MS12-020 exploit in-the-wild ...
FYI...
Tool Exploiting MS12-020 Vulnerabilities ...
- http://atlas.arbor.net/briefs/
Severity: Elevated Severity
Published: Wednesday, March 28, 2012 19:20
An easy-to-use denial of service tool for the Microsoft Remote Desktop Protocol vulnerability has been released.
Analysis: While a Metasploit module has been available for some time, a new, easy-to-use point-and-click tool lowers the bar. Organizations that have yet to patch should do so...
Source: http://www.f-secure.com/weblog/archives/00002338.html
MS12-020 exploit in-the-wild ...
- https://www.f-secure.com/weblog/archives/00002338.html
March 27, 2012 - "Since the public release of Microsoft's MS12-020 bulletin, there have been plenty of attempts to exploit vulnerabilities in the Remote Desktop Protocol (RDP). Last week, we received a related sample, which turned out to be a tool called "RDPKill by: Mark DePalma" that was designed to kill targeted RDP service. The tool was written with Visual Basic 6.0, and has a simple user interface. We tested it on machines running on Windows XP 32-bit and Windows 7 64-bit... Both the Windows XP 32-bit and the Windows 7 64-bit computers were affected by the Denial of Service (DoS) attack. The service crashed and triggered a "Blue Screen of Death" (BSoD) condition*...
* https://www.f-secure.com/weblog/arch...pkill_bsod.png
We detect this tool as Hack-Tool:W32/RDPKill.A. (SHA-1: 1d131a5f17d86c712988a2d146dc73367f5e5917). Besides RDPKill.A, other similar tools and a Metasploit module can also be found online. Due to their availability, an unpatched RDP server would be an easy target of DoS attack by attackers who might be experimenting with these tools. For those who still haven't patched their system, especially those running RDP service on their machines, we strongly advise you to do so as soon as possible..."
:fear::fear:
MS Security Bulletin Advance Notification - April 2012
FYI...
- https://technet.microsoft.com/en-us/...letin/ms12-apr
April 05, 2012 - "This is an advance notification of security bulletins that Microsoft is intending to release on April 10, 2012... (Total of -6-)
Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 2 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 3 - Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework
Bulletin 4 - Critical - Remote Code Execution - May require restart - Microsoft Office, Microsoft SQL Server, Microsoft Server Software, Microsoft Developer Tools
Bulletin 5 - Important - Information Disclosure - May require restart - Microsoft Forefront Unified Access Gateway
Bulletin 6 - Important - Remote Code Execution - May require restart - Microsoft Office
___
- https://blogs.technet.com/b/msrc/arc...edirected=true
5 Apr 2012 - "... 6 bulletins addressing 11 vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, Forefront UAG, and .NET Framework..."
MS Security Bulletin Summary - April 2012
FYI...
- http://technet.microsoft.com/en-us/s...letin/ms12-apr
April 10, 2012 - "This bulletin summary lists security bulletins released for April 2012...
(Total of -6-)
Critical -4-
Microsoft Security Bulletin MS12-023 - Critical
Cumulative Security Update for Internet Explorer (2675157)
- http://technet.microsoft.com/en-us/s...letin/ms12-023
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Microsoft Security Bulletin MS12-024 - Critical
Vulnerability in Windows Could Allow Remote Code Execution (2653956)
- http://technet.microsoft.com/en-us/s...letin/ms12-024
Critical - Remote Code Execution - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-025 - Critical
Vulnerability in .NET Framework Could Allow Remote Code Execution (2671605)
- http://technet.microsoft.com/en-us/s...letin/ms12-025
Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework
Microsoft Security Bulletin MS12-027 - Critical
Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258)
- http://technet.microsoft.com/en-us/s...letin/ms12-027
Critical - Remote Code Execution - May require restart - Microsoft Office, Microsoft SQL Server, Microsoft Server Software, Microsoft Developer Tools
Important -2-
Microsoft Security Bulletin MS12-026 - Important
Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Information Disclosure (2663860)
- http://technet.microsoft.com/en-us/s...letin/ms12-026
Important - Information Disclosure - May require restart - Microsoft Forefront Unified Access Gateway
Microsoft Security Bulletin MS12-028 - Important
Vulnerability in Microsoft Office Could Allow Remote Code Execution (2639185)
- http://technet.microsoft.com/en-us/s...letin/ms12-028
Important - Remote Code Execution - May require restart - Microsoft Office
___
- https://blogs.technet.com/b/msrc/arc...edirected=true
10 Apr 2012 - "... These bulletins will increase protection by addressing 11 CVEs. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on these Critical updates:
• MS12-027 (Windows Common Controls)...
• MS12-023 (Internet Explorer)..."
Bulletin Deployment Priority
- https://blogs.technet.com/cfs-file.a..._5F00_Prio.png
Severity and Exploitability Index
- https://blogs.technet.com/cfs-file.a...ev_5F00_XI.png
___
ISC Analysis
- https://isc.sans.edu/diary.html?storyid=12949
Last Updated: 2012-04-10 18:08:35 UTC
___
- https://secunia.com/advisories/48724/ - MS12-023
- https://secunia.com/advisories/48581/ - MS12-024
- https://secunia.com/advisories/48785/ - MS12-025
- https://secunia.com/advisories/48787/ - MS12-026
- https://secunia.com/advisories/48786/ - MS12-027
- https://secunia.com/advisories/48723/ - MS12-028
- http://www.securitytracker.com/id/1026901 - MS12-023
- http://www.securitytracker.com/id/1026906 - MS12-024
- http://www.securitytracker.com/id/1026907 - MS12-025
- http://www.securitytracker.com/id/1026909 - MS12-026
- http://www.securitytracker.com/id/1026899 - MS12-027
- http://www.securitytracker.com/id/1026900 - MS12-027
- http://www.securitytracker.com/id/1026902 - MS12-027
- http://www.securitytracker.com/id/1026903 - MS12-027
- http://www.securitytracker.com/id/1026904 - MS12-027
- http://www.securitytracker.com/id/1026905 - MS12-027
- http://www.securitytracker.com/id/1026910 - MS12-028
- http://www.securitytracker.com/id/1026911 - MS12-028
___
MSRT
- http://support.microsoft.com/?kbid=890830
April 10, 2012 - Revision: 101.0
(Recent additions)
- http://www.microsoft.com/security/pc...-families.aspx
... added this release...
• Bocinex
• Claretore
• Gamarue
- https://blogs.technet.com/b/mmpc/arc...edirected=true
10 Apr 2012
Download:
- http://www.microsoft.com/download/en...ylang=en&id=16
File Name: Windows-KB890830-V4.7.exe - 14.9 MB
- https://www.microsoft.com/download/e...s.aspx?id=9905
x64 version of MSRT:
File Name: Windows-KB890830-x64-V4.7.exe - 15.5 MB
MS12-025 .Net update affects printing ...
FYI...
- https://isc.sans.edu/diary.html?storyid=12994
Last Updated: 2012-04-15 00:28:11 UTC - "... the most recent Microsoft .Net framework update may have affected printing from some applications. TurboTax* has released an update to address this issue in their software and Microsoft has updated the MS12-025 KB article** to indicate they are aware of the problem..."
* http://turbotax.intuit.com/support/i.../SLN61229.html
** http://support.microsoft.com/kb/2671605
Last Review: April 14, 2012 - Revision: 2.0
"... Known issues with this security update: • We are currently aware of an issue with printing from a Windows Forms application. After the installation of these security updates, certain Windows Forms applications may not print, or may not honor specified printer settings when they do print. There is no impact on systems that do not use printing functionality from a .NET Framework Windows Forms application. The investigation into this issue is ongoing.
Workaround: To print from an affected Windows Forms application, print the content to a file on your computer instead of directly printing to a printer device. For example, print to a PDF, XPS, or any other supported format file. You can then open the file that you created and print directly from there..."
.NET Framework Parameter Validation Vulnerability
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-0163 - 9.3 (HIGH)
- https://technet.microsoft.com/en-us/...letin/ms12-025
V1.1 (April 13, 2012): Added a link to Microsoft Knowledge Base Article 2671605** under Known Issues in the Executive Summary.
:confused:
MS12-027 - FixIt solution Mscomctl.ocx
FYI...
Fix for an error in custom Office solutions that occurs after you install MS12-027
- http://support.microsoft.com/kb/2703186/en-us
Last Review: April 19, 2012 - Revision: 2.0 - "After you install the update solution in Office applications that use controls from Mscomctl.ocx, you may receive one or more of the following error messages:
> Object library invalid or contains references to object definitions that could not be found
> Element not found
> Cannot insert object ...
To enable or disable this fixit solution*, click the Fix it button or link under the Enable heading. Click Run in the File Download dialog box, and then follow the steps in the Fix it wizard...
* http://go.microsoft.com/?linkid=9806938
APPLIES TO:
Microsoft Office Excel 2003
Microsoft Office PowerPoint 2003
Microsoft Office Word 2003
Microsoft Office Excel 2007
Microsoft Office PowerPoint 2007
Microsoft Office Word 2007
Microsoft Excel 2010
Microsoft PowerPoint 2010
Microsoft Word 2010 ..."
___
- https://isc.sans.edu/diary.html?storyid=13063
Apr 26, 2012 - "Packetstorm Security and Metasploit have Exploit code for MS12-027"
- http://www.symantec.com/security_res...atconlearn.jsp
Apr 20, 2012 - "... MS12-027... Microsoft reports that this vulnerability is being exploited in the wild in specially crafted Office documents in limited, targeted attacks. Customers are advised to install all applicable updates as soon as possible..."
:fear:
MS12-027 - Exploit in the Wild...
FYI...
Microsoft Security Bulletin MS12-027 - Critical
Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258)
- https://technet.microsoft.com/en-us/...letin/ms12-027
• V2.0 (April 26, 2012): Added SP1 versions of SQL Server 2008 R2 to the Affected Software and added an entry to the update FAQ to explain which SQL Server 2000 update to use based on version ranges. These are informational changes only. There were no changes to the security update files or detection logic. For a complete list of changes, see the entry to the section, Frequently Asked Questions (FAQ) Related to This Security Update.
MS12-027
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-0158 - 9.3 (HIGH)
Last revised: 04/12/2012
CVE-2012-0158 Exploit in the Wild
- https://blogs.mcafee.com/mcafee-labs...it-in-the-wild
April 23, 2012 - "... many specially crafted files exploiting CVE-2012-0158, a vulnerability in MSCOMCTL.OCX in Microsoft Office and some other Microsoft products. This exploit can be implemented in a variety of file formats, including RTF, Word, and Excel files. We have already found crafted RTF and Word files in the wild. In the malicious RTF, a vulnerable OLE file is embedded with \object and \objocx tags... always exercise caution when opening unsolicited emails..."
:fear::fear:
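For triage of the RTF carrier described in the McAfee excerpt above, here is an added example (not from McAfee, Microsoft, or the original post): a small RTF tokenizer that reports every `\object` group and whether it carries `\objocx`. The function names and the sample strings are constructed for illustration; a hit means "review this attachment", not "confirmed CVE-2012-0158 exploit".

```python
import re

# RTF control word: backslash, letters, optional signed number, optional space.
_CTRL = re.compile(r"\\([a-zA-Z]+)(-?\d+)? ?")

def _finish(obj, found):
    obj.pop("depth")
    obj["ocx"] = "objocx" in obj["words"]
    found.append(obj)

def find_embedded_objects(rtf):
    """Return one dict per \\object group: offset, control words seen, ocx flag."""
    found, open_objs, depth, i = [], [], 0, 0
    while i < len(rtf):
        ch = rtf[i]
        if ch == "{":
            depth += 1
            i += 1
        elif ch == "}":
            # Close every object group that was opened at this depth.
            while open_objs and open_objs[-1]["depth"] == depth:
                _finish(open_objs.pop(), found)
            depth -= 1
            i += 1
        elif ch == "\\":
            m = _CTRL.match(rtf, i)
            if m:
                if m.group(1) == "object":
                    open_objs.append({"offset": i, "depth": depth, "words": []})
                for obj in open_objs:
                    obj["words"].append(m.group(1))
                i = m.end()
            elif rtf.startswith("\\'", i):
                i += 4      # \'hh hex escape
            else:
                i += 2      # control symbol: \\ \{ \} \* ...
        else:
            i += 1
    # Truncated or malformed files may never close the group; report it anyway.
    while open_objs:
        _finish(open_objs.pop(), found)
    return found

def has_ocx_object(rtf):
    return any(o["ocx"] for o in find_embedded_objects(rtf))

# Constructed samples, not real documents.
SUSPECT = r"{\rtf1\ansi{\object\objocx\objw100\objh100{\*\objdata 0105000002000000}}}"
BENIGN_OBJ = r"{\rtf1{\object\objemb{\*\objclass Excel.Sheet.8}{\*\objdata 0105}}}"
PLAIN_TEXT = r"{\rtf1 The tags \\object and \\objocx are just text here.}"

if __name__ == "__main__":
    for name in ("SUSPECT", "BENIGN_OBJ", "PLAIN_TEXT"):
        print(name, has_ocx_object(globals()[name]))
```

Because it tokenizes rather than searching for substrings, escaped backslashes in body text (the `PLAIN_TEXT` sample) do not trigger a hit, and an unterminated `\object` group is still reported.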
MS Security Bulletin Advance Notification - May 2012
FYI...
- https://technet.microsoft.com/en-us/...letin/ms12-may
May 03, 2012 - "This is an advance notification of security bulletins that Microsoft is intending to release on May 8, 2012... (Total of -7-)
Bulletin 1 - Critical - Remote Code Execution - May require restart - Microsoft Office
Bulletin 2 - Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework, Microsoft Silverlight, Microsoft Office
Bulletin 3 - Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework
Bulletin 4 - Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 5 - Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 6 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 7 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
___
- https://www.computerworld.com/s/arti..._for_next_week
May 03, 2012 - "... to patch 23 bugs in Windows, Office and its Silverlight and .Net development platforms..."
- http://h-online.com/-1568457
4 May 2012
MS Security Bulletin Summary - May 2012
FYI...
- https://technet.microsoft.com/en-us/...letin/ms12-may
May 08, 2012 - "This bulletin summary lists security bulletins released for May 2012...
(Total of -7-)
Critical -3-
Microsoft Security Bulletin MS12-029 - Critical
Vulnerability in Microsoft Word Could Allow Remote Code Execution (2680352)
- https://technet.microsoft.com/en-us/...letin/MS12-029
Critical - Remote Code Execution - May require restart - Microsoft Office
Microsoft Security Bulletin MS12-034 - Critical
Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)
- https://technet.microsoft.com/en-us/...letin/ms12-034
Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework, Microsoft Silverlight, Microsoft Office
Microsoft Security Bulletin MS12-035 - Critical
Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2693777)
- https://technet.microsoft.com/en-us/...letin/ms12-035
Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework
Important -4-
Microsoft Security Bulletin MS12-030 - Important
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2663830)
- https://technet.microsoft.com/en-us/...letin/ms12-030
Important - Remote Code Execution - May require restart - Microsoft Office
Microsoft Security Bulletin MS12-031 - Important
Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2597981)
- https://technet.microsoft.com/en-us/...letin/MS12-031
Important - Remote Code Execution - May require restart - Microsoft Office
Microsoft Security Bulletin MS12-032 - Important
Vulnerability in TCP/IP Could Allow Elevation of Privilege (2688338)
- https://technet.microsoft.com/en-us/...letin/ms12-032
Important - Elevation of Privilege - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-033 - Important
Vulnerability in Windows Partition Manager Could Allow Elevation of Privilege (2690533)
- https://technet.microsoft.com/en-us/...letin/ms12-033
Important - Elevation of Privilege - Requires restart - Microsoft Windows
___
- https://blogs.technet.com/b/msrc/arc...edirected=true
Bulletin Deployment Priority
- https://blogs.technet.com/cfs-filesy...5F00_Slide.PNG
Severity and Exploitability Index
- https://blogs.technet.com/cfs-filesy...5F00_Slide.PNG
___
ISC Analysis
- https://isc.sans.edu/diary.html?storyid=13159
Last Updated: 2012-05-08 18:06:14 UTC
- http://blogs.iss.net/archive/2012_05_MSFT_Super_T.html
• MS12-034: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight...
-Ten- vulnerabilities are addressed in this update, three of which are listed as publicly disclosed. The updates touch many parts of the operating system...
• MS12-035: Vulnerabilities in .NET Framework Could Allow Remote Code Execution
Two more vulnerabilities in .NET are addressed... These are separate vulnerabilities, but each involves problems in code responsible for serializing/deserializing data from/into an object. Exploitation via specially crafted .NET code can result in arbitrary code execution...
• MS12-029: Vulnerability in Microsoft Word Could Allow Remote Code Execution
A single vulnerability in Microsoft Office's RTF parser is addressed... This vulnerability can be exploited for remote code execution... The RTF parser is shared among Office components so vulnerabilities in the parser can be exploited via an email in Outlook rendered as RTF as well as document attachments.
___
- https://secunia.com/advisories/49111/ - MS12-029
- https://secunia.com/advisories/49112/ - MS12-030
- https://secunia.com/advisories/49113/ - MS12-031
- https://secunia.com/advisories/49114/ - MS12-032
- https://secunia.com/advisories/49115/ - MS12-033
- https://secunia.com/advisories/49119/ - MS12-034
- https://secunia.com/advisories/49120/ - MS12-034
- https://secunia.com/advisories/49121/ - MS12-034
- https://secunia.com/advisories/49122/ - MS12-034
- https://secunia.com/advisories/49117/ - MS12-035
- http://www.securitytracker.com/id/1027035 - MS12-029
- http://www.securitytracker.com/id/1027041 - MS12-030
- http://www.securitytracker.com/id/1027042 - MS12-031
- http://www.securitytracker.com/id/1027044 - MS12-032
- http://www.securitytracker.com/id/1027043 - MS12-033
- http://www.securitytracker.com/id/1027038 - MS12-034
- http://www.securitytracker.com/id/1027039 - MS12-034
- http://www.securitytracker.com/id/1027040 - MS12-034
- http://www.securitytracker.com/id/1027048 - MS12-034
- http://www.securitytracker.com/id/1027035 - MS12-035
___
MSRT
- http://support.microsoft.com/?kbid=890830
May 8, 2012 - Revision: 102.0
(Recent additions)
- http://www.microsoft.com/security/pc...-families.aspx
... added this release...
• Dishigy
• Unruy
Download:
- http://www.microsoft.com/download/en...ylang=en&id=16
File Name: Windows-KB890830-V4.8.exe - 15.4 MB
- https://www.microsoft.com/download/e...s.aspx?id=9905
x64 version of MSRT:
File Name: Windows-KB890830-x64-V4.8.exe - 16.0 MB
MS Security Advisory - Rollup for ActiveX Kill Bits
FYI...
Microsoft Security Advisory (2695962)
Update Rollup for ActiveX Kill Bits
- https://technet.microsoft.com/en-us/...visory/2695962
May 08, 2012
> http://support.microsoft.com/kb/2695962
:fear: