MS Security Advisories updated - 2010.07.13 ...
FYI...
Microsoft Security Advisory (2219475)
Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution
- http://www.microsoft.com/technet/sec...y/2219475.mspx
Published: June 10, 2010 | Updated: July 13, 2010 - "... We have issued MS10-042* to address this issue..."
* http://www.microsoft.com/technet/sec.../MS10-042.mspx
Microsoft Security Advisory (2028859)
Vulnerability in Canonical Display Driver Could Allow Remote Code Execution
- http://www.microsoft.com/technet/sec...y/2028859.mspx
Published: May 18, 2010 | Updated: July 13, 2010 - "... We have issued MS10-043** to address this issue..."
** http://www.microsoft.com/technet/sec.../MS10-043.mspx
>> http://forums.spybot.info/showpost.p...&postcount=144
:fear::fear:
MS Security Advisory (2286198)
FYI...
Microsoft Security Advisory (2286198)
Vulnerability in Windows Shell Could Allow Remote Code Execution
- http://www.microsoft.com/technet/sec...y/2286198.mspx
July 16, 2010 - "Microsoft is investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell, a component of Microsoft Windows. This advisory contains information about which versions of Windows are vulnerable as well as workarounds and mitigations for this issue. The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled. We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers..."
• V1.1 (July 19, 2010)... "Microsoft is currently working to develop a security update for Windows to address this vulnerability..."
- http://blogs.technet.com/b/mmpc/arch...net-sting.aspx
16 Jul 2010
- http://www.kb.cert.org/vuls/id/940193
Last Updated: 2010-07-19
- http://www.us-cert.gov/current/#micr..._vulnerability
updated July 19, 2010
0-Day exploit is public
- http://www.f-secure.com/weblog/archives/00001991.html
July 19, 2010
- http://securitytracker.com/alerts/2010/Jul/1024216.html
Updated: July 20 2010
:fear:
More 0-day malware drivers...
FYI...
More 0-day malware drivers...
- http://www.f-secure.com/weblog/archives/00001993.html
July 20, 2010 - "... another digitally signed Stuxnet* driver. This one uses a certificate from JMicron Technology Corporation. Our detection for this new binary is Rootkit:W32/Stuxnet.D... Realtek is the source of the previously used certificate which has now been revoked by VeriSign..."
* http://blogs.technet.com/b/mmpc/arch...net-sting.aspx
:fear::mad:
"Fixit" released for MS shortcut vuln ...
FYI...
"Fixit" released for MS shortcut vuln...
Microsoft Security Advisory (2286198)
Vulnerability in Windows Shell Could Allow Remote Code Execution
- http://www.microsoft.com/technet/sec...y/2286198.mspx
• V1.2 (July 20, 2010): Clarified the vulnerability exploit description and updated the workarounds...
• Disable the displaying of icons for shortcuts ...
Note: See Microsoft Knowledge Base Article 2286198* to use the automated Microsoft Fix it solution to enable or disable this workaround. This Fix it solution will require a restart upon completion in order to be effective. This Fix it solution deploys the workaround, and thus has the same user impact. We recommend that administrators review the KB article closely prior to deploying this Fix it solution.
NOTE: Applying the fixit will remove the graphical representation of icons on the Task bar and Start menu bar and replace them with white icons without the graphical representation of the icon...
Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk...
* http://support.microsoft.com/kb/2286198
Last Review: July 21, 2010 - Revision: 1.0
---
• Disable the WebClient service ...
---
• Block the download of .LNK and .PIF files from the internet ...
___
Embedded Shortcuts in Documents...
- http://www.f-secure.com/weblog/archives/00001994.html
July 21, 2010
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-2568
Last revised: 07/22/2010
CVSS v2 Base Score: 9.3 (HIGH)
:fear::fear:
Exploits in the wild for Windows shortcut vuln
FYI...
Exploits in the wild for Windows shortcut vuln
- http://blog.trendmicro.com/exploits-...y-in-the-wild/
July 22, 2010 - "Exploits for the recently discovered Windows shortcut vulnerability are now fully out in the wild and affecting users. While earlier samples were seen in more narrowly targeted attacks, the new samples Trend Micro analysts found are now aimed at broader audiences and pose a threat to users at large. Indonesia and India have been particularly hard-hit by this attack, accounting for more than 75 percent of the total number of infections. In addition, a recent update to Microsoft’s advisory has added a new vector for this vulnerability. File formats that support embedded shortcuts (e.g., Microsoft Office documents) can now be used to spread exploits as well. This means that users who download and open such files could find themselves the latest victim of this vulnerability. It has also been reported that this attack could be used in drive-by attack scenarios, further increasing risks... Below is a summary of these possibilities:
1. USB drive infection...
2. Network shares...
3. Malicious website...
4. Documents..."
(More detail at the URL above.)
- http://threatinfo.trendmicro.com/vin...20Exploit.html
- http://www.symantec.com/connect/de/blog-tags/w32stuxnet
July 22, 2010 - "... Within the past 72 hours we've seen close to 14,000 unique IP addresses infected with W32.Stuxnet attempt to contact the C&C server..."
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-2568
Last revised: 07/23/2010
CVSS v2 Base Score: 9.3 (HIGH)
- http://www.f-secure.com/v-descs/troj..._stuxnet.shtml
- http://www.symantec.com/security_res...123-99&tabid=2
- http://www.sophos.com/security/analy...2stuxnetb.html
:fear::fear:
MS .lnk 0-day attack vector - Siemens WinCC sites
FYI...
MS .lnk 0-day attack vector
- http://atlas.arbor.net/briefs/index#1754998770
Severity: Extreme Severity
Analysis: "This is a serious risk, and a critical one for Siemens WinCC sites. We encourage all Windows sites to review the bulletin* for mitigation options in the absence of a patch..."
* http://www.microsoft.com/technet/sec...y/2286198.mspx
NEW malware families using .LNK vulnerability
- http://blogs.technet.com/b/mmpc/arch...erability.aspx
23 Jul 2010
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-2772
Last revised: 07/26/2010
- http://www.networkworld.com/news/201...icking-up.html
July 22, 2010 - "... Siemens issued a Security Update** for its customers on Thursday, but Microsoft has yet to patch the Windows bug that permits the worm to spread..."
** http://support.automation.siemens.co...83&caller=view
- http://www.symantec.com/connect/blog-tags/w32stuxnet
July 25, 2010
:fear:
SophosLabs free tool - validates MS Shortcut
FYI...
Windows Shortcut Exploit protection tool
- http://www.sophos.com/products/free-...tion-tool.html
"... The Windows Shortcut Exploit is a zero-day vulnerability in all versions of Windows that allows a Windows shortcut link to run a malicious DLL file. Our free, easy-to-use tool blocks this exploit from running on your computer..."
- http://isc.sans.edu/diary.html?storyid=9268
Last Updated: 2010-07-26 17:03:58 UTC
- http://www.sophos.com/support/knowle...le/111570.html
Last updated: 26 Jul 2010
- http://www.sophos.com/blogs/gc/g/201...oit-free-tool/
Video: 1:57
- http://www.f-secure.com/weblog/archives/00001996.html
July 26, 2010 - "... several additional malware families are now attempting to exploit Microsoft's LNK vulnerability (2286198). But here's the good news: so far, the new exploit samples are detected by us, and by many other vendors*. Basically we're seeing new payloads using the same basic exploit method, which is being detected generically, and not new versions of the exploit..."
* http://www.virustotal.com/analisis/b...965-1280146392
File dsafnegweje.lnk received on 2010.07.26 12:13:12 (UTC)
Result: 18/42 (42.86%)
- http://blog.trendmicro.com/zeuszbot-...oit-bandwagon/
July 27, 2010 - "... exploits targeting the Windows shortcut zero-day vulnerability have risen in number. It is also now being used to spread ZBOT variants via malicious attachments to spammed messages... with the subject Microsoft Windows Security Advisory..."
MS shortcut/vuln fix to be released 8.2.2010
FYI...
MS shortcut/vuln fix to be released 8.2.2010
- http://blogs.technet.com/b/msrc/arch...y-2286198.aspx
29 Jul 2010 - "... we're announcing plans to release a security update to address the vulnerability discussed in Security Advisory 2286198* on Monday, August 2, 2010 at or around 10 AM PDT..."
* http://www.microsoft.com/technet/sec...y/2286198.mspx
- http://www.microsoft.com/technet/sec.../ms10-aug.mspx
July 30, 2010
- http://blogs.technet.com/b/mmpc/arch...as-sality.aspx
30 Jul 2010 - "... Microsoft announced plans to release an out-of-band update... numbers show infection attempts upon systems -we- protect... threats are becoming more widespread...
Malicious links exploiting CVE-2010-2568
Exploit:Win32/CplLnk.A
Exploit:Win32/CplLnk.B
Stuxnet
TrojanDropper:Win32/Stuxnet.A
Trojan:WinNT/Stuxnet.A
Trojan:WinNT/Stuxnet.B (initially called VirTool:WinNT/Rootkitdrv.HK)
Trojan:Win32/Stuxnet.A
Worm:Win32/Stuxnet.A
Worm:Win32/Stuxnet.B
Sality
Virus:Win32/Sality.AU (initial detection provided by generic signature Virus:Win32/Sality.AT)
Vobfus
Worm:Win32/Vobfus.H
Worm:Win32/Vobfus.P
Chymine
Trojan:Win32/Chymine.A
TrojanSpy:Win32/Chymine.A
TrojanDownloader:Win32/Chymine.A ..."
:fear:
MS10-046 released - 2010.08.02
FYI...
Microsoft Security Bulletin MS10-046 - Critical
Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)
- http://www.microsoft.com/technet/sec.../MS10-046.mspx
August 02, 2010
Remote Code Execution
Critical
... This vulnerability is currently being exploited...
- http://www.microsoft.com/technet/sec.../MS10-aug.mspx
August 02, 2010
ISC Analysis
- http://isc.sans.edu/diary.html?storyid=9313
Last Updated: 2010-08-02
PATCH NOW!
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-2568
Last revised: 08/03/2010
CVSS v2 Base Score: 9.3 (HIGH)
- http://blogs.technet.com/b/msrc/arch...and-today.aspx
2 Aug 2010 - "... today we released Security Bulletin MS10-046* out-of-band to address a vulnerability in Windows. This security update addresses a vulnerability in the handling of shortcuts that affects all currently supported versions of Windows XP, Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2... For customers using automatic updates, this update will automatically be applied once it is released. Customers not using automatic updates should download, test and deploy this update as quickly as possible..."
- http://www.sophos.com/security/topic/shortcut.html
August 2, 2010 - "... If you have the Sophos Windows Shortcut Exploit Protection Tool on your machine, uninstall it before deploying Microsoft's patch."
- http://atlas.arbor.net/briefs/index#1754998770
August 03, 2010
Severity: Extreme Severity
Analysis: "This is a serious risk, and a critical one especially for Siemens WinCC sites. We encourage all Windows sites to review the bulletin for mitigation options and apply the update as soon as possible."
Stuxnet - Rootkit for SCADA Devices...
- http://www.symantec.com/connect/blog...-scada-devices
August 6, 2010
:fear:
MS Security Bulletin -Advance- Notification - August 2010
FYI...
MS Security Bulletin -Advance- Notification - August 2010
- http://www.microsoft.com/technet/sec.../MS10-aug.mspx
August 05, 2010 - "... advance notification of security bulletins that Microsoft is intending to release on August 10, 2010... (Total of -14-)
Critical -8-
Bulletin 1 / Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 2 / Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 3 / Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 4 / Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 5 / Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 6 / Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 7 / Critical - Remote Code Execution - May require restart - Microsoft Office
Bulletin 8 / Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft Silverlight
Important -6-
Bulletin 9 / Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 10 / Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 11 / Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 12 / Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 13 / Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 14 / Important - Elevation of Privilege - May require restart - Microsoft Windows ..."
- http://www.computerworld.com/s/artic...sday_next_week
August 5, 2010 - "Microsoft today said it will deliver a record 14 security updates next week to patch a record-tying 34 vulnerabilities in Windows, Internet Explorer (IE), Office and Silverlight..."
- http://blogs.technet.com/b/msrc/arch...ification.aspx
:fear: