Old MS Alerts

MS Security Advisories - 2009.12.08

FYI...

Microsoft Security Advisory (977981)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/977981.mspx
Updated: December 08, 2009 - "Microsoft has completed investigating public reports of this vulnerability. We have issued Microsoft Security Bulletin MS09-072* to address this issue..." * http://www.microsoft.com/technet/security/bulletin/ms09-072.mspx

Microsoft Security Advisory (974926)
Credential Relaying Attacks on Integrated Windows Authentication
- http://www.microsoft.com/technet/security/advisory/974926.mspx
December 08, 2009 - "This advisory addresses the potential for attacks that affect the handling of credentials using Integrated Windows Authentication (IWA), and the mechanisms Microsoft has made available for customers to help protect against these attacks..."

Microsoft Security Advisory (973811)
Extended Protection for Authentication
- http://www.microsoft.com/technet/security/advisory/973811.mspx
Updated: December 08, 2009 - "Microsoft is announcing the availability of a new feature, Extended Protection for Authentication, on the Windows platform..."

Microsoft Security Advisory (954157)
Security Enhancements for the Indeo Codec
- http://www.microsoft.com/technet/security/advisory/954157.mspx
December 08, 2009 - "... customers who do not have a use for the codec may choose to take an additional step and deregister the codec completely. Deregistering the codec would remove all attack vectors that leverage the Indeo codec. See Microsoft Knowledge Base Article 954157* for directions on how to deregister the codec..."
* http://support.microsoft.com/kb/954157

Additional MS Updates ???

Also now showing up at the MS Update site:

AppCompat update for Indeo codec
- http://support.microsoft.com/kb/955759
December 9, 2009 - Revision: 3.0
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4311
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4310
Last revised: 12/15/2009

Extended Protection for Authentication in Microsoft Windows HTTP Services (WinHTTP)
- http://support.microsoft.com/kb/971737
December 8, 2009 - Revision: 1.0

Extended Protection for Authentication in the HTTP Protocol Stack (http.sys)
- http://support.microsoft.com/kb/970430
December 8, 2009 - Revision: 1.0

IIS vuln...

FYI...

New Reports of a Vulnerability in IIS
- http://blogs.technet.com/msrc/archive/2009/12/27/new-reports-of-a-vulnerability-in-iis.aspx
December 27, 2009 - "On Dec. 23 we were made aware of a new claim of a vulnerability in Internet Information Services (IIS). We are still investigating this issue and are not aware of any active attacks but wanted to let customers know that our initial assessment shows that the IIS web server must be in a non-default, unsafe configuration in order to be vulnerable. An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions which does not align with best practices or guidance Microsoft provides for secure server configuration. Customers using out of the box configurations and who follow security best practices are at reduced risk of being impacted by issues like this. Once we’re done investigating, we will take appropriate action to help protect customers...
IIS 6.0 Security Best Practices
http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx
Securing Sites with Web Site Permissions
http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx
IIS 6.0 Operations Guide
http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx
Improving Web Application Security: Threats and Countermeasures
http://msdn.microsoft.com/en-us/library/ms994921.aspx ..."

- http://isc.sans.org/diary.html?storyid=7819
Last Updated: 2009-12-28 15:36:57 UTC (Version: 3) - "... they (MS) note that if the administrator had not altered the default configuration and followed best practices in the securing of the webserver, then this exploit wouldn't work. Unfortunately, we know that doesn't always wind up being the case..."

8 Basic Rules to Implement Secure File Uploads
- https://blogs.sans.org/appsecstreet...basic-rules-to-implement-secure-file-uploads/
December 28, 2009

- http://secunia.com/advisories/37831/2/
Last Update: 2009-12-28
Critical: Less critical
Impact: Security Bypass, System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Information Services (IIS) 6
Solution: Restrict file uploads to trusted users only and remove "execute" permissions for upload directories...

- http://learn.iis.net/page.aspx/583/secure-content-in-iis-through-file-system-acls/
Updated on December 23, 2009

IIS vuln - Metasploit added...

FYI...

IIS vuln - Metasploit added...
- http://www.symantec.com/connect/blo...s-module-iis-local-file-include-vulnerability
December 29, 2009 - "... There are varying reports on the severity of this issue, but according to Microsoft only poorly configured Web servers are at risk from this issue: “An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions which does not align with best practices or guidance Microsoft provides for secure server configuration.”
Essentially your site is at risk if it:
1. Runs on IIS.
2. Allows files to be uploaded.
3. Has execute permissions for the directory where the uploaded files are stored.
On December 28, Metasploit added support into their framework to allow exploitation of this issue. This makes it trivial to compromise badly configured servers as outlined above. This development could see a rise in exploitation of this issue..."

IIS issues - follow-up...

FYI...

Results of Investigation into Holiday IIS Claim
* http://blogs.technet.com/msrc/archi...-of-investigation-into-holiday-iis-claim.aspx
December 29, 2009 - "... there is an inconsistency in IIS 6 only in how it handles semicolons in URLs. It’s this inconsistency that the claims have focused on, saying this enables an attacker to bypass content filtering software to upload and execute code on an IIS server. The key in this is the last point: for the scenario to work, the IIS server must already be configured to allow both “write” and “execute” privileges on the same directory. This is not the default configuration for IIS and is contrary to all of our published best practices. Quite simply, an IIS server configured in this manner is inherently vulnerable to attack. However, customers who are using IIS 6.0 in the default configuration or following our recommended best practices don’t need to worry about this issue. If, however, you are running IIS in a configuration that allows both “write” and “execute” privileges on the same directory like this scenario requires, you should review our best practices and make changes to better secure your system from the threats that configuration can enable. Once again, here’s a list of best practices resources:
· IIS 6.0 Security Best Practices
http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx
· Securing Sites with Web Site Permissions
http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx
· IIS 6.0 Operations Guide
http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx
· Improving Web Application Security: Threats and Countermeasures
http://msdn.microsoft.com/en-us/library/ms994921.aspx
The IIS folks are evaluating a change to bring the behavior of IIS 6.0 in line with the other versions. In the meantime, they’ve put more information up about this on their weblog*..."
* http://blogs.iis.net/nazim/archive/...s-security-issue-with-semi-colons-in-url.aspx
December 29, 2009

- http://secunia.com/advisories/37831/2/
Last Update: 2009-12-30

- http://securitytracker.com/alerts/2009/Dec/1023387.html
Updated: Dec 29 2009

- http://www.theregister.co.uk/2009/12/30/iis_web_server_bug_rebuttal/
30 December 2009 - "... Microsoft's nothing-to-worry-about-please-move-along advisory, which helpfully provides links to best practice web server security guidelines, can be found here*."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4444

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4445

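Added example, not code from Microsoft, Secunia, Symantec or the poster: a small Python model of the upload-handler gap behind the semicolon reports in the two IIS posts above (Microsoft's "write and execute on the same directory" description and Symantec's three conditions), beside the checks that close it. The function modelling the server is an assumption drawn from the public reports of the issue (the part of the name before the first ';' decides which handler runs the file), not Microsoft's code; the extension lists and the random storage-name scheme are illustrative choices.

```python
"""Added example, not code from the original posts: why trusting the trailing
extension of an uploaded filename fails on an IIS 6 server that is already
misconfigured with write + execute on the upload directory, and the checks
an upload handler should do instead."""
import os
import posixpath
import secrets

# Illustrative lists (assumption): what the site wants to accept, and what the
# web server would hand to a script engine.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
SCRIPT_EXT = {".asp", ".aspx", ".asa", ".cer", ".cdx"}


def iis6_handler_name(requested_name: str) -> str:
    """Model of the reported IIS 6 behaviour (assumption based on the public
    reports, not Microsoft's code): the handler is chosen from the part of the
    name before the first ';', so 'shell.asp;.jpg' is treated as 'shell.asp'."""
    return requested_name.split(";", 1)[0]


def would_execute_on_iis6(stored_name: str) -> bool:
    """True if a file stored under this name in a write+execute directory
    would be run by a script engine under the modelled behaviour."""
    ext = os.path.splitext(iis6_handler_name(stored_name))[1].lower()
    return ext in SCRIPT_EXT


def naive_is_allowed(filename: str) -> bool:
    """The check a typical upload form does: look only at the last extension.
    This is exactly what the semicolon trick bypasses."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXT


def hardened_stored_name(filename: str) -> str:
    """Return the name to store the upload under, or raise ValueError.

    Rules (the '8 Basic Rules' post linked above makes the same points):
    - no directory components from the client
    - no ';' (the IIS 6 issue), ':' (NTFS alternate data streams) or NUL
    - exactly one extension, taken from the allow-list
    - the client-supplied name is never reused: a random stem plus the
      validated extension is what lands on disk
    """
    normalised = filename.replace("\\", "/")
    if posixpath.basename(normalised) != filename:
        raise ValueError("directory components are not allowed")
    if any(ch in filename for ch in ";:\x00"):
        raise ValueError("forbidden character in filename")
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} is not allowed")
    if os.path.splitext(stem)[1]:
        # Strict on purpose: 'my.photo.jpg' is rejected along with 'x.asp.jpg'.
        raise ValueError("only one extension is allowed")
    return secrets.token_hex(8) + ext.lower()


def is_accepted(filename: str) -> bool:
    """Convenience wrapper: does the hardened check accept this name?"""
    try:
        hardened_stored_name(filename)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample names, including the reported bypass form.
    for name in ("photo.jpg", "shell.asp;.jpg", "shell.asp",
                 "../shell.asp", "notes.txt"):
        print(f"{name:16} naive={naive_is_allowed(name)!s:5} "
              f"executes_on_iis6={would_execute_on_iis6(name)!s:5} "
              f"hardened={is_accepted(name)}")
```

The name check only narrows the window; the fix the posts actually point to is structural. Storing the upload under a generated name in a directory with no script execution removes the exposure whether or not the server's semicolon handling ever changes.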
MS Bulletin Advance Notification - January 2010

FYI...

MS Bulletin Advance Notification - January 2010
- http://www.microsoft.com/technet/security/Bulletin/MS10-jan.mspx
January 7, 2010 - "This is an advance notification of security bulletins that Microsoft is intending to release on January 12, 2010...
(Total of -1-)

Critical -1-

Bulletin 1
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

- http://blogs.technet.com/msrc/archi...10-bulletin-release-advance-notification.aspx
January 7, 2010

Rootkit Observations - Technet.com/mmpc

FYI...

Observations on Rootkits
- http://blogs.technet.com/mmpc/archive/2010/01/07/some-observations-on-rootkits.aspx
January 07, 2010 - "Getting hit by a live rootkit infection is among the more unfortunate fates that can befall an unsuspecting computer user. A rootkit burrows deep into the system, modifying it at a low-level in order to hide itself and other malware, and from there fights off attempts at deactivation and removal. While real-time protection can block the rootkit from becoming active to begin with, if the computer is already infected by a rootkit, things get more interesting. Antimalware technologies must use sophisticated techniques to scan for and detect, and finally to remove, a lurking rootkit. In reviewing the telemetry we receive from some of our antirootkit-related features, a few interesting things stand out.
How big is the rootkit problem?
Of all infections reported from client machines, low-level rootkits represent about 7% of infections...
We expect that malware authors will continue to seek ways to fly under the radar, just as we will continue to evolve our protection technologies to stay one step ahead of the bad guys. Regardless, here are a couple tips to avoid getting hit by a rootkit:
• Keep real-time protection enabled
While running up-to-date antimalware software is essential, it does little good if you turn off the real-time protection feature. If you lower your defenses and a rootkit does get through, finding and removing it can be a tricky endeavor. Keep your defenses up and you're much less likely to have headaches down the road.
• Run 64-bit Windows
For the time being, it appears that currently, users running 64 bit Windows are less likely to be compromised by rootkits. While the threat landscape is constantly evolving, for now you can breathe a lot easier if you're running 64-bit Windows. If you have a choice, go with 64-bit..."

(More detail available at the URL above.)

BlackLight
- http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/blacklight/index.html

MS Security Bulletin Summary - January 2010

FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS10-jan.mspx
January 12, 2010 - "This bulletin summary lists security bulletins released for January 2010...
(Total of -1-) [See "Affected Software" at URL above.]

Critical -1-

Microsoft Security Bulletin MS10-001 - Critical
Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (972270*)
- http://www.microsoft.com/technet/security/bulletin/MS10-001.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows
* http://support.microsoft.com/kb/972270
___

Severity and exploitability index
- http://blogs.technet.com/photos/msrcteam/images/3305166/original.aspx

Deployment Priority
- http://blogs.technet.com/photos/msrcteam/images/3305167/original.aspx
___

MSRT
- http://support.microsoft.com/?kbid=890830
January 12, 2010 - Revision: 68.0
(Recent additions)
Win32/FakeScanti - October 2009 (V 3.0) Moderate
Win32/FakeVimes - November 2009 (V 3.1) Moderate
Win32/PrivacyCenter - November 2009 (V 3.1) Moderate
Win32/Hamweq - December 2009 (V 3.2) Moderate
Win32/Rimecud - January 2010 (V 3.3) Moderate

- http://blogs.technet.com/mmpc/archi...cud-msrt-s-success-story-in-january-2010.aspx
January 19, 2010
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=7954
Last Updated: 2010-01-12 18:29:33 UTC
Microsoft Security Advisory (979267)

FYI...

Microsoft Security Advisory (979267)
Vulnerabilities in Adobe Flash Player 6 Provided in Windows XP Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/979267.mspx
January 12, 2010 - "Microsoft is aware of reports of vulnerabilities in Adobe Flash Player 6 provided in Windows XP. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time but recommend that users install the latest version of Flash Player* provided by Adobe..."
* http://get.adobe.com/flashplayer/
December 8, 2009 - Flash Player v10.0.42.34

MS Windows Flash Player multiple vulnerabilities
- http://secunia.com/advisories/27105/2/
Release Date: 2010-01-12
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
OS: Microsoft Windows XP Home Edition, Microsoft Windows XP Professional
Solution: Uninstall the bundled version of Flash Player and optionally install the latest supported version of Flash Player from Adobe...
Original Advisory:
Secunia Research: http://secunia.com/secunia_research/2007-77/
Other References: How to remove the Flash Player ActiveX control:
http://kb2.adobe.com/cps/127/tn_12727.html
How to uninstall the Adobe Flash Player plug-in and ActiveX control:
http://kb2.adobe.com/cps/141/tn_14157.html

0-day vuln in IE 6, 7 and 8

FYI...

0-day vuln in IE 6, 7 and 8
- http://isc.sans.org/diary.html?storyid=7993
Last Updated: 2010-01-14 22:19:56 UTC

MS IE arbitrary code execution
- http://secunia.com/advisories/38209/2/
Release Date: 2010-01-15
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6.x, Microsoft Internet Explorer 7.x, Microsoft Internet Explorer 8.x
Solution: Do not browse untrusted websites or follow untrusted links.
Provided and/or discovered by: Reported as a 0-day.
Original Advisory: Microsoft (KB979352):
http://www.microsoft.com/technet/security/advisory/979352.mspx
http://blogs.technet.com/msrc/archive/2010/01/14/security-advisory-979352.aspx
Other References: US-CERT VU#492515:
http://www.kb.cert.org/vuls/id/492515

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0249
Last revised: 01/15/2010

Microsoft Security Advisory (979352)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/979352.mspx
January 14, 2010 - "Microsoft is investigating a report of a publicly exploited vulnerability in Internet Explorer. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue. Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 -are- affected. The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution. At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer. We will continue to monitor the threat environment and update this advisory if this situation changes..."

- http://blogs.technet.com/msrc/archive/2010/01/14/security-advisory-979352.aspx
January 14, 2010 - "Based upon our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks... We released Security Advisory 979352 to provide customers with actionable guidance and tools to help with protections against exploit of this vulnerability..."

- http://support.microsoft.com/kb/979352#FixItForMeAlways
January 14, 2010 - "... We have also created an application compatibility database that will enable Data Execution Prevention (DEP) for all versions of Internet Explorer. You do -not- need this database if you are using Internet Explorer 8 on Windows XP Service Pack 3 (SP3) or on Windows Vista SP1 or later versions. This is because Internet Explorer 8 opts-in to DEP by default on these platforms. To enable or disable DEP automatically, click the Fix it button or link..."

- http://www.krebsonsecurity.com/2010/01/mcafee-ie-0day-fueled-attacks-on-google-adobe/
January 14, 2010

IE 0-day code public...

FYI...

(IE 0-day) Exploit code available for CVE-2010-0249
- http://isc.sans.org/diary.html?storyid=8002
Last Updated: 2010-01-15 21:35:51 UTC - "The details for CVE-2010-0249* aka Microsoft Security Advisory 979352 ( http://www.microsoft.com/technet/security/advisory/979352.mspx ) aka the Aurora exploit have been made public. It is a vulnerability in mshtml.dll that works as advertised on IE6, but if DEP is enabled on IE7 or IE8 the exploit does not execute code. I expect Microsoft will have a patch available for the standard February patch day. There will not likely be an out-of-band patch for this unless a 3rd party makes their own available."

* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0249
Last revised: 01/15/2010

- http://www.symantec.com/security_response/threatconlearn.jsp
"The ThreatCon is currently at Level 2: Elevated...
Microsoft has released a security advisory and mitigation for a new unpatched vulnerability affecting Internet Explorer... On January 14, 2009, the Metasploit exploitation framework added an exploit for the bug that would allow an attacker to gain control of the system. Availability of this exploit will increase the chance of in-the-wild exploitation of this issue..."

- http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-ie-0day-vulnerability.aspx
January 15, 2010

MS IE Advisory 979352 Update - 2010.01.18...

FYI...

MS IE Advisory 979352 Update - January 18
- http://blogs.technet.com/msrc/archive/2010/01/18/advisory-979352-update-for-monday-january-18.aspx
January 18, 2010 - "... earlier today, we were made aware of reports that researchers have developed Proof-of-Concept (PoC) code that exploits this vulnerability on Internet Explorer 7 on Windows XP and Windows Vista. We are actively investigating, but cannot confirm, these claims. Today we also published a guidance page, including an online video, for home users who may be confused, or concerned, about this security vulnerability and want to know what they should do to protect themselves from the known attacks. This page is located here*..."
* http://www.microsoft.com/security/updates/ie.aspx
"Microsoft has determined that one of the technologies used in the recent criminal attacks against Google and other corporate networks was Internet Explorer 6. Customers using Internet Explorer 8 are not affected by currently known attacks. We recommend that anyone not already using Internet Explorer 8 upgrade immediately. Internet Explorer 8 offers many additional security protections..."
- http://www.microsoft.com/ie

IE - out-of-cycle patch coming...

FYI...

IE - out-of-cycle patch coming...
- http://isc.sans.org/diary.html?storyid=8017
Last Updated: 2010-01-19 20:10:13 UTC - "No, there still isn't a patch, but there will be one before the regular Microsoft patch day in February. The MSRC has posted a note on their blog* saying the timing will be announced tomorrow. In the meantime, we are hearing that the folks at VUPEN have found a way to bypass DEP as long as javascript is enabled (no, this doesn't appear to be the .NET ones from last year) which would make even IE8 vulnerable, we don't have the details at present, but if true this is a major development. This is a concern since Microsoft's advice is for those using IE6 and IE7 to move to IE8 where DEP is on by default. In any event, we continue to monitor the situation."
* http://blogs.technet.com/msrc/archive/2010/01/19/security-advisory-979352-going-out-of-band.aspx
January 19, 2010 - "We wanted to provide a quick update on the threat landscape and announce that we will release a security update out-of-band to help protect customers from this vulnerability... We take the decision to go out-of-band very seriously given the impact to customers, but we believe releasing an out-of-band update is the right decision at this time. We will provide the specific timing of the release tomorrow..."

- http://securitylabs.websense.com/content/Blogs/3534.aspx
01.19.2010 - "... Our ThreatSeeker network has identified two more malicious URLs that are used in live attacks, this time hxxp ://201002.[REMOVED]:2988/log/ie .html and hxxp ://m.[REMOVED].net:81/m/index .html. According to reports from our friends at Ahnlab, the second URL was spread through the Instant Messenger network Misslee Messenger, a popular IM client in South Korea... Due to the attention the new vulnerability has received, Microsoft has announced that they will release an out-of-band patch for Internet Explorer..."

- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100119
2010-01-19

- http://www.microsoft.com/technet/security/advisory/archive.mspx
Updated: January 18, 2010

MS10-002 tomorrow...

FYI...

MS10-002 tomorrow...
- http://blogs.technet.com/msrc/archi...ication-for-out-of-band-bulletin-release.aspx
January 20, 2010 - "... we will be releasing MS10-002 tomorrow, January 21st, 2010. We are planning to release the update as close to 10:00 a.m. PST (UTC -8) as possible. This is a standard cumulative update, accelerated from our regularly scheduled February release, for Internet Explorer with an aggregate severity rating of Critical. It addresses the vulnerability related to recent attacks against Google and a small subset of corporations, as well as several other vulnerabilities... Today we also updated Security Advisory 979352* to include technical details addressing additional customer questions..."
* http://www.microsoft.com/technet/security/advisory/979352.mspx
• V1.2 (January 20, 2010): Revised Executive Summary to reflect the changing nature of attacks attempting to exploit the vulnerability. Clarified information in the Mitigating Factors section for Data Execution Prevention (DEP) and Microsoft Outlook, Outlook Express, and Windows Mail. Clarified several Frequently Asked Questions to provide further details about the vulnerability and ways to limit the possibility of exploitation. Added "Enable or disable ActiveX controls in Office 2007" and "Do not open unexpected files" to the Workarounds section.

Windows (all versions) 0-day vuln released

FYI...

Windows (all versions) 0-day vuln released...
- http://isc.sans.org/diary.html?storyid=8023
Last Updated: 2010-01-19 21:04:29 UTC - "In a posting to a public mailing list, Tavis Ormandy disclosed a zero day privilege escalation vulnerability in the Windows kernel. All versions of Windows, starting with Windows NT 3.1 up to and including Windows 7, are affected...
This is not a good month for Microsoft. Tavis disclosed the vulnerability to Microsoft about 6 months ago. Microsoft's monthly bulletins have credited Tavis numerous times in the past for disclosing vulnerabilities."

(Mitigation instructions and more detail available at the URL above.)

- http://www.theregister.co.uk/2010/01/19/microsoft_escalation_bug/
19 January 2010

Microsoft Security Advisory (979682)
Vulnerability in Windows Kernel Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/979682.mspx
January 20, 2010 - "Microsoft is investigating new public reports of a vulnerability in the Windows kernel. We are not aware of attacks that try to use the reported vulnerability or of customer impact at this time. We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers..."
Revisions:
• V1.1 (January 22, 2010): Added links to Microsoft Knowledge Base Article 979682 in the Issue References table and Additional Suggestion Actions section. Added a link to Microsoft Knowledge Base Article 979682* to provide an automated Microsoft Fix it solution for the workaround, Disable the NTVDM subsystem.
* http://support.microsoft.com/kb/979682

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0232
Last revised: 01/22/2010
CVSS v2 Base Score: 6.6 (MEDIUM)

- http://blogs.technet.com/msrc/archive/2010/01/20/security-advisory-979682-released.aspx
January 20, 2010

- http://secunia.com/advisories/38265/2/
Release Date: 2010-01-20
Impact: Privilege escalation
Where: Local system
Solution Status: Unpatched...
Original Advisory:
http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html

More IE 0-Day exploit attacks...

FYI...

More IE 0-Day exploit attacks...
- http://blog.trendmicro.com/new-ie-zero-day-exploit-attacks-continue/
Jan. 21, 2010 - "Trend Micro has identified new malware samples that exploit the still-unpatched Internet Explorer (IE) vulnerability. These samples have been detected as JS_ELECOM.C and HTML_COMLE.CXC. Further analysis... the new scripts are versions of JS_DLOADER.FIS (the only difference being the encryption techniques used), which was widely used in the recent and still ongoing attacks targeting major organizations like Google and Adobe. In line with this, Microsoft announced that it will release an out-of-band security update to fix the issue. It is highly advised that users immediately download the security patch once released..."
More here*...
* http://threatinfo.trendmicro.com/vi...y_Internet_Explorer_Bug_Downloads_HYDRAQ.html

Malware-laced PDF files using "Operation Aurora" attacks (IE 0-day) subject as lure...
- http://www.f-secure.com/weblog/archives/00001863.html
January 21, 2010 - "... (SPAM) PDF file attachment which exploits the CVE-2009-4324 vulnerability in Adobe Reader (patched last week)..."

MS Security Bulletin MS10-002 - Critical

Get this NOW...

MS Security Bulletin MS10-002 - Critical
Cumulative Security Update for Internet Explorer (978207)
- http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx
January 21, 2010
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

>>> http://update.microsoft.com/

- http://isc.sans.org/diary.html?storyid=8062
Last Updated: 2010-01-21 21:59:42 UTC

- http://secunia.com/advisories/38209/2/
Last Update: 2010-01-25
Critical: Extremely critical

- http://atlas.arbor.net/briefs/index#79796348
Severity: Extreme Severity
January 22, 2010 - "... attacks are being abused in the wild at present to download commonly seen malware in many cases. All sites using Windows should update immediately to remedy their security position.
Analysis: This is a major attack vector at present and we anticipate that it will continue to be for some time. Sites using Windows should review this update and push it out to all sites immediately to address this situation..."


- http://secunia.com/advisories/38209/3/
CVE reference:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4074
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0027
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0244
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0245
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0246
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0247
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0248

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0249
Last revised: 01/23/2010
CVSS v2 Base Score: 9.3 (HIGH)
“Aurora” exploit code: from Targeted Attacks to Mass Infection

FYI...

“Aurora” exploit code: from Targeted Attacks to Mass Infection
- http://www.eset.com/threat-center/b...-code-from-targeted-attacks-to-mass-infection
January 25, 2010 - "Last Thursday, Microsoft released an out-of-band update to fix the latest vulnerability in Internet Explorer. Since then, malware operators have been exploiting this vulnerability to install malware on thousands of PCs. So far, we have detected more than 650 different versions of the exploit code which is detected as Trojan.JS/Exploit.CVE-2010-0249... We have also identified more than 220 unique distribution points for the exploit code, mostly located in Asia. The countries which are seeing the majority of the attacks are China, Korea and Taiwan... At the time of analysis, the list of files to download and execute included 7 links, mostly online game password stealers. To sum up, if you happen to browse to a web page delivering the latest CVE-2010-0249 exploit code, and if you haven’t patched and are not using an up to date antivirus, you will end up with 8 different pieces of malware on your PC within seconds..."

- http://www.microsoft.com/technet/security/advisory/979352.mspx
"... issued MS10-002* to address this issue..."
* http://forums.spybot.info/showpost.php?p=356653&postcount=110

- http://blogs.technet.com/msrc/archi...ication-for-out-of-band-bulletin-release.aspx
Jan 21, 2010 - "... We are also aware that the vulnerability can be exploited by including an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file. Customers would have to open a malicious file to be at risk of exploitation... To be clear, applying the update for Internet Explorer addresses the issue across all products that may use mshtml.dll. Customers should install the update to be protected..."

products that use mshtml.dll
- http://support.microsoft.com/search/?adv=1
You have searched on: All products
1920 results ...

IE - Microsoft Security Advisory (980088)

FYI...

Microsoft Security Advisory (980088)
Vulnerability in Internet Explorer Could Allow Information Disclosure
- http://www.microsoft.com/technet/security/advisory/980088.mspx
February 03, 2010 - "Microsoft is investigating a publicly reported vulnerability in Internet Explorer for customers running Windows XP or who have disabled Internet Explorer Protected Mode. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue... The vulnerability exists due to content being forced to render incorrectly from local files in such a way that information can be exposed to malicious websites...
Workarounds: Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified...
Windows XP... Enable Internet Explorer Network Protocol Lockdown using automated Microsoft Fix It
See Microsoft Knowledge Base Article 980088* to use the automated Microsoft Fix it solution to enable or disable this workaround...
* http://support.microsoft.com/kb/980088
Impact of workaround. HTML content from UNC paths in the Internet / Local Intranet / Restricted zones will no longer automatically run script or ActiveX controls..."

(More detail at the URL above.)

- http://blogs.technet.com/msrc/archive/2010/02/03/security-advisory-980088-released.aspx
February 03, 2010 - "... At this time we are not aware of any attacks seeking to use the vulnerability..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0255
Last revised: 02/05/2010
CVSS v2 Base Score: 9.3 (HIGH)

- http://secunia.com/advisories/38416/2/
Release Date: 2010-02-04
Critical: Moderately critical
Impact: Exposure of system information, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 5.01, 6.x, 7.x, 8.x
Solution: Enable Network Protocol Lockdown for Windows XP, and Protected Mode on Windows Vista and later. Please see the vendor's advisory for more information...

- http://www.securityfocus.com/bid/38056
- http://www.symantec.com/security_response/threatconlearn.jsp
"... The vulnerability is trivially exploitable and is likely to be exploited in the wild..."

MS Security Bulletin Advance Notification - February 2010

FYI...

MS Patch Tuesday pre-Release
- http://isc.sans.org/diary.html?storyid=8155
Last Updated: 2010-02-04 23:42:30 UTC - "Microsoft announced earlier today that they will be releasing a total of 13 bulletins next Tuesday... These bulletins will fix 26 different vulnerabilities. The bulletins affect all versions of Windows.
- http://www.microsoft.com/technet/security/Bulletin/MS10-feb.mspx
The MSRC blog has a nice table summarizing the upcoming release.
- http://blogs.technet.com/msrc/archi...10-bulletin-release-advance-notification.aspx
The Internet Explorer issue released by Microsoft yesterday will -not- be patched." *
* http://forums.spybot.info/showpost.php?p=358499&postcount=112
