Duqu TrueType 0-day exploit - notes ...
FYI...
No Microsoft patch is available (yet)
> http://windowssecrets.com/newsletter...pack-4/#inthe3
2011-12-01 - "... The workaround** denies access to t2embed.dll, causing the Duqu exploit to fail. But the Duqu Fix it also has an odd characteristic: it prompts Windows XP users to download two older Microsoft patches, MS10-001 (KB 972270) and MS10-076 (KB 982132) — patches most XP users have presumably already installed..."
** http://support.microsoft.com/kb/2639658#FixItForMe
Free Duqu detector from CrySyS
> http://windowssecrets.com/newsletter...pack-4/#inthe2
2011-12-01 - "... To see whether your system is vulnerable to Duqu, you can obtain a free Duqu detector from CrySyS*..."
* http://www.crysys.hu/duqudetector.html
.
MS Security Bulletin Advance Notification - December 2011
FYI...
- https://technet.microsoft.com/en-us/...letin/ms11-dec
December 08, 2011 - "This is an advance notification of security bulletins that Microsoft is intending to release on December 13, 2011...
(Total of -14-)
Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 2 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 3 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 4 - Important - Information Disclosure - Requires restart - Microsoft Windows
Bulletin 5 - Important - Information Disclosure - May require restart - Microsoft Office
Bulletin 6 - Important - Information Disclosure - May require restart - Microsoft Office
Bulletin 7 - Important - Information Disclosure - May require restart - Microsoft Windows
Bulletin 8 - Important - Information Disclosure - May require restart - Microsoft Office
Bulletin 9 - Important - Information Disclosure - Requires restart - Microsoft Windows
Bulletin 10 - Important - Information Disclosure - May require restart - Microsoft Office
Bulletin 11 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 12 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 13 - Important - Elevation of Privilege - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 14 - Important - Elevation of Privilege - May require restart - Microsoft Office
___
- https://www.computerworld.com/s/arti...and_BEAST_bugs
December 8, 2011 - "... Among the patches will be ones that plug the hole used by the Duqu intelligence-gathering Trojan, and fix the SSL (secure socket layer) 3.0 and TLS (transport layer security) 1.0 bug popularized three months ago by the BEAST, for "Browser Exploit Against SSL/TLS," hacking tool..."
TrueType: http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-3402
Last revised: 11/07/2011
CVSS v2 Base Score: 9.3 (HIGH)
SSL/TLS: http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-3389
Last revised: 11/24/2011
CVSS v2 Base Score: 4.3 (MEDIUM)
___
- https://isc.sans.edu/diary.html?storyid=12169
Last Updated: 2011-12-08 21:43:23 UTC - "... gifts we will be presented with next week..."
.
MS Security Bulletin Summary - December 2011
FYI...
- https://technet.microsoft.com/en-us/...letin/ms11-dec
December 13, 2011 - "This bulletin summary lists security bulletins released for December 2011...
(Total of -13-)
Critical - 3
Microsoft Security Bulletin MS11-087 - Critical
Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)
- https://technet.microsoft.com/en-us/...letin/ms11-087
Critical - Remote Code Execution - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS11-090 - Critical
Cumulative Security Update of ActiveX Kill Bits (2618451)
- https://technet.microsoft.com/en-us/...letin/ms11-090
Critical - Remote Code Execution - May require restart - Microsoft Windows
Microsoft Security Bulletin MS11-092 - Critical
Vulnerability in Windows Media Could Allow Remote Code Execution (2648048)
- https://technet.microsoft.com/en-us/...letin/ms11-092
Critical - Remote Code Execution - May require restart - Microsoft Office
Important - 10
Microsoft Security Bulletin MS11-088 - Important
Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2652016)
- https://technet.microsoft.com/en-us/...letin/ms11-088
Important - Elevation of Privilege - May require restart - Microsoft Office
Microsoft Security Bulletin MS11-089 - Important
Vulnerability in Microsoft Office Could Allow Remote Code Execution (2590602)
- https://technet.microsoft.com/en-us/...letin/ms11-089
Important - Remote Code Execution - May require restart - Microsoft Office
Microsoft Security Bulletin MS11-091 - Important
Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2607702)
- https://technet.microsoft.com/en-us/...letin/ms11-091
Important - Remote Code Execution - May require restart - Microsoft Office
Microsoft Security Bulletin MS11-093 - Important
Vulnerability in OLE Could Allow Remote Code Execution (2624667)
- https://technet.microsoft.com/en-us/...letin/ms11-093
Important - Remote Code Execution - May require restart - Microsoft Windows
Microsoft Security Bulletin MS11-094 - Important
Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142)
- https://technet.microsoft.com/en-us/...letin/ms11-094
Important - Remote Code Execution - May require restart - Microsoft Office
Microsoft Security Bulletin MS11-095 - Important
Vulnerability in Active Directory Could Allow Remote Code Execution (2640045)
- https://technet.microsoft.com/en-us/...letin/ms11-095
Important - Remote Code Execution - May require restart - Microsoft Windows
Microsoft Security Bulletin MS11-096 - Important
Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2640241)
- https://technet.microsoft.com/en-us/...letin/ms11-096
Important - Remote Code Execution - May require restart - Microsoft Office
Microsoft Security Bulletin MS11-097 - Important
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege
- https://technet.microsoft.com/en-us/...letin/ms11-097
Important - Elevation of Privilege - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS11-098 - Important
Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171)
- https://technet.microsoft.com/en-us/...letin/ms11-098
Important - Elevation of Privilege - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS11-099 - Important
Cumulative Security Update for Internet Explorer (2618444)
- https://technet.microsoft.com/en-us/...letin/ms11-099
Important - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
___
Deployment Priority
- https://blogs.technet.com/cfs-filesy...D00_12-dep.png
Severity and Exploitability Index
- https://blogs.technet.com/cfs-filesy...D00_12-dep.png
- https://blogs.technet.com/b/msrc/arc...edirected=true
"... Why 13 bulletins and not 14, as we stated in the ANS announcement on Thursday? After that announcement, we discovered an apps-compatibility issue between one bulletin-candidate and a major third-party vendor... The issue addressed in that bulletin, which we have been monitoring and against which we have seen no active attacks in the wild, was discussed in Security Advisory 2588513*."
* https://technet.microsoft.com/en-us/...visory/2588513
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-3389
Last revised: 12/13/2011
CVSS v2 Base Score: 4.3 (MEDIUM)
- https://www.computerworld.com/s/arti...fixes_Duqu_bug
December 13, 2011 - "... scrubbed security update was to fix the SSL (secure socket layer) 3.0 and TLS (transport layer security) 1.0 bug demonstrated in September 2011 by researchers who crafted a hacking tool dubbed BEAST... SAP... was the third-party vendor who reported compatibility problems...."
___
ISC Analysis
- https://isc.sans.edu/diary.html?storyid=12193
Last Updated: 2011-12-14 02:29:09 UTC
___
Security Advisory updates:
Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege
- https://technet.microsoft.com/en-us/...visory/2639658
V2.0 (December 13, 2011): Advisory updated to reflect publication of security bulletin. MS11-087.
Insecure Library Loading Could Allow Remote Code Execution
- https://technet.microsoft.com/en-us/...visory/2269637
V13.0 (December 13, 2011): Added the following Microsoft Security Bulletins to the Updates relating to Insecure Library Loading section: MS11-099, "Cumulative Security Update for Internet Explorer;" and MS11-094, "Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution."
___
Insecure library loading - verified Secunia List
- https://secunia.com/community/adviso...brary_loading/
Number of products affected: 293
Number of vendors affected: 113
Number of Secunia Advisories issued: 215
Solution Status ...
___
- https://secunia.com/advisories/46724/ - MS11-087
- https://secunia.com/advisories/47062/ - MS11-088
- https://secunia.com/advisories/47098/ - MS11-089
- https://secunia.com/advisories/47099/ - MS11-090
- https://secunia.com/advisories/47117/ - MS11-092
- https://secunia.com/advisories/47207/ - MS11-093
- https://secunia.com/advisories/47208/ - MS11-094
- https://secunia.com/advisories/47213/ - MS11-094
- https://secunia.com/advisories/47202/ - MS11-095
- https://secunia.com/advisories/47203/ - MS11-096
- https://secunia.com/advisories/47210/ - MS11-097
- https://secunia.com/advisories/47204/ - MS11-098
- https://secunia.com/advisories/47212/ - MS11-099
___
MSRT
- http://support.microsoft.com/?kbid=890830
December 13, 2011 - Revision: 96.0
(Recent additions)
- http://www.microsoft.com/security/pc...-families.aspx
... added this release...
• Helompy
Download:
- http://www.microsoft.com/download/en...ylang=en&id=16
File Name: windows-kb890830-v4.3.exe - 14.5 MB
- https://www.microsoft.com/download/e...s.aspx?id=9905
x64 version of MSRT:
File Name: windows-kb890830-x64-v4.3.exe - 14.8 MB
- https://blogs.technet.com/b/mmpc/arc...edirected=true
13 Dec 2011
___
Dec. 2011 Security Bulletin Q&A:
- https://blogs.technet.com/b/msrc/arc...edirected=true
Dec. 14, 2011
.
Hash collision attacks ...
FYI...
- https://www.us-cert.gov/current/#mul...erable_to_hash
Dec. 29, 2011
- http://h-online.com/-1401863
Dec. 29, 2011
___
Microsoft Security Advisory (2659883)
Vulnerability in ASP.NET Could Allow Denial of Service
- https://technet.microsoft.com/en-us/...visory/2659883
December 28, 2011 - "Microsoft is aware of detailed information that has been published describing a new method to exploit hash tables. Attacks targeting this type of vulnerability are generically known as hash collision attacks. Attacks such as these are not specific to Microsoft technologies and affect other web service software providers. This vulnerability affects all versions of Microsoft .NET Framework and could allow for an unauthenticated denial of service attack on servers that serve ASP.NET pages. Sites that only serve static content or disallow dynamic content types listed in the mitigation factors below are not vulnerable.
The vulnerability exists due to the way that ASP.NET processes values in an ASP.NET form post causing a hash collision. It is possible for an attacker to send a small number of specially crafted posts to an ASP.NET server, causing performance to degrade significantly enough to cause a denial of service condition. Microsoft is aware of detailed information available publicly that could be used to exploit this vulnerability but is not aware of any active attacks.
Details of a workaround to help protect sites against this vulnerability are provided in this article. Individual implementations for sites using ASP.NET will vary and Microsoft strongly suggests customers evaluate the impact of the workaround for applicability to their implementations...
Workarounds - Configuration-based workaround
The following workaround configures the limit of the maximum request size that ASP.NET will accept from a client. Decreasing the maximum request size will decrease the susceptibility of the ASP.NET server to a denial of service attack..."
- http://support.microsoft.com/kb/2659883
December 28, 2011 - Revision: 2.0
- http://www.kb.cert.org/vuls/id/903934
2011-12-28
- https://isc.sans.edu/diary.html?storyid=12286
Last Updated: 2011-12-28 23:02:14 UTC ...(Version: 2)
___
- https://blogs.technet.com/b/srd/arch...edirected=true
27 Dec 2011 10:29 PM - "...if your website does need to accept user uploads, this workaround is likely to block legitimate requests. In that case, you should not use this workaround and instead wait for the comprehensive security update*..."
* Advanced Notification for out-of-band release to address Security Advisory 2659883
- https://blogs.technet.com/b/msrc/arc...edirected=true
28 Dec 2011 7:51 PM - "... The release is scheduled for December 29... The bulletin has a severity rating of Critical..."
___
- http://www.securitytracker.com/id/1026469
CVE Reference: CVE-2011-3414
Date: Dec 28 2011
Impact: Denial of service via network...
- http://www.ocert.org/advisories/ocert-2011-003.html
2011-12-28
- https://secunia.com/advisories/47323/ | https://secunia.com/advisories/47404/
- https://secunia.com/advisories/47405/ | https://secunia.com/advisories/47406/
- https://secunia.com/advisories/47407/ | https://secunia.com/advisories/47408/
- https://secunia.com/advisories/47411/ | https://secunia.com/advisories/47413/
- https://secunia.com/advisories/47414/ | https://secunia.com/advisories/47415/
Release Date: 2011-12-29
.
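Added example, not part of the original posts or of Microsoft's advisory: a constructed Python model of the hash collision behaviour that Advisory 2659883 describes, and of why a maximum-request-size limit reduces a server's exposure. The hash function, table, field names and the 2048-byte cap are assumptions made for illustration; this is not the .NET hash algorithm or the advisory's configuration value.

```python
import hashlib

PREFIX_LEN = 6  # the toy hash below only looks at this many characters


def toy_hash(key: str) -> int:
    """Constructed weak hash (NOT the .NET algorithm): mixes well, but ignores
    everything after the first PREFIX_LEN characters of the key."""
    digest = hashlib.sha256(key[:PREFIX_LEN].encode()).digest()
    return int.from_bytes(digest[:4], "big")


class ChainedTable:
    """Separate-chaining hash table that counts key comparisons on insert."""

    def __init__(self, buckets: int = 1024):
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def insert(self, key: str, value: str) -> None:
        chain = self.buckets[toy_hash(key) % len(self.buckets)]
        for i, (existing, _) in enumerate(chain):
            self.comparisons += 1
            if existing == key:
                chain[i] = (key, value)  # duplicate field: overwrite
                return
        chain.append((key, value))


class RequestTooLarge(Exception):
    pass


def parse_form(body: str, max_body_bytes=None) -> ChainedTable:
    """Parse 'k=v&k=v'. The size check runs before any key is hashed, which is
    what a maximum-request-size limit buys: it bounds the number of fields."""
    if max_body_bytes is not None and len(body.encode()) > max_body_bytes:
        raise RequestTooLarge(f"{len(body.encode())} > {max_body_bytes} bytes")
    table = ChainedTable()
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        table.insert(key, value)
    return table


def form_body(keys) -> str:
    return "&".join(f"{k}=1" for k in keys)


def ordinary_keys(n):   # constructed: distinct prefixes, spread over buckets
    return [f"{i:04d}_field" for i in range(n)]


def colliding_keys(n):  # constructed: shared 6-char prefix, one single chain
    return [f"fieldA{i:04d}" for i in range(n)]


def comparisons_for(keys, max_body_bytes=None) -> int:
    return parse_form(form_body(keys), max_body_bytes).comparisons


if __name__ == "__main__":
    CAP = 2048  # constructed limit in bytes, not a value from the advisory
    print("ordinary :", comparisons_for(ordinary_keys(1000)))
    print("colliding:", comparisons_for(colliding_keys(1000)))  # n*(n-1)/2
    print("capped   :", comparisons_for(colliding_keys(157), CAP))
```

Both 1000-field bodies are the same size (12,999 bytes); only the colliding one costs n(n-1)/2 = 499,500 comparisons. Under the 2048-byte cap at most 157 such fields fit, which bounds the work at 12,246 comparisons, and that cap is also why the workaround can reject legitimate large uploads.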
MS11-100 - .NET Framework ...
FYI...
Microsoft Security Bulletin MS11-100 - Critical
Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)
- https://technet.microsoft.com/en-us/.../ms11-100.mspx
December 29, 2011 - "This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site... This security update is rated Critical for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework 3.5.1, and Microsoft .NET Framework 4 on -all- supported editions of Microsoft Windows...
Collisions in HashTable May Cause DoS Vulnerability
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-3414 - 7.8 (HIGH)
Insecure Redirect in .NET Form Authentication Vulnerability
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-3415 - 6.8
ASP.Net Forms Authentication Bypass Vulnerability
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-3416 - 8.5 (HIGH)
ASP.NET Forms Authentication Ticket Caching Vulnerability
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-3417 - 9.3 (HIGH)
12/30/2011
Affected Software: Windows XP (all editions), Windows Server 2003 (all editions), Windows Vista (all editions), Windows Server 2008 (all editions), Windows 7 (all editions), Windows Server 2008 R2 (all editions) ..."
• V1.1 (December 30, 2011): Added entry to the Update FAQ to address security-rated changes to functionality contained in this update and added mitigation for CVE-2011-3414.
___
MSRC: https://blogs.technet.com/b/msrc/arc...edirected=true
29 Dec 2011 - "... Consumers are -not- vulnerable unless they are running a Web server from their computer..."
MS SRD: https://blogs.technet.com/b/srd/arch...edirected=true
29 Dec 2011
___
- https://secunia.com/advisories/47323/
Last Update: 2012-01-02
Criticality level: Moderately critical
Impact: Security Bypass, Spoofing, DoS
Where: From remote...
Original Advisory: MS11-100 (KB2638420, KB2656351, KB2656352, KB2656353, KB2656355, KB2656356, KB2656358, KB2656362, KB2657424):
http://technet.microsoft.com/en-us/s...letin/MS11-100
- http://www.securitytracker.com/id/1026479
Updated: Dec 30 2011
.
MS Security Bulletin Advance Notification - January 2012
FYI...
- https://technet.microsoft.com/en-us/...letin/ms12-jan
January 05, 2012 - "This is an advance notification of security bulletins that Microsoft is intending to release on January 10, 2012...
(Total of -7-)
Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 2 - Important - Security Feature Bypass - Requires restart - Microsoft Windows
Bulletin 3 - Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 4 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 5 - Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 6 - Important - Information Disclosure - Requires restart - Microsoft Windows
Bulletin 7 - Important - Information Disclosure - May require restart - Microsoft Developer Tools and Software
.
MS Security Bulletin Summary - January 2012
FYI...
- https://technet.microsoft.com/en-us/...letin/ms12-jan
January 10, 2012 - "This bulletin summary lists security bulletins released for January 2012...
(Total of -7-)
Microsoft Security Bulletin MS12-004 - Critical
Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)
- https://technet.microsoft.com/en-us/...letin/ms12-004
Critical - Remote Code Execution - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-001 - Important
Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2644615)
- https://technet.microsoft.com/en-us/...letin/ms12-001
Important - Security Feature Bypass - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-002 - Important
Vulnerability in Windows Object Packager Could Allow Remote Code Execution (2603381)
- https://technet.microsoft.com/en-us/...letin/ms12-002
Important - Remote Code Execution - May require restart - Microsoft Windows
Microsoft Security Bulletin MS12-003 - Important
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524)
- https://technet.microsoft.com/en-us/...letin/ms12-003
Important - Elevation of Privilege - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-005 - Important
Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2584146)
- https://technet.microsoft.com/en-us/...letin/ms12-005
Important - Remote Code Execution - May require restart - Microsoft Windows
Microsoft Security Bulletin MS12-006 - Important
Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)
- https://technet.microsoft.com/en-us/...letin/ms12-006
Important - Information Disclosure - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-007 - Important
Vulnerability in AntiXSS Library Could Allow Information Disclosure (2607664)
- https://technet.microsoft.com/en-us/...letin/ms12-007
Important - Information Disclosure - May require restart - Microsoft Developer Tools and Software
___
ISC Analysis
- https://isc.sans.edu/diary.html?storyid=12361
Last Updated: 2012-01-10 18:38:36 UTC
___
Deployment Priority
- https://blogs.technet.com/cfs-filesy...0_Priority.PNG
Severity and Exploitability Index
- https://blogs.technet.com/cfs-filesy...nd_5F00_XI.PNG
- https://blogs.technet.com/b/msrc/arc...edirected=true
___
- https://secunia.com/advisories/47356/ - MS12-001
- https://secunia.com/advisories/45189/ - MS12-002
- https://secunia.com/advisories/47479/ - MS12-003
- https://secunia.com/advisories/47485/ - MS12-004
- https://secunia.com/advisories/47480/ - MS12-005
- https://secunia.com/advisories/46168/ - MS12-006
- https://secunia.com/advisories/47483/ - MS12-007
- https://secunia.com/advisories/47516/ - MS12-007
- http://www.securitytracker.com/id/1026498 - MS12-006
___
MSRT
- http://support.microsoft.com/?kbid=890830
January 10, 2012 - Revision: 97.1
(Recent additions)
- http://www.microsoft.com/security/pc...-families.aspx
... added this release...
• Sefnit*
Download:
- http://www.microsoft.com/download/en...ylang=en&id=16
File Name: windows-kb890830-v4.4.exe - 13.8 MB
- https://www.microsoft.com/download/e...s.aspx?id=9905
x64 version of MSRT:
File Name: windows-kb890830-x64-v4.4.exe - 14.2 MB
* https://blogs.technet.com/b/mmpc/arc...edirected=true
10 Jan 2012 - "... Sefnit... often installed by different exploit kits including such as "Blackhole" (detected as Blacole), or distributed on file sharing networks with enticing "keygen" or "crack" styled file names..."
.
MS SSL/TLS advisory updated
FYI...
Microsoft Security Advisory (2588513)
Vulnerability in SSL/TLS Could Allow Information Disclosure
- https://technet.microsoft.com/en-us/...visory/2588513
Published: Monday, September 26, 2011 | Updated: Tuesday, January 10, 2012 - "We have issued MS12-006* to address this issue..."
* https://technet.microsoft.com/en-us/...letin/ms12-006
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-3389
* http://forums.spybot.info/showpost.p...9&postcount=33