service Pack 2 is available
- http://support.microsoft.com/kb/2720211
Last Review: June 11, 2012 - Revision: 5.0
:fear: :fear: :spider:
AplusWebMaster
2012-06-12, 19:52
FYI...
Ref: http://technet.microsoft.com/en-us/security/bulletin
- https://technet.microsoft.com/en-us/security/bulletin/ms12-jun
June 12, 2012 - "This bulletin summary lists security bulletins released for June 2012...
(Total of -7-)
Critical -3-
Microsoft Security Bulletin MS12-036 - Critical
Vulnerability in Remote Desktop Could Allow Remote Code Execution (2685939)
- https://technet.microsoft.com/en-us/security/bulletin/MS12-036
Critical - Remote Code Execution - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-037 - Critical
Cumulative Security Update for Internet Explorer (2699988)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-037
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Microsoft Security Bulletin MS12-038 - Critical
Vulnerability in .NET Framework Could Allow Remote Code Execution (2706726)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-038
Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework
Important -4-
Microsoft Security Bulletin MS12-039 - Important
Vulnerabilities in Lync Could Allow Remote Code Execution (2707956)
- https://technet.microsoft.com/en-us/security/bulletin/MS12-039
Important - Remote Code Execution - May require restart - Microsoft Lync
Microsoft Security Bulletin MS12-040 - Important
Vulnerability in Microsoft Dynamics AX Enterprise Portal Could Allow Elevation of Privilege (2709100)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-040
Important - Elevation of Privilege - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-041 - Important
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2709162)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-041
Important - Elevation of Privilege - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-042 - Important
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167)
- https://technet.microsoft.com/en-us/security/bulletin/MS12-042
Important - Elevation of Privilege - Requires restart - Microsoft Windows
___
Certificate Trust List update...
- https://blogs.technet.com/b/msrc/archive/2012/06/12/certificate-trust-list-update-and-the-june-2012-bulletins.aspx?Redirected=true
12 Jun 2012
RSA keys under 1024 bits are blocked
- https://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx?Redirected=true
11 Jun 2012
Bulletin deployment priority
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/2604.June-2012-Priority.png
Severity and exploitability index
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/8737.June-2012-Severity.png
___
Microsoft Security Advisory (2719615)
Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution
- https://technet.microsoft.com/en-us/security/advisory/2719615
June 12, 2012
0-day... CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1889 - 9.3 (HIGH)
> http://support.microsoft.com/kb/2719615#FixItForMe
Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- https://technet.microsoft.com/en-us/security/advisory/2269637
• V16.0 (June 12, 2012) - "... Updates relating to Insecure Library Loading section: MS12-039..."
___
ISC Analysis
- https://isc.sans.edu/diary.html?storyid=13453
Last Updated: 2012-06-12 17:45:41 UTC
___
MSRT
- http://support.microsoft.com/?kbid=890830
June 12, 2012 - Revision: 103.0
(Recent additions)
- http://www.microsoft.com/security/pc-security/malware-families.aspx
... added this release...
• Cleaman
• Kuluoz
Download:
- http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16
File Name: Windows-KB890830-V4.9.exe - 15.5 MB
- https://www.microsoft.com/download/en/details.aspx?id=9905
x64 version of MSRT:
File Name: Windows-KB890830-x64-V4.9.exe - 16.1 MB
.
AplusWebMaster
2012-06-13, 05:39
FYI...
Microsoft Security Advisory (2719615)
Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution
- https://technet.microsoft.com/en-us/security/advisory/2719615
June 12, 2012
0-day... CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1889 - 9.3 (HIGH)
> http://support.microsoft.com/kb/2719615#FixItForMe
- https://secunia.com/advisories/49456/
Release Date: 2012-06-12
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Vendor Workaround
... vulnerability is reportedly being actively exploited.
Solution: Apply Microsoft Fix it solution.
Reported as a 0-day.
Original Advisory: Microsoft:
http://technet.microsoft.com/en-us/security/advisory/2719615
- http://googleonlinesecurity.blogspot.com/2012/06/microsoft-xml-vulnerability-under.html
June 12, 2012 - "... attacks are being distributed both via malicious web pages intended for Internet Explorer users and through Office documents. Users running Windows XP up to and including Windows 7 are known to be vulnerable..."
___
Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- https://technet.microsoft.com/en-us/security/advisory/2269637
• V16.0 (June 12, 2012) - "... Updates relating to Insecure Library Loading section: MS12-039..."
___
An automatic updater of revoked certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2
- http://support.microsoft.com/kb/2677070
Last Review: June 13, 2012 - Revision: 2.0
> https://blogs.technet.com/b/pki/archive/2012/06/12/announcing-the-automated-updater-of-untrustworthy-certificates-and-keys.aspx?Redirected=true
___
> http://forums.spybot.info/showpost.php?p=426868&postcount=25
:fear::fear:
AplusWebMaster
2012-06-14, 04:42
FYI...
Further insight into Security Advisory 2719615
- https://blogs.technet.com/b/msrc/archive/2012/06/13/further-insight-into-security-advisory-2719615.aspx?Redirected=true
13 Jun 2012 - "During our regular Update Tuesday bulletin cycle this week, we released Security Advisory 2719615*, which provides guidance concerning a remote code execution issue affecting MSXML Code Services. As part of that Advisory, we've built a Fix it workaround that blocks the potential attack vector in Internet Explorer. Fix its are a labor-saving mechanism that helps protect customers from a specific issue in advance of a comprehensive security update. We encourage customers to read more about SA2716915's one-click, no-reboot-required Fix it in an in-depth post on the SRD blog**."
* http://technet.microsoft.com/en-us/security/advisory/2719615
** http://blogs.technet.com/b/srd/archive/2012/06/13/msxml-fix-it-before-fixing-it.aspx
Microsoft Security Advisory (2718704)
Unauthorized Digital Certificates Could Allow Spoofing
- https://technet.microsoft.com/en-us/security/advisory/2718704
"... update revokes the trust of the following intermediate CA certificates:
Microsoft Enforced Licensing Intermediate PCA (2 certificates)
Microsoft Enforced Licensing Registration Authority CA (SHA1) ..."
• V1.1 (June 13, 2012): Advisory revised to notify customers that Windows Mobile 6.x, Windows Phone 7, and Windows Phone 7.5 devices are not affected by the issue.
:fear::fear:
AplusWebMaster
2012-06-16, 19:41
FYI...
FixIt NOW - 0-day XML Core Services...
> https://isc.sans.edu/diary.html?storyid=13489
Last Updated: 2012-06-16 15:58:47 UTC - "... metasploit module (public release) for this vulnerability. Users are encouraged to patch*..."
* http://support.microsoft.com/kb/2719615#FixItForMe
June 12, 2012 - Revision: 3.0
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1889 - 9.3 (HIGH)
- https://secunia.com/advisories/49456/
Last Update: 2012-06-22
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Vendor Workaround
... vulnerability is currently being actively exploited...
- http://h-online.com/-1619732
18 June 2012
- https://www.us-cert.gov/current/#microsoft_releases_security_advisory_for5
updated June 25, 2012
- http://nakedsecurity.sophos.com/2012/06/29/zero-day-xml-core-services-vulnerability-included-in-blackhole-exploit-kit/
June 29, 2012 - "... CVE-2012-1889 exploiting code very similar to that published to Metasploit was seen within the landing page of a Blackhole exploit kit..."
:fear::fear: :sad:
AplusWebMaster
2012-06-20, 15:43
FYI...
MS12-034: Description of the security update for CVE-2012-0181 in Windows XP and Windows Server 2003
- http://support.microsoft.com/kb/2686509#FixItForMeAlways
Last Review: June 19, 2012 - Revision: 4.0 - "... If you receive the "0x8007F0F4" error when you try to install this security update, check to see if the %windir%\FaultyKeyboard.log file was created on the computer...
Known issues with this security update: In some scenarios, the %windir%\FaultyKeyboard.log file might not have been created on your computer. If the file was not created, follow these steps: To fix this problem automatically, click the Fix it button or link. Then click Run in the File Download dialog box, and follow the steps in the Fix it wizard..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0181 - 10.0 (HIGH)
:sad::fear:
AplusWebMaster
2012-06-20, 17:40
FYI...
MS12-037 exploit in-the-wild
- http://nakedsecurity.sophos.com/2012/06/19/ie-remote-code-execution-vulnerability-being-actively-exploited-in-the-wild/
June 19, 2012 - "A critical Internet Explorer vulnerability, announced and patched by Microsoft in June's Patch Tuesday, is being exploited in the wild. The vulnerability is CVE-2012-1875*... patched in MS12-037**... Cunningly-crafted JavaScript code - which can be embedded in a web page to foist the exploit on unsuspecting visitors - is circulating freely on the internet. Also, the Metasploit exploitation framework now has a plug-in module which will generate malicious JavaScript for you on-the-fly to help you automate an attack... response is easy: if you haven't patched already, do so right away..."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1875 - 9.3 (HIGH)
Cumulative Security Update for Internet Explorer (2699988) - Critical
** https://technet.microsoft.com/en-us/security/bulletin/ms12-037
June 12, 2012
- http://www.symantec.com/connect/blogs/cve-2012-1875-wild-part-2-internet-explorer-gets-stumped
19 Jun 2012
- http://atlas.arbor.net/briefs/index#-1257954642
Severity: Elevated Severity
Source: http://www.symantec.com/connect/blogs/cve-2012-1875-exploited-wild-part-1-trojannaid
18 Jun 2012
___
- https://www.us-cert.gov/cas/techalerts/TA12-174A.html
June 22, 2012
> http://support.microsoft.com/kb/2686509#FixItForMeAlways
:mad::sad:
AplusWebMaster
2012-06-21, 13:00
FYI...
WSUS KB 272011: Common issues encountered and how to fix them
- https://blogs.technet.com/b/sus/archive/2012/06/20/wsus-kb272011-common-issues-encountered-and-how-to-fix-them.aspx?Redirected=true
20 Jun 2012
An update for Windows Server Update Services 3.0 SP2 is available
- http://support.microsoft.com/kb/2720211
Last Review: June 18, 2012 - Revision: 6.0
Thanks to Susan Bradley!
:fear:
AplusWebMaster
2012-06-24, 19:16
FYI...
IE9 may stop responding if DFX Audio Enhancer is installed
- http://support.microsoft.com/kb/2727797/
Last Review: June 22, 2012 - Revision: 2.0 ...
"Consider the following scenario:
You are running Windows Internet Explorer 9.
DFX Audio Enhancer version 10 is installed on the computer.
The following security update is installed on the computer:
2699988 MS12-037: Cumulative Security Update for Internet Explorer: June 12, 2012
In this scenario, Windows Internet Explorer 9 may stop responding, or "hang."
CAUSE: This issue occurs because of an incompatibility with an earlier version of DFX Audio Enhancer...
For more information about how to obtain the latest version of DFX, go to the following third-party webpage:
- http://www.fxsound.com/dfx/index.php ..."
:fear: :sad:
AplusWebMaster
2012-06-25, 20:37
FYI...
Update for Windows Update ...
- http://h-online.com/-1624979
25 June 2012 - "Microsoft has released an unscheduled, non-patch day update for Windows to update the Windows Update function itself. However, according to reports from readers, the Windows Update Agent update does -not- always run smoothly... Users who run Windows Update are confronted with a message which says that an update for Windows Update needs to be installed before the system can check for other updates. On some computers, clicking the "Install Updates" button results in a failed installation with error code 80070057 or 8007041B. On heise Security's test Windows 7 computer, repeatedly attempting the update (click on "Check for updates" on the left) did eventually result in the update being successfully applied. Microsoft has provided a "Fix it" tool* for more stubborn cases in Knowledge Base Article 949104**. The update in question upgrades the Windows Update Agent from version 7.4.7600.226 to 7.6.7600.256 ..."
* Direct download: http://go.microsoft.com/?linkid=9767096
** http://support.microsoft.com/kb/949104
:sad: :fear:
AplusWebMaster
2012-06-29, 10:42
FYI...
MS June cumulative updates have been released
- https://blogs.technet.com/b/the_microsoft_excel_support_team_blog/archive/2012/06/28/june-cumulative-updates-have-been-released.aspx?Redirected=true
28 Jun 2012
2007 Office system cumulative update for June 2012
For Excel 2007: http://support.microsoft.com/kb/2712234 ...
June 26, 2012 - "The cumulative update packages for June 2012 contain the latest hotfixes for the 2007 Microsoft Office system and for the 2007 Office servers..."
Office 2010 cumulative update for June 2012
For Excel 2010: http://support.microsoft.com/kb/2712235 ...
June 28, 2012 - "The cumulative update packages for June 2012 contain the latest hotfixes for the Microsoft Office 2010 system and for the Office 2010 servers..."
:fear:
AplusWebMaster
2012-07-04, 16:03
FYI...
Installing updates for the Microsoft .NET Framework 4 can take longer than expected
- http://support.microsoft.com/kb/2570538/en-us?sd=rss&spid=548#fixit4me
Last Review: July 3, 2012 - Rev: 4.0
... CAUSE: Updates to the .NET Framework 4 require a complete regeneration of the Native Image Cache, a very time-consuming operation. For some computers, an interaction with previously installed Native Images may cause Native Image regeneration to take much longer than expected. Although this issue only affects setup times, the effect can be several minutes to tens of minutes. Computers that have more Native Images installed will see longer generation times...
To fix this problem automatically, click the Fix it button or link. Then click Run in the File Download dialog box, and follow the steps in the Fix it wizard...
- http://support.microsoft.com/kb/2570538/en-us?sd=rss&spid=548#appliesto
APPLIES TO Microsoft .NET Framework 4
:fear:
AplusWebMaster
2012-07-05, 22:07
FYI...
MSRT results to date - June 2012 release ...
- https://blogs.technet.com/b/mmpc/archive/2012/07/04/cleaning-out-cleaman.aspx?Redirected=true
4 Jul 2012 - "... Since the release of the MSRT on June 12, we have removed 59,479 Win32/Cleaman threats from 56,982 computers..."
:fear:
AplusWebMaster
2012-07-10, 19:47
FYI...
- https://technet.microsoft.com/en-us/security/bulletin/ms12-jul
July 10, 2012 - "This bulletin summary lists security bulletins released for July 2012...
(Total of -9-)
Critical - 3
Microsoft Security Bulletin MS12-043 - Critical
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2722479)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-043
Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft Office, Microsoft Developer Tools, Microsoft Server Software
Microsoft Security Bulletin MS12-044 - Critical
Cumulative Security Update for Internet Explorer (2719177)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-044
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Microsoft Security Bulletin MS12-045 - Critical
Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution (2698365)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-045
Critical - Remote Code Execution - May require restart - Microsoft Windows
Important - 6
Microsoft Security Bulletin MS12-046 - Important
Vulnerability in Visual Basic for Applications Could Allow Remote Code Execution (2707960)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-046
Important - Remote Code Execution - May require restart - Microsoft Office, Microsoft Developer Tools
Microsoft Security Bulletin MS12-047 - Important
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2718523)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-047
Important - Elevation of Privilege - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-048 - Important
Vulnerability in Windows Shell Could Allow Remote Code Execution (2691442)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-048
Important - Remote Code Execution - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-049 - Important
Vulnerability in TLS Could Allow Information Disclosure (2655992)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-049
Important - Information Disclosure - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-050 - Important
Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2695502)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-050
Important - Elevation of Privilege - May require restart - Microsoft Office, Microsoft Server Software
Microsoft Security Bulletin MS12-051 - Important
Vulnerability in Microsoft Office for Mac Could Allow Elevation of Privilege (2721015)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-051
Important - Elevation of Privilege - Does not require restart - Microsoft Office
___
- https://blogs.technet.com/b/msrc/archive/2012/07/10/gadgets-certificate-housekeeping-and-the-july-2012-bulletins.aspx?Redirected=true
10 Jul 2012
Bulletin Deployment Priority
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/3755.July-2012-DP.png
Severity and Exploitability Index
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/5826.July-2012-XI.png
___
ISC Analysis
- https://isc.sans.edu/diary.html?storyid=13642
Last Updated: 2012-07-10 18:30:31 UTC
___
- https://secunia.com/advisories/49456/ - MS12-043
- https://secunia.com/advisories/45690/ - MS12-044
- https://secunia.com/advisories/49743/ - MS12-045
- https://secunia.com/advisories/49800/ - MS12-046
- https://secunia.com/advisories/49200/ - MS12-047
- https://secunia.com/advisories/49873/ - MS12-048
- https://secunia.com/advisories/49874/ - MS12-049
- https://secunia.com/advisories/49877/ - MS12-050
- https://secunia.com/advisories/49875/ - MS12-050
- https://secunia.com/advisories/49876/ - MS12-051
___
MSRT
- http://support.microsoft.com/?kbid=890830
July 10, 2012 - Revision: 106.0
Download:
- http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16
File Name: Windows-KB890830-V4.10.exe - 15.6 MB
- https://www.microsoft.com/download/en/details.aspx?id=9905
x64 version of MSRT:
File Name: Windows-KB890830-x64-V4.10.exe - 16.3 MB
.
AplusWebMaster
2012-07-10, 22:06
FYI...
MS Security Advisories - 2012.07.10 ...
Microsoft Security Advisory (2728973)
Unauthorized Digital Certificates Could Allow Spoofing
- https://technet.microsoft.com/en-us/security/advisory/2728973
July 10, 2012
- https://blogs.technet.com/b/msrc/archive/2012/07/10/gadgets-certificate-housekeeping-and-the-july-2012-bulletins.aspx?Redirected=true
July 10, 2012 - "... we’ve chosen to -deprecate- the Windows Gadget Gallery effective immediately, and to provide a Fix it to help sysadmins disable Gadgets and the Sidebar across their enterprises..."
Microsoft Security Advisory (2719662)
Vulnerabilities in Gadgets Could Allow Remote Code Execution
- https://technet.microsoft.com/en-us/security/advisory/2719662
July 10, 2012 - "... Applying the automated Microsoft Fix It* solution described in Microsoft Knowledge Base Article 2719662 disables the Windows Sidebar experience and all Gadget functionality..."
* http://support.microsoft.com/kb/2719662#FixItForMe
Last Review: July 13, 2012 - Revision: 2.0
- https://isc.sans.edu/diary.html?storyid=13651
Last Updated: 2012-07-10 22:10:12 UTC - "... insecure gadgets allow random code to be executed with the rights of the logged on user..."
Microsoft Security Advisory (2719615)
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution
- https://technet.microsoft.com/en-us/security/advisory/2719615
Published: Tuesday, June 12, 2012 | Updated: Tuesday, July 10, 2012
"... We have issued MS12-043 to address this issue..."
- http://support.microsoft.com/kb/2722479#FixItForMe
July 10, 2012
Fix it solution for MSXML version 5 - Microsoft Fix it 50908
> http://go.microsoft.com/?linkid=9813081
Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- https://technet.microsoft.com/en-us/security/advisory/2269637
July 10, 2012 - v17.0: Added the following Microsoft Security Bulletin to the Updates relating to Insecure Library Loading section: MS12-046
> http://forums.spybot.info/showpost.php?p=427982&postcount=37
:fear::spider:
AplusWebMaster
2012-07-18, 15:52
FYI...
Win7 SP1 Browser Choice errors ...
- https://www.microsoft.com/en-us/news/press/2012/Jul12/07-17statement.aspx
July 17, 2012 - "Under a December 2009 decision of the European Commission, Microsoft is required to display a “Browser Choice Screen” (BCS) on Windows PCs in Europe where Internet Explorer is the default browser. We have fallen short in our responsibility to do this. Due to a technical error, we missed delivering the BCS software to PCs that came with the service pack 1 update to Windows 7. The BCS software has been delivered as it should have been to PCs running the original version of Windows 7, as well as the relevant versions of Windows XP and Windows Vista. However, while we believed when we filed our most recent compliance report in December 2011 that we were distributing the BCS software to all relevant PCs as required, we learned recently that we’ve missed serving the BCS software to the roughly 28 million PCs running Windows 7 SP1. While we have taken immediate steps to remedy this problem, we deeply regret that this error occurred and we apologize for it. The Commission recently told us that it had received reports that the BCS was not being displayed on some PCs. Upon investigating the matter, we learned of the error... the engineering team responsible for maintenance of this code did not realize that it needed to update the detection logic for the BCS software when Windows 7 SP1 was released last year. As a result of this error, new PCs with Windows 7 SP1 did not receive the BCS software as they should have. Since most computer users run earlier versions of Windows, we estimate that the BCS software was properly distributed to about 90% of the PCs that should have received it. We recognize, however, that our obligation was to distribute the BCS to every PC that should have received it. Therefore, we have moved as quickly as we can to address the error and to provide a full accounting of it to the Commission."
- http://thenextweb.com/microsoft/2012/07/17/microsoft-confirms-28-million-pcs-affected-by-browser-ballot-snafu-promises-fix-by-the-end-of-the-week/
"... 28 million PCs in question... Distribution of the fix started on July 3rd..."
What is the Browser Choice update?
- http://support.microsoft.com/kb/976002
.
AplusWebMaster
2012-07-25, 02:36
FYI...
Microsoft Security Advisory (2737111)
Vulnerabilities in Microsoft Exchange and FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution
- https://technet.microsoft.com/en-us/security/advisory/2737111
July 24, 2012 - "Microsoft is investigating new public reports of vulnerabilities in third-party code, Oracle Outside In libraries, that affect Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and FAST Search Server 2010 for SharePoint, which ship that component. Customers that apply the workarounds described in this advisory are not exposed to the vulnerabilities described in Oracle Critical Patch Update Advisory - July 2012. The vulnerabilities exist due to the way that files are parsed by the third-party, Oracle Outside In libraries. In the most severe case of Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010, it is possible under certain conditions for the vulnerabilities to allow an attacker to take control of the server process that is parsing a specially crafted file. An attacker could then install programs; view, change, or delete data; or take any other action that the server process has access to do. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers..."
• V1.1 (July 25, 2012): Revised the workaround titles for clarity. There were no changes to the workaround steps.
More info...
- https://blogs.technet.com/b/srd/archive/2012/07/24/more-information-on-security-advisory-2737111.aspx?Redirected=true
24 Jul 2012
Microsoft Exchange Server...
- https://secunia.com/advisories/50019/
Release Date: 2012-07-25
Criticality level: Highly critical
Impact: DoS, System access
Where: From remote...
... more information: https://secunia.com/advisories/49936/
Solution: ... vendor recommends to apply workarounds... see the vendor's advisory...
Original Advisory: Microsoft: http://technet.microsoft.com/en-us/security/advisory/2737111
Microsoft SharePoint and FAST Search Server vuln...
- https://secunia.com/advisories/50049/
Release Date: 2012-07-25
Criticality level: Moderately critical
Impact: DoS, System access
Where: From remote...
... more information: https://secunia.com/advisories/49936/
Solution: ... vendor recommends to apply workarounds... see the vendor's advisory...
Original Advisory: Microsoft: http://technet.microsoft.com/en-us/security/advisory/2737111
___
- http://www.kb.cert.org/vuls/id/118913
Last revised: 27 Jul 2012 - "... used by a variety of applications, including Microsoft Exchange, Oracle Fusion Middleware, Guidance Encase Forensics, AccessData FTK, and Novell Groupwise. Outside In 8.3.7.77 and earlier fail to properly handle multiple file types when the data is malformed..."
Vendor Information for VU#118913
- http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=118913&SearchOrder=4
- http://h-online.com/-1653568
26 July 2012
Oracle Outside In Advisory ...
- http://atlas.arbor.net/briefs/index#101557049
Severity: Elevated Severity
Published: Thursday, July 19, 2012 21:19
The Oracle Outside In library is used by many other applications and has multiple security holes in its parsing routines. Patches are available.
Analysis: Security holes in such a library are good news for the attackers, who have multiple targets to choose from. Defenders should patch ASAP. Of the 15 vulnerable vendors, heavyweights such as Microsoft, IBM and Cisco appear along with others. It is a positive development that this security hole was found by a Google security researcher instead of a cyber-criminal.
Source: http://www.kb.cert.org/vuls/id/118913
.
AplusWebMaster
2012-08-07, 15:49
FYI...
> https://blogs.technet.com/b/mrsnrub/archive/2012/08/06/support-phases-ending-in-the-next-2-years.aspx?Redirected=true
5 Aug 2012
July 13th 2013 (2013-07-13)
Windows Server 2008
- enters extended support
- will receive only security/GDR updates
- extended support ends July 10th 2018 (2018-07-10)
- last service pack was SP2
- ref: Microsoft Product Lifecycle Search
___
April 8th 2014 (2014-04-08)
Windows XP
- end of support
- no more updates for this product
- includes XP x64 Edition
- last service pack for x86 was SP3
- last service pack for x64 was SP2
- ref: Microsoft Product Lifecycle Search
- ref: End of Support
Office 2003
- end of support
- no more updates for this product
- ref: End of Support
.
AplusWebMaster
2012-08-14, 20:22
FYI...
- https://technet.microsoft.com/en-us/security/bulletin/ms12-aug
August 14, 2012 - "This bulletin summary lists security bulletins released for August 2012..."
(Total of -9-)
Critical -5-
Microsoft Security Bulletin MS12-052 - Critical
Cumulative Security Update for Internet Explorer (2722913)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-052
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Microsoft Security Bulletin MS12-053 - Critical
Vulnerability in Remote Desktop Could Allow Remote Code Execution (2723135)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-053
Critical - Remote Code Execution - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-054 - Critical
Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution (2733594)
- https://www.microsoft.com/technet/security/bulletin/MS12-054
Critical - Remote Code Execution - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-060 - Critical
Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2720573)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-060
Critical - Remote Code Execution - May require restart - Microsoft Office, Microsoft SQL Server, Microsoft Server Software, Microsoft Developer Tools
- http://support.microsoft.com/kb/2708437
Last Review: August 14, 2012 - Revision: 1.3
Microsoft Security Bulletin MS12-058 - Critical
Vulnerabilities in Microsoft Exchange Server WebReady Document Viewing Could Allow Remote Code Execution (2740358)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-058
Critical - Remote Code Execution - Does not require restart - Microsoft Exchange Server
Important -4-
Microsoft Security Bulletin MS12-055 - Important
Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2731847)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-055
Important - Elevation of Privilege - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-056 - Important
Vulnerability in JScript and VBScript Engines Could Allow Remote Code Execution (2706045)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-056
Important - Remote Code Execution - May require restart - Microsoft Windows
Microsoft Security Bulletin MS12-057 - Important
Vulnerability in Microsoft Office Could Allow Remote Code Execution (2731879)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-057
Important - Remote Code Execution - May require restart - Microsoft Office
Microsoft Security Bulletin MS12-059 - Important
Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2733918)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-059
Important - Remote Code Execution - May require restart - Microsoft Office
___
Bulletin Deployment Priority
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/4812.Deployment.png
Severity and Exploitability Index
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/4846.August-2012-Severity.png
August 2012 Bulletin Release
- https://blogs.technet.com/b/msrc/archive/2012/08/14/august-2012-security-updates.aspx?Redirected=true
14 Aug 2012 - "... MS12-060... We’re aware of limited, targeted attacks attempting to exploit this vulnerability..."
___
- https://secunia.com/advisories/50237/ - MS12-052
- https://secunia.com/advisories/50244/ - MS12-053
- https://secunia.com/advisories/50245/ - MS12-054
- https://secunia.com/advisories/50236/ - MS12-055
- https://secunia.com/advisories/50243/ - MS12-056
- https://secunia.com/advisories/50251/ - MS12-057
- https://secunia.com/advisories/50019/ - MS12-058
- https://secunia.com/advisories/50228/ - MS12-059
- https://secunia.com/advisories/50247/ - MS12-060
___
Update Rollup 4 for Exchange 2010 SP2
- https://blogs.technet.com/b/exchange/archive/2012/08/14/released-update-rollup-4-for-exchange-2010-service-pack-2.aspx?Redirected=true
14 Aug 2012 - "... On August 13th 2012, the Exchange CXP team released Update Rollup 4 for Exchange Server 2010 SP2 to the Download Center. This update contains a number of customer reported and internally found issues. See KB 2706690* Description of Update Rollup 4 for Exchange Server 2010 Service Pack 2 for more details..."
* http://support.microsoft.com/kb/2706690
August 14, 2012 - Revision: 1.0
Applies to:
Microsoft Exchange Server 2010 Service Pack 2, when used with:
Microsoft Exchange Server 2010 Enterprise
Microsoft Exchange Server 2010 Standard
- https://isc.sans.edu/diary.html?storyid=13900#comment
"... apparently we're all getting that rollup whether we want it or not...
posted by GrumpySysAdmin, Wed Aug 15 2012, 21:37"
___
Update Rollup 8 for Exchange 2007 SP3
- https://blogs.technet.com/b/exchange/archive/2012/08/14/released-update-rollup-8-for-exchange-2007-service-pack-3.aspx?Redirected=true
14 Aug 2012 - "On August 13th 2012, the Exchange CXP team released Update Rollup 8 for Exchange Server 2007 SP3 to the Download Center... See KB 2734323* Description of Update Rollup 8 for Exchange Server 2007 Service Pack 3..."
* http://support.microsoft.com/kb/2734323
Last Review: August 14, 2012 - Revision: 1.0
Applies to: Microsoft Exchange Server 2007 Service Pack 3, when used with:
Microsoft Exchange Server 2007 Enterprise Edition
Microsoft Exchange Server 2007 Standard Edition
___
MSRT
- http://support.microsoft.com/?kbid=890830
August 14, 2012 - Revision: 108.0
- http://www.microsoft.com/security/pc-security/malware-families.aspx
Updated: Aug 14, 2012 - "... added in this release...
• Bafruz
• Matsnu ..."
- https://blogs.technet.com/b/mmpc/archive/2012/08/14/msrt-august-12-what-s-the-buzz-with-bafruz.aspx?Redirected=true
14 Aug 2012
Download:
- http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16
File Name: Windows-KB890830-V4.11.exe - 15.7 MB
- https://www.microsoft.com/download/en/details.aspx?id=9905
x64 version of MSRT:
File Name: Windows-KB890830-x64-V4.11.exe - 16.3 MB
___
ISC Analysis
- https://isc.sans.edu/diary.html?storyid=13900
Last Updated: 2012-08-14 18:32:51 UTC
.
AplusWebMaster
2012-08-15, 00:27
FYI...
Microsoft Security Advisory (2737111)
Vulnerabilities in Microsoft Exchange and FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution
- https://technet.microsoft.com/en-us/security/advisory/2737111
• V2.0 (August 14, 2012): Advisory updated to reflect publication of security bulletin for Microsoft Exchange.
... MS12-058* addresses this issue for Microsoft Exchange.
* https://technet.microsoft.com/en-us/security/bulletin/ms12-058
Microsoft Security Advisory (2661254)
Update For Minimum Certificate Key Length
- https://technet.microsoft.com/en-us/security/advisory/2661254
August 14, 2012 - Ref:
> http://support.microsoft.com/kb/2661254
... Update for minimum certificate key length
August 14, 2012 - Revision: 1.6
>> http://forums.spybot.info/showpost.php?p=429691&postcount=42
AplusWebMaster
2012-08-20, 14:22
FYI...
Microsoft Security Bulletin MS12-043 - Critical
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2722479)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-043
V2.0 (August 14, 2012): Bulletin re-released to offer the security updates for Microsoft XML Core Services 5.0 that were unavailable at the time of initial release. Customers running Microsoft XML Core Services 5.0 should apply the KB2687324, KB2596856, or KB2596679 update to be protected from the vulnerability described in this bulletin. Customers who have already successfully installed the updates originally offered on July 10, 2012 for Microsoft XML Core Services 3.0, Microsoft XML Core Services 4.0, and Microsoft XML Core Services 6.0 do not need to take any action. See the Update FAQ for details...
- http://support.microsoft.com/kb/2687324
Last Review: August 14, 2012 - Revision: 1.9
- http://support.microsoft.com/kb/2596856
Last Review: August 14, 2012 - Revision: 1.0
- http://support.microsoft.com/kb/2596679
Last Review: August 14, 2012 - Revision: 1.2
AplusWebMaster
2012-08-21, 00:10
FYI...
Microsoft Security Advisory (2743314)
Unencapsulated MS-CHAP v2 Authentication Could Allow Information Disclosure
- https://technet.microsoft.com/en-us/security/advisory/2743314
August 20, 2012 - "Microsoft is aware that detailed exploit code has been published for known weaknesses in the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2). The MS-CHAP v2 protocol is widely used as an authentication method in Point-to-Point Tunneling Protocol (PPTP)-based VPNs. Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary..."
- http://support.microsoft.com/kb/2744850
Last Review: August 20, 2012 - Revision: 1.4
- http://h-online.com/-1672257
22 August 2012
___
Microsoft Security Advisory (2661254)
Update For Minimum Certificate Key Length
- https://blogs.technet.com/b/gladiatormsft/archive/2012/08/15/software-update-to-block-rsa-keylengths-gt-1024-has-been-released-to-the-download-center.aspx?Redirected=true
14 Aug 2012 - "... an update was released that, once applied, will block RSA certificates with keys less than 1024 bits. The software update was released to the Download Center. The security advisory is located at:
http://technet.microsoft.com/security/advisory/2661254 .
The KB article is available at http://support.microsoft.com/kb/2661254 *.
The update is available now to allow organizations to assess the impact of this update and to reissue certificates with larger key sizes, if necessary, before the update is sent out through Windows Update. Previous blogs may have mentioned it being released to Windows Update this month. That is no longer the case. The update is planned to be sent out through Windows Update on October 9, 2012..."
* http://support.microsoft.com/kb/2661254
Last Review: August 21, 2012 - Revision: 2.1
AplusWebMaster
2012-09-06, 19:17
FYI...
- https://technet.microsoft.com/en-us/security/bulletin/ms12-sep
September 06, 2012 - "This is an advance notification of security bulletins that Microsoft is intending to release on September 11, 2012..."
(Total of -2-)
Bulletin 1 - Important - Elevation of Privilege - No restart required - Microsoft Developer Tools
Bulletin 2 - Important - Elevation of Privilege - No restart required - Microsoft Server Software
___
- https://blogs.technet.com/b/msrc/archive/2012/09/06/september-ans-and-an-important-heads-up-concerning-certificates.aspx?Redirected=true
6 Sep 2012 - "... Security Advisory 2661254* was initially made available in August via the Download Center and the Microsoft Update Catalog, with distribution through Windows Update planned for October 2012. To help ensure that all customers are prepared for the update, we are reiterating those announcements before releasing the requirement change with our monthly bulletins on Oct. 9... customers will want to take advantage of September’s quiet bulletin cycle to review their asset inventories – in particular, examining those systems and applications that have been tucked away to collect dust and cobwebs because they “still work” and have not had any cause for review for some time. For those who find they are using certificates with RSA key lengths of -less- than 1024 bits, those certificates will be required to be reissued with at least a 1024-bit key length. (1024 should, by the way, be considered a minimum length; the most up-to-date security practices recommend 2048 bits or even better.) We recommend that you evaluate your environments with the information provided in Security Advisory 2661254 and your organization is aware of and prepared to resolve any known issues prior to October. Some known issues that customers may encounter after applying this update may include:
• Error messages when browsing to web sites that have SSL certificates with keys that are less than 1024 bits
• Problems enrolling for certificates when a certificate request attempts to utilize a key that is less than 1024 bits
• Difficulties creating or consuming email (S/MIME) messages that utilize less than 1024 bit keys for signatures or encryption
• Difficulties installing Active X controls that were signed with less than 1024 bit signatures
• Difficulties installing applications that were signed with less than 1024 bit signatures (unless they were signed prior to Jan. 1, 2010, which will not be blocked by default)..."
* http://support.microsoft.com/kb/2661254
Last Review: August 21, 2012 - Revision: 2.1
.
AplusWebMaster
2012-09-11, 19:39
FYI...
- https://technet.microsoft.com/en-us/security/bulletin/ms12-sep
Sep 11, 2012 - "This bulletin summary lists security bulletins released for September 2012..."
(Total of -2-)
Microsoft Security Bulletin MS12-061 - Important
Vulnerability in Visual Studio Team Foundation Server Could Allow Elevation of Privilege (2719584)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-061
Important - Elevation of Privilege - No restart required - Microsoft Developer Tools
Microsoft Security Bulletin MS12-062 - Important
Vulnerability in System Center Configuration Manager Could Allow Elevation of Privilege (2741528)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-062
Important - Elevation of Privilege - No restart required - Microsoft Server Software
Bulletin Deployment priority
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/8228.September-2012-Deployment-Pri.png
Severity and exploitability index
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/3404.September-2012-Deployment-S_2600_E-Index.png
___
- https://secunia.com/advisories/50463/ - MS12-061
- https://secunia.com/advisories/50497/ - MS12-062
___
Microsoft Security Advisory (2736233)
Update Rollup for ActiveX Kill Bits
- https://technet.microsoft.com/en-us/security/advisory/2736233
Sep 11, 2012 - "... This update sets the kill bits for the following third-party software:
Cisco Secure Desktop... relates to a request by Cisco to set a kill bit for an ActiveX control that is vulnerable...
Cisco Hostscan... relates to a request by Cisco to set a kill bit for an ActiveX control that is vulnerable...
Cisco AnyConnect Secure Mobility Client... relates to a request by Cisco to set a kill bit for an ActiveX control that is vulnerable..."
- http://support.microsoft.com/kb/2736233
Microsoft Security Advisory (2661254)
Update For Minimum Certificate Key Length
- https://technet.microsoft.com/en-us/security/advisory/2661254
V1.2 (September 11, 2012): Clarified that applications and services that use RSA keys for cryptography and call into the CertGetCertificateChain function could be impacted by this update. Examples of these applications and services include but are not limited to encrypted email, SSL/TLS encryption channels, signed applications, and private PKI environments.
- http://support.microsoft.com/kb/2661254
Last Review: September 12, 2012 - Revision: 3.0
___
MSRT
- http://support.microsoft.com/?kbid=890830
September 11, 2012 - Revision: 110.0
- http://www.microsoft.com/security/pc-security/malware-families.aspx
"... added in this release...
• Medfos ..."
- https://blogs.technet.com/b/mmpc/archive/2012/09/10/msrt-september-12-medfos-hijacking-your-daily-search.aspx?Redirected=true
Download:
- http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16
File Name: Windows-KB890830-V4.12.exe - 16.1 MB
- https://www.microsoft.com/download/en/details.aspx?id=9905
x64 version of MSRT:
File Name: Windows-KB890830-x64-V4.12.exe - 16.7 MB
___
ISC Analysis
- https://isc.sans.edu/diary.html?storyid=14071
Last Updated: 2012-09-11
.
AplusWebMaster
2012-09-18, 04:34
FYI...
Microsoft Security Advisory (2757760)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
* http://technet.microsoft.com/security/advisory/2757760
17 Sep 2012 (see "Workarounds") - "... To download EMET, visit the following Microsoft website:
https://www.microsoft.com/en-us/download/details.aspx?id=29851 ..."
** http://support.microsoft.com/kb/2458544
- https://blogs.technet.com/b/msrc/archive/2012/09/17/microsoft-releases-security-advisory-2757760.aspx?Redirected=true
17 Sep 2012 - "... we released Security Advisory 2757760* to address an issue that affects Internet Explorer 9 and earlier versions if a user views a website hosting malicious code. Internet Explorer 10 is not affected. We have received reports of only a small number of targeted attacks and are working to develop a security update to address this issue. In the meantime, customers using Internet Explorer are protected when they deploy the following workarounds and mitigations included in the advisory:
• Deploy the Enhanced Mitigation Experience Toolkit (EMET)
This will help prevent exploitation by providing mitigations to help protect against this issue and should not affect usability of websites.
• Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones
This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
Deploying EMET will help to prevent a malicious website from successfully exploiting the issue described in Security Advisory 2757760*. EMET in action is unobtrusive and should not affect customers’ Web browsing experience. We are monitoring the threat landscape very closely and if the situation changes, we will post updates here on the MSRC blog..."
___
- https://www.net-security.org/secworld.php?id=13614
18 Sep 2012 - "... The Rapid7 team got right on it and created a module exploiting the vulnerability for the Metasploit exploit toolkit during the weekend, and advised IE users to switch to other browsers such as Chrome or Firefox until Microsoft patches the flaw and a security update becomes available. Microsoft has reacted fast by issuing a security advisory yesterday, in which it confirms the existence of the flaw in Internet Explorer 9 and all previous versions (IE10 is not affected), and offers instructions on steps the users can take to mitigate - but not yet remove - the threat:
• Deploy the Enhanced Mitigation Experience Toolkit (EMET) and configure it for Internet Explorer
• Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
These steps could bring additional problems to the users, such as being bombarded by a slew of security warnings, so until Microsoft releases a definitive patch for the hole, maybe it would be easier for IE users to take Rapid7's advice and switch to another browser for the time being."
AplusWebMaster
2012-09-19, 02:59
FYI...
Microsoft Security Advisory (2757760)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- https://technet.microsoft.com/en-us/security/advisory/2757760
V1.1 (Sep 18, 2012): Assigned Common Vulnerability and Exposure number CVE-2012-4969 to the issue. Also -corrected- instructions in the EMET workaround.
V1.2 (Sep 19, 2012): Added link to Microsoft Fix it solution, "Prevent Memory Corruption via ExecCommand in Internet Explorer," that prevents exploitation of this issue.
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4969 - 9.3 (HIGH)
"... function in mshtml.dll in Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code via a crafted web site, as exploited in the wild in September 2012..."
- https://blogs.technet.com/b/msrc/archive/2012/09/18/additional-information-about-internet-explorer-and-security-advisory-2757760.aspx?Redirected=true
18 Sep 2012 - "We will release a Fix it in the next few days to address an issue in Internet Explorer... It will not affect your ability to browse the Web, and it will provide full protection against this issue until an update is available. It won’t require a reboot of your computer. This Fix it will be available for everyone to download and install within the next few days..."
AplusWebMaster
2012-09-20, 03:26
FYI...
IE Fix it available - Security Update scheduled for Friday
- https://blogs.technet.com/b/msrc/archive/2012/09/19/internet-explorer-fix-it-available-now-security-update-scheduled-for-friday.aspx?Redirected=true
19 Sep 2012 - "... today we have released a Fix it* that is available to address that issue. This is an easy, one-click solution that will help protect your computer right away. It will not affect your ability to browse the web, and it does not require a reboot of your computer. Then, on this Friday, Sept. 21, we will release a cumulative update for Internet Explorer through Windows Update and our other standard distribution channels. We recommend that you install this update as soon as it is available... This will not only reinforce the issue that the Fix It addressed, but cover other issues as well. Today’s Advance Notification Service** (ANS) provides additional details about the update we are releasing on Friday - MS12-063. We are planning to release this bulletin as close to 10 a.m. PDT as possible. This cumulative update for Internet Explorer has an aggregate severity rating of Critical. It addresses the publicly disclosed issue described in Security Advisory 2757760 as well as four other Critical-class remote code execution issues..."
* http://support.microsoft.com/kb/2757760#FixItForMe
Last Review: September 20, 2012 - Revision: 2.0
** http://technet.microsoft.com/security/bulletin/ms12-sep
Sep 19, 2012 - Version: 2.0
Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
AplusWebMaster
2012-09-21, 19:10
FYI...
> https://technet.microsoft.com/en-us/security/bulletin/ms12-sep
V2.0 (Sep 21, 2012): Added Microsoft Security Bulletin MS12-063, Cumulative Security Update for Internet Explorer (2744842)... out-of-band security bulletin.
Microsoft Security Bulletin MS12-063 - Critical
Cumulative Security Update for Internet Explorer (2744842)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-063
Sep 21, 2012 - Internet Explorer 6, 7, 8, 9.
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1529 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2546 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2548 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2557 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4969 - 9.3 (HIGH)
> https://update.microsoft.com/
AplusWebMaster
2012-09-21, 21:07
FYI...
Microsoft Security Advisory (2757760)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- https://technet.microsoft.com/en-us/security/advisory/2757760
V2.0 (Sep 21, 2012): Advisory updated to reflect publication of security bulletin.
"... We have issued MS12-063* to address this issue..."
* https://technet.microsoft.com/en-us/security/bulletin/ms12-063
Sep 21, 2012 - "... rated Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows..."
- https://blogs.technet.com/b/msrc/archive/2012/09/21/microsoft-releases-ms12-063-cumulative-security-update-for-internet-explorer.aspx?Redirected=true
21 Sep 2012
- http://atlas.arbor.net/briefs/index#1229731326
Severity: Extreme Severity
Sep 21, 2012
MS12-063 patches the recent 0day security hole in Internet Explorer along with other security holes.
Analysis: The exploit for one of the now-patched security holes was first found and reported last week and was apparently used in targeted attacks. One of the actions of at least one group of attackers was the installation of the Poison Ivy Remote Access Trojan (RAT). The exploit for this issue was soon revealed to the public and a Metasploit module was developed, allowing anyone to gain access to the exploit code for any purpose...
> https://update.microsoft.com/
___
Microsoft Security Advisory (2755801)
Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10
- https://technet.microsoft.com/en-us/security/advisory/2755801
Sep 21, 2012 - "... availability of an update for Adobe Flash Player in Internet Explorer 10 on all supported editions of Windows 8 and Windows Server 2012. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10... The update addresses the vulnerabilities described in Adobe security bulletins APSB12-18 and APSB12-19. As of the release of this update, CVE-2012-1535* is known to be under active attack. For more information about this update, including download links, see Microsoft Knowledge Base Article 2755399**... Customers with Windows 8 Release Preview and Windows Server 2012 Release Candidate are encouraged to apply the update to their systems. The update is only available on Windows Update**..."
** http://go.microsoft.com/fwlink/?LinkId=21130
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1535 - 9.3 (HIGH)
Last revised: 08/15/2012
** http://support.microsoft.com/kb/2755399
Sep 21, 2012
- https://blogs.technet.com/b/msrc/archive/2012/09/21/security-advisory-2755801-addresses-adobe-flash-player-issues.aspx?Redirected=true
21 Sep 2012
- http://atlas.arbor.net/briefs/index#1045103976
Severity: Elevated Severity
Sep 21, 2012
Microsoft releases a security update to Flash player.
Analysis: This patch resolves security issues patched by Adobe in August 2012 for Internet Explorer 10 on Windows 8. This includes the following CVEs: CVE-2012-1535, CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166, CVE-2012-4167, CVE-2012-4168, CVE-2012-4171. Attacks on the CVE-2012-1535 vulnerability are actively underway...
AplusWebMaster
2012-09-28, 16:34
FYI...
MS KB 2732059 - .oxps files ...
You cannot open an .oxps file in Windows 7 or in Windows Server 2008 R2
- http://support.microsoft.com/kb/2732059
Last Review: September 26, 2012 - Revision: 2.0
"This issue occurs because Windows 7 and Windows Server 2008 R2 do not support the .oxps format. The supported XPS document format in Windows 7 and in Windows Server 2008 R2 is .xps... This update is available from the following Microsoft Update website:
https://update.microsoft.com
Applies to: Win7, Windows Server 2008 ..."
AplusWebMaster
2012-10-09, 20:51
FYI...
- http://technet.microsoft.com/en-us/security/bulletin/ms12-oct
October 09, 2012 - "This bulletin summary lists security bulletins released for October 2012..."
(Total of -7-)
Microsoft Security Bulletin MS12-064 - Critical
Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2742319)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-064
Critical - Remote Code Execution - May require restart - Microsoft Office, Microsoft Server Software
Microsoft Security Bulletin MS12-065 - Important
Vulnerability in Microsoft Works Could Allow Remote Code Execution (2754670)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-065
Important - Remote Code Execution - May require restart - Microsoft Office
Microsoft Security Bulletin MS12-066 - Important
Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (2741517)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-066
Important - Elevation of Privilege - May require restart - Microsoft Office, Microsoft Server Software, Microsoft Lync
Microsoft Security Bulletin MS12-067 - Important
Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution (2742321)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-067
Important - Remote Code Execution - May require restart - Microsoft Office, Microsoft Server Software
Microsoft Security Bulletin MS12-068 - Important
Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2724197)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-068
Important - Elevation of Privilege - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-069 - Important
Vulnerability in Kerberos Could Allow Denial of Service (2743555)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-069
Important - Denial of Service - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-070 - Important
Vulnerability in SQL Server Could Allow Elevation of Privilege (2754849)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-070
Important - Elevation of Privilege - May require restart - Microsoft SQL Server
___
Assessing risk for the October 2012 security updates
- https://blogs.technet.com/b/srd/archive/2012/10/09/assessing-risk-for-the-october-2012-security-updates.aspx?Redirected=true
9 Oct 2012
Bulletin Deployment Priority
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/7585.October-2012-Deployment.png
Severity and Exploitability Index
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/6866.October-2012-Severity.png
MSRC > Welcome to the 1024-bit world and the October security updates
- http://blogs.technet.com/b/msrc/archive/2012/10/09/welcome-to-the-1024-bit-world-and-the-october-security-updates.aspx?Redirected=true
9 Oct 2012
___
MSRT
- http://support.microsoft.com/?kbid=890830
October 9, 2012 - Revision: 111.0
- http://www.microsoft.com/security/pc-security/malware-families.aspx
"... added in this release...
• Nitol
• OneScan..."
- https://blogs.technet.com/b/mmpc/archive/2012/10/09/msrt-thwarts-rogues-with-just-one-scan.aspx?Redirected=true
9 Oct 2012
Download:
- http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16
File Name: Windows-KB890830-V4.13.exe - 16.2 MB
- https://www.microsoft.com/download/en/details.aspx?id=9905
x64 version of MSRT:
File Name: Windows-KB890830-x64-V4.13.exe - 16.8 MB
___
ISC Analysis
- https://isc.sans.edu/diary.html?storyid=14272
Last Updated: 2012-10-09 17:12:12 UTC
.
AplusWebMaster
2012-10-09, 21:57
FYI...
Microsoft Security Advisory (2749655)
Compatibility Issues Affecting Signed Microsoft Binaries
- http://technet.microsoft.com/en-us/security/advisory/2749655
October 09, 2012 - "... For more information about the update, please see Microsoft Knowledge Base Article 2749655*..."
* http://support.microsoft.com/kb/2749655
Security Advisory 2749655 and timestamping
- https://blogs.technet.com/b/srd/archive/2012/10/09/security-advisory-2749655-and-timestamping.aspx?Redirected=true
9 Oct 2012 - "... due to a clerical error, a subset of binaries processed by the PRSS lab between June 12, 2012 and August 14, 2012 were digitally signed in an incorrect manner... we are re-releasing an initial batch of four security updates -- MS12-053, MS12-054, MS12-055, and MS12-058 -- with new digital signatures, each of which has been timestamped with a proper timestamping certificate. We are continuing our investigation and expect to re-release additional bulletins as needed in months to come..."
___
Microsoft Security Advisory (2737111)
Vulnerabilities in Microsoft Exchange and FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution
- http://technet.microsoft.com/en-us/security/advisory/2737111
• V3.0 (October 9, 2012): Advisory updated to reflect publication of security bulletin* for Microsoft FAST Search Server 2010 for SharePoint.
* http://technet.microsoft.com/en-us/security/bulletin/ms12-067
Microsoft Security Advisory (2661254)
Update For Minimum Certificate Key Length
- http://technet.microsoft.com/en-us/security/advisory/2661254
• V2.0 (October 9, 2012): Revised advisory to re-release the KB2661254 update for Windows XP and to announce that the KB2661254 update for all supported releases of Microsoft Windows is now offered through automatic updating. Customers who previously applied the KB2661254 update do not need to take any action. See advisory FAQ for details.
Microsoft Security Advisory (2755801)
Update for Vulnerabilities in Adobe -Flash- Player in IE 10
* https://technet.microsoft.com/en-us/security/advisory/2755801
Updated: Oct 08, 2012 - "... Microsoft recommends that customers apply the current update -immediately- using update management software, or by checking for updates using the Microsoft Update service. Since the update is cumulative, only the current update will be offered..."
• V2.0 (October 8, 2012): Added KB2758994** to the Current update section.
** http://support.microsoft.com/kb/2758994
AplusWebMaster
2012-10-10, 20:28
FYI...
RE-RELEASED:
Microsoft Security Bulletin MS12-043 - Critical
- http://technet.microsoft.com/en-us/security/bulletin/ms12-043
• V3.0 (October 9, 2012): Added Microsoft XML Core Services 4.0 when installed on supported editions of Windows 8 and Windows Server 2012 to affected software and announced a corresponding detection change for the KB2721691 update package. Customers who have installed Microsoft XML Core Services 4.0 on systems running Windows 8 or Windows Server 2012 need to install the KB2721691 update to be protected from the vulnerability described in this bulletin. See the update FAQ for details.
Microsoft Security Bulletin MS12-053 - Critical
- http://technet.microsoft.com/en-us/security/bulletin/ms12-053
• V2.0 (October 9, 2012): Revised bulletin to rerelease the KB723135 update for Windows XP. Customers do not need to apply the rereleased update packages to avoid an issue with digital certificates described in Microsoft Security Advisory 2749655.
Microsoft Security Bulletin MS12-054 - Critical
- http://technet.microsoft.com/en-us/security/bulletin/ms12-054
• V2.0 (October 9, 2012): Revised bulletin to rerelease the KB2731847 update for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Customers using Windows XP and Windows Server 2003 do not need to apply the rereleased update packages to avoid an issue with digital certificates described in Microsoft Security Advisory 2749655. Customers using Windows Vista, Windows 7, and Windows Server 2008 need to apply the rereleased update packages to avoid an issue with digital certificates described in Microsoft Security Advisory 2749655.
Microsoft Security Bulletin MS12-055 - Important
- http://technet.microsoft.com/en-us/security/bulletin/ms12-055
• V2.0 (October 9, 2012): Revised bulletin to rerelease the KB2731847 update for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Customers using Windows XP and Windows Server 2003 do not need to apply the rereleased update packages to avoid an issue with digital certificates described in Microsoft Security Advisory 2749655. Customers using Windows Vista, Windows 7, and Windows Server 2008 need to apply the rereleased update packages to avoid an issue with digital certificates described in Microsoft Security Advisory 2749655.
Microsoft Security Bulletin MS12-058 - Critical
- http://technet.microsoft.com/en-us/security/bulletin/ms12-058
• V2.0 (October 9, 2012): Revised bulletin to offer the rerelease of updates for Microsoft Exchange Server 2007 Service Pack 3 (KB2756497), Microsoft Exchange Server 2010 Service Pack 1 (KB2756496), and Microsoft Exchange Server 2010 Service Pack 2 (KB2756485). Customers need to apply the rereleased updates to avoid an issue with digital certificates described in Microsoft Security Advisory 2749655.
>> Per: Security Advisory 2749655 and timestamping
- https://blogs.technet.com/b/srd/archive/2012/10/09/security-advisory-2749655-and-timestamping.aspx?Redirected=true
9 Oct 2012 - "... due to a clerical error, a subset of binaries processed by the PRSS lab between June 12, 2012 and August 14, 2012 were digitally signed in an incorrect manner... we are re-releasing an initial batch of four security updates -- MS12-053, MS12-054, MS12-055, and MS12-058 -- with new digital signatures, each of which has been timestamped with a proper timestamping certificate. We are continuing our investigation and expect to re-release additional bulletins as needed in months to come..."
AplusWebMaster
2012-10-19, 14:01
FYI...
Windows Update Web site indicates that your Windows Update software has to be updated
- http://support.microsoft.com/kb/836974/en-us
Last Review: October 18, 2012 - Revision: 3.0
Resolution: To resolve this issue, manually update the Windows Update software, and then return to the Windows Update Web site to update your computer. To do this, follow the appropriate steps for your Microsoft Windows operating system...
Windows Server 2003, Windows XP, and Windows 2000
1. Download the Iuctl.cab file and save it on your desktop. To download the Iuctl.cab file, visit the following Windows Update Web site:
http://v4.update.microsoft.com/cab/x86/unicode/iuctl.cab
2. After the file is saved on your desktop, right-click the Iuctl.cab file, and then click Open.
3. Select all the files that are listed. To do this, point to the file list, and then press CTRL+A.
4. Right-click the files that you selected, and then click Extract.
5. Select a known location, and then click OK. For example, select the desktop.
6. Locate the file where you extracted it. For example, locate the file on the desktop.
7. Right-click the Iuctl.inf file, and then click Install.
8. Try again to update your computer by using the Windows Update Web site.
After you have resolved this issue, you can safely delete the files and folders that you downloaded and extracted in steps 1 through 4 of this procedure.
AplusWebMaster
2012-10-24, 13:53
FYI...
MSRT results - Oct 2012...
- https://blogs.technet.com/b/mmpc/archive/2012/10/22/msrt-october-12-nitol-by-the-numbers.aspx?Redirected=true
22 Oct 2012 - "... Top 10 countries with Win32/Nitol detections (January 2012 to October 2012):
> https://www.microsoft.com/security/portal/blog-images/Nitol/Nitol1.png
... Monthly report volume for Win32/Nitol (January 2011 to October 2012):
> https://www.microsoft.com/security/portal/blog-images/Nitol/Nitol3.png
... This month’s MSRT included two prevalent families - Win32/Onescan, which is a Korean rogue software, and Win32/Nitol. Within the first two days of MSRT release, Win32/Onescan was our top family detected and cleaned by the MSRT tool, while Win32/Nitol took the 9th spot. After one week of report monitoring, while Win32/Onescan was still on top and had been cleaned from almost 1,000,000 machines, Win32/Nitol had slipped to the 11th spot, having been removed from over 36,000 machines. Win32/Nitol’s numbers are something within our expectation. The recent takedown which disrupted a large percentage of Win32/Nitol’s C&C (command and control) infrastructure is a big factor in explaining why Win32/Nitol’s prevalence has been dropping considerably.
MSRT top 15 families after one week:
> https://www.microsoft.com/security/portal/blog-images/Nitol/Nitol4.png ..."
AplusWebMaster
2012-11-01, 00:35
FYI...
Microsoft Security Bulletin MS12-034 - Critical
Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight
- http://technet.microsoft.com/en-us/security/bulletin/ms12-034
V1.0 (May 8, 2012): Bulletin published.
V1.1 (May 16, 2012): Added a link to Microsoft Knowledge Base Article 2681578 under Known Issues in the Executive Summary. Also added Microsoft .NET Framework 1.1 Service Pack 1 to the Non-Affected Software table and corrected the update replacement information for Microsoft Office. These were informational changes only. There were no changes to the security update files or detection logic.
V1.2 (May 22, 2012): Added an entry to the Frequently Asked Questions (FAQ) Related to This Security Update section to explain this revision.
V1.3 (June 6, 2012): Added an entry to the update FAQ to explain why systems with non-affected versions of Microsoft Visio Viewer 2010 will be offered security update KB2589337.
V1.4 (July 31, 2012): Bulletin revised to announce a detection change in the Windows Vista packages for KB2676562 to correct a Windows Update reoffering issue. This is a detection change only. Customers who have already successfully updated their systems do not need to take any action.
V1.5 (October 31, 2012): Corrected update replacement information for the KB2676562* update.
* http://support.microsoft.com/kb/2676562
.
AplusWebMaster
2012-11-13, 21:11
FYI...
- http://technet.microsoft.com/en-us/security/bulletin/ms12-nov
November 13, 2012 - "This bulletin summary lists security bulletins released for November 2012...
(Total of -6-)
Microsoft Security Bulletin MS12-071 - Critical
Cumulative Security Update for Internet Explorer (2761451)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-071
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Microsoft Security Bulletin MS12-072 - Critical
Vulnerabilities in Windows Shell Could Allow Remote Code Execution (2727528)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-072
Critical - Remote Code Execution - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-074 - Critical
Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2745030)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-074
Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework
Microsoft Security Bulletin MS12-075 - Critical
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2761226)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-075
Critical - Remote Code Execution - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-076 - Important
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2720184)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-076
Important - Remote Code Execution - May require restart - Microsoft Office
Microsoft Security Bulletin MS12-073 - Moderate
Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Information
- https://technet.microsoft.com/en-us/security/bulletin/ms12-073
Moderate - Information Disclosure - May require restart - Microsoft Windows
___
Bulletin Deployment Priority
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/5353.November-2012-Deployment.png
Severity and Exploitability Index
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/0486.November-2012-Severity.png
- http://blogs.technet.com/b/msrc/archive/2012/11/13/november-2012-bulletin-release.aspx?Redirected=true
13 Nov 2012 - "... six security bulletins... four Critical, one Important, and one Moderate – addressing 19 vulnerabilities in Microsoft Windows Shell, Windows Kernel, Internet Explorer, Internet Information Services (IIS), .NET Framework, and Excel..."
___
- https://secunia.com/advisories/51202/ - MS12-071
- https://secunia.com/advisories/51221/ - MS12-072
- https://secunia.com/advisories/51235/ - MS12-073
- https://secunia.com/advisories/51236/ - MS12-074
- https://secunia.com/advisories/51239/ - MS12-075
- https://secunia.com/advisories/51242/ - MS12-076
___
ISC Analysis
- https://isc.sans.edu/diary.html?storyid=14503
Last Updated: 2012-11-13 18:43:04 UTC
___
MSRT
- http://support.microsoft.com/?kbid=890830
November 13, 2012 - Revision: 116.0
- http://www.microsoft.com/security/pc-security/malware-families.aspx
"... added in this release...
• Folstart
• Phorpiex
• Weelsof ..."
- https://blogs.technet.com/b/mmpc/archive/2012/11/13/don-t-fall-for-folstart.aspx?Redirected=true
13 Nov 2012 - "... good practice to show hidden files and system files file extensions..."
- https://www.microsoft.com/security/portal/blog-images/Folstart/3.png
... How to display hidden files and folders, and show file extensions
Download:
- http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16
File Name: Windows-KB890830-V4.14.exe - 16.5 MB
- https://www.microsoft.com/download/en/details.aspx?id=9905
x64 version of MSRT:
File Name: Windows-KB890830-x64-V4.14.exe - 17.1 MB
.
AplusWebMaster
2012-11-14, 04:26
FYI...
Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- http://technet.microsoft.com/en-us/security/advisory/2269637
V18.0 (November 13, 2012): Added the following Microsoft Security Bulletin to the Updates relating to Insecure Library Loading section: MS12-074*, "Vulnerabilities in .NET Framework Could Allow Remote Code Execution."
* http://technet.microsoft.com/en-us/security/bulletin/ms12-074
Microsoft Security Advisory (2749655)
Compatibility Issues Affecting Signed Microsoft Binaries
- http://technet.microsoft.com/en-us/security/advisory/2749655
V1.2 (November 13, 2012): Added the KB2687626 update, described in MS12-046*, to the list of available re-releases (List of available re-releases at the URL above).
* http://technet.microsoft.com/en-us/security/bulletin/ms12-046
V2.0 (November 13, 2012): Re-released bulletin to replace the KB2598361 update with the KB2687626** update for Microsoft Office 2003 Service Pack 3 to address an issue with digital certificates described in Microsoft Security Advisory 2749655. See the update FAQ for details.
** http://support.microsoft.com/KB/2687626
November 13, 2012 - Revision: 2.0
.
AplusWebMaster
2012-11-14, 13:37
FYI... Per comments/info below, you may choose -not- to install this item:
"An IPv6 readiness update is available for Windows 7 and for Windows Server 2008 R2"
- http://support.microsoft.com/kb/2750841
November 13, 2012 - Revision: 1.0
___
From: Susan Bradley
Subject: Do not install KB2750841
http://support.microsoft.com/kb/2750841
Do -not- install that
Threads here:
http://forums.opendns.com/comments.php?DiscussionID=16465
here
http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_update/additional-log-on-information-may-be-required/d5be5c1c-f9aa-4f06-943e-03d8cb305a57
and
https://isc.sans.edu/diary.html?storyid=14503#comment
"After applying the updates, in the Network Notification Area, I get 'Additional log on info may be required'..."
AplusWebMaster
2012-12-08, 17:15
FYI...
MSRT November '12 ...
- https://blogs.technet.com/b/mmpc/archive/2012/12/04/msrt-november-12-weelsof-around-the-world.aspx?Redirected=true
4 Dec 2012
> https://www.microsoft.com/security/portal/blog-images/Weelsof/Weels4.png
> https://www.microsoft.com/security/portal/blog-images/Weelsof/Weels5.png
___
Unexpected reboot: Necurs
- https://blogs.technet.com/b/mmpc/archive/2012/12/06/unexpected-reboot-necurs.aspx?Redirected=true
6 Dec 2012 - "Necurs is a prevalent threat in the wild at the moment - variants of Necurs were reported on 83,427 unique machines during the month of November 2012. Necurs is mostly distributed by drive-by download. This means that you might be -silently- infected by Necurs when you visit websites that have been compromised by exploit kits such as Blackhole. So what does Necurs actually do? At a high level, it enables further compromise by providing the functionality to:
- Download additional malware
- Hide its components
- Stop security applications from functioning
In addition Necurs contains backdoor functionality, allowing remote access and control of the infected computer. Necurs also monitors and filters network activity and has been observed to send spam and install rogue security software. Nefariousness aplenty. See our Trojan:Win32/Necurs* family write-up for the full details... we've had reports from a number of users stating that they're having trouble with the Microsoft Security Essentials real time protection option being turned off after their computer has rebooted. We will continue to monitor variants of Necurs in the wild..."
* http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Necurs
Updated: Dec 05, 2012
AplusWebMaster
2012-12-11, 19:30
FYI...
- http://technet.microsoft.com/en-us/security/bulletin/ms12-dec
December 11, 2012 - "This bulletin summary lists security bulletins released for December 2012...
(Total of 7)
Microsoft Security Bulletin MS12-077 - Critical
Cumulative Security Update for Internet Explorer (2761465)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-077
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Microsoft Security Bulletin MS12-078 - Critical
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2783534)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-078
Critical - Remote Code Execution - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-079 - Critical
Vulnerability in Microsoft Word Could Allow Remote Code Execution (2780642)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-079
Critical - Remote Code Execution - May require restart - Microsoft Office
Microsoft Security Bulletin MS12-080 - Critical
Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2784126)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-080
Critical - Remote Code Execution - May require restart - Microsoft Server Software
Microsoft Security Bulletin MS12-081 - Critical
Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2758857)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-081
Critical - Remote Code Execution - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-082 - Important
Vulnerability in DirectPlay Could Allow Remote Code Execution (2770660)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-082
Important - Remote Code Execution - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-083 - Important
Vulnerability in IP-HTTPS Component Could Allow Security Feature Bypass (2765809)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-083
Important - Security Feature Bypass - Requires restart - Microsoft Windows
___
- http://blogs.technet.com/b/msrc/archive/2012/12/11/it-s-that-time-of-year-for-the-december-2012-bulletin-release.aspx?Redirected=true
Bulletin Deployment Priority:
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/6355.Slide2.PNG
Severity and Exploitability Index:
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/0550.Slide1.PNG
- http://blogs.technet.com/b/security/archive/2012/12/11/new-guidance-to-mitigate-determined-adversaries-favorite-attack-pass-the-hash.aspx?Redirected=true
___
ISC Analysis
- https://isc.sans.edu/diary.html?storyid=14683
Last Updated: 2012-12-12 01:54:45 UTC
___
- https://secunia.com/advisories/51411/ - MS12-077
- https://secunia.com/advisories/51459/ - MS12-078
- https://secunia.com/advisories/51467/ - MS12-079
- https://secunia.com/advisories/51474/ - MS12-080
- https://secunia.com/advisories/51493/ - MS12-081
- https://secunia.com/advisories/51497/ - MS12-082
- https://secunia.com/advisories/51500/ - MS12-083
___
MSRT
- http://support.microsoft.com/?kbid=890830
December 11, 2012 - Revision: 117.0
- http://www.microsoft.com/security/pc-security/malware-families.aspx
"... added in this release...
• Phdet ..."
- https://blogs.technet.com/b/mmpc/archive/2012/12/11/msrt-december-12-phdet.aspx?Redirected=true
Download:
- https://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16
File Name: Windows-KB890830-V4.15.exe - 16.8 MB
- https://www.microsoft.com/download/en/details.aspx?id=9905
x64 version of MSRT:
File Name: Windows-KB890830-x64-V4.15.exe - 17.4 MB
.
AplusWebMaster
2012-12-12, 04:28
FYI...
Microsoft Security Advisory (2749655)
Compatibility Issues Affecting Signed Microsoft Binaries
- http://technet.microsoft.com/en-us/security/advisory/2749655
V2.0 (December 11, 2012): Added the KB2687627 and KB2687497 updates described in MS12-043, the KB2687501 and KB2687510 updates described in MS12-057, the KB2687508 update described in MS12-059, and the KB2726929 update described in MS12-060* to the list of available rereleases.
* http://technet.microsoft.com/en-us/security/bulletin/ms12-060
V2.0 (December 11, 2012): Re-released bulletin to replace the KB2687323 update with the KB2726929 update for Windows common controls on all affected variants of Microsoft Office 2003, Microsoft Office 2003 Web Components, and Microsoft SQL Server 2005.
Microsoft Security Advisory (2755801)
Update for Vulnerabilities in Adobe Flash Player in IE 10
- http://technet.microsoft.com/en-us/security/advisory/2755801
V5.0 (December 11, 2012): Added KB2785605* to the Current update section.
* http://support.microsoft.com/kb/2785605
Dec 11, 2012 - Revision: 1.0
___
The following bulletins have undergone a major revision increment. Please see the appropriate bulletin for more details.
- http://technet.microsoft.com/security/bulletin/MS12-043
- http://technet.microsoft.com/security/bulletin/MS12-050
V2.1 (December 12, 2012): Clarified that the update for Microsoft SharePoint Services 2.0 is available from the Microsoft Download Center only.
- http://technet.microsoft.com/security/bulletin/MS12-057
- http://technet.microsoft.com/security/bulletin/MS12-059
- http://technet.microsoft.com/security/bulletin/MS12-060
AplusWebMaster
2012-12-15, 04:29
FYI...
MS12-078 - "Known issues" ...
- http://support.microsoft.com/kb/2753842
Last Review: December 14, 2012 - Revision: 2.0
"Known issues with this security update: We are aware of issues related to OpenType Font (OTF) rendering in applications such as PowerPoint on affected versions of Windows that occur after this security update is applied. We are currently investigating these issues and will take appropriate action to address the known issues..."
- http://h-online.com/-1771419
18 Dec 2012 - "... this patch seems to prevent the correct display of PostScript Type 1 fonts and OpenType fonts. They disappear completely in a variety of applications – CorelDraw, QuarkExpress and PowerPoint – and currently the only way to make them visible again is to remove the patch..."
AplusWebMaster
2012-12-21, 12:44
FYI...
MS12-078 re-released
- https://technet.microsoft.com/en-us/security/bulletin/ms12-078
V2.0 (December 20, 2012): Re-released update KB2753842 to resolve an issue with OpenType fonts not properly rendering after the original update was installed. Customers who have successfully installed the original KB2753842 update need to install the rereleased update.
(Requires restart.)
- http://support.microsoft.com/kb/2753842
Dec 20, 2012 - Rev: 3.0
___
- http://h-online.com/-1773744
21 Dec 2012
- https://secunia.com/advisories/51459/
Last Update: 2012-12-21
Criticality level: Highly critical
CVE Reference(s):
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2556 - 9.3 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4786 - 10.0 (HIGH)
Original Advisory: MS12-078 (KB2779030, KB2753842):
https://technet.microsoft.com/en-us/security/bulletin/ms12-078
AplusWebMaster
2012-12-29, 14:57
FYI...
IE 0-day attack in-the-wild...
- https://krebsonsecurity.com/2012/12/attackers-target-internet-explorer-zero-day-flaw/
Dec 28th, 2012 - "Attackers are breaking into Microsoft Windows computers using a newly discovered vulnerability in Internet Explorer, security experts warn. While the flaw appears to have been used mainly in targeted attacks so far, this vulnerability could become more widely exploited if incorporated into commercial crimeware kits sold in the underground. In a blog posting* Friday evening, Milpitas, Calif. based security vendor FireEye said it found that the Web site for the Council on Foreign Relations was compromised and rigged to exploit a previously undocumented flaw in IE8 to install malicious software on vulnerable PCs used to browse the site. According to FireEye, the attack uses Adobe Flash to exploit a vulnerability in the latest (fully-patched) version of IE8..."
* http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html
2012.12.28 - "... we received reports that the Council on Foreign Relations (CFR) website was compromised and hosting malicious content on or around 2:00 PM EST on Wednesday, December 26. Through our Malware Protection Cloud, we can confirm that the website was compromised at that time, but we can also confirm that the CFR website was also hosting the malicious content as early as Friday, December 21... We can also confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability. We have chosen not to release the technical details of this exploit, as Microsoft is still investigating the vulnerability at this time... the JavaScript proceeded to load a flash file today.swf, which ultimately triggered a heap spray in Internet Explorer in order to complete the compromise of the endpoint..."
Update: "... We have seen multiple variations of this attack, as it looks like the attackers changed tactics multiple times during this campaign... Here is the decrypted payload.
- https://www.virustotal.com/file/af5775caa4b2e2fa0a40a425b1277a00067a762469fcb13e0ca6deaa740780b9/analysis/
File name: base
Detection ratio: 21/45
Analysis date: 2012-12-31
- https://krebsonsecurity.com/2012/12/attackers-target-internet-explorer-zero-day-flaw/#comments
Dec 29, 2012 - "... worth noting that IE9 is not supported on Windows XP, so this vulnerability is probably most dangerous for XP users who browse with IE."
___
- https://secunia.com/advisories/51695/
Release Date: 2012-12-30
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: IE 6.x, 7.x, 8.x
... currently being actively exploited in targeted attacks.
Original Advisory: http://technet.microsoft.com/en-us/security/advisory/2794220
- http://h-online.com/-1775071
30 Dec 2012
- http://www.kb.cert.org/vuls/id/154201
29 Dec 2012
___
MS Security Advisory (2794220)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://technet.microsoft.com/en-us/security/advisory/2794220
Dec 29, 2012 - "Microsoft is investigating public reports of a vulnerability in IE6, IE7, and IE8. Internet Explorer 9 and Internet Explorer 10 are -not- affected by the vulnerability. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8. The vulnerability is a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs..."
CVE Reference:
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4792
"... exploited in the wild in December 2012."
- https://blogs.technet.com/b/msrc/archive/2012/12/29/microsoft-releases-security-advisory-2794220.aspx?Redirected=true
Dec 29, 2012 - "... we are actively working to develop a security update to address this issue..."
- https://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx?Redirected=true
29 Dec 2012 - "... We’re also working on an appcompat shim-based Fix It protection tool that can be used to protect systems until the comprehensive update is available. The shim does not address the vulnerability but does prevent the vulnerability from being exploited for code execution... we’re working around the clock on the full security update. You should next expect to see an update from us announcing the availability of a Fix It tool to block the vulnerable code paths..."
AplusWebMaster
2012-12-31, 15:25
FYI...
Targeted 0-day attack - IE 6, 7, and 8
- https://isc.sans.edu/diary.html?storyid=14776
Last Updated: 2012-12-30 22:06:53 UTC... Version: 2 - "... Update:
There is now a Metasploit module (ie_cdwnbindinfo_uaf) that emulates this attack, meaning this will move in to mainstream exploitation rapidly, thus mitigation steps should be taken so soon as possible. Home users running XP should be looking to use another browser as their primary method of browsing the web, and corporate security staff should review Microsoft’s recommendations to build a layered defence to protect staff..."
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4792 - 9.3 (HIGH)
Last revised: 12/31/2012 - "Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8... exploited in the wild in December 2012..."
- https://secunia.com/advisories/51695/
Release Date: 2012-12-30
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: IE 6.x, 7.x, 8.x
... currently being actively exploited in targeted attacks.
Original Advisory: http://technet.microsoft.com/en-us/security/advisory/2794220
:fear::fear:
AplusWebMaster
2012-12-31, 21:09
FYI...
MS FixIt released for IE 0-day...
MS Security Advisory (2794220)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://technet.microsoft.com/en-us/security/advisory/2794220
V1.1 (December 31, 2012): Added link to Microsoft Fix it* solution, "MSHTML Shim Workaround," that prevents exploitation of this issue.
* http://support.microsoft.com/kb/2794220#FixItForMe
Last Review: Dec 31, 2012 - Rev 1.0
Applies to: IE8, IE7, IE6...
- https://blogs.technet.com/b/srd/archive/2012/12/31/microsoft-quot-fix-it-quot-available-for-internet-explorer-6-7-and-8.aspx?Redirected=true
31 Dec 2012
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4792 - 9.3 (HIGH)
___
- https://windowssecrets.com/windows-secrets/a-windows-patching-december-to-remember/
Jan 2, 2013
> http://www.microsoft.com/security/pc-security/bulletins/201212.aspx
>> http://forums.spybot.info/showpost.php?p=435553&postcount=51
7 Jan 2013
:fear:
AplusWebMaster
2013-01-03, 19:20
FYI...
MS Security Advisory (2798897)
Fraudulent Digital Certificates Could Allow Spoofing
- http://technet.microsoft.com/en-us/security/advisory/2798897
Jan 03, 2013 - "Microsoft is aware of active attacks using one fraudulent digital certificate issued by TURKTRUST Inc., which is a CA present in the Trusted Root Certification Authorities Store. This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows. TURKTRUST Inc. incorrectly created two subsidiary CAs (*.EGO.GOV.TR and e-islam.kktcmerkezbankasi.org). The *.EGO.GOV.TR subsidiary CA was then used to issue a fraudulent digital certificate to *.google.com. This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties. To help protect customers from the fraudulent use of this digital certificate, Microsoft is updating the Certificate Trust list (CTL) and is providing an update for all supported releases of Microsoft Windows that removes the trust of certificates that are causing this issue... see Microsoft Knowledge Base Article 2677070 for details..."
* http://support.microsoft.com/kb/2677070
___
- http://h-online.com/-1777291
4 Jan 2013 - "... Mozilla will be adding the two SubCA certificates to its certificate blacklist during its next update, which is due on 8 January... Chrome has also been updated and no longer trusts the SubCA certificates; the company says that when it updates Chrome later in the month it will no longer show Extended Validation status for TURKTRUST issued certificates."
:fear:
AplusWebMaster
2013-01-07, 17:07
FYI...
IE FixIt negated with bypass ...
- http://www.securitytracker.com/id/1027930
CVE Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4792 - 9.3 (HIGH)
Updated: Jan 4 2013
Original Entry Date: Dec 30 2012
Impact: Execution of arbitrary code via network, User access via network
Vendor Confirmed: Yes
Version(s): IE6,7,8
... the vendor has provided the Microsoft Fix it solution, "MSHTML Shim Workaround"... the Microsoft Fix it solution can be bypassed using a variation of the original exploit http://blog.exodusintel.com/2013/01/04/bypassing-microsofts-internet-explorer-0day-fix-it-patch-for-cve-2012-4792/
The vendor's advisory is available at:
http://technet.microsoft.com/en-us/security/advisory/2794220
Mitigation: Use an alternative browser until a full patch is released for this issue.
:fear:
AplusWebMaster
2013-01-08, 19:39
FYI...
- http://technet.microsoft.com/en-us/security/bulletin/ms13-jan
Jan 08, 2013 - "This bulletin summary lists security bulletins released for January 2013...
(Total of -7-)
Microsoft Security Bulletin MS13-001 - Critical
Vulnerability in Windows Print Spooler Components Could Allow Remote Code Execution (2769369)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-001
Critical - Remote Code Execution - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS13-002 - Critical
Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (2756145)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-002
Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft Office, Microsoft Developer Tools, Microsoft Server Software
Microsoft Security Bulletin MS13-003 - Important
Vulnerabilities in System Center Operations Manager Could Allow Elevation of Privilege (2748552)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-003
Important - Elevation of Privilege - Does not require restart - Microsoft Server Software
Microsoft Security Bulletin MS13-004 - Important
Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2769324)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-004
Important - Elevation of Privilege - May require restart - Microsoft Windows, Microsoft .NET Framework
Microsoft Security Bulletin MS13-005 - Important
Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-005
Important - Elevation of Privilege - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS13-006 - Important
Vulnerability in Microsoft Windows Could Allow Security Feature Bypass (2785220)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-006
Important - Security Feature Bypass - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS13-007 - Important
Vulnerability in Open Data Protocol Could Allow Denial of Service (2769327)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-007
Important - Denial of Service - May require restart - Microsoft Windows, Microsoft .NET Framework
___
ISC Analysis
- https://isc.sans.edu/diary.html?storyid=14854
Last Updated: 2013-01-08 18:02:06 UTC
___
Bulletin Deployment Priority
> https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/8284.January-2013-Deployment.png
Severity and Exploitability Index
> https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/7384.January-2013-Severity.png
- http://blogs.technet.com/b/msrc/archive/2013/01/08/predictions-and-the-january-2013-bulletin-release.aspx?Redirected=true
8 Jan 2013
___
- https://secunia.com/advisories/51640/ - MS13-001
- https://secunia.com/advisories/51773/ - MS13-002
- https://secunia.com/advisories/51686/ - MS13-003
- https://secunia.com/advisories/51777/ - MS13-004
- https://secunia.com/advisories/51704/ - MS13-005
- https://secunia.com/advisories/51724/ - MS13-006
- https://secunia.com/advisories/51772/ - MS13-007
___
MSRT
- https://support.microsoft.com/?kbid=890830
Last Review: January 9, 2013 - Revision: 118.7
- http://www.microsoft.com/security/pc-security/malware-families.aspx
"... added in this release...
• Ganelp
• Lefgroo..."
- https://blogs.technet.com/b/mmpc/archive/2013/01/08/msrt-january-2013-ganelp.aspx?Redirected=true
8 Jan 2013
Download:
- https://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16
File Name: Windows-KB890830-V4.16.exe - 16.8 MB
- https://www.microsoft.com/download/en/details.aspx?id=9905
x64 version of MSRT:
File Name: Windows-KB890830-x64-V4.16.exe - 17.5 MB
.
AplusWebMaster
2013-01-08, 22:48
FYI...
Microsoft Security Advisory (973811)
Extended Protection for Authentication
- http://technet.microsoft.com/en-us/security/advisory/973811
• V1.14 (January 8, 2013): Updated the FAQ and Suggested Actions with information about attacks against NTLMv1 (NT LAN Manager version 1) and LAN Manager (LM) network authentication. Microsoft Fix it solutions for Windows XP and Windows Server 2003 are available to help protect against these attacks. Applying these Microsoft Fix it solutions enables NTLMv2 settings required for users to take advantage of Extended Protection for Authentication.
Microsoft Security Advisory (2755801)
Update for Vulnerabilities in Adobe Flash Player in IE 10
- http://technet.microsoft.com/en-us/security/advisory/2755801
• V6.0 (January 8, 2013): Added KB2796096* to the Current update section.
* http://support.microsoft.com/kb/2796096
:fear::fear:
AplusWebMaster
2013-01-14, 15:03
FYI...
IE patch to be released 1.14.2013
- http://technet.microsoft.com/en-us/security/bulletin/ms13-jan
January 13, 2013 - Version: 2.0 - "This is an advance notification for one out-of-band security bulletin that Microsoft is intending to release on January 14, 2013. The bulletin addresses a security vulnerability in Internet Explorer..."
- https://blogs.technet.com/b/msrc/archive/2013/01/13/advance-notification-for-update-to-address-security-advisory-2794220.aspx?Redirected=true
"... We recommend that you install this update as soon as it is available. This update for Internet Explorer 6-8 will be made available through Windows Update and our other standard distribution channels. If you have automatic updates enabled on your PC, you won’t need to take any action. If you applied the Fix it released in Security Advisory 2794220, you won’t need to uninstall it before applying the security update..."
:fear:
AplusWebMaster
2013-01-14, 19:54
FYI...
Microsoft Security Bulletin MS13-008 - Critical
Security Update for Internet Explorer (2799329)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-008
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Jan 14, 2013
:fear:
AplusWebMaster
2013-01-15, 04:16
FYI...
Microsoft Security Advisory (2798897)
Fraudulent Digital Certificates Could Allow Spoofing
- http://technet.microsoft.com/en-us/security/advisory/2798897
V1.1 (January 14, 2013): Corrected the disallowed certificate list effective date to "Monday, December 31, 2012 (or later)" in the FAQ entry, "After applying the update, how can I verify the certificates in the Microsoft Untrusted Certificates Store?"
Microsoft Security Advisory (2794220)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://technet.microsoft.com/en-us/security/advisory/2794220
V2.0 (January 14, 2013): Advisory updated to reflect publication of security bulletin.
MS13-008
:fear:
AplusWebMaster
2013-02-12, 21:00
FYI...
- http://technet.microsoft.com/en-us/security/bulletin/ms13-feb
February 12, 2013 - "This bulletin summary lists security bulletins released for February 2013...
(Total of -12-)
Microsoft Security Bulletin MS13-009 - Critical
Cumulative Security Update for Internet Explorer (2792100)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-009
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Microsoft Security Bulletin MS13-010 - Critical
Vulnerability in Vector Markup Language Could Allow Remote Code Execution (2797052)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-010
Critical - Remote Code Execution - May require restart - Microsoft Windows, Internet Explorer
Microsoft Security Bulletin MS13-011 - Critical
Vulnerability in Media Decompression Could Allow Remote Code Execution (2780091)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-011
Critical - Remote Code Execution - May require restart - Microsoft Windows
Microsoft Security Bulletin MS13-012 - Critical
Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2809279)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-012
Critical - Remote Code Execution - May require restart - Microsoft Server Software
Microsoft Security Bulletin MS13-020 - Critical
Vulnerability in OLE Automation Could Allow Remote Code Execution (2802968)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-020
Critical - Remote Code Execution - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS13-013 - Important
Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution (2784242)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-013
Important - Remote Code Execution - May require restart - Microsoft Office, Microsoft Server Software
Microsoft Security Bulletin MS13-014 - Important
Vulnerability in NFS Server Could Allow Denial of Service (2790978)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-014
Important - Denial of Service - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS13-015 - Important
Vulnerability in .NET Framework Could Allow Elevation of Privilege (2800277)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-015
Important - Elevation of Privilege - May require restart - Microsoft Windows, Microsoft .NET Framework
Microsoft Security Bulletin MS13-016 - Important
Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778344)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-016
Important - Elevation of Privilege - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS13-017 - Important
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2799494)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-017
Important - Elevation of Privilege - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS13-018 - Important
Vulnerability in TCP/IP Could Allow Denial of Service (2790655)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-018
Important - Denial of Service - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS13-019 - Important
Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege (2790113)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-019
Important - Elevation of Privilege - Requires restart - Microsoft Windows
___
Bulletin Deployment Priority
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/0207.Overview-Slide-2-_2D00_-png.png
Severity and Exploitability Index
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/1738.Overview-Slide-1-_2D00_-png.png
- http://blogs.technet.com/b/msrc/archive/2013/02/12/baseball-bulletins-and-the-february-2013-release.aspx?Redirected=true
"... 12 bulletins, five Critical-class and seven Important-class, addressing 57 vulnerabilities in Microsoft Windows, Office, Internet Explorer, Exchange and .NET Framework..."
___
ISC Analysis
- https://isc.sans.edu/diary.html?storyid=15142
Last Updated: 2013-02-13
- http://atlas.arbor.net/briefs/index#332003461
High Severity
Feb 13, 2013
Analysis: Many attackers are likely frustrated that their vulnerabilities have now been patched. However, those same attackers still have a significant window of opportunity because not everyone can, or will patch in a timely manner, as has been clearly demonstrated in the widespread use of commodity exploit kits as well as numerous targeted attacks that continue to reign in victims despite vulnerabilities being patched years ago in some cases. The most critical patches are for Internet Explorer, a major target for exploitation due to its widespread use. Additional hardening in sensitive environments can help reduce the impact of exploitation attempts until patches can be deployed, and robust monitoring can help detect those exploit attempts to provide valuable security intelligence...
___
- https://secunia.com/advisories/52122/ - MS13-009
- https://secunia.com/advisories/52129/ - MS13-010
- https://secunia.com/advisories/52130/ - MS13-011
- https://secunia.com/advisories/52133/ - MS13-012
- https://secunia.com/advisories/52136/ - MS13-013
- https://secunia.com/advisories/52138/ - MS13-014
- https://secunia.com/advisories/52143/ - MS13-015
- https://secunia.com/advisories/52156/ - MS13-016
- https://secunia.com/advisories/52157/ - MS13-017
- https://secunia.com/advisories/52158/ - MS13-018
- https://secunia.com/advisories/52162/ - MS13-019
- https://secunia.com/advisories/52184/ - MS13-020
- https://secunia.com/advisories/52164/ - IE10 Flash
___
MSRT
- https://support.microsoft.com/?kbid=890830
Last Review: February 12, 2013 - Revision: 119.0
- http://www.microsoft.com/security/pc-security/malware-families.aspx
"... added in this release...
• Sirefef..."
Download:
- https://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16
File Name: Windows-KB890830-V4.17.exe - 17.6 MB
- https://www.microsoft.com/download/en/details.aspx?id=9905
x64 version of MSRT:
File Name: Windows-KB890830-x64-V4.17.exe - 18.3 MB
.
AplusWebMaster
2013-02-26, 22:44
FYI...
Win7 IE10 released
- http://windows.microsoft.com/en-us/internet-explorer/downloads/ie-10/worldwide-languages
Feb 26, 2013
"Catch 22" ...
- http://arstechnica.com/information-technology/2013/02/internet-explorer-10-finally-released-for-windows-7/
Feb 26, 2013 - "... Windows Update will, in its default configuration, install it silently and automatically. Over the coming months, Microsoft will classify Internet Explorer 10 as "important" in more and more markets to ensure it is installed automatically as widely as possible. This marks a significant change from Microsoft's past practices. Traditionally, the company has released new browsers only as optional updates... Internet Explorer 10 on Windows 7 will be near-identical to its Windows 8 counterpart. This includes features such as support for the Pointer Events touch API and hardware acceleration using Direct2D and DirectWrite. To that end, installing Internet Explorer 10 on Windows 7 -requires- the installation of a platform update that brings Windows 7's version of these APIs in line with Windows 8... There will be one important difference between the versions, however. Internet Explorer 10 on Windows 8 includes an embedded version of Flash that gets its updates from Windows Update, rather than through Adobe's installer. On Windows 7, Flash will not be embedded. Instead, it will use the same ActiveX plugin as Internet Explorer 9 did. Updates will have to be installed using Adobe's updater, not Microsoft's."
___
From: Susan Bradley - http://msmvps.com/blogs/bradley/
Subject: Tracking BSOD's after KB2670838
- http://answers.microsoft.com/thread/66be9f5a-2257-4c4a-9c9c-5dc6f0f55d37
28 Feb 2013
I'd not be rushing that one out just yet
- https://www.infoworld.com/t/microsoft-windows/microsoft-pushes-another-botched-automatic-update-213802
March 04, 2013 - "... This buggy patch was part of the non-security-related patches typically released on the fourth Tuesday of the month. Since Microsoft switched the patch over to "Optional" on Thursday, it won't be offered automatically to those with Automatic Update turned on. But if you've already downloaded it, Windows may try to install it over and over again. If you've been bit by this bad patch, fortunately the solution is easy -- if you know where the problem came from and how to get rid of it.
> From a blue screen, re-start your PC. Click Start (yes, this is Windows 7) -> Control Panel -> Uninstall a Program. On the left, click the link to View Installed Updates. Scroll way down to KB 2670838, which should be at or near the top of the section marked Microsoft Windows. Double-click on the patch to uninstall it. Re-boot.
Next, just to make sure your system doesn't pick up the patch again, click Start -> Control Panel -> System and Security. Under Windows Update, click the link to Check for Updates. Click the link that says XX Optional Updates are Available. Right-click KB 2670383 and choose Hide.
And while you're at it, make sure Automatic Update is turned off. Last year, Microsoft pushed five different bad patches through Automatic Update. So far this year, the company is running at its usual rate of one really buggy patch every two or three months..."
IEv10 does not install on a hybrid graphics system
- http://support.microsoft.com/kb/2823483/en-us
Last Review: March 12, 2013 - Revision: 8.0
Applies to: Internet Explorer 10, Windows 7 Service Pack 1
___
- http://support.microsoft.com/kb/2670838
Last Review: February 26, 2013 - Revision: 4.0
"... a platform update for Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1. This update improves the features and performance of the following components:
• Direct2D
• DirectWrite
• Direct3D
• Windows Imaging Component (WIC)
• Windows Advanced Rasterization Platform (WARP)
• Windows Animation Manager (WAM)
• XPS Document API
• H.264 Video Decoder
• JPEG XR codec ..."
:fear::fear:
AplusWebMaster
2013-03-12, 18:31
FYI...
- http://technet.microsoft.com/en-us/security/bulletin/ms13-mar
March 12, 2013 - "This bulletin summary lists security bulletins released for March 2013.
(Total of -7-)
Microsoft Security Bulletin MS13-021 - Critical
Cumulative Security Update for Internet Explorer (2809289)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-021
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Microsoft Security Bulletin MS13-022 - Critical
Vulnerability in Silverlight Could Allow Remote Code Execution (2814124)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-022
Critical - Remote Code Execution - Does not require restart - Microsoft Silverlight
Microsoft Security Bulletin MS13-023 - Critical
Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2801261)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-023
Critical - Remote Code Execution - May require restart - Microsoft Office
Microsoft Security Bulletin MS13-024 - Critical
Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2780176)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-024
Critical - Elevation of Privilege - May require restart - Microsoft Office, Microsoft Server Software
Microsoft Security Bulletin MS13-025 - Important
Vulnerability in Microsoft OneNote Could Allow Information Disclosure (2816264)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-025
Important - Information Disclosure - May require restart - Microsoft Office
Microsoft Security Bulletin MS13-026 - Important
Vulnerability in Office Outlook for Mac Could Allow Information Disclosure (2813682)
- https://www.microsoft.com/technet/security/bulletin/MS13-026
Important - Information Disclosure - Does not require restart - Microsoft Office
Microsoft Security Bulletin MS13-027 - Important
Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2807986)
- http://technet.microsoft.com/en-us/security/bulletin/MS13-027
Important - Elevation of Privilege - Requires restart - Microsoft Windows
___
Bulletin Deployment Priority
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/1321.DP-Slide.PNG
Severity and Exploitability index
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/0878.Severity-Slide.PNG
- https://blogs.technet.com/b/msrc/archive/2013/03/12/evolving-response-and-the-march-2013-bulletin-release.aspx?Redirected=true
12 Mar 2013
- https://blogs.technet.com/b/srd/archive/2013/03/12/assessing-risk-for-the-march-2013-security-updates.aspx?Redirected=true
12 Mar 2013 - "... seven security bulletins addressing 20 CVE’s..."
- https://www.computerworld.com/s/article/9237536/Microsoft_s_latest_patches_squash_potential_USB_hijack
"... nine critical vulnerabilities in the bulletin MS13-021 for Internet Explorer. They affect -every- current version of Internet Explorer, versions 6 through 10..."
___
ISC Analysis
- https://isc.sans.edu/diary.html?storyid=15385
Last Updated: 2013-03-13 08:48:46 UTC
___
MSRT
- https://support.microsoft.com/?kbid=890830
Last Review: March 12, 2013 - Revision: 120.0
- http://www.microsoft.com/security/pc-security/malware-families.aspx
"... added in this release...
• Wecykler..."
- https://blogs.technet.com/b/mmpc/archive/2013/03/11/msrt-march-13-wecykler.aspx?Redirected=true
11 Mar 2013
Download:
- https://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16
File Name: Windows-KB890830-V4.18.exe - 18.6 MB
- https://www.microsoft.com/download/en/details.aspx?id=9905
x64 version of MSRT:
File Name: Windows-KB890830-x64-V4.18.exe - 19.3 MB
.
AplusWebMaster
2013-03-19, 17:47
FYI...
Windows 7 SP1 to start rolling out on Windows Update
- http://blogs.windows.com/windows/b/bloggingwindows/archive/2013/03/18/windows-7-sp1-to-start-rolling-out-on-windows-update.aspx
Mar 18, 2013 - "... Windows 7 RTM (with no service pack) will no longer be supported as of April 9th, 2013..."
:fear:
AplusWebMaster
2013-03-27, 00:31
FYI...
Microsoft Security Advisory (2819682)
Security Updates for Microsoft Windows Store Applications
- http://technet.microsoft.com/en-us/security/advisory/2819682
March 26, 2013 - "Microsoft is announcing the availability of security updates for Windows Store applications running on Windows 8, Windows RT, and Windows Server 2012 (Windows Server 2012 Server Core installations are not affected). The updates address vulnerabilities that are detailed in the Knowledge Base articles associated with each update..."
> http://support.microsoft.com/kb/2832006
March 26, 2013 - Revision: 1.0
Applies to:
Windows RT
Windows 8
Windows 8 Enterprise
Windows 8 Pro
Windows Server 2012 Datacenter
Windows Server 2012 Essentials
Windows Server 2012 Foundation
Windows Server 2012 Standard
___
- https://secunia.com/advisories/52779/
Release Date: 2013-03-27
Impact: Spoofing
Where: From remote...
Original Advisory:
- http://technet.microsoft.com/en-us/security/advisory/2819682
- http://support.microsoft.com/kb/2832006
:fear:
AplusWebMaster
2013-04-02, 14:56
FYI...
Skype v6.3.0.105 released
- https://secunia.com/advisories/52867/
Release Date: 2013-04-02
Criticality level: Moderately critical
Impact: Unknown
Where: From remote
... vulnerabilities are reported in versions prior to 6.3.0.105.
Solution: Update to version 6.3.0.105.
Original Advisory: http://blogs.skype.com/2013/03/14/skype-6-3-for-windows/
___
Skypemageddon by bitcoining
- https://www.securelist.com/en/blog/208194210/Skypemageddon_by_bitcoining
April 04 2013 - "... malware connects to its C2 server located in Germany... 213.165.68.138
- https://www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc780eaac4bba2b3872bc037/analysis/
File name: skype-img-04_04-2013-exe.exe
Detection ratio: 32/46
Analysis date: 2013-04-08
:fear::fear:
AplusWebMaster
2013-04-04, 19:35
FYI...
- https://technet.microsoft.com/en-us/security/bulletin/ms13-apr
April 04, 2013 - "This is an advance notification of security bulletins that Microsoft is intending to release on April 9, 2013...
(Total of -9-)
Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 2 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 3 - Important - Information Disclosure - May require restart - Microsoft Office, Microsoft Server Software
Bulletin 4 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 5 - Important - Denial of Service - Requires restart - Microsoft Windows
Bulletin 6 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 7 - Important - Elevation of Privilege - Requires restart - Microsoft Security Software
Bulletin 8 - Important - Elevation of Privilege - May require restart - Microsoft Office, Microsoft Server Software
Bulletin 9 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
.
AplusWebMaster
2013-04-09, 16:33
FYI...
MS - End of Support ...
- https://blogs.technet.com/b/rmilne/archive/2013/04/08/exchange-support-save-the-date-8th-april-2014.aspx?Redirected=true
8 Apr 2013 - "...
Outlook 2003 will transition out of extended support on 8th of April 2014
Exchange Server 2003 will transition out of extended support on 8th of April 2014
Windows XP will transition out of extended support on 8th of April 2014
Exchange 2010 SP2 will transition out of support on 8th April 2014
And as non Exchange specific item, please also note Windows 2003:
Windows Server 2003 will transition out of extended support on 14th of July 2015 ..."
:fear:
AplusWebMaster
2013-04-09, 19:30
FYI...
- https://technet.microsoft.com/en-us/security/bulletin/ms13-apr
April 09, 2013 - "This bulletin summary lists security bulletins released for April 2013...
(Total of -9-)
Microsoft Security Bulletin MS13-028 - Critical
Cumulative Security Update for Internet Explorer (2817183)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-028
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Microsoft Security Bulletin MS13-029 - Critical
Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2828223)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-029
Critical - Remote Code Execution - May require restart - Microsoft Windows
Microsoft Security Bulletin MS13-030 - Important
Vulnerability in SharePoint Could Allow Information Disclosure (2827663)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-030
Important - Information Disclosure - May require restart - Microsoft Office, Microsoft Server Software
Microsoft Security Bulletin MS13-031 - Important
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2813170)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-031
Important - Elevation of Privilege - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS13-032 - Important
Vulnerability in Active Directory Could Lead to Denial of Service (2830914)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-032
Important - Denial of Service - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS13-033 - Important
Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege (2820917)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-033
Important - Elevation of Privilege - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS13-034 - Important
Vulnerability in Microsoft Antimalware Client Could Allow Elevation of Privilege (2823482)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-034
Important - Elevation of Privilege - Requires restart - Microsoft Security Software
Microsoft Security Bulletin MS13-035 - Important
Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (2821818)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-035
Important - Elevation of Privilege - May require restart - Microsoft Office, Microsoft Server Software
Microsoft Security Bulletin MS13-036 - Important
Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege (2829996)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-036
Important - Elevation of Privilege - Requires restart - Microsoft Windows
V2.0 (April 11, 2013): Added links to Microsoft Knowledge Base Article 2823324 and Microsoft Knowledge Base Article 2839011 under Known Issues. Removed Download Center links for Microsoft security update 2823324. Microsoft recommends that customers uninstall this update. See the Update FAQ for details.
MS13-036: Description of the security update for the Windows file system kernel-mode driver (ntfs.sys):
* http://support.microsoft.com/kb/2823324/en-us
Last Review: April 11, 2013 - Revision: 2.1 - See: "Known issues with this security update... Microsoft recommends that customers -uninstall- this update..."
MS13-036: Description of the security update for the Windows kernel-mode driver (win32k.sys)
- http://support.microsoft.com/default.aspx?scid=kb;en-us;2808735
Last Review: April 9, 2013 - Revision: 1.0 - "Known issues with this security update: After you install this security update, certain Multiple Master fonts cannot be installed..."
___
Bulletin Deployment Priority
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/6354.20130409_2D00_Slide2.PNG
Severity and Exploitability Index
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/8637.20130409_2D00_Slide1.PNG
- http://blogs.technet.com/b/msrc/archive/2013/04/09/out-with-the-old-in-with-the-april-2013-security-updates.aspx?Redirected=true
- http://blogs.technet.com/b/srd/archive/2013/04/09/assessing-risk-for-the-april-2013-security-updates.aspx?Redirected=true
9 Apr 2013 - "... nine security bulletins addressing 13 CVE’s..."
___
ISC Analysis
- https://isc.sans.edu/diary.html?storyid=15577
Last Updated: 2013-04-09 17:59:33 UTC
___
- https://secunia.com/advisories/52874/ - MS13-028
- https://secunia.com/advisories/52911/ - MS13-029
- https://secunia.com/advisories/52914/ - MS13-030
- https://secunia.com/advisories/52916/ - MS13-031
- https://secunia.com/advisories/52917/ - MS13-032
- https://secunia.com/advisories/52919/ - MS13-033
- https://secunia.com/advisories/52921/ - MS13-034
- https://secunia.com/advisories/52928/ - MS13-035
- https://secunia.com/advisories/52930/ - MS13-036
___
MSRT
- https://support.microsoft.com/?kbid=890830
Last Review: April 9, 2013 - Revision: 121.0
- http://www.microsoft.com/security/pc-security/malware-families.aspx
"... added in this release...
• Babonock
• Redyms
• Vesenlosow..."
- https://blogs.technet.com/b/mmpc/archive/2013/04/09/msrt-april-2013-vesenlosow.aspx?Redirected=true
Download:
- https://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16
File Name: Windows-KB890830-V4.19.exe - 18.7 MB
- https://www.microsoft.com/download/en/details.aspx?id=9905
x64 version of MSRT:
File Name: Windows-KB890830-x64-V4.19.exe - 19.4 MB
.
AplusWebMaster
2013-04-11, 19:46
FYI...
MS13-036 problems - KB2823324 / KB2829996
- https://isc.sans.edu/diary.html?storyid=15593
Last Updated: 2013-04-11 02:13:03 UTC
- https://isc.sans.edu/diary/KB2823324+causing+boot+issues+in+Brazil+and+some+other+locales/15593#comment
Date: Wed, 10 Apr 2013 14:53:23 -0700
From: Susan Bradley - patchmanagement.org
Subject: MS13-036 / KB2829996
Getting early unconfirmed reports in Brazil that MS13-036 / KB2829996 is causing system hangs that require replacing ntfs.sys to get the machines up and running again so they can perform a system restore...
___
Stop 0xc000000e startup error in Windows 7 after you install security update 2823324*
- https://support.microsoft.com/kb/2839011
Last Review: April 12, 2013 - Revision: 2.0
"Microsoft is investigating behavior wherein systems may not recover from a restart or applications cannot load after security update 2823324 is applied. We recommend that customers uninstall this update. As an added precaution, Microsoft has removed the download links to the 2823324 update while we investigate..."
MS13-036: Description of the security update for the Windows file system kernel-mode driver (ntfs.sys):
* http://support.microsoft.com/kb/2823324/en-us
Last Review: April 12, 2013 - Revision: 2.2 - See: "Known issues with this security update..."
- https://blogs.technet.com/b/msrc/archive/2013/04/11/kb2839011-released-to-address-security-bulletin-update-issue.aspx?Redirected=true
MSRCTeam | 11 Apr 2013 7:10 PM
:sad: :fear:
AplusWebMaster
2013-04-18, 12:07
FYI...
Repair Disk for KB2823324 and KB2782476 (KB2840165)
To help customers who are experiencing difficulties restarting their systems after installation of security update 2823324
- https://www.microsoft.com/en-us/download/details.aspx?id=38435
4/17/2013
Thanks to Susan Bradley for posting it @ patchmanagement.org
:fear:
AplusWebMaster
2013-04-24, 02:45
FYI...
Microsoft Security Bulletin MS13-036 - Important
Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege (2829996)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-036
V3.0 (April 23, 2013): Rereleased bulletin to replace the 2823324 update with the 2840149 update for NTFS.sys when installed on supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. See the Update FAQ* for details.
* "To address known issues with security update 2823324, Microsoft rereleased bulletin MS13-036 to replace the 2823324 update with the 2840149 update for NTFS.sys when installed on all affected versions of Microsoft Windows. Security update 2823324 was expired on April 11, 2013. Microsoft strongly recommends that customers with the 2823324 update still installed should -uninstall- the update prior to applying the 2840149 update**. All customers should apply the 2840149 update, which replaces the expired 2823324 update."
** http://support.microsoft.com/kb/2840149
- https://blogs.technet.com/b/msrc/archive/2013/04/23/new-update-available-for-ms13-036.aspx?Redirected=true
23 Apr 2013
___
- http://technet.microsoft.com/en-us/security/bulletin/ms13-036
Updated: Wednesday, April 24, 2013
Revisions:
• V1.0 (April 9, 2013): Bulletin published.
• V2.0 (April 11, 2013): Added links to Microsoft Knowledge Base Article 2823324 and Microsoft Knowledge Base Article 2839011 under Known Issues. Removed Download Center links for Microsoft security update 2823324. Microsoft recommends that customers uninstall this update. See the Update FAQ for details.
• V2.1 (April 17, 2013): Added FAQs to provide additional guidance for customers who are having difficulties restarting their systems after installing security update 2823324. See the Update FAQ for details.
• V3.0 (April 23, 2013): Rereleased bulletin to replace the 2823324 update with the 2840149 update for NTFS.sys when installed on supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. See the Update FAQ for details.
• V3.1 (April 24, 2013): Corrected KB article hyperlink and incorrect KB numbers for Windows 7 for x64-based Systems and Windows Server 2008 R2 for Itanium-based Systems in the Affected Software table. These are informational changes only.
- https://windowssecrets.com/newsletter/going-google-apps-part-2-move-your-docs/#story6
April 24, 2013
MS13-036 (2808735, 2823324, 2840149)
> A Windows kernel update causes havoc for some
"... recommend keeping KB 2808735, also included in MS13-036, on hold, too ..."
:fear:
AplusWebMaster
2013-05-04, 05:39
FYI...
Microsoft Security Advisory (2847140)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://technet.microsoft.com/en-us/security/advisory/2847140
May 03, 2013 - "Microsoft is investigating public reports of a vulnerability in IEv8. Microsoft is aware of attacks that attempt to exploit this vulnerability. Internet Explorer 6, Internet Explorer 7, Internet Explorer 9, and Internet Explorer 10 are not affected by the vulnerability.
This is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs..."
- https://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx?Redirected=true
3 May 2013 - "... impacts Internet Explorer 8... This issue allows remote code execution if users browse to a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message..."
___
- http://arstechnica.com/security/2013/05/internet-explorer-zero-day-exploit-targets-nuclear-weapons-researchers/
May 4, 2013
- http://www.invincea.com/2013/05/part-2-us-dept-labor-watering-hole-pushing-poison-ivy-via-ie8-zero-day/
May 3, 2013 - "... driveby download exploit of IE8... to install the Poison Ivy backdoor Trojan..."
- https://www.virustotal.com/en/file/ea80dba427e7e844a540286faaccfddb6ef2c10a4bc6b27e4b29ca2b30c777fb/analysis/
File name: stub.EXE
Detection ratio: 26/46
Analysis date: 2013-05-02
- http://www.securitytracker.com/id/1028514
CVE Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1347
May 4 2013
Vendor Confirmed: Yes
Version(s): 8
Versions 6, 7, 9, and 10 are not affected.
Impact: A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: No solution was available at the time of this entry.
The vendor's advisory is available at:
http://technet.microsoft.com/en-us/security/advisory/2847140
:mad:
AplusWebMaster
2013-05-06, 19:40
FYI...
IE8 0-Day update ...
- https://isc.sans.edu/diary.html?storyid=15734
Last Updated: 2013-05-06 14:33:57 UTC - "... a Metasploit module was released to exploit the recent Internet Explorer 8 vulnerability. The vulnerability has also been assigned CVE-2013-1347..."
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1347 - 10.0 (HIGH)
Last revised: 05/06/2013 - "... as exploited in the wild in May 2013."
- http://technet.microsoft.com/security/advisory/2847140
May 03, 2013
:fear::fear:
AplusWebMaster
2013-05-09, 05:45
FYI...
Fix it for IEv8 available
- http://support.microsoft.com/kb/2847140#FixItForMe
Last Review: May 9, 2013 - Revision: 2.0 - "... CVE-2013-1347 MSHTML Shim Workaround... To enable or disable this Fix it solution, click the Fix it button or link under the Enable heading or under the Disable heading, click Run in the File Download dialog box, and then follow the steps in the Fix it wizard..." Microsoft Fix it 50992
- https://blogs.technet.com/b/msrc/archive/2013/05/08/fix-it-for-security-advisory-2847140-is-available.aspx?Redirected=true
8 May 2013 - "... applying the Fix it does not require a reboot. We encourage all customers using Internet Explorer 8 to apply this Fix it to help protect their systems..."
- http://technet.microsoft.com/en-us/security/advisory/2847140
• V1.1 (May 8, 2013): Added link to Microsoft Fix it solution, "CVE-2013-1347 MSHTML Shim Workaround," that prevents exploitation of this issue.
- http://www.securitytracker.com/id/1028514
"... This is currently being actively exploited in targeted attacks. Solution: ... As a workaround apply the Microsoft Fix it solution "CVE-2013-1347 MSHTML Shim Workaround" to mitigate the vulnerability..."
:fear:
AplusWebMaster
2013-05-14, 20:02
FYI...
- https://technet.microsoft.com/en-us/security/bulletin/ms13-may
May 14, 2013 - "This bulletin summary lists security bulletins released for May 2013...
(Total of -10-)
Microsoft Security Bulletin MS13-037 - Critical
Cumulative Security Update for Internet Explorer (2829530)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-037
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Microsoft Security Bulletin MS13-038 - Critical
Security Update for Internet Explorer (2847204)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-038
Critical - Remote Code Execution - May require restart - Microsoft Windows, Internet Explorer
Microsoft Security Bulletin MS13-039 - Important
Vulnerability in HTTP.sys Could Allow Denial of Service (2829254)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-039
Important - Denial of Service - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS13-040 - Important
Vulnerabilities in .NET Framework Could Allow Spoofing (2836440)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-040
Important - Spoofing - May require restart - Microsoft Windows, Microsoft .NET Framework
Microsoft Security Bulletin MS13-041 - Important
Vulnerability in Lync Could Allow Remote Code Execution (2834695)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-041
Important - Remote Code Execution - May require restart - Microsoft Lync
Microsoft Security Bulletin MS13-042 - Important
Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2830397)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-042
Important - Remote Code Execution - May require restart - Microsoft Office
Microsoft Security Bulletin MS13-043 - Important
Vulnerability in Microsoft Word Could Allow Remote Code Execution (2830399)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-043
Important - Remote Code Execution - May require restart - Microsoft Office
Microsoft Security Bulletin MS13-044 - Important
Vulnerability in Microsoft Visio Could Allow Information Disclosure (2834692)
- https://technet.microsoft.com/en-ca/security/bulletin/ms13-044
Important - Information Disclosure - May require restart - Microsoft Office
Microsoft Security Bulletin MS13-045 - Important
Vulnerability in Windows Essentials Could Allow Information Disclosure (2813707)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-045
Important - Information Disclosure - May require restart - Microsoft Windows Essentials
Microsoft Security Bulletin MS13-046 - Important
Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2840221)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-046
Important - Elevation of Privilege - Requires restart - Microsoft Windows
___
- http://blogs.technet.com/b/msrc/archive/2013/05/13/microsoft-customer-protections-for-may-2013.aspx?Redirected=true
"... 10 bulletins, addressing 33 vulnerabilities in Microsoft products..."
Bulletin Deployment Priority
> https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/8787.Deployment-Priority.png
Severity and Exploitability Index
> https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/6685.Severity-and-Exploitability-Index.png
MS13-037 addressing Pwn2own vulnerabilities
- https://blogs.technet.com/b/srd/archive/2013/05/14/ms13-037-addressing-pwn2own-vulnerabilities.aspx?Redirected=true
14 May 2013
___
May 2013 Security Bulletin Webcast Q&A
- https://blogs.technet.com/b/msrc/p/may-2013-security-bulletin-q-a.aspx?Redirected=true
May 15, 2013
___
ISC Analysis
- https://isc.sans.edu/diary.html?storyid=15791
Last Updated: 2013-05-14 17:52:27 UTC
___
- https://secunia.com/advisories/53327/ - MS13-037
- https://secunia.com/advisories/53314/ - MS13-038 - IE 8
- https://secunia.com/advisories/53340/ - MS13-039
- https://secunia.com/advisories/53350/ - MS13-040
- https://secunia.com/advisories/53363/ - MS13-041
- https://secunia.com/advisories/53370/ - MS13-042
- https://secunia.com/advisories/53379/ - MS13-043
- https://secunia.com/advisories/53380/ - MS13-044
- https://secunia.com/advisories/53383/ - MS13-045
- https://secunia.com/advisories/53385/ - MS13-046
___
MSRT
- https://support.microsoft.com/?kbid=890830
Last Review: May 14, 2013 - Revision: 122.0
- https://blogs.technet.com/b/mmpc/archive/2013/05/14/don-t-pay-the-rogue-scan-with-msrt.aspx?Redirected=true
14 May 2013 - "... added three new families to this month’s Malicious Software Removal Tool (MSRT): Win32/FakeDef, Win32/Vicenor, and Win32/Kexqoud..."
(More detail and Screenshots at the URL above.)
Download:
- https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx
File Name: Windows-KB890830-V4.20.exe - 19.3 MB
Windows Malicious Software Removal Tool x64:
File Name: Windows-KB890830-x64-V4.20.exe - 20.0 MB
___
- https://krebsonsecurity.com/2013/05/microsoft-adobe-push-critical-security-updates-2/
"<soapbox>On a side note... Dear Microsoft: Please stop asking people to install Silverlight every time they visit a Microsoft.com property. I realize that Silverlight is a Microsoft product, but it really is not needed to view information about security updates. In keeping with the principle of reducing the attack surface of an operating system, you should not be foisting additional software on visitors who are coming to you for information on how to fix bugs and vulnerabilities in Microsoft products that they already have installed. </soapbox>"
> https://krebsonsecurity.com/wp-content/uploads/2013/05/MSsilverlight.png
.
AplusWebMaster
2013-05-14, 21:25
FYI...
Microsoft Security Advisory (2847140)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://technet.microsoft.com/en-us/security/advisory/2847140
Updated: Tuesday, May 14, 2013 Version: 2.0 - "... We have issued MS13-038* to address this issue..."
* https://technet.microsoft.com/en-us/security/bulletin/ms13-038
Microsoft Security Advisory (2820197)
Update Rollup for ActiveX Kill Bits
- http://technet.microsoft.com/en-us/security/advisory/2820197
May 14, 2013 - "... This update includes kill bits to prevent the following ActiveX controls from being run in Internet Explorer:
• Honeywell Enterprise Buildings Integrator. The following Class Identifier relates to a request by Honeywell to set a kill bit for an ActiveX control that is vulnerable. The class identifier (CLSIDs) for this ActiveX control is:
{0d080d7d-28d2-4f86-bfa1-d582e5ce4867}
• SymmetrE and ComfortPoint Open Manager. The following Class Identifier relates to a request by Honeywell to set a kill bit for an ActiveX control that is vulnerable. The class identifier (CLSIDs) for this ActiveX control is:
{29e9b436-dfac-42f9-b209-bd37bafe9317} ..."
Microsoft Security Advisory (2846338)
Vulnerability in Microsoft Malware Protection Engine Could Allow Remote Code Execution
- http://technet.microsoft.com/en-us/security/advisory/2846338
May 14, 2013 - "... Only x64-based versions of the Malware Protection Engine are affected... The Microsoft Malware Protection Engine is a part of several Microsoft antimalware products. See the Affected Software section for a list of affected products..."
Microsoft Security Advisory (2755801)
Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10
- http://technet.microsoft.com/en-us/security/advisory/2755801
Updated: Tuesday, May 14, 2013 - "... update addresses the vulnerabilities described in Adobe Security bulletin APSB13-14*..."
* https://www.adobe.com/support/security/bulletins/apsb13-14.html
"... Flash Player 11.7.700.202 for Windows 8..."
:fear::fear::fear::fear: