FYI...

- http://www.microsoft.com/technet/security/bulletin/ms07-apr.mspx
April 3, 2007
"...Summary...

...Critical (1)

Microsoft Security Bulletin MS07-017
Vulnerabilities in GDI Could Allow Remote Code Execution (925902)
- http://www.microsoft.com/technet/security/Bulletin/ms07-017.mspx
Executive Summary: This update resolves vulnerabilities in GDI that could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution ...

> http://update.microsoft.com/microsoftupdate

ISC Analysis
- http://isc.sans.org/diary.html?n&storyid=2562
Last Updated: 2007-04-03 18:06:53 UTC

.

FYI...

- http://isc.sans.org/diary.html?storyid=2565
Last Updated: 2007-04-04 00:38:52 UTC ~ "We have received several emails today from people who are having problems with the patch. One that is confirmed by Microsoft is the Realtek problem. Microsoft has been working on this problem and have provided a patch* for the problem..."
Other possible issues have been reported and are being investigated. Microsoft is asking anyone having problems after installing the patch to contact them at Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for the support relating to Microsoft Security Updates.
http://support.microsoft.com/ ."

* http://support.microsoft.com/kb/935448/
Last Review: April 3, 2007
Revision: 2.0
"...This problem may occur after you install security update 925902 (MS07-017) and security update 928843 (MS07-008). The Hhctrl.ocx file that is included in security update 928843 and the User32.dll file that is included in security update 925902 have conflicting base addresses. This problem occurs if the program loads the Hhctrl.ocx file before it loads the User32.dll file..."

.

FYI...

- http://www.microsoft.com/technet/security/bulletin/advance.mspx
Updated: April 5, 2007
"...On 10 April 2007 Microsoft is planning to release:

Security Updates
• -Four- Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates will require a restart.
• -One- Microsoft Security Bulletin affecting Microsoft Content Management Server. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.

Microsoft Windows Malicious Software Removal Tool
• Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.
Note that this tool will NOT be distributed using Software Update Services (SUS).

Non-security High Priority updates on MU, WU, WSUS and SUS
• Microsoft will release -2- NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).
• Microsoft will release -4- NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released..."

.

FYI...

MS07-017: Vulnerability in GDI could allow remote code execution
- http://support.microsoft.com/kb/925902
Last Review: April 6, 2007
Revision: 4.0 <<<
"...Note: As of April 5, 2007, Microsoft is aware of the following third-party programs that are affected by this problem:
• Realtek HD Audio Control Panel
• ElsterFormular 2006/2007
• TUGZip
• CD-Tag
If you receive a similar message when you use other programs, install the update that is mentioned in Microsoft Knowledge Base article 935448. If we confirm that other programs are affected by this problem, we will update Microsoft Knowledge Base article 935448* with more information..."
* http://support.microsoft.com/kb/935448/
Last Review: April 6, 2007
Revision: 3.0...

:fear:

FYI...

Microsoft Security Bulletin Summary for April 2007
- http://www.microsoft.com/technet/security/bulletin/ms07-apr.mspx
Updated: April 10, 2007
Version: 2.0
"...Critical (5)

Microsoft Security Bulletin MS07-017
Vulnerabilities in GDI Could Allow Remote Code Execution (925902)
- http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx
Executive Summary: This update resolves vulnerabilities in GDI that could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...

Microsoft Security Bulletin MS07-018
Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution (925939)
- http://www.microsoft.com/technet/security/Bulletin/MS07-018.mspx
Executive Summary: This update resolves vulnerabilities in Microsoft Content Management Server that could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS07-019
Vulnerability in Universal Plug and Play Could Allow Remote Code Execution (931261)
- http://www.microsoft.com/technet/security/Bulletin/MS07-019.mspx
Executive Summary: This update resolves a vulnerability in Universal Plug and Play that could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS07-020
Vulnerability in Microsoft Agent Could Allow Remote Code Execution (932168)
- http://www.microsoft.com/technet/security/Bulletin/MS07-020.mspx
Executive Summary: This update resolves a vulnerability in Microsoft Agent that could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution

Microsoft Security Bulletin MS07-021
Vulnerabilities in CSRSS Could Allow Remote Code Execution (930178)
- http://www.microsoft.com/technet/security/Bulletin/MS07-021.mspx
Executive Summary: This update resolves vulnerabilities in Windows Client/Server Run-time Subsystem (CSRSS) that could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...


Important (1)...

Microsoft Security Bulletin MS07-022
Vulnerability in Windows Kernel Could Allow Elevation of Privilege (931784)
- http://www.microsoft.com/technet/security/Bulletin/MS07-022.mspx
Executive Summary: This update resolves a vulnerability in Windows Kernel that could allow elevation of privilege.
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...

Revisions:
• V1.0 (April 3, 2007): Bulletin summary published for the release of MS07-17.
• V2.0 (April 10, 2007): Bulletin summary revised for the release of MS07-018, MS07-019, MS07-020, MS07-021, and MS07-022."
----------------------

ISC Analysis
- http://isc.sans.org/diary.html?storyid=2598
Last Updated: 2007-04-10 17:48:53 UTC

.

FYI...

- http://www.avertlabs.com/research/blog/?p=253
April 10, 2007 ~ "Some of these flaws may allow for remote code execution. McAfee Avert Labs is investigating all these zero-days. Today is Patch Tuesday for April. So, yes: this is yet another time that zero-day flaws have been published around a Patch Tuesday, possibly to maximize the public’s exposure to these flaws until the next month’s Patch Tuesday.
Update, 2pm PST
Further research by Avert Labs indicates that all but one of the Office zero-days reported yesterday result in denial of service. There is one heap-overflow flaw that might be exploited for code execution. We’ll keep you updated.
Update, 5pm PST
Avert Labs has been analyzing proof-of-concept code for a zero-day vulnerability in Microsoft Windows’s handling of HLP files. This is another heap-overflow flaw that might be exploited for code execution. Stay tuned."

- http://news.com.com/2102-1002_3-6175011.html?tag=st.util.print
Apr 10 2007 ~ "... McAfee is still investigating the security vulnerabilities. They may not actually all be new, said Dave Marcus, security research and communications manager at (McAfee). "Sometimes what people claim to be zero-days may in fact be related to something that's already known," he said. Should the three Office bugs be new, the tally of zero-day vulnerabilities in the productivity suite waiting for a fix would jump to five. Microsoft did not deliver any patches for Office on Tuesday*..."

* See: http://forums.spybot.info/showpost.php?p=79219&postcount=30
----------------------------------------

- http://www.theregister.com/2007/04/11/new_microsoft_zerodays/
11th April 2007 ~ "...Microsoft says it is investigating the reports and isn't aware of any customers being targeted by the flaws. It also reiterated an advisory* deeming .HLP files as unsafe unless the user is assured they are not malicious..."

Overview of unsafe file types in Microsoft products
* http://support.microsoft.com/kb/925330/en-us

- http://support.microsoft.com/kb/883260

:spider: :fear:

FYI...

- http://isc.sans.org/diary.html?storyid=2624
Last Updated: 2007-04-12 20:50:51 UTC ...(Version: 2)
"We received a couple emails today talking about the latest Microsoft Updates and the svchost service taking up 99% of CPU Utilization after applying them... One of the other handlers pointed me to this KB article* ...Take a look at that if you are affected..."

* http://support.microsoft.com/kb/916089/
Article ID: 916089
Last Review: April 9, 2007
Revision: -6.2-
"...SYMPTOMS
When you run Microsoft Windows Update to scan for updates or to apply updates to any applications that use Microsoft Windows Installer (MSI) 3.1 together with Windows Update, CPU utilization may reach 100 percent for prolonged periods... You may experience this problem when you try to scan for Microsoft Office updates. You may also experience this problem when you use the following update mechanisms:
• The Microsoft Update Web site
• Automatic Updates through the Internet or through Windows Server Update Services (WSUS)
• Microsoft Systems Management Server Inventory Tool for Microsoft Updates (SMS ITMU)
• Microsoft Baseline Security Analyzer (MBSA)
• Any application that performs update scans by using the offline scan CAB file (Wsusscan.cab) that uses the Windows Update Agent (WUA)..."

> http://support.microsoft.com/kb/927891/

Windows Installer 3.1 v2 (3.1.4000.2435) is available
> http://support.microsoft.com/kb/893803/
Article ID: 893803
Last Review: March 19, 2007
Revision: -4.3-

:rolleyes: :spider:

FYI...

Microsoft Security Advisory (935964)
Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution.
- http://www.microsoft.com/technet/security/advisory/935964.mspx
April 12, 2007 ~ "Microsoft is investigating new public reports of a limited attack exploiting a vulnerability in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2..."

> http://isc.sans.org/diary.html?storyid=2627
Last Updated: 2007-04-13 04:42:08 UTC ...(Version: 2)
"...Microsoft has a few suggested actions that can mitigate the risk with the caveat that some tools may break.
1. Disable remote management over RPC for the DNS server via a registry key setting.
2. Block unsolicited inbound traffic on ports 1024-5000 using IPsec or other firewall.
3. Enable the advanced TCP/IP Filtering options on the appropriate interfaces of the server..."

> http://www.us-cert.gov/current/#winrpc

> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1748
---------------------------------------------

- http://isc.sans.org/diary.html?storyid=2633
Last Updated: 2007-04-13 21:06:53 UTC ~ "...We have knowledge of a successful attack that occurred on April 4, 2007. This appears to be an opportunistic attack (instead of a targeted attack). So it's likely that others have been compromised as well. If you have a vulnerable MS DNS server (Win2K SP4 or Win2003 SP1 or SP2) accessible to the Internet and don't have ports above 1024 blocked, then you may have already been targeted in an attack. At this point, there seems to be a very small number of known compromises...
Update: If you have a large number of domain controllers and want to automate the disabling of RPC, check out this blog entry: http://preview.tinyurl.com/2ymwsv "
---------------------------------------------

- http://isc.sans.org/diary.html?storyid=2633
Last Updated: 2007-04-14 14:30:08 UTC ...(Version: 2)
"Update 2: We have two confirmed sources that were attacked on April 4th and 5th. Both were universities in the US. The initial report was from the Information Security Office at Carnegie Mellon University. Nice catch guys! The attacking source IP was the same in both cases: 61.63.227.125
Here is the attack details from the Carnegie Mellon folks. First, a TCP port scan to ports 1024-2048. Then a TCP connection to the right TCP port running the vulnerable RPC service. Shellcode binds to TCP port 1100. Attacker uploads a VBscript on this port and then runs it. VBscript downloads an executable DUP.EXE (MD5: a5ae220fec052a1f2cd22b4eb89a442e) from 203.66.151.92/images/. Executable is self-extracting and contains PWDUMP v5 and an associated DLL.
Update 3: There is now a publicly available exploit for this vulnerability in Metasploit 3"
-----------------------------------------------

- http://isc.sans.org/diary.html?storyid=2637
Last Updated: 2007-04-16 12:11:28 UTC ...(Version: 2)
"...UPDATE:
- Microsoft has now added that for users with valid authentication credentials, exploitation may be possible over port 445.
- A public exploit now appears to be available that supports the port 445 vector and support Windows 2003 Server SP2...
- Microsoft added to their advisory that DNS server local administration and configuration may not work if the computer name is 15 characters of longer. They suggest using the FQDN (Fully Qualified Domain Name) of the host to ensure this works correctly."
- http://www.microsoft.com/technet/security/advisory/935964.mspx
Revisions:
• April 15, 2007: Advisory “Suggested Actions” section updated to include additional information regarding TCP and UDP port 445 and the 15 character computer name known issue.

> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1748

> http://www.us-cert.gov/current/#rpcexpl

:fear:

FYI...

New Rinbot scanning for port 1025 DNS/RPC
- http://isc.sans.org/diary.html?storyid=2643
Last Updated: 2007-04-16 22:27:56 UTC ...(Version: 3)
"We are currently tracking a new version of the Rinbot worm that in addition to its regular scans, is also scanning for port 1025/tcp. Once connected, it attempts to do a Windows 2000 DnsservQuery, attempting to exploit the recent Microsoft DNS RPC vulnerability. Detection of this virus is currently very poor, and we are working with the AV vendors to improve this:
AhnLab-V3 2007.4.14.0 04.16.2007 Win32/IRCBot.worm.199680.I
AntiVir 7.3.1.52 04.16.2007 HEUR/Crypted
AVG 7.5.0.447 04.16.2007 Win32/CryptExe
DrWeb 4.33 04.16.2007 BackDoor.IRC.Sdbot.1299
eSafe 7.0.15.0 04.16.2007 Suspicious Trojan/Worm
Fortinet 2.85.0.0 04.16.2007 suspicious
Kaspersky 4.0.2.24 04.16.2007 Backdoor.Win32.VanBot.bx
Prevx1 V2 04.16.2007 Malware.Trojan.Backdoor.Gen
Symantec 10 04.16.2007 W32.Rinbot.A
Webwasher-Gateway 6.0.1 04.16.2007 Heuristic.Crypted

McAfee also has a writeup on this worm here*..."

* http://vil.nai.com/vil/content/v_142025.htm
---------------------------------------------------------

Microsoft Security Advisory (935964)
Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution.
- http://www.microsoft.com/technet/security/advisory/935964.mspx
Revisions:
• April 12, 2007: Advisory published.
• April 13, 2007: Advisory updated to include additional details about Windows Small Business Server. Mitigations also updated to include additional information regarding the affected network port range and firewall configuration. Additional details also provided for registry key mitigation values. .
• April 15, 2007: Advisory “Suggested Actions” section updated to include additional information regarding TCP and UDP port 445 and the 15 character computer name known issue.
• April 16, 2007: Advisory updated: Ongoing monitoring indicates that we are seeing a new attack that is attempting to exploit this vulnerability.
---------------------------

MSRC Blog entry re: MS DNS issue
- http://preview.tinyurl.com/2beczj
April 17, 2007 8:34 PM

:fear: