PDA

View Full Version : MS Alerts - Q2-2007



AplusWebMaster
2007-04-20, 03:53
FYI...

- http://www.microsoft.com/technet/security/advisory/935964.mspx
• April 19, 2007: Advisory updated: To provide information on Windows Live OneCare malware detection capability and to clarify that the registry key workaround provides protection to all attempts to exploit this vulnerability. Advisory also updated to provide additional data regarding exploitability through port 139*.

* "Block TCP and UDP port 445 and 139 as well as affected ports greater than 1024 by using IPsec on the affected systems"

---------
Identified Malware:
Silveras.A - http://www.microsoft.com/security/encyclopedia/details.aspx?Name=Exploit:Win32/Siveras.A

Silveras.B - http://www.microsoft.com/security/encyclopedia/details.aspx?Name=Exploit:Win32/Siveras.B

Silveras.C - http://www.microsoft.com/security/encyclopedia/details.aspx?Name=Exploit:Win32/Siveras.C

Silveras.D - http://www.microsoft.com/security/encyclopedia/details.aspx?Name=Exploit:Win32/Siveras.D

> http://atlas.arbor.net/service/tcp/139
-------------------------------------------------

- http://asert.arbornetworks.com/2007/04/nirbots-latest-move-ms-dns-exploits/
April 17, 2007 ~ "The latest turn in the Nirbot saga is that they’ve gone and incorporated the MS Windows DNS RPC interface exploit into their bot. We started seeing this in ATLAS starting Sunday evening GMT and it appears that this flood of MS DNS RPC exploits was seeded into an existing botnet. It appears that one of the public exploits was rolled into the bot over the weekend..."
-------------------------------------------------

New KB article to help deploy DNS remote RPC block workaround throughout enterprise
- http://preview.tinyurl.com/2a65ba
April 20, 2007 7:06 PM ~ "...You can find the KB at
http://support.microsoft.com/kb/936263 ..."
Last Review: April 21, 2007
Revision: 1.0

.

AplusWebMaster
2007-04-29, 16:44
FYI...

- http://isc.sans.org/diary.html?storyid=2699
Last Updated: 2007-04-29 12:04:19 UTC ~ "There’s been a lot of discussion over the last few hours regarding a Microsoft website that apparently got defaced. While the domain name has been taken offline, the defacement itself was rather obvious. Users browsing the page were shown a typical “0wn3d by” message with a picture taken of Bill Gates during what was probably his least pleasant visit to Belgium in 1998. The affected site displayed a remotely hosted image and the attacker’s nickname:

body onload="document.body.innerHTML='/p align=center//font size=7/Own3d by Cyber-Terrorist//font//img src=http://c2000.com/gifs!/billgates.jpg//p align=center//font size=7>--Cyb3rT--//font///p/';"//noscript/

The affected site was a subpage of ieak .microsoft .com where users could select a distribution license for the Internet Explorer Administration Kit. The server isn’t, however, located on the Microsoft network, but at a hosting partner. In addition, the source of the page mentions another third party as being responsible for the site’s development... This may be a small time issue, web site defacements have in the recent past often involved malicious code distribution. Being unavailable and looking a bit silly is one thing to reflect on a brand. Being involved in the distribution of a banking fraud trojan quite another."

AplusWebMaster
2007-05-03, 20:41
FYI...

- http://www.microsoft.com/technet/security/bulletin/advance.mspx
May 3, 2007
"...On Tuesday 8 May 2007 Microsoft is planning to release:

Security Updates
• -2- Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.
• -3- Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.
• -1- Microsoft Security Bulletin affecting Microsoft Exchange. The highest Maximum Severity rating for these is Critical. These updates will not require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.
• -1- Microsoft Security Bulletin affecting CAPICOM and BizTalk. The highest Maximum Severity rating for these is Critical. These updates will not require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool.

Microsoft Windows Malicious Software Removal Tool
• Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.
Note that this tool will NOT be distributed using Software Update Services (SUS).

Non-security High Priority updates on MU, WU, WSUS and SUS
• Microsoft will release -1- NON-SECURITY High-Priority Update for Windows on Windows Update (WU) and Software Update Services (SUS).
• Microsoft will release -6- NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS)..."

.

AplusWebMaster
2007-05-08, 21:06
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms07-may.mspx
Published: May 8, 2007
Version: 1.0
"...Critical (7)

Microsoft Security Bulletin MS07-023
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233)
- http://www.microsoft.com/technet/security/Bulletin/MS07-023.mspx
Executive Summary: This update resolves vulnerabilities in Microsoft Excel that could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...

Microsoft Security Bulletin MS07-024
Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232)
- http://www.microsoft.com/technet/security/Bulletin/MS07-024.mspx
Executive Summary: This update resolves vulnerabilities in Microsoft Word that could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...

Microsoft Security Bulletin MS07-025
Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873)
- http://www.microsoft.com/technet/security/Bulletin/MS07-025.mspx
Executive Summary: This update resolves a vulnerability in Microsoft Office that could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...

Microsoft Security Bulletin MS07-026
Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (931832)
- http://www.microsoft.com/technet/security/Bulletin/MS07-026.mspx
Executive Summary: This update resolves vulnerabilities in Microsoft Exchange that could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...

Microsoft Security Bulletin MS07-027
Cumulative Security Update for Internet Explorer (931768)
- http://www.microsoft.com/technet/security/Bulletin/MS07-027.mspx
Executive Summary: This update resolves vulnerabilities in Internet Explorer that could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...

Microsoft Security Bulletin MS07-028
Vulnerability in CAPICOM Could Allow Remote Code Execution (931906)
- http://www.microsoft.com/technet/security/Bulletin/MS07-028.mspx
Executive Summary: This update resolves a vulnerability in the Cryptographic API Component Object Model (CAPICOM) that could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...

Microsoft Security Bulletin MS07-029
Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution (935966)
- http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
Executive Summary: This update resolves a vulnerability in RPC on Windows DNS Server that could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...


Revisions:
• V1.0 (May 8, 2007)...


----------------------

ISC Analysis
- http://isc.sans.org/diary.html?storyid=2769
Last Updated: 2007-05-08 18:08:06 UTC

----------------------

- http://www.us-cert.gov/current/#microsoft_releases_may_security_bulletin
May 8, 2007 ~ "...Updates to address vulnerabilities in Microsoft Windows, Internet Explorer, Windows DNS RPC Interface, Office, Exchange, CAPICOM, and BizTalk... US-CERT strongly encourages users to review the bulletins and follow best-practice security policies to determine what updates should be applied."

.

AplusWebMaster
2007-05-11, 03:38
FYI...

- http://preview.tinyurl.com/24vtqw
May 10, 2007 (Computerworld) - "Hackers are using the file transfer component used by Windows Update to sneak malware past firewalls, Symantec researchers* said today. The Background Intelligent Transfer Service (BITS) is used by Microsoft Corp.'s operating systems to deliver patches via Windows Update. BITS, which debuted in Windows XP and is baked into Windows Server 2003 and Windows Vista, is an asynchronous file transfer service with automatic throttling -- so downloads don't impact other network chores. It automatically resumes if the connection is broken... Microsoft was unable to immediately respond to questions about unauthorized BITS use."

* http://preview.tinyurl.com/2dfohl

:fear: :mad: :spider:

AplusWebMaster
2007-05-11, 03:51
FYI...

- http://isc.sans.org/diary.html?storyid=2792
Last Updated: 2007-05-10 22:43:00 UTC ...(Version: 2) ~ "Some readers reported 99% CPU eaten up by svchost.exe after they had applied the recent batch of MS updates. Cause and effect are not quite clear, but a common thread seems to be that MS recommends a look at KBID 927891* and some readers have also pointed us to the WSUS Blog* where the same issue is mentioned. According to another ISC reader, to resolve the issue it is necessary to -first- apply 927891*, and then to do the WU client upgrade***..."

* http://support.microsoft.com/?kbid=927891

** http://blogs.technet.com/wsus/archive/2007/04/28/update-on.aspx

*** http://download.windowsupdate.com/v7/windowsupdate/redist/standalone/WindowsUpdateAgent30-x86.exe

:sick: :mad: :fear:

AplusWebMaster
2007-05-12, 04:35
- http://preview.tinyurl.com/ywkd4m
May 11, 2007 ~ "Windows XP systems are still locking up during patch update attempts -- even after users deployed the fix suggested by Microsoft. Symptoms of the long-running problem -- which the Windows Server Update Services (WSUS) team dubbed the "svchost/msi issue" -- include 100 percent CPU usage by svchost.exe and its multiple processes during Automatic Updates scanning, update downloads, and sometimes even if AU is simply enabled on a machine... Every month at patch time, Microsoft's support boards fill with complaints from users... "Disabling Automatic Updates resolves the issue. [What] did Microsoft just release?" A hotfix*, updated just Thursday, is available on the Microsoft support site... The fix can be downloaded* and installed manually on Windows XP and Windows Server 2003 systems. Users will also need to download and install the new stand-alone WSUS 3.0 client -- even those who don't rely on the enterprise-centric WSUS for updates -- to completely patch the problem... The new client and the WSUS update to version 3.0 will be available to WSUS on May 22. Like the hotfix, the client can also be downloaded manually and installed now. Instructions and a link to the download have been posted to the MSDN (Microsoft Developers Network) site**. Thursday and Friday, however, users poured out their frustration on the WSUS blog after installing the hotfix and updating the WSUS client. "I installed both WindowsXP-KB927891-v3-x86 and WindowsUpdateAgent30-x86 on Windows XP SP2 boxes configured to get updates from a WSUS 2.0 server. The problem still exists," said Summit Tuladhar in a comment to the blog. "Doesn't appear that the fixes address the issue I experience on multiple machines," said ltpolaris. "This is clearly a very serious worldwide issue," said Alan O'Riordan. "I will advise the disabling of the Automatic Updates until a clear resolution is found"..."

* http://support.microsoft.com/?kbid=927891

** http://msdn2.microsoft.com/en-us/library/aa387285.aspx

:fear: :sad:

---------------------------------------------------------
FYI... (something else to try)

> http://isc.sans.org/diary.html?storyid=2792
Last Updated: 2007-05-11 13:03:24 UTC ~ "...David from the UK (thanks David) writes the following on the svchost.exe issue.
"The problem is due to the Automatic Update Service which uses the Generic Host Service which runs a svchost.exe process. If you switch off the Automatic Update Service the problem with svchost.exe using 100% of the CPU cycles stops. Once you have done all of the updates you can switch the Automatic Updates Service back on."

.

AplusWebMaster
2007-05-17, 19:03
FYI...

- http://blogs.technet.com/msrc/archive/2007/05/16/ans-and-security-bulletin-updates.aspx
May 16, 2007 ~ "...This month we are announcing changes to our Advanced Notification Service (ANS) as well as some changes we are planning to make to the format of our security bulletins in June.
ANS changes:
...Customers have also told us that additional information would be even more helpful. Based on that, we are incorporating additional detail about the upcoming security updates. We plan to implement this change with June’s ANS release on Thursday, June 7... the ANS subset will contain the following for each bulletin and not be grouped by just the platform:
· Maximum Severity Rating
· Impact of Vulnerability
· Detection information
· Affected Software
Once the security bulletins are released on the second Tuesday of the month, the bulletin summary page will be updated with complete details...
Security Bulletin Design Changes:
...Goals:
· Move all applicable decision making information to the top of the page
· Create a table of affected products (instead of a list) with links to the download location of the updates
· Change the section titles to be more representative of the content under them
· Re-arrange content to areas that make them more intuitive to find
· Reduce some of the repetitive content in the bulletin...

Preview:
http://www.microsoft.com/technet/security/bulletin/ms07-016-example-of-new-layout.mspx ..."


.

AplusWebMaster
2007-05-22, 02:07
FYI...

- http://preview.tinyurl.com/ypm4qk
May 21, 2007 (Computerworld) - "Office 2007 users running Windows Vista may not have realized that their systems had not received several of this month's patches, Microsoft Corp. said last week when it acknowledged that its security update services had failed to deploy the fixes.
"We have updated the detection logic for the May 8th security and non-security updates for Office 2007," said Mark Griesi, a program manager with the Microsoft Security Response Center (MSRC), in an entry on the team's blog*. "In some cases, the original detection logic may not have offered the updates or the updates may not have been installed successfully on systems running Windows Vista," Griesi added. Only Vista users with Office 2007 on their hard drives who rely on Microsoft Update or Windows Server Update Services (WSUS) for patches were affected, Microsoft said. (Window Vista calls its baked-in update service "Windows Update," but it actually uses the Microsoft Update technology.) The updates that may not have been deployed two weeks ago included ones for Excel 2007 and Office 2007 in general. All were rated "important," the second-highest ranking in Microsoft's four-level threat system... Administrators running WSUS must reapprove the updates, and end users served by WSUS will also be prompted again to install the fixes if they weren't installed correctly when the bulletins were first released. Griesi urged users to run Windows Update or WSUS again to guarantee that Office 2007 is up to date..."

MSRC Blog entry:
* http://preview.tinyurl.com/2l3seu

> http://support.microsoft.com/?kbid=934233

> http://support.microsoft.com/kb/934873

:rolleyes::sad: