Old MS Alerts

AplusWebMaster
2009-11-10, 19:50
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-nov.mspx
November 10, 2009 - "This bulletin summary lists security bulletins released for November 2009..." (Total of -6-)

Critical -3-

Microsoft Security Bulletin MS09-063 - Critical
Vulnerability in Web Services on Devices API Could Allow Remote Code Execution (973565)
- http://www.microsoft.com/technet/security/bulletin/ms09-063.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-064 - Critical
Vulnerability in License Logging Server Could Allow Remote Code Execution (974783)
- http://www.microsoft.com/technet/security/bulletin/ms09-064.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-065 - Critical
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947)
- http://www.microsoft.com/technet/security/Bulletin/MS09-065.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Important -3-

Microsoft Security Bulletin MS09-066 - Important
Vulnerability in Active Directory Could Allow Denial of Service (973309)
- http://www.microsoft.com/technet/security/bulletin/ms09-066.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-067 - Important
Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (972652)
- http://www.microsoft.com/technet/security/bulletin/MS09-067.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office

Microsoft Security Bulletin MS09-068 - Important
Vulnerability in Microsoft Office Word Could Allow Remote Code Execution (976307)
- http://www.microsoft.com/technet/security/bulletin/MS09-068.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=7564
Last Updated: 2009-11-10 18:36:34 UTC
___

Severity summary and exploitability index
- http://blogs.technet.com/photos/msrcteam/images/3292868/original.aspx
November 10, 2009

Deployment priority
- http://blogs.technet.com/photos/msrcteam/images/3292871/original.aspx
November 10, 2009
___

MSRT
- http://support.microsoft.com/?kbid=890830
November 10, 2009 - Revision: 66.0
(Recent additions)
Win32/Bredolab - September 2009 (V 2.14) - Moderate
Win32/Daurso - September 2009 (V 2.14) - Moderate
Win32/FakeScanti - October 2009 (V 3.0) - Moderate
Win32/FakeVimes - November 2009 (V 3.1) - Moderate
Win32/PrivacyCenter - November 2009 (V 3.1) - Moderate

//

AplusWebMaster
2009-11-14, 03:50
FYI...

Microsoft Security Advisory (977544)
Vulnerability in SMB Could Allow Denial of Service
- http://www.microsoft.com/technet/security/advisory/977544.mspx
November 13, 2009 - "Microsoft is investigating new public reports of a possible denial of service vulnerability in the Server Message Block (SMB) protocol. This vulnerability cannot be used to take control of or install malicious software on a user’s system. However, Microsoft is aware that detailed exploit code has been published for the vulnerability. Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary... Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities..."

- http://isc.sans.org/diary.html?storyid=7597
Last Updated: 2009-11-14 02:36:34 UTC - "... Assuming that you block TCP ports 139 and 445 the only impact would be an internal attacker could disable affected systems until restarted. In the grand scheme of things this would not be a critical issue unless all of a sudden your servers had to be rebooted on a regular basis, in that case you may have bigger problems because the fox would already be in the henhouse. The list of affected systems is: Windows 7 for 32-bit Systems, Windows 7 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems (including Server Core), and Windows Server 2008 R2 for Itanium-based Systems..."

:clown:

AplusWebMaster
2009-11-21, 23:35
FYI...

0-Day IE exploit published
- http://www.symantec.com/connect/blogs/zero-day-internet-explorer-exploit-published
November 21, 2009 - "A new exploit targeting Internet Explorer was published to the BugTraq mailing list yesterday. Symantec has conducted further tests and confirmed that it affects Internet Explorer versions 6 and 7 as well. The exploit currently exhibits signs of poor reliability, but we expect that a fully-functional reliable exploit will be available in the near future... To minimize the chances of being affected by this issue, Internet Explorer users should ensure their antivirus definitions are up to date, disable JavaScript and only visit Web sites they trust until fixes are available from Microsoft."

- http://secunia.com/advisories/37448/2/
Release Date: 2009-11-23
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6.x, Microsoft Internet Explorer 7.x ...
Solution: Disable support for active scripting for all but trusted websites...

:fear::fear:

AplusWebMaster
2009-11-24, 14:49
FYI...

Microsoft Security Advisory (977981)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/977981.mspx
November 23, 2009 - "... Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 are affected. The vulnerability exists as an invalid pointer reference of Internet Explorer. It is possible under certain conditions for a CSS/Style object to be accessed after the object is deleted. In a specially-crafted attack, Internet Explorer attempting to access a freed object can lead to running attacker-supplied code. At this time, we are aware of no attacks attempting to use this vulnerability against Internet Explorer 6 Service Pack 1 and Internet Explorer 7. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers...
Mitigating Factors:
• Internet Explorer 8 is -not- affected.
• Protected Mode in Internet Explorer 7 in Windows Vista limits the impact of the vulnerability.
• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario..."
(Also see: Workarounds)

- http://www.us-cert.gov/current/#microsoft_internet_explorer_vulnerability
November 23, 2009

- http://blogs.iss.net/archive/IE%20CSS%200day.html
November 23, 2009 - "... For IE users, it is worthwhile to upgrade to IE8 if you haven't already."

- http://forums.spybot.info/showpost.php?p=348968&postcount=140
Updated: November 25, 2009

:fear:

AplusWebMaster
2009-11-26, 04:10
FYI...

MS updates requiring reboot delivered
- http://isc.sans.org/diary.html?storyid=7645
Last Updated: 2009-11-25 21:40:37 UTC - "... received updates from Microsoft in the last 24 hours (via Automatic Update or similar) that required a reboot. Microsoft has apparently updated several of their bulletins. Two of them are related to previous updates MSXML (v3.0 or v6.0), one with MSXML Core Services 4.0 SP2, one is additional daylight saving time updates, and the 4th is also daylight saving time-related and has to do with an error in the Date and Time control panel on Vista and Windows Server 2008. While it isn't unusual for Microsoft to make some minor updates to bulletins and patches (especially detection fixes) at times other than "Patch Tuesday" some of our readers (and some of us, handlers) were surprised by updates that required reboot.

References:
http://support.microsoft.com/kb/973685
http://support.microsoft.com/kb/973687
http://support.microsoft.com/kb/973688
http://support.microsoft.com/kb/976098
http://support.microsoft.com/kb/976470 ..."

:fear:

AplusWebMaster
2009-11-26, 15:52
FYI...

IE 0-day exploit released
- http://www.symantec.com/security_response/threatconlearn.jsp
Nov 26, 2009 - "An exploit has been released for the Metasploit framework that can be used to exploit the Microsoft Internet Explorer 'Style' Object Remote Code Execution Vulnerability. This exploit can leverage JavaScript heap-spray and .NET DLL memory-preparation techniques to achieve remote code execution. Customers who are prone to this issue are advised to disable JavaScript for untrusted websites. Also, setting Internet Explorer's security zone settings to high for the Internet zone will prevent the loading of .NET DLLs in Internet Explorer 7. For critical systems, consider upgrading to Internet Explorer 8, which is not vulnerable to this issue."

- http://www.pcworld.com/article/183190/attacks_appear_imminent_as_ie_exploit_is_improved.html
Nov 25, 2009

:fear::fear:

AplusWebMaster
2009-11-27, 06:33
FYI...

Microsoft Security Advisory (977981)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/977981.mspx
Updated: November 25, 2009
• V1.1 (November 25, 2009): Corrected the CVE reference, added a mitigating factor concerning Web-based attacks, and clarified the workaround involving DEP*.
* "... • Enable DEP for Internet Explorer 6 or Internet Explorer 7 via automated Microsoft Fix It. See Microsoft Knowledge Base Article 977981** to use the automated Microsoft Fix it solution to enable or disable this workaround...
Impact of workaround: Some browser extensions may not be compatible with DEP and may exit unexpectedly. If this occurs, you can disable the add-on, or revert the DEP setting using the Internet Control Panel. This is also accessible using the System Control panel..."
** http://support.microsoft.com/kb/977981

- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3672

- http://isc.sans.org/diary.html?storyid=7654
Last Updated: 2009-11-26 15:11:12 UTC - "... We strongly encourage all IE users to review the new information posted by MS, especially in light of workable exploits that are starting to surface on the web."
___

FIX: Microsoft Security Bulletin MS09-072 - Critical
Cumulative Security Update for Internet Explorer (976325)
- http://www.microsoft.com/technet/security/bulletin/MS09-072.mspx
Revisions:
• V1.0 (December 8, 2009): Bulletin published.
• V1.1 (December 9, 2009): Corrected a reference to Microsoft Knowledge Base Article 976749 in the section, Frequently Asked Questions (FAQ) Related to This Security Update. Also corrected, in the Security Update Deployment section, the registry key for verification of the update for Internet Explorer 7 for all supported x64-based editions of Windows XP.

:fear::fear:

AplusWebMaster
2009-12-02, 03:26
FYI...

Reports of issues with November Security Updates
- http://blogs.technet.com/msrc/archive/2009/12/01/reports-of-issues-with-november-security-updates.aspx
December 01, 2009 - "We’ve received questions about public reports that customers might be experiencing system issues with the November Security Updates (which some are referring to “Black Screen” issues). We’ve investigated these reports and found that our November Security Updates are not making changes to the system that these reports say are responsible for these issues. While these reports weren’t brought to us directly, from our research into them, it appears they’re saying that our security updates are making permission changes in the registry to the value for the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell key. We’ve conducted a comprehensive review of the November Security Updates, the Windows Malicious Software Removal Tool, and the non-security updates we released through Windows Update in November. That investigation has shown that none of these updates make any changes to the permissions in the registry. Thus, we don’t believe the updates are related to the “black screen” behavior described in these reports. We’ve also checked with our worldwide Customer Service and Support organization, and they’ve told us they’re not seeing “black screen” behavior as a broad customer issue. Because these reports were not brought to us directly, it’s impossible to know conclusively what might be causing a “black screen” in those limited instances where customers have seen it. However, we do know that “black screen” behavior is associated with some malware families such as Daonol*. This underscores the importance of our guidance to customers to contact our Customer Service and Support group any time they think they’re affected by malware or are experiencing issues with security updates. 
This enables us to determine what might be happening and take steps to help customers by documenting new malware families in our MMPC malware encyclopedia or documenting known issues in our security bulletins and the supporting Knowledge Base articles..."
* http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Daonol%20malware
Search Term = Daonol malware / 500 entries found

- http://isc.sans.org/diary.html?storyid=7672
Last Updated: 2009-12-02 16:43:47 UTC

:blink:

AplusWebMaster
2009-12-04, 05:33
FYI...

MS Security Bulletin Advance Notification - December 2009
- http://www.microsoft.com/technet/security/bulletin/MS09-dec.mspx
December 03, 2009 - "This is an advance notification of security bulletins that Microsoft is intending to release on December 8, 2009..." (Total of -6-)

Critical - 3

Bulletin 1
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Vulnerability Impact: Microsoft Windows

Bulletin 3
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Vulnerability Impact: Microsoft Office

Bulletin 4
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Vulnerability Impact: Microsoft Windows, Internet Explorer

Important - 3

Bulletin 5
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: Requires restart
Vulnerability Impact: Microsoft Windows

Bulletin 6
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Vulnerability Impact: Microsoft Windows

Bulletin 2
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Vulnerability Impact: Microsoft Windows, Microsoft Office

AplusWebMaster
2009-12-08, 19:31
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-dec.mspx
December 08, 2009 - "This bulletin summary lists security bulletins released for December 2009..." (Total of -6-)

Critical -3-

Microsoft Security Bulletin MS09-071 - Critical
Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318)
- http://www.microsoft.com/technet/security/bulletin/MS09-071.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-074 - Critical
Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183)
- http://www.microsoft.com/technet/security/bulletin/MS09-074.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office

Microsoft Security Bulletin MS09-072 - Critical
Cumulative Security Update for Internet Explorer (976325)
- http://www.microsoft.com/technet/security/bulletin/MS09-072.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows ...
Revisions:
• V1.0 (December 8, 2009): Bulletin published.
• V1.1 (December 9, 2009): Corrected a reference to Microsoft Knowledge Base Article 976749 in the section, Frequently Asked Questions (FAQ) Related to This Security Update. Also corrected, in the Security Update Deployment section, the registry key for verification of the update for Internet Explorer 7 for all supported x64-based editions of Windows XP.

Important -3-

Microsoft Security Bulletin MS09-069 - Important
Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (974392)
- http://www.microsoft.com/technet/security/bulletin/MS09-069.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-070 - Important
Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution (971726)
- http://www.microsoft.com/technet/security/bulletin/MS09-070.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-073 - Important
Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution (975539)
- http://www.microsoft.com/technet/security/bulletin/MS09-073.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Microsoft Office
___

Severity and Exploitability Index
- http://blogs.technet.com/photos/msrcteam/images/3299186/original.aspx
December 08, 2009

Deployment priority
- http://blogs.technet.com/photos/msrcteam/images/3299187/original.aspx
December 08, 2009
___

MSRT
- http://support.microsoft.com/?kbid=890830
December 8, 2009 - Revision: 67.0
(Recent additions)
Win32/FakeScanti - October 2009 (V 3.0) Moderate
Win32/FakeVimes - November 2009 (V 3.1) Moderate
Win32/PrivacyCenter - November 2009 (V 3.1) Moderate
Win32/Hamweq - December 2009 (V 3.2) Moderate
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=7711
Last Updated: 2009-12-10 19:42:30 UTC
___

Microsoft Office Project Memory Validation Vuln
- http://secunia.com/advisories/37588/2/
... Original Advisory: http://www.microsoft.com/technet/security/bulletin/MS09-074.mspx
___

Microsoft WordPad / Office Text Converters Memory Corruption Vuln
- http://secunia.com/advisories/37580/2/
... Original Advisory: http://www.microsoft.com/technet/security/bulletin/MS09-073.mspx
___

Internet Explorer multiple vulns
- http://secunia.com/advisories/37448/2/
... Original Advisory: http://www.microsoft.com/technet/security/Bulletin/MS09-072.mspx
___

Microsoft Windows Internet Authentication Service Vuln
- http://secunia.com/advisories/37579/2/
... Original Advisory: http://www.microsoft.com/technet/security/bulletin/MS09-071.mspx

Microsoft Windows MS-CHAP Authentication Bypass
- http://secunia.com/advisories/37543/2/
... Original Advisory: http://www.microsoft.com/technet/security/bulletin/MS09-071.mspx
___

Microsoft Windows Local Security Authority Subsystem DoS
- http://secunia.com/advisories/37524/2/
... Original Advisory: http://www.microsoft.com/technet/security/Bulletin/MS09-069.mspx
___

AplusWebMaster
2009-12-09, 13:55
FYI...

Microsoft Security Advisory (977981)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/977981.mspx
Updated: December 08, 2009 - "Microsoft has completed investigating public reports of this vulnerability. We have issued Microsoft Security Bulletin MS09-072* to address this issue..."
* http://www.microsoft.com/technet/security/bulletin/ms09-072.mspx

Microsoft Security Advisory (974926)
Credential Relaying Attacks on Integrated Windows Authentication
- http://www.microsoft.com/technet/security/advisory/974926.mspx
December 08, 2009 - "This advisory addresses the potential for attacks that affect the handling of credentials using Integrated Windows Authentication (IWA), and the mechanisms Microsoft has made available for customers to help protect against these attacks..."

Microsoft Security Advisory (973811)
Extended Protection for Authentication
- http://www.microsoft.com/technet/security/advisory/973811.mspx
Updated: December 08, 2009 - "Microsoft is announcing the availability of a new feature, Extended Protection for Authentication, on the Windows platform..."

Microsoft Security Advisory (954157)
Security Enhancements for the Indeo Codec
- http://www.microsoft.com/technet/security/advisory/954157.mspx
December 08, 2009 - "... customers who do not have a use for the codec may choose to take an additional step and deregister the codec completely. Deregistering the codec would remove all attack vectors that leverage the Indeo codec. See Microsoft Knowledge Base Article 954157* for directions on how to deregister the codec..."
* http://support.microsoft.com/kb/954157

:fear:

AplusWebMaster
2009-12-10, 23:15
Also now showing up at the MS Update site:

AppCompat update for Indeo codec
- http://support.microsoft.com/kb/955759
December 9, 2009 - Revision: 3.0
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4311
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4310
Last revised: 12/15/2009

Extended Protection for Authentication in Microsoft Windows HTTP Services (WinHTTP)
- http://support.microsoft.com/kb/971737
December 8, 2009 - Revision: 1.0

Extended Protection for Authentication in the HTTP Protocol Stack (http.sys)
- http://support.microsoft.com/kb/970430
December 8, 2009 - Revision: 1.0

:secret:

AplusWebMaster
2009-12-28, 12:17
FYI...

New Reports of a Vulnerability in IIS
- http://blogs.technet.com/msrc/archive/2009/12/27/new-reports-of-a-vulnerability-in-iis.aspx
December 27, 2009 - "On Dec. 23 we were made aware of a new claim of a vulnerability in Internet Information Services (IIS). We are still investigating this issue and are not aware of any active attacks but wanted to let customers know that our initial assessment shows that the IIS web server must be in a non-default, unsafe configuration in order to be vulnerable. An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions which does not align with best practices or guidance Microsoft provides for secure server configuration. Customers using out of the box configurations and who follow security best practices are at reduced risk of being impacted by issues like this. Once we’re done investigating, we will take appropriate action to help protect customers...
IIS 6.0 Security Best Practices
http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx
Securing Sites with Web Site Permissions
http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx
IIS 6.0 Operations Guide
http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx
Improving Web Application Security: Threats and Countermeasures
http://msdn.microsoft.com/en-us/library/ms994921.aspx ..."

- http://isc.sans.org/diary.html?storyid=7819
Last Updated: 2009-12-28 15:36:57 UTC (Version: 3) - "... they (MS) note that if the administrator had not altered the default configuration and followed best practices in the securing of the webserver, then this exploit wouldn't work. Unfortunately, we know that doesn't always wind up being the case..."

8 Basic Rules to Implement Secure File Uploads
- https://blogs.sans.org/appsecstreetfighter/2009/12/28/8-basic-rules-to-implement-secure-file-uploads/
December 28, 2009

- http://secunia.com/advisories/37831/2/
Last Update: 2009-12-28
Critical: Less critical
Impact: Security Bypass, System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Information Services (IIS) 6
Solution: Restrict file uploads to trusted users only and remove "execute" permissions for upload directories...

- http://learn.iis.net/page.aspx/583/secure-content-in-iis-through-file-system-acls/
Updated on December 23, 2009

:fear::fear:

AplusWebMaster
2009-12-29, 19:16
FYI...

IIS vuln - Metasploit added...
- http://www.symantec.com/connect/blogs/metasploit-releases-module-iis-local-file-include-vulnerability
December 29, 2009 - "... There are varying reports on the severity of this issue, but according to Microsoft only poorly configured Web servers are at risk from this issue: “An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions which does not align with best practices or guidance Microsoft provides for secure server configuration.”
Essentially your site is at risk if it:
1. Runs on IIS.
2. Allows files to be uploaded.
3. Has execute permissions for the directory where the uploaded files are stored.
On December 28, Metasploit added support into their framework to allow exploitation of this issue. This makes it trivial to compromise badly configured servers as outlined above. This development could see a rise in exploitation of this issue..."

:fear::fear:

AplusWebMaster
2009-12-30, 11:30
FYI...

Results of Investigation into Holiday IIS Claim
* http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx
December 29, 2009 - "... there is an inconsistency in IIS 6 only in how it handles semicolons in URLs. It’s this inconsistency that the claims have focused on, saying this enables an attacker to bypass content filtering software to upload and execute code on an IIS server. The key in this is the last point: for the scenario to work, the IIS server must already be configured to allow both “write” and “execute” privileges on the same directory. This is not the default configuration for IIS and is contrary to all of our published best practices. Quite simply, an IIS server configured in this manner is inherently vulnerable to attack. However, customers who are using IIS 6.0 in the default configuration or following our recommended best practices don’t need to worry about this issue. If, however, you are running IIS in a configuration that allows both “write” and “execute” privileges on the same directory like this scenario requires, you should review our best practices and make changes to better secure your system from the threats that configuration can enable. Once again, here’s a list of best practices resources:
· IIS 6.0 Security Best Practices
http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx
· Securing Sites with Web Site Permissions
http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx
· IIS 6.0 Operations Guide
http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx
· Improving Web Application Security: Threats and Countermeasures
http://msdn.microsoft.com/en-us/library/ms994921.aspx
The IIS folks are evaluating a change to bring the behavior of IIS 6.0 in line with the other versions. In the meantime, they’ve put more information up about this on their weblog*..."
* http://blogs.iis.net/nazim/archive/2009/12/29/public-disclosure-of-iis-security-issue-with-semi-colons-in-url.aspx
December 29, 2009

- http://secunia.com/advisories/37831/2/
Last Update: 2009-12-30

- http://securitytracker.com/alerts/2009/Dec/1023387.html
Updated: Dec 29 2009

- http://www.theregister.co.uk/2009/12/30/iis_web_server_bug_rebuttal/
30 December 2009 - "... Microsoft's nothing-to-worry-about-please-move-along advisory, which helpfully provides links to best practice web server security guidelines, can be found here*."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4444

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4445

:fear::fear:

AplusWebMaster
2010-01-08, 01:17
FYI...

MS Bulletin Advance Notification - January 2010
- http://www.microsoft.com/technet/security/Bulletin/MS10-jan.mspx
January 7, 2010 - "This is an advance notification of security bulletins that Microsoft is intending to release on January 12, 2010..."
(Total of -1-)

Critical -1-

Bulletin 1
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Vulnerability Impact: Microsoft Windows

- http://blogs.technet.com/msrc/archive/2010/01/07/january-2010-bulletin-release-advance-notification.aspx
January 7, 2010

:fear:

AplusWebMaster
2010-01-08, 16:33
FYI...

Observations on Rootkits
- http://blogs.technet.com/mmpc/archive/2010/01/07/some-observations-on-rootkits.aspx
January 07, 2010 - "Getting hit by a live rootkit infection is among the more unfortunate fates that can befall an unsuspecting computer user. A rootkit burrows deep into the system, modifying it at a low-level in order to hide itself and other malware, and from there fights off attempts at deactivation and removal. While real-time protection can block the rootkit from becoming active to begin with, if the computer is already infected by a rootkit, things get more interesting. Antimalware technologies must use sophisticated techniques to scan for and detect, and finally to remove, a lurking rootkit. In reviewing the telemetry we receive from some of our antirootkit-related features, a few interesting things stand out.
How big is the rootkit problem?
Of all infections reported from client machines, low-level rootkits represent about 7% of infections...
We expect that malware authors will continue to seek ways to fly under the radar, just as we will continue to evolve our protection technologies to stay one step ahead of the bad guys. Regardless, here are a couple tips to avoid getting hit by a rootkit:
• Keep real-time protection enabled
While running up-to-date antimalware software is essential, it does little good if you turn off the real-time protection feature. If you lower your defenses and a rootkit does get through, finding and removing it can be a tricky endeavor. Keep your defenses up and you're much less likely to have headaches down the road.
• Run 64-bit Windows
For the time being, it appears that currently, users running 64 bit Windows are less likely to be compromised by rootkits. While the threat landscape is constantly evolving, for now you can breathe a lot easier if you're running 64-bit Windows. If you have a choice, go with 64-bit..."

(More detail available at the URL above.)

BlackLight
- http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/blacklight/index.html


AplusWebMaster
2010-01-12, 20:30
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS10-jan.mspx
January 12, 2010 - "This bulletin summary lists security bulletins released for January 2010..."
(Total of -1-) [See "Affected Software" at URL above.]

Critical -1-

Microsoft Security Bulletin MS10-001 - Critical
Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (972270*)
- http://www.microsoft.com/technet/security/bulletin/MS10-001.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows
* http://support.microsoft.com/kb/972270
___

Severity and exploitability index
- http://blogs.technet.com/photos/msrcteam/images/3305166/original.aspx

Deployment Priority
- http://blogs.technet.com/photos/msrcteam/images/3305167/original.aspx
___

MSRT
- http://support.microsoft.com/?kbid=890830
January 12, 2010 - Revision: 68.0
(Recent additions)
Win32/FakeScanti - October 2009 (V 3.0) Moderate
Win32/FakeVimes - November 2009 (V 3.1) Moderate
Win32/PrivacyCenter - November 2009 (V 3.1) Moderate
Win32/Hamweq - December 2009 (V 3.2) Moderate
Win32/Rimecud - January 2010 (V 3.3) Moderate

- http://blogs.technet.com/mmpc/archive/2010/01/19/win32-rimecud-msrt-s-success-story-in-january-2010.aspx
January 19, 2010
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=7954
Last Updated: 2010-01-12 18:29:33 UTC

AplusWebMaster
2010-01-13, 02:52
FYI...

Microsoft Security Advisory (979267)
Vulnerabilities in Adobe Flash Player 6 Provided in Windows XP Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/979267.mspx
January 12, 2010 - "Microsoft is aware of reports of vulnerabilities in Adobe Flash Player 6 provided in Windows XP. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time but recommend that users install the latest version of Flash Player* provided by Adobe..."
* http://get.adobe.com/flashplayer/
December 8, 2009 - Flash Player v10.0.42.34

MS Windows Flash Player multiple vulnerabilities
- http://secunia.com/advisories/27105/2/
Release Date: 2010-01-12
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
OS: Microsoft Windows XP Home Edition, Microsoft Windows XP Professional
Solution: Uninstall the bundled version of Flash Player and optionally install the latest supported version of Flash Player from Adobe...
Original Advisory:
Secunia Research: http://secunia.com/secunia_research/2007-77/
Other References: How to remove the Flash Player ActiveX control:
http://kb2.adobe.com/cps/127/tn_12727.html
How to uninstall the Adobe Flash Player plug-in and ActiveX control:
http://kb2.adobe.com/cps/141/tn_14157.html


AplusWebMaster
2010-01-15, 02:48
FYI...

0-day vuln in IE 6, 7 and 8
- http://isc.sans.org/diary.html?storyid=7993
Last Updated: 2010-01-14 22:19:56 UTC

MS IE arbitrary code execution
- http://secunia.com/advisories/38209/2/
Release Date: 2010-01-15
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6.x, Microsoft Internet Explorer 7.x, Microsoft Internet Explorer 8.x
Solution: Do not browse untrusted websites or follow untrusted links.
Provided and/or discovered by: Reported as a 0-day.
Original Advisory: Microsoft (KB979352):
http://www.microsoft.com/technet/security/advisory/979352.mspx
http://blogs.technet.com/msrc/archive/2010/01/14/security-advisory-979352.aspx
Other References: US-CERT VU#492515:
http://www.kb.cert.org/vuls/id/492515

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0249
Last revised: 01/15/2010

Microsoft Security Advisory (979352)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/979352.mspx
January 14, 2010 - "Microsoft is investigating a report of a publicly exploited vulnerability in Internet Explorer. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue. Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 -are- affected. The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution. At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer. We will continue to monitor the threat environment and update this advisory if this situation changes..."

- http://blogs.technet.com/msrc/archive/2010/01/14/security-advisory-979352.aspx
January 14, 2010 - "Based upon our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks... We released Security Advisory 979352 to provide customers with actionable guidance and tools to help with protections against exploit of this vulnerability..."

- http://support.microsoft.com/kb/979352#FixItForMeAlways
January 14, 2010 - "... We have also created an application compatibility database that will enable Data Execution Prevention (DEP) for all versions of Internet Explorer. You do -not- need this database if you are using Internet Explorer 8 on Windows XP Service Pack 3 (SP3) or on Windows Vista SP1 or later versions. This is because Internet Explorer 8 opts-in to DEP by default on these platforms. To enable or disable DEP automatically, click the Fix it button or link..."

- http://www.krebsonsecurity.com/2010/01/mcafee-ie-0day-fueled-attacks-on-google-adobe/
January 14, 2010


AplusWebMaster
2010-01-15, 23:04
FYI...

(IE 0-day) Exploit code available for CVE-2010-0249
- http://isc.sans.org/diary.html?storyid=8002
Last Updated: 2010-01-15 21:35:51 UTC - "The details for CVE-2010-0249* aka Microsoft Security Advisory 979352 ( http://www.microsoft.com/technet/security/advisory/979352.mspx ) aka the Aurora exploit has been made public. It is a vulnerability in mshtml.dll that works as advertised on IE6 but if DEP is enabled on IE7 or IE8 the exploit does not execute code. I expect Microsoft will have a patch available for the standard February patch day. There will not likely be an out-of-band patch for this unless a 3rd party makes their own available."

* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0249
Last revised: 01/15/2010

- http://www.symantec.com/security_response/threatconlearn.jsp
"The ThreatCon is currently at Level 2: Elevated...
Microsoft has released a security advisory and mitigation for a new unpatched vulnerability affecting Internet Explorer... On January 14, 2009, the Metasploit exploitation framework added an exploit for the bug that would allow an attacker to gain control of the system. Availability of this exploit will increase the chance of in-the-wild exploitation of this issue..."

- http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-ie-0day-vulnerability.aspx
January 15, 2010


AplusWebMaster
2010-01-19, 04:04
FYI...

MS IE Advisory 979352 Update - January 18
- http://blogs.technet.com/msrc/archive/2010/01/18/advisory-979352-update-for-monday-january-18.aspx
January 18, 2010 - "... earlier today, we were made aware of reports that researchers have developed Proof-of-Concept (PoC) code that exploits this vulnerability on Internet Explorer 7 on Windows XP and Windows Vista. We are actively investigating, but cannot confirm, these claims. Today we also published a guidance page, including an online video, for home users who may be confused, or concerned, about this security vulnerability and want to know what they should do to protect themselves from the known attacks. This page is located here*..."
* http://www.microsoft.com/security/updates/ie.aspx
"Microsoft has determined that one of the technologies used in the recent criminal attacks against Google and other corporate networks was Internet Explorer 6. Customers using Internet Explorer 8 are not affected by currently known attacks. We recommend that anyone not already using Internet Explorer 8 upgrade immediately. Internet Explorer 8 offers many additional security protections..."
- http://www.microsoft.com/ie


AplusWebMaster
2010-01-19, 22:21
FYI...

IE - out-of-cycle patch coming...
- http://isc.sans.org/diary.html?storyid=8017
Last Updated: 2010-01-19 20:10:13 UTC - "No, there still isn't a patch, but there will be one before the regular Microsoft patch day in February. The MSRC has posted a note on their blog* saying the timing will be announced tomorrow. In the meantime, we are hearing that the folks at VUPEN have found a way to bypass DEP as long as javascript is enabled (no, this doesn't appear to be the .NET ones from last year) which would make even IE8 vulnerable, we don't have the details at present, but if true this is a major development. This is a concern since Microsoft's advice is for those using IE6 and IE7 to move to IE8 where DEP is on by default. In any event, we continue to monitor the situation."
* http://blogs.technet.com/msrc/archive/2010/01/19/security-advisory-979352-going-out-of-band.aspx
January 19, 2010 - "We wanted to provide a quick update on the threat landscape and announce that we will release a security update out-of-band to help protect customers from this vulnerability... We take the decision to go out-of-band very seriously given the impact to customers, but we believe releasing an update out-of-band update is the right decision at this time. We will provide the specific timing of the release tomorrow..."

- http://securitylabs.websense.com/content/Blogs/3534.aspx
01.19.2010 - "... Our ThreatSeeker network has identified two more malicious URLs that are used in live attacks, this time hxxp ://201002.[REMOVED]:2988/log/ie .html and hxxp ://m.[REMOVED].net:81/m/index .html. According to reports from our friends at Ahnlab, the second URL was spread through the Instant Messenger network Misslee Messenger, a popular IM client in South Korea... Due to the attention the new vulnerability has received, Microsoft has announced that they will release an out-of-band patch for Internet Explorer..."

- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100119
2010-01-19

- http://www.microsoft.com/technet/security/advisory/archive.mspx
Updated: January 18, 2010


AplusWebMaster
2010-01-20, 21:12
FYI...

MS10-002 tomorrow...
- http://blogs.technet.com/msrc/archive/2010/01/20/advance-notification-for-out-of-band-bulletin-release.aspx
January 20, 2010 - "... we will be releasing MS10-002 tomorrow, January 21st, 2010. We are planning to release the update as close to 10:00 a.m. PST (UTC -8) as possible. This is a standard cumulative update, accelerated from our regularly scheduled February release, for Internet Explorer with an aggregate severity rating of Critical. It addresses the vulnerability related to recent attacks against Google and small subset of corporations, as well as several other vulnerabilities... Today we also updated Security Advisory 979352* to include technical details addressing additional customer questions..."
* http://www.microsoft.com/technet/security/advisory/979352.mspx
• V1.2 (January 20, 2010): Revised Executive Summary to reflect the changing nature of attacks attempting to exploit the vulnerability. Clarified information in the Mitigating Factors section for Data Execution Prevention (DEP) and Microsoft Outlook, Outlook Express, and Windows Mail. Clarified several Frequently Asked Questions to provide further details about the vulnerability and ways to limit the possibility of exploitation. Added "Enable or disable ActiveX controls in Office 2007" and "Do not open unexpected files" to the Workarounds section.


AplusWebMaster
2010-01-21, 05:50
FYI...

Windows (all versions) 0-day vuln released...
- http://isc.sans.org/diary.html?storyid=8023
Last Updated: 2010-01-19 21:04:29 UTC - "In a posting to a public mailing list, Tavis Ormandy disclosed a zero day privilege escalation vulnerability in the Windows kernel. All versions of Windows, starting with Windows NT 3.1 up to and including Windows 7, are affected...
This is not a good month for Microsoft. Tavis disclosed the vulnerability to Microsoft about 6 months ago. Microsoft's monthly bulletins credited Tavis numerous times in the past for disclosing vulnerabilities."

(Mitigation instructions and more detail available at the URL above.)

- http://www.theregister.co.uk/2010/01/19/microsoft_escalation_bug/
19 January 2010

Microsoft Security Advisory (979682)
Vulnerability in Windows Kernel Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/979682.mspx
January 20, 2010 - "Microsoft is investigating new public reports of a vulnerability in the Windows kernel. We are not aware of attacks that try to use the reported vulnerability or of customer impact at this time. We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers..."
Revisions:
• V1.1 (January 22, 2010): Added links to Microsoft Knowledge Base Article 979682 in the Issue References table and Additional Suggestion Actions section. Added a link to Microsoft Knowledge Base Article 979682* to provide an automated Microsoft Fix it solution for the workaround, Disable the NTVDM subsystem.
* http://support.microsoft.com/kb/979682

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0232
Last revised: 01/22/2010
CVSS v2 Base Score: 6.6 (MEDIUM)

- http://blogs.technet.com/msrc/archive/2010/01/20/security-advisory-979682-released.aspx
January 20, 2010

- http://secunia.com/advisories/38265/2/
Release Date: 2010-01-20
Impact: Privilege escalation
Where: Local system
Solution Status: Unpatched...
Original Advisory:
http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html


AplusWebMaster
2010-01-21, 16:52
FYI...

More IE 0-Day exploit attacks...
- http://blog.trendmicro.com/new-ie-zero-day-exploit-attacks-continue/
Jan. 21, 2010 - "Trend Micro has identified new malware samples that exploit the still-unpatched Internet Explorer (IE) vulnerability. These samples have been detected as JS_ELECOM.C and HTML_COMLE.CXC . Further analysis... the new scripts are versions of JS_DLOADER.FIS (the only difference being the encryption techniques used), which was widely used in the recent and still ongoing attacks targeting major organizations like Google and Adobe. In line with this, Microsoft announced that it will release an out-of-band security update to fix the issue. It is highly advised that users immediately download the security patch once released..."
More here*...
* http://threatinfo.trendmicro.com/vinfo/web_attacks/Zero-Day_Internet_Explorer_Bug_Downloads_HYDRAQ.html

Malware-laced PDF files using "Operation Aurora" attacks (IE 0-day) subject as lure...
- http://www.f-secure.com/weblog/archives/00001863.html
January 21, 2010 - "... (SPAM) PDF file attachment which exploits the CVE-2009-4324 vulnerability in Adobe Reader (patched last week)..."


AplusWebMaster
2010-01-22, 00:07
Get this NOW...

MS Security Bulletin MS10-002 - Critical
Cumulative Security Update for Internet Explorer (978207)
- http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx
January 21, 2010
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

>>> http://update.microsoft.com/

- http://isc.sans.org/diary.html?storyid=8062
Last Updated: 2010-01-21 21:59:42 UTC

- http://secunia.com/advisories/38209/2/
Last Update: 2010-01-25
Critical: Extremely critical

- http://atlas.arbor.net/briefs/index#79796348
Severity: Extreme Severity
January 22, 2010 - "... attacks are being abused in the wild at present to download commonly seen malware in many cases. All sites using Windows should update immediately to remedy their security position.
Analysis: This is a major attack vector at present and we anticipate that it will continue to be for some time. Sites using Windows should review this update and push it out to all sites immediately to address this situation..."


- http://secunia.com/advisories/38209/3/
CVE reference:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4074
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0027
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0244
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0245
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0246
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0247
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0248

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0249
Last revised: 01/23/2010
CVSS v2 Base Score: 9.3 (HIGH)

AplusWebMaster
2010-01-26, 13:23
FYI...

“Aurora” exploit code: from Targeted Attacks to Mass Infection
- http://www.eset.com/threat-center/blog/2010/01/25/aurora-exploit-code-from-targeted-attacks-to-mass-infection
January 25, 2010 - "Last Thursday, Microsoft released an out-of-band update to fix the latest vulnerability in Internet Explorer. Since then, malware operators have been exploiting this vulnerability to install malware on thousands of PCs. So far, we have detected more than 650 different versions of the exploit code which is detected as Trojan.JS/Exploit.CVE-2010-0249... We have also identified more than 220 unique distribution points for the exploit code, mostly located in Asia. The countries which are seeing the majority of the attacks are China, Korea and Taiwan... At the time of analysis, the list of files to download and execute included 7 links, mostly online game password stealers. To sum up, if you happen to browse to a web page delivering the latest CVE-2010-0249 exploit code, and if you haven’t patched and are not using an up to date antivirus, you will end up with 8 different pieces of malware on your PC within seconds..."

- http://www.microsoft.com/technet/security/advisory/979352.mspx
"... issued MS10-002* to address this issue..."
* http://forums.spybot.info/showpost.php?p=356653&postcount=110

- http://blogs.technet.com/msrc/archive/2010/01/20/advance-notification-for-out-of-band-bulletin-release.aspx
Jan 21, 2010 - "... We are also aware that the vulnerability can be exploited by including an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file. Customers would have to open a malicious file to be at risk of exploitation... To be clear, applying the update for Internet Explorer addresses the issue across all products that may use mshtml.dll. Customers should install the update to be protected..."

products that use mshtml.dll
- http://support.microsoft.com/search/?adv=1
You have searched on: All products
1920 results ...


AplusWebMaster
2010-02-03, 23:56
FYI...

Microsoft Security Advisory (980088)
Vulnerability in Internet Explorer Could Allow Information Disclosure
- http://www.microsoft.com/technet/security/advisory/980088.mspx
February 03, 2010 - "Microsoft is investigating a publicly reported vulnerability in Internet Explorer for customers running Windows XP or who have disabled Internet Explorer Protected Mode. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue... The vulnerability exists due to content being forced to render incorrectly from local files in such a way that information can be exposed to malicious websites...
Workarounds: Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified...
Windows XP... Enable Internet Explorer Network Protocol Lockdown using automated Microsoft Fix It
See Microsoft Knowledge Base Article 980088* to use the automated Microsoft Fix it solution to enable or disable this workaround...
* http://support.microsoft.com/kb/980088
Impact of workaround. HTML content from UNC paths in the Internet / Local Intranet / Restricted zones will no longer automatically run script or ActiveX controls..."

(More detail at the URL above.)

- http://blogs.technet.com/msrc/archive/2010/02/03/security-advisory-980088-released.aspx
February 03, 2010 - "... At this time we are not aware of any attacks seeking to use the vulnerability..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0255
Last revised: 02/05/2010
CVSS v2 Base Score: 9.3 (HIGH)

- http://secunia.com/advisories/38416/2/
Release Date: 2010-02-04
Critical: Moderately critical
Impact: Exposure of system information, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 5.01, 6.x, 7.x, 8.x
Solution: Enable Network Protocol Lockdown for Windows XP, and Protected Mode on Windows Vista and later. Please see the vendor's advisory for more information...

- http://www.securityfocus.com/bid/38056
- http://www.symantec.com/security_response/threatconlearn.jsp
"... The vulnerability is trivially exploitable and is likely to be exploited in the wild..."


AplusWebMaster
2010-02-05, 00:54
FYI...

MS Patch Tuesday pre-Release
- http://isc.sans.org/diary.html?storyid=8155
Last Updated: 2010-02-04 23:42:30 UTC - "Microsoft announced earlier today that they will be releasing a total of 13 bulletins next Tuesday... These bulletins will fix 26 different vulnerabilities. The bulletins affect all versions of Windows.
- http://www.microsoft.com/technet/security/Bulletin/MS10-feb.mspx
The MSRC blog has a nice table summarizing the upcoming release.
- http://blogs.technet.com/msrc/archive/2010/02/04/february-2010-bulletin-release-advance-notification.aspx
The Internet Explorer issue released by Microsoft yesterday will -not- be patched." *
* http://forums.spybot.info/showpost.php?p=358499&postcount=112


AplusWebMaster
2010-02-09, 21:10
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS10-feb.mspx
February 09, 2010 - "This bulletin summary lists security bulletins released for February 2010..." (Total of -13-)

Critical -5-

Microsoft Security Bulletin MS10-006 - Critical
Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251)
- http://www.microsoft.com/technet/security/Bulletin/MS10-006.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS10-007 - Critical
Vulnerability in Windows Shell Handler Could Allow Remote Code Execution (975713)
- http://www.microsoft.com/technet/security/bulletin/MS10-007.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS10-008 - Critical
Cumulative Security Update of ActiveX Kill Bits (978262)
- http://www.microsoft.com/technet/security/bulletin/ms10-008.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS10-009 - Critical
Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145)
- http://www.microsoft.com/technet/security/Bulletin/MS10-009.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS10-013 - Critical
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (977935)
- http://www.microsoft.com/technet/security/bulletin/MS10-013.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Important -7-

Microsoft Security Bulletin MS10-003 - Important
Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution (978214)
- http://www.microsoft.com/technet/security/bulletin/MS10-003.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office

Microsoft Security Bulletin MS10-004 - Important
Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (975416)
- http://www.microsoft.com/technet/security/Bulletin/MS10-004.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office

Microsoft Security Bulletin MS10-010 - Important
Vulnerability in Windows Server 2008 Hyper-V Could Allow Denial of Service (977894)
- http://www.microsoft.com/technet/security/bulletin/MS10-010.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS10-011 - Important
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (978037)
- http://www.microsoft.com/technet/security/Bulletin/MS10-011.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS10-012 - Important
Vulnerabilities in SMB Server Could Allow Remote Code Execution (971468)
- http://www.microsoft.com/technet/security/Bulletin/MS10-012.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS10-014 - Important
Vulnerability in Kerberos Could Allow Denial of Service (977290)
- http://www.microsoft.com/technet/security/bulletin/MS10-014.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS10-015 - Important
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)
- http://www.microsoft.com/technet/security/Bulletin/MS10-015.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Moderate -1-

Microsoft Security Bulletin MS10-005 - Moderate
Vulnerability in Microsoft Paint Could Allow Remote Code Execution (978706)
- http://www.microsoft.com/technet/security/bulletin/ms10-005.mspx
Maximum Severity Rating: Moderate
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows
___

Severity and Exploitability Index
- http://blogs.technet.com/photos/msrcteam/images/3311615/original.aspx

Deployment Priority
- http://blogs.technet.com/photos/msrcteam/images/3311613/original.aspx
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=8197
Last Updated: 2010-02-09 19:28:42 UTC
___

MSRT
- http://support.microsoft.com/?kbid=890830
February 9, 2010 - Revision: 69.0
(Recent additions)
- http://www.microsoft.com/security/malwareremove/families.aspx
Win32/Hamweq - December 2009 (V 3.2) Moderate
Win32/Rimecud - January 2010 (V 3.3) Moderate
Win32/Pushbot - February 2010 (V 3.4) Severe
- http://go.microsoft.com/fwlink/?LinkId=40587
File Name: windows-kb890830-v3.4.exe
Version: 3.4
___

Secunia advisory references - MS Security Bulletins - Feb. 2010
MS10-003 - http://secunia.com/advisories/38481/2/
MS10-004 - http://secunia.com/advisories/38493/2/
MS10-004 - http://secunia.com/advisories/35115/2/
MS10-005 - http://secunia.com/advisories/36634/2/
MS10-006 - http://secunia.com/advisories/38500/2/
MS10-007 - http://secunia.com/advisories/38501/2/
MS10-008 - http://secunia.com/advisories/38485/2/
MS10-009 - http://secunia.com/advisories/38506/2/
MS10-010 - http://secunia.com/advisories/38508/2/
MS10-011 - http://secunia.com/advisories/38509/2/
MS10-012 - http://secunia.com/advisories/38510/2/
MS10-013 - http://secunia.com/advisories/38511/2/
MS10-014 - http://secunia.com/advisories/38512/2/
MS10-015 - http://secunia.com/advisories/38265/2/


AplusWebMaster
2010-02-11, 14:01
FYI...

Microsoft Security Advisory (979682)
Vulnerability in Windows Kernel Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/979682.mspx
Updated: February 09, 2010 - "... We have issued MS10-015* to address this issue..."
* http://blogs.technet.com/msrc/archive/2010/03/02/update-ms10-015-security-update-re-released-with-new-detection-logic.aspx
• V1.2 (March 2, 2010): Added an item to the Frequently Asked Questions (FAQ) About this Security Update to announce the offering of revised packages on Windows Update. Customers who have already successfully updated their systems do not need to take any action.
• V1.3 (March 17, 2010): Added verification registry keys for the revised packages released March 2, 2010 for Microsoft Windows 2000, Windows XP, and Windows Server 2003. This is an informational change only.

Microsoft Security Advisory (977377)
Vulnerability in TLS/SSL Could Allow Spoofing
- http://www.microsoft.com/technet/security/advisory/977377.mspx
2/9/2010 - "Microsoft is investigating public reports of a vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. At this time, Microsoft is not aware of any attacks attempting to exploit the reported vulnerability. As an issue affecting an Internet standard, we recognize that this issue affects multiple vendors... The TLS and SSL protocols are implemented in several Microsoft products, both client and server, and this advisory will be updated as our investigation continues... As part of this security advisory, Microsoft is making available a workaround which enables system administrators to disable TLS and SSL renegotiation functionality. However, as renegotiation is required functionality for some applications, this workaround* is not intended for wide implementation and should be tested extensively prior to implementation..."
* http://support.microsoft.com/kb/977377

- http://secunia.com/advisories/38365/2/
Release Date: 2010-02-09
Critical: Less critical
Solution Status: Unpatched
Original Advisory:
http://www.microsoft.com/technet/security/advisory/977377.mspx


AplusWebMaster
2010-02-11, 18:53
FYI...

- http://isc.sans.org/diary.html?storyid=8215
Last Updated: 2010-02-11 20:24:17 UTC - "UPDATE: I have been in contact with Microsoft and they have insured me that there were no updates done outside of their normal updates. They said that if the Auto Update was turned off - then NO updates were done. So the plot thickens. How is it that NO updates were done either by the software vendor or by Microsoft and yet the machines Blue Screened. Just what is it that happened to our Windows XP -and- Windows Vista machines that rendered them blue. I will update again as soon as more information becomes available from either Microsoft or the Vendor..."
Last Updated: 2010-02-11 19:12:54 UTC - Deborah Hale - "... I did finally get a call back from the company as well as a couple of emails indicating that the problem -was- a result of the Microsoft updates. This really puzzles me because most of our machines are setup to NOT download and install the updates for this very reason. We prefer to wait a few days after the update is released before we actually install. We prefer to wait to see if there are problems and give Microsoft an opportunity to fix it before it breaks computers. So my question is: "Did Microsoft force an update despite our auto updates being turned off?" I have verified that the majority of the computers APPEAR to have not had the patches applied. I have present(ed) this question to Microsoft and have no answer back yet. As soon as I do I will update..."

MS10-015 may cause Windows XP to blue screen
- http://isc.sans.org/diary.html?storyid=8209
Last Updated: 2010-02-11 14:56:42 UTC - "We have heard about reports that MS10-015* causes some Windows XP machines to blue screen. If you are seeing this issue, please let us know. (I am filling in for Deborah on this diary as she is ironically busy dealing with lots of blue screens in her organization, which may be related). See for example:
- http://www.krebsonsecurity.com/2010/02/new-patches-cause-bsod-for-some-windows-xp-users/
-and-
- http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/73cea559-ebbd-4274-96bc-e292b69f2fd1 "

Microsoft Security Bulletin MS10-015 - Important
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)
* http://www.microsoft.com/technet/security/Bulletin/MS10-015.mspx
• V1.1 (February 10, 2010): Corrected the verification registry key for all supported x64-based editions of Windows XP. This is an informational change only.

:sad::fear:

AplusWebMaster
2010-02-12, 03:30
FYI...

MSRC: Restart issues after installing MS10-015
- http://blogs.technet.com/msrc/archive/2010/02/11/restart-issues-after-installing-ms10-015.aspx
February 11, 2010 - "... we are aware that after installing the February security updates a limited number of users are experiencing issues restarting their computers. Our initial analysis suggests that the issue occurs after installing MS10-015 (KB977165). However, we have not confirmed that the issue is specific to MS10-015 or if it is an interoperability problem with another component or third-party software. Our teams are working to resolve this as quickly as possible. We also stopped offering this update through Windows Update as soon as we discovered the restart issues. However, those using enterprise deployment systems such as SMS or WSUS will still see and be able to deploy these packages... While we work to address this issue, customers who choose not to install the update can implement the workaround outlined in the bulletin. CVE-2010-0232 was publicly disclosed and we previously issued Security Advisory 979682 in response. Customers can disable the NTVDM subsystem as a workaround and we have provided an automated method of doing that with a Microsoft Fix It that you can find here:
http://support.microsoft.com/kb/979682 ..."

:fear:

AplusWebMaster
2010-02-12, 22:21
FYI...

MSRC - Update - Restart Issues After Installing MS10-015
- http://blogs.technet.com/msrc/archive/2010/02/12/update-restart-issues-after-installing-ms10-015.aspx
February 12, 2010 - "In our continuing investigation in to the restart issues related to MS10-015 that a limited number of customers are experiencing, we have determined that malware on the system can cause the behavior. We are not yet ruling out other potential causes at this time and are still investigating... This can be a difficult issue to solve once a computer is in an un-bootable state so we encourage customers who feel they have been impacted by this to contact our Customer Service and Support group... Keep an eye on this blog for more updates as we have them."

- http://www.krebsonsecurity.com/2010/02/rootkit-may-be-culprit-in-recent-windows-crashes/
February 12, 2010

:fear:

AplusWebMaster
2010-02-18, 15:34
FYI...

MS10-015 and the Alureon Rootkit
- http://blogs.technet.com/msrc/archive/2010/02/17/update-restart-issues-after-installing-ms10-015-and-the-alureon-rootkit.aspx
February 17, 2010 6:29 PM - "...Our investigation has concluded that the reboot occurs because the system is infected with malware, specifically the Alureon rootkit*. We were able to reach this conclusion after the comprehensive analysis of memory dumps obtained from multiple customer machines and extensive testing against third party applications and software. The restarts are the result of modifications the Alureon rootkit makes to Windows Kernel binaries, which places these systems in an unstable state. In every investigated incident, we have not found quality issues with security update MS10-015... While this issue could impact any 32bit Windows system that was infected with the malware, since reports are predominately on 32bit versions of Windows XP this test process is described at a high level focusing on that version in the... table (shown at the URL above)... the presence of Alureon does -not- allow for a successful boot of the compromised system. The Windows Engineering team continued testing different configurations, as well as retesting several third party applications, leading to our firm conclusion that the blue screen issue is the result of the Alureon rootkit. A malware compromise of this type is serious, and if customers cannot confirm removal of the Alureon rootkit using their chosen anti-virus/anti-malware software, the most secure recommendation is for the owner of the system to back up important files and completely restore the system from a cleanly formatted disk..."
* http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus:Win32/Alureon.A

[ > Of course, it never occurred to their marketing "genius" that they might think to use their own product to lay the groundwork for a clean install. Maybe this should be their blueprint/template for future MS Update rollouts - force the MSRT -first-. :- ( ]
- http://isc.sans.org/diary.html?storyid=8266
Last Updated: 2010-02-19 01:39:31 UTC
> http://www.prevx.com/blog/143/BSOD-after-MS-TDL-authors-apologize.html
2/16/2010

MS MMPC blog - February 17, 2010:
http://blogs.technet.com/mmpc/archive/2010/02/17/restart-issues-on-an-alureon-infected-machine-after-ms10-015-is-applied.aspx
"...For the most common system configuration (for machines using ATA hard disk drives), the ATA miniport driver ‘atapi.sys’ is the file which is targeted... ‘atapi.sys’ resides at the following location: %windir%\system32\drivers\atapi.sys "

(Was) Cleaned by the MSRT ( ... probably not now, since the malware authors have changed their footprint.)
- http://www.microsoft.com/security/malwareremove/families.aspx
• Alureon...
> http://go.microsoft.com/fwlink/?LinkId=40587
Date Published: 2/9/2010
File Name: windows-kb890830-v3.4.exe
Version: 3.4

:fear:

AplusWebMaster
2010-03-01, 03:12
FYI...

New win32hlp and IE issue
- http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx
February 28, 2010 - "On Friday 2/26/2010, an issue was posted publicly that could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop up dialog box. We are not aware of any attacks seeking to exploit this issue at this time and in the current state of our investigation, we have determined that users running Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista, are not affected by this issue. The issue in question involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what we refer to as “unsafe file types”. These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system. To help customers better understand unsafe file types, we have published a white paper on the topic which you can find by clicking this link*. Once we have completed our investigation, we will take appropriate action to protect customers..."
* http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=b7d03027-9791-443b-8bbe-0542b3aa4bfe

- http://secunia.com/advisories/38727/
Release Date: 2010-03-01
Criticality level: Moderately critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Systems affected: XP Home, XP Professional
Solution: Avoid pressing F1 on untrusted websites. Disable Active Scripting support

Also:
- http://isc.sans.org/diary.html?storyid=8329
"Microsoft will drop support for Vista (without any Service Packs) on April 13 and support for XP SP2 ends July 13. (i.e. no more security updates). If you are still running these, it is time to update."

:fear:

AplusWebMaster
2010-03-02, 02:30
FYI...

Microsoft Security Advisory (981169)
Vulnerability in VBScript Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/981169.mspx
March 01, 2010 - "Microsoft is investigating new public reports of a vulnerability in VBScript that is exposed on supported versions of Microsoft Windows 2000, Windows XP, and Windows Server 2003 through the use of Internet Explorer. Our investigation has shown that the vulnerability cannot be exploited on Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008. The main impact of the vulnerability is remote code execution. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.
The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer. If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user. On systems running Windows Server 2003, Internet Explorer Enhanced Security Configuration is enabled by default, which helps to mitigate against this issue. We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers...
Affected Software:
Microsoft Windows 2000 SP4, Windows XP SP2, Windows XP SP3, and Windows XP Pro x64 Edition SP2, Windows Server 2003 SP2, Windows Server 2003 SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition SP2..."

IE 0-day using .hlp files
- http://isc.sans.org/diary.html?storyid=8332
Last Updated: 2010-03-01 23:12:47 UTC

- http://preview.tinyurl.com/ybnajys
March 01, 2010 - MSRC Engineering

- http://securitytracker.com/alerts/2010/Mar/1023668.html
Mar 2 2010

- http://secunia.com/advisories/38916/
Release Date: 2010-03-11
Solution: Avoid pressing F1 inside documents or images placed in untrusted directories...

:fear:

AplusWebMaster
2010-03-03, 09:33
FYI...

MS10-015 re-released with new detection logic
- http://blogs.technet.com/msrc/archive/2010/03/02/update-ms10-015-security-update-re-released-with-new-detection-logic.aspx
March 02, 2010 - "... we have revised the installation packages for MS10-015 with new logic that prevents the security update from being installed on systems if certain abnormal conditions exist. Such conditions could be the result of an infection with a computer virus such as the Alureon rootkit. If these conditions are detected, the update will not be installed and the result will be a standard Windows Update error. If a user receives this error, they should go to the following landing page for additional help:
http://www.microsoft.com/security/updates/015
At this time, we have resumed offering the update to all affected systems via Automatic Updates. We have also released a Microsoft Fix It* as a standalone scanning tool that reports on the compatibility of a system with the MS10-015 update. The scanning tool can also be deployed through enterprise deployment systems allowing administrators to detect compatibility with the update before deploying broadly. The Fix It and deployment information are available at Microsoft Knowledge Base Article 980966..."
* http://support.microsoft.com/kb/980966
"... This Fix it solution does not resolve the issue. Instead, this Fix it solution only notifies you of a possible issue and suggests next steps..."

- http://www.microsoft.com/technet/security/bulletin/MS10-015.mspx?pubDate=2010-03-02
• V1.2 (March 2, 2010): Added an item to the Frequently Asked Questions (FAQ) About this Security Update to announce the offering of revised packages on Windows Update. Customers who have already successfully updated their systems do not need to take any action. [ KB 977165 ]

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0232
Last revised: 02/23/2010
CVSS v2 Base Score: 7.2 (HIGH)

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0233
Last revised: 02/16/2010
CVSS v2 Base Score: 7.2 (HIGH)

:fear:

AplusWebMaster
2010-03-05, 06:01
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms10-mar.mspx
March 04, 2010 - "This is an advance notification of security bulletins that Microsoft is intending to release on March 9, 2010..." (Total of -2-)

Important (2)

Bulletin 1
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Bulletin 2
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office

- http://blogs.technet.com/msrc/archive/2010/03/04/march-2010-bulletin-release-advance-notification.aspx
"... Both bulletins are rated Important and address a total of 8 vulnerabilities..."

MS to end support for Vista0 and XPSP2...
- http://isc.sans.org/diary.html?date=2010-03-01
2010-03-01 - "Microsoft will drop support for Vista (without any Service Packs) on April 13 and support for XP SP2 ends July 13. (i.e. no more security updates). If you are still running these, it is time to update."

:fear:

AplusWebMaster
2010-03-09, 20:54
FYI...

- https://www.microsoft.com/technet/security/bulletin/ms10-mar.mspx
March 09, 2010 - "This bulletin summary lists security bulletins released for March 2010..." (Total of -2-)

Important -2-

Microsoft Security Bulletin MS10-016 - Important
Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (975561)
- http://www.microsoft.com/technet/security/bulletin/ms10-016.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows, Microsoft Office

Microsoft Security Bulletin MS10-017 - Important
Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (980150)
- http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office

Deployment Priority
- http://blogs.technet.com/photos/msrcteam/images/3317885/original.aspx

Severity and Exploitability Index
- http://blogs.technet.com/photos/msrcteam/images/3317884/original.aspx

- http://blogs.technet.com/msrc/archive/2010/03/09/march-2010-security-bulletin-release.aspx
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=8392
Last Updated: 2010-03-09 18:10:05 UTC
___

MSRT
- http://support.microsoft.com/?kbid=890830
March 9, 2010 - Revision: 70.0
(Recent additions)
- http://www.microsoft.com/security/malwareremove/families.aspx
... added this release
• Helpud: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fHelpud

- http://go.microsoft.com/fwlink/?LinkId=40587
File Name: windows-kb890830-v3.5.exe
Version: 3.5
___

Movie Maker
- http://secunia.com/advisories/38791/
MS10-016

Excel
- http://secunia.com/advisories/38805/
MS10-017

.

AplusWebMaster
2010-03-10, 02:21
FYI...

Microsoft Security Advisory (981374)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/981374.mspx
March 09, 2010 | Updated: March 10, 2010 - "Microsoft is investigating new, public reports of a vulnerability in Internet Explorer 6 and Internet Explorer 7. Our investigation has shown that the latest version of the browser, Internet Explorer 8, is not affected. The main impact of the vulnerability is remote code execution. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue..."
- http://blogs.technet.com/msrc/archive/2010/03/09/security-advisory-981374-released.aspx
KB 981374:
- http://support.microsoft.com/kb/981374
See "APPLIES TO"...
• V1.1 (March 10, 2010): Restated the mitigation concerning the e-mail vector. Added a new workaround for disabling the peer factory class in iepeers.dll.

- http://blog.trendmicro.com/new-ie-zero-day-exploit-cve-2010-0806/
03/11/2010 - "... malicious JavaScript file as JS_SHELLCODE.CD... exploits CVE-2010-0806*"
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0806
Last revised: 03/11/2010
CVSS v2 Base Score: 9.3 (HIGH)

IE 0-day - IE6, IE7...
- http://www.krebsonsecurity.com/2010/03/microsoft-warns-of-internet-explorer-0day/
March 9, 2010

- http://secunia.com/advisories/38860/
Last Update: 2010-03-12
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: MS IE6, IE7 ...

Microsoft Security Advisory (973811)
Extended Protection for Authentication
- http://www.microsoft.com/technet/security/advisory/973811.mspx
August 11, 2009 | Updated: March 09, 2010 - "This advisory was released to announce to customers the release of a non-security update to make available a new feature, Extended Protection for Authentication, on the Windows platform...
• V1.3 (March 9, 2010): Updated the FAQ to announce the rerelease (see "Affected Software") of the update that enables Internet Information Services to opt in to Extended Protection for Authentication. For more information, see Known issues in Microsoft Knowledge Base Article 973917*
* ( http://support.microsoft.com/kb/973917 )
- http://support.microsoft.com/kb/973811

:fear:

AplusWebMaster
2010-03-13, 00:28
FYI...

Microsoft Security Advisory (981374)
Vulnerability in Internet Explorer Could Allow Remote Code Execution - IEv6-IEv7
- http://www.microsoft.com/technet/security/advisory/981374.mspx
Published: March 09, 2010 | Updated: March 12, 2010
• V1.2 (March 12, 2010): Added an automated Microsoft Fix it solution* to apply or undo the workaround for disabling the peer factory class on Windows XP or Windows Server 2003. (See "Workarounds")
* http://support.microsoft.com/kb/981374

- http://blogs.technet.com/msrc/archive/2010/03/12/update-on-security-advisory-981374.aspx
March 12, 2010 - "... we are working hard to produce an update which is now in testing..."

- http://www.sophos.com/support/knowledgebase/article/110399.html

:fear:

AplusWebMaster
2010-03-15, 14:34
FYI...

MS10-017-Excel-updated-fixed...
Non-English Text in Add or Remove Programs tool
- http://blogs.technet.com/office_sustained_engineering/archive/2010/03/12/non-english-text-in-add-or-remove-programs-tool.aspx
March 12, 2010 - "We have received reports from some of our Excel 2003 and Excel 2002 customers that after installing update KB978471 or KB978474, they are seeing non-English text in the Add or Remove Programs tool (WinXP) or the Programs and Features --> Installed Updates view (Vista, Win7). The title text being displayed for this update is Chinese Simplified. It’s very important to note that this cosmetic issue does not affect the functionality of the update. All of the security fixes in this bulletin (MS10-017) are included in the update. If English text in your Add or Remove Programs tool (WinXP) or the Programs and Features --> Installed Updates view (Vista, Win7) is a requirement, there is a two-part workaround available.
1. Un-install this update
2. Navigate to the link below and install a corrected version of the update from the Download Center.
EXCEL 2002: http://download.microsoft.com/download/5/B/7/5B7734BA-56C4-4BAD-8297-C399BE081880/officexp-KB978471-FullFile-ENU.exe
EXCEL 2003: http://download.microsoft.com/download/C/E/0/CE01DE50-B144-424C-BF19-A243927626BD/office2003-KB978474-FullFile-ENU.exe "

:sad:

AplusWebMaster
2010-03-19, 17:05
FYI...

IE 0-Day status: IEv6, IEv7...
- http://securitylabs.websense.com/content/Blogs/3585.aspx
03.19.2010 - "... Internet Explorer zero-day exploits are not new to the world: we have been suffering from them since the beginning of IE... Just a week after the exploit code was exposed to the world we have seen many variants come out..."

- http://www.microsoft.com/technet/security/advisory/981374.mspx
Updated: March 12, 2010
• V1.2 (March 12, 2010): Added an automated Microsoft Fix it* solution to apply or undo the workaround for disabling the peer factory class on Windows XP or Windows Server 2003.
* http://support.microsoft.com/kb/981374
Last Review: March 13, 2010 - Revision: 4.0

- http://secunia.com/advisories/38860
Last Update: 2010-03-15
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Internet Explorer 6.x, Microsoft Internet Explorer 7.x

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0806
Last revised: 03/16/2010
CVSS v2 Base Score: 9.3 (HIGH)

:fear::fear:

AplusWebMaster
2010-03-29, 22:39
FYI...

IE update to be released March 30, 2010
- http://www.microsoft.com/technet/security/bulletin/ms10-mar.mspx
March 29, 2010 - "This is an advance notification of an out-of-band security bulletin that Microsoft is intending to release on March 30, 2010. The bulletin is being released to address attacks against customers of Internet Explorer 6 and Internet Explorer 7... described in Microsoft Security Advisory 981374. The out-of-band security bulletin is a cumulative security update for Internet Explorer and will also contain fixes for privately reported vulnerabilities rated Critical on -all- versions of Internet Explorer that are not related to this attack..."

- http://blogs.technet.com/msrc/archive/2010/03/29/internet-explorer-cumulative-update-releasing-out-of-band.aspx
March 29, 2010 - "... Security Bulletin MS10-18 is a cumulative update, it will also address nine other vulnerabilities in Internet Explorer..."

:fear:

AplusWebMaster
2010-03-30, 19:14
FYI...

Microsoft Security Bulletin MS10-018 - Critical
Cumulative Security Update for Internet Explorer (980182)
- http://www.microsoft.com/technet/security/bulletin/ms10-018.mspx
March 30, 2010 - "This security update resolves nine privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer... The security update addresses these vulnerabilities by modifying the way that Internet Explorer verifies the origin of scripts and handles objects in memory, content using encoding strings, and long URL... This security update also addresses the vulnerability first described in Microsoft Security Advisory 981374..."
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Internet Explorer
* http://support.microsoft.com/kb/980182

Aggregate severity on Internet Explorer 6, 7, and 8
Graphic: http://blogs.technet.com/photos/msrcteam/images/3322077/original.aspx

- http://isc.sans.org/diary.html?storyid=8533
Last Updated: 2010-03-30 17:19:30 UTC
Uninitialized Memory Corruption Vulnerability - CVE-2010-0267
Post Encoding Information Disclosure Vulnerability - CVE-2010-0488
Race Condition Memory Corruption Vulnerability - CVE-2010-0489
Uninitialized Memory Corruption Vulnerability - CVE-2010-0490
HTML Object Memory Corruption Vulnerability - CVE-2010-0491
HTML Object Memory Corruption Vulnerability - CVE-2010-0492
HTML Element Cross-Domain Vulnerability - CVE-2010-0494
Memory Corruption Vulnerability - CVE-2010-0805
Uninitialized Memory Corruption Vulnerability - CVE-2010-0806
HTML Rendering Memory Corruption Vulnerability - CVE-2010-0807

- http://secunia.com/advisories/38860
Last Update: 2010-03-30
Criticality level: Extremely critical
Impact: Exposure of sensitive information, System access
Where: From remote
Software: MS IE 5.01, 6.x, 7.x, 8.x
Solution: Apply patches.
Advisory: MS10-018 (KB980182):
http://www.microsoft.com/technet/security/bulletin/ms10-018.mspx

- http://atlas.arbor.net/briefs/index#-443267133
March 31, 2010 - "Analysis: This is a critical fix for -all- users of IE and Windows that we encourage people to apply immediately. Exploits are in use in the wild."

Active Exploitation of CVE-2010-0806
- http://blogs.technet.com/blogfiles/mmpc/WindowsLiveWriter/ActiveExploitationofCVE20100806_9A4A/image_2.png
March 10-28, 2010

:fear:

AplusWebMaster
2010-04-09, 04:19
FYI...

MS Security Bulletin Advance Notification - April 2010
- http://www.microsoft.com/technet/security/bulletin/ms10-apr.mspx
April 08, 2010 - "This is an advance notification of security bulletins that Microsoft is intending to release on April 13, 2010..." (5 Critical, 5 Important, 1 Moderate)

- http://blogs.technet.com/msrc/archive/2010/04/08/april-2010-bulletin-release-advance-notification.aspx
April 08, 2010 - "... next Tuesday we will release 11 bulletins addressing 25 vulnerabilities in Windows, Microsoft Office, and Microsoft Exchange... we will be closing the following open Security Advisories with next week’s updates:
· Microsoft Security Advisory (981169) - Vulnerability in VBScript Could Allow Remote Code Execution.
· Microsoft Security Advisory (977544) - Vulnerability in SMB Could Allow Denial of Service ..."

:fear:

AplusWebMaster
2010-04-13, 19:50
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS10-apr.mspx
April 13, 2010 - "This bulletin summary lists security bulletins released for April 2010..." (Total of -11-)

Critical -5-

Microsoft Security Bulletin MS10-019 - Critical
Vulnerabilities in Windows Could Allow Remote Code Execution (981210)
- http://www.microsoft.com/technet/security/Bulletin/MS10-019.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS10-020 - Critical
Vulnerabilities in SMB Client Could Allow Remote Code Execution (980232)
- http://www.microsoft.com/technet/security/Bulletin/MS10-020.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS10-025 - Critical
Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution (980858)
- http://www.microsoft.com/technet/security/Bulletin/MS10-025.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS10-026 - Critical
Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (977816)
- http://www.microsoft.com/technet/security/Bulletin/MS10-026.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS10-027 - Critical
Vulnerability in Windows Media Player Could Allow Remote Code Execution (979402)
- http://www.microsoft.com/technet/security/Bulletin/MS10-027.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Important -5-

Microsoft Security Bulletin MS10-021 - Important
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (979683)
- http://www.microsoft.com/technet/security/Bulletin/MS10-021.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS10-022 - Important
Vulnerability in VBScript Could Allow Remote Code Execution (981169)
- http://www.microsoft.com/technet/security/Bulletin/MS10-022.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS10-023 - Important
Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (981160)
- http://www.microsoft.com/technet/security/bulletin/ms10-023.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office

Microsoft Security Bulletin MS10-024 - Important
Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832)
- http://www.microsoft.com/technet/security/bulletin/ms10-024.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Microsoft Exchange

Microsoft Security Bulletin MS10-028 - Important
Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (980094)
- http://www.microsoft.com/technet/security/bulletin/ms10-028.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office

Moderate -1-

Microsoft Security Bulletin MS10-029 - Important
Vulnerabilities in Windows ISATAP Component Could Allow Spoofing (978338)
- http://www.microsoft.com/technet/security/bulletin/ms10-029.mspx
Maximum Severity Rating: Moderate
Vulnerability Impact: Spoofing
Restart Requirement: Requires restart
Affected Software: Microsoft Windows
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=8626
Last Updated: 2010-04-13 17:32:12 UTC
___

Deployment priority
- http://blogs.technet.com/photos/msrcteam/images/3324789/original.aspx

Severity and Exploitability Index
- http://blogs.technet.com/photos/msrcteam/images/3324790/original.aspx
___

MS10-019 (KB981210, KB978601, KB979309) MS Windows Authentication Verification Two Vulnerabilities
- http://secunia.com/advisories/39371/
MS10-020 (KB980232) MS Windows SMB Client Multiple vulns
- http://secunia.com/advisories/39372/
MS10-021 (KB979683) MS Windows Kernel Privilege Escalation and Denial of Service vulns
- http://secunia.com/advisories/39373/
MS10-021 (KB979683) MS Windows Kernel Denial of Service vulns
- http://secunia.com/advisories/39374/
MS10-022 (KB981169, KB981350, KB981350, KB981349): Vuln in VBScript Could Allow Remote Code Exec
- http://secunia.com/advisories/38727/
MS10-023 (KB980466, KB980469, KB980470) MS Office Publisher File Parsing Buffer Overflow Vulnerability
- http://secunia.com/advisories/39375/
MS10-024 (KB976703, KB981832) MS Exchange Server 2000 Information Disclosure vuln
- http://secunia.com/advisories/39253/
MS10-024 (KB976323, KB976702, KB981407, KB981832) MS Exchange/Windows SMTP Service 2 vulns
- http://secunia.com/advisories/39376/
MS10-025 (KB980858) MS Windows Media Services Buffer Overflow Vulnerability
- http://secunia.com/advisories/39377/
MS10-026 (KB977816) MS Windows MPEG Layer-3 Codecs Buffer Overflow
- http://secunia.com/advisories/39379/
MS10-027 (KB979402) - Windows Media Player Hosted Media Content Handling vuln
- http://secunia.com/advisories/39380/
MS10-028 (KB980094, KB979356, KB979364, KB979365) MS Office Visio 2 Memory Corruption vulns
- http://secunia.com/advisories/39381/
MS10-029 (KB978338) MS Windows ISATAP Component IP Address Spoofing Vulnerability
- http://secunia.com/advisories/39382/
___

MSRT
- http://support.microsoft.com/?kbid=890830
April 13, 2010 - Revision: 71.0
(Recent additions)
- http://www.microsoft.com/security/malwareremove/families.aspx
... added this release
• Magania: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fMagania

- http://go.microsoft.com/fwlink/?LinkId=40587
File Name: windows-kb890830-v3.6.exe
Version: 3.6

AplusWebMaster
2010-04-14, 00:28
FYI...

Microsoft Security Advisory (981169)
Vulnerability in VBScript Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/981169.mspx
Updated: 4/13/2010 - "... We have issued MS10-022* to address this issue..."

Microsoft Security Advisory (977544)
Vulnerability in SMB Could Allow Denial of Service
- http://www.microsoft.com/technet/security/advisory/981169.mspx
Updated: 4/13/2010 - "... We have issued MS10-020* to address this issue..."

* http://forums.spybot.info/showpost.php?p=367591&postcount=126

AplusWebMaster
2010-04-16, 20:28
FYI...

MS10-021 ...failed WinXP Update
- http://isc.sans.org/diary.html?storyid=8644
Last Updated: 2010-04-16 17:01:19 UTC - "... there is a general statement concerning the prevention of the update from installing "if certain abnormal conditions exist on 32-bit systems"... if you happened to be using WinXP and encountered an error while performing an update for MS10-021, Microsoft has provided a link here* to officially explain what the error means and what resolution steps can be taken..."
* http://www.microsoft.com/security/updates/015/

- http://www.microsoft.com/technet/security/bulletin/ms08-021.mspx
• V1.1 (April 9, 2008): Bulletin updated to add a Known Issues link to Microsoft Knowledge Base Article 948590, to add a Known Issues section to the FAQ, to update the uninstall registry path, and to update the Acknowledgments.
• V1.2 (April 11, 2008): Bulletin updated to remove a reference to unsupported software in the Vulnerability FAQs.
(See: "Known Issues"): http://support.microsoft.com/kb/948590

- http://news.bbc.co.uk/2/hi/technology/8624560.stm
16 April 2010

- http://www.theregister.co.uk/2010/04/16/ms_kernel_patch_bypasses_pwned_pcs/
16 April 2010

AplusWebMaster
2010-04-22, 09:10
FYI...

MS10-025 Security Update to be Re-released
- http://blogs.technet.com/msrc/archive/2010/04/21/ms10-025-security-update-to-be-re-released.aspx
April 21, 2010 - "MS10-025* is a security update that only affects Windows 2000 Server customers who have installed Windows Media Services (this is a non-default configuration). Today we pulled the update because we found it does not address the underlying issue effectively. We are not aware of any active attacks seeking to exploit this issue and are targeting a re-release of the update for next week. Customers should review the bulletin for mitigations and workarounds and those with internet facing systems with Windows Media Services installed should evaluate and use firewall best practices to limit their overall exposure..."

Microsoft Security Bulletin MS10-025 - Critical
Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution (980858)
* http://www.microsoft.com/technet/security/Bulletin/MS10-025.mspx
Published: April 13, 2010 | Updated: April 21, 2010
• V2.0 (April 21, 2010): Revised bulletin to inform customers that the original security update did not protect systems from the vulnerability described in this bulletin. Microsoft recommends that customers apply one of the workarounds described in this bulletin to help mitigate the impact to affected systems until a revised security update is made available.

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0478
CVSS v2 Base Score: 9.3 (HIGH)

AplusWebMaster
2010-04-27, 14:34
FYI...

MS Security Intelligence Report - 2H09
- http://www.networkworld.com/community/node/60529
04/26/10 - "Conficker was far and away the most prevalent threat found on Windows machines in the second half of 2009 in the enterprise, Microsoft says. The company's security tools cleaned the Conficker worm from [25%] of enterprise Windows machines. That was one of the findings in Microsoft's semi-annual security report card, the Microsoft Security Intelligence Report*, published on Monday... both Conficker and Autorun were found to be the worms of choice for hackers that gained the ability of downloading malware onto a machine by gaining access through another hole... Scareware, also known as rogue security software, is a fake security warning that pretends to detect a threat and asks the user to install it and then proceeds to try to talk the user into paying for registration or other services. Microsoft says its security products cleaned scareware from 7.8 million computers in 2H09, up from 5.3 million computers in 1H09 — an increase of 46.5 percent... vulnerabilities against Microsoft continue to be a growing hacker favorite. Microsoft released 47 security bulletins in second half of 2009 that addressed 104 individual vulnerabilities compared to 27 in the first half that fixed about 84 holes. Of these nearly 81% were reported to Microsoft first adhering to its "responsible disclosure practices" compared to 79.5 in the first half. In straight numbers, this still leaves more holes discovered out in the wild before Microsoft can fix them. Hackers find more success in attacking applications than they do the operating systems or the browsers. Of those browser-based exploits, holes in Adobe reader account for the lion's share, according to Microsoft. Ironically, the Microsoft Security Intelligence Report, Volume 8, is available as a PDF..."

* http://www.microsoft.com/security/about/sir.aspx
"... (SIR v8) covers July 2009 through December 2009..."

AplusWebMaster
2010-04-28, 05:29
FYI...

MS Security Bulletin MS10-025 - Critical
Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution (980858)
- http://www.microsoft.com/technet/security/bulletin/ms10-025.mspx
Updated: April 27, 2010
• V3.0 (April 27, 2010): Revised bulletin to offer the re-released security update for Windows Media Services running on Microsoft Windows 2000 Server Service Pack 4. Microsoft recommends that customers running the affected software apply the re-released security update immediately.

AplusWebMaster
2010-04-30, 10:41
FYI...

Microsoft Security Advisory (983438)
Vulnerability in Microsoft SharePoint Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/983438.mspx
April 29, 2010 - "Microsoft is investigating new public reports of a possible vulnerability in Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007. The vulnerability could allow an attacker to run arbitrary script that could result in elevation of privilege within the SharePoint site, as opposed to elevation of privilege within the workstation or server environment. We are actively working with partners in our Microsoft Active Protections Program (MAPP)* to provide information that they can use to provide broader protections to customers. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers..."
* http://www.microsoft.com/security/msrc/collaboration/mapp.aspx

- http://blogs.technet.com/msrc/archive/2010/04/29/security-advisory-983438-released.aspx
April 29, 2010 - "... Customers running SharePoint Server 2007 or SharePoint Services 3.0 are encouraged to review and apply the mitigations and workarounds discussed in the Security Advisory..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0817

AplusWebMaster
2010-05-01, 13:57
FYI...

MSRT results - April 2010
- http://blogs.technet.com/mmpc/archive/2010/04/30/msrt-april-threat-reports-alureon.aspx
April 30, 2010 - "... results from the April edition of MSRT. As part of our ongoing updates to families already in MSRT, we have added support for more variants of the Win32/Alureon rootkit/infector, including the ones responsible for the issues widely reported with Microsoft Security Bulletin MS10-015...
Variant - Computers Cleaned
Virus:Win32/Alureon.A - 43,620
Virus:Win32/Alureon.B - 7,297
Virus:Win32/Alureon.F - 36,586
Virus:Win32/Alureon.G - 102,549
Alureon Trojans and Droppers - 72,917
Total - 262,969
---
... although the Alureon family has been around for years, some variants (.A-.F) gained a lot of attention since they conflicted with Microsoft Security Bulletin MS10-015 and rendered machines unbootable after applying updates to ntoskrnl.exe. Within a few days, the rootkit authors updated Win32/Alureon.G to avoid the issue since it was attracting a lot of unwanted attention. Moreover, Microsoft also re-released Microsoft Security Bulletin MS10-015 with new heuristic checks included in the installer identifying symptoms of the rootkit, preventing the patch from being applied to the affected users while warning them of the issues. The recently released Microsoft Security Bulletin MS10-021 also demonstrates a similar behavior. The good news however, is that once MSRT April installs and cleans Alureon from the machine, these patches can be installed successfully to secure the machines...
Apart from tackling the Alureon variants, the newly added threat family for this month, Win32/Magania, was cleaned from 43,394 machines. In total, MSRT April cleaned malware infections from 3,168,563 machines since it was released on the 13th of this month. Below are the top six most prevalent threat families cleaned with MSRT in April.
Family - Computers Cleaned
Frethog - 831,289
Taterf - 372,597
Alureon - 262,969
Rimecud - 250,603
Hamweq - 225,104
Four out of the top five, Frethog, Taterf, Rimecud and Hamweq, are worms taking advantage of propagation mechanisms that traditionally lead to outbreaks. These worms use shared/mapped drives, removable devices, autorun behaviors, all of which are common attack surfaces that we’ve combated for years. We highly recommend reading the section “Protecting Against Malicious and Potentially Unwanted Software” in the latest edition of the Microsoft Security Intelligence Report* which provides great advice on preventing the spread of infections and tackling malware in general to ensure you and any users you may support stay fully protected."
* http://www.microsoft.com/security/portal/Threat/SIR.aspx

AplusWebMaster
2010-05-04, 04:56
FYI...

Update on MS10-016 for Microsoft Producer
- http://blogs.technet.com/msrc/archive/2010/05/03/update-on-ms10-016-for-microsoft-producer.aspx
May 03, 2010 - "... update on MS10-016*, a Windows Movie Maker bulletin we released in March 2010. At the time, we did not have an update for Microsoft Producer 2003. Today we have released a new version of Microsoft Producer that replaces the old version. We recommend that all customers using Producer 2003 upgrade to the new version located here*. For those customers who do not wish to upgrade to the new version, we recommend that you apply the workaround available as a Microsoft FixIt in KB975561**. The FixIt removes the file association from the application to prevent files from being opened in Producer when you double click on them. Users who apply the FixIt can still open their projects by first launching Producer and then opening the file from within the application. For more information, please review the security bulletin."
* http://www.microsoft.com/technet/security/bulletin/ms10-016.mspx
• V2.0 (May 3, 2010): Corrected installation switches for Movie Maker 2.6 on Windows Vista and Windows 7. Also, announced availability of Microsoft Producer. Microsoft recommends that users of Microsoft Producer 2003 upgrade to the new version, Microsoft Producer.

** http://support.microsoft.com/kb/975561

AplusWebMaster
2010-05-06, 12:49
FYI...

MS10-024 patch - Windows SMTP Service DNS query Id vuln
- http://www.theregister.co.uk/2010/05/05/secret_microsoft_patch/
5 May 2010 - "... "These vulnerabilities were fixed by the patches referenced in MS10-024 but were not disclosed in the vendor's security bulletin and did not have a unique vulnerability identifier assigned to them," the Core advisory stated*. "As a result, the guidance and the assessment of risk derived from reading the vendor's security bulletin may overlook or misrepresent actual threat scenarios."
Microsoft issued the following statement:
"The purpose of security bulletins is to help customers accurately assess their risk as part of their planning. We do not include comprehensive information about all variants addressed as part of our investigation, but the information we do provide around severity, and risk accurately pertains to the vulnerabilities discussed in the bulletin and any variants that are addressed as part of the investigation. In other words, no variant represents a greater severity than the vulnerability discussed in the bulletin."
* http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0058.html
May 04 2010

- http://www.microsoft.com/technet/security/Bulletin/MS10-024.mspx
Published: April 13, 2010 | Updated: April 15, 2010
Version: 1.2

AplusWebMaster
2010-05-07, 04:30
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms10-may.mspx
May 06, 2010 - "This is an advance notification of security bulletins that Microsoft is intending to release on May 11, 2010...
(Total of -2-)

Critical (2)

Bulletin 1
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Vulnerability Impact: Microsoft Windows

Bulletin 2
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Vulnerability Impact: Microsoft Office, Microsoft Visual Basic for Applications

- http://blogs.technet.com/msrc/archive/2010/05/06/advance-notification-for-the-may-2010-security-bulletin-release.aspx
May 06, 2010

AplusWebMaster
2010-05-11, 19:36
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS10-may.mspx
May 11, 2010 - "This bulletin summary lists security bulletins released for May 2010...
(Total of -2-)

Critical -2-

Microsoft Security Bulletin MS10-030 - Critical
Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution (978542)
- http://www.microsoft.com/technet/security/bulletin/MS10-030.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Vulnerability Impact: Microsoft Windows
• V1.1 (May 12, 2010): Corrected restart requirements for Microsoft Windows 2000, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Also corrected the verification registry key for Microsoft Outlook Express 6 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4.

Microsoft Security Bulletin MS10-031 - Critical
Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (978213)
- http://www.microsoft.com/technet/security/bulletin/ms10-031.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Vulnerability Impact: Microsoft Office, Microsoft Visual Basic for Applications

Deployment Priority
- http://blogs.technet.com/photos/msrcteam/images/3331833/original.aspx

Severity and Exploitability Index
- http://blogs.technet.com/photos/msrcteam/images/3331832/original.aspx
___

MS10-030 (KB978542) Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution
- http://secunia.com/advisories/39766/
MS10-031 (KB974945, KB976321, KB976380, KB976382, KB978213) Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution
- http://secunia.com/advisories/39663/
___

MS10-030: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0816

MS10-031: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0815
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=8776
Last Updated: 2010-05-11 18:05:49 UTC
___

MSRT
- http://support.microsoft.com/?kbid=890830
May 11, 2010 - Revision: 72.2
(Recent additions)
- http://www.microsoft.com/security/malwareremove/families.aspx
... added this release
Oficla*
* http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fOficla

Download:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
File Name: windows-kb890830-v3.7.exe
Version: 3.7
Date Published: 5/11/2010
To download the x64 version of MSRT, click here:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en
File Name: windows-kb890830-x64-v3.7.exe
___

AplusWebMaster
2010-05-19, 00:07
FYI...

Microsoft Security Advisory (2028859)
Vulnerability in Canonical Display Driver Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2028859.mspx
May 18, 2010 - "Microsoft is investigating a new public report of a vulnerability in the Canonical Display Driver (cdd.dll). Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart. We are not aware of attacks that try to use the reported vulnerability or of customer impact at this time. We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers..."

- http://www.theregister.co.uk/2010/05/18/windows_7_security_bug/
18 May 2010 - "... users can prevent attacks by disabling the Windows Aero Theme. To turn it off, choose Start > Control Panel and click on Appearance and Personalization. Then click on Change the Theme. Then select one of the Basic and High Contrast Themes."

AplusWebMaster
2010-05-22, 15:03
FYI...

MSRT Threat Report - May 2010
- http://blogs.technet.com/mmpc/archive/2010/05/21/msrt-may-threat-reports-and-alureon.aspx
May 21, 2010 - "... In total, MSRT May cleaned malware infections from 1,961,243 machines and below are the top most prevalent threat families cleaned with MSRT in May.
Family - Machines Cleaned
Alureon - 356,959
Frethog - 321,600
Taterf - 261,553
Rimecud - 225,005 ..."

AplusWebMaster
2010-06-03, 22:10
FYI...

MS Security Bulletin Advance Notification - June 2010

- http://blogs.technet.com/b/msrc/archive/2010/06/03/june-2010-security-bulletin-advance-notification.aspx
3 Jun 2010 - "... This month’s release includes ten bulletins addressing 34 vulnerabilities.
• Six of the bulletins affect Windows; of those, two carry a Critical severity rating and four are rated Important.
• Two bulletins, both with a severity rating of Important, affect Microsoft Office.
• One bulletin, again with a severity rating of Important, affects both Windows and Office.
• One bulletin, with a severity rating of Critical, affects Internet Explorer...
We will also be acting on two Security Advisories this month.
• We are closing Security Advisory 983438 (Vulnerability in Microsoft SharePoint Could Allow Elevation of Privilege) with the June bulletins.
• We are also addressing Security Advisory 980088 (Vulnerability in Internet Explorer Could Allow Information Disclosure)..."

- http://www.microsoft.com/technet/security/bulletin/ms10-jun.mspx
June 3, 2010 - "This is an advance notification of security bulletins that Microsoft is intending to release on June 8, 2010... (Total of -10-)

Critical -3-

Bulletin 2
Critical
Remote Code Execution
May require restart
Microsoft Windows

Bulletin 3
Critical
Remote Code Execution
May require restart
Microsoft Windows

Bulletin 4
Critical
Remote Code Execution
Requires restart
Microsoft Windows, Internet Explorer

Important -7-

Bulletin 1
Important
Elevation of Privilege
Requires restart
Microsoft Windows

Bulletin 5
Important
Remote Code Execution
May require restart
Microsoft Office

Bulletin 6
Important
Elevation of Privilege
May require restart
Microsoft Windows

Bulletin 7
Important
Remote Code Execution
May require restart
Microsoft Office

Bulletin 8
Important
Elevation of Privilege
May require restart
Microsoft Office, Microsoft Server Software

Bulletin 9
Important
Remote Code Execution
May require restart
Microsoft Windows

Bulletin 10
Important
Tampering
May require restart
Microsoft Windows

AplusWebMaster
2010-06-08, 19:41
FYI...

MS Security Bulletin Summary - June 2010
- http://www.microsoft.com/technet/security/Bulletin/MS10-jun.mspx
June 08, 2010 - "This bulletin summary lists security bulletins released for June 2010... (Total of -10-)

Critical -3-

Microsoft Security Bulletin MS10-033 - Critical
Vulnerabilities in Media Decompression Could Allow Remote Code Execution (979902)
- http://www.microsoft.com/technet/security/bulletin/MS10-033.mspx
Critical
Remote Code Execution
May require restart
Microsoft Windows

Microsoft Security Bulletin MS10-034 - Critical
Cumulative Security Update of ActiveX Kill Bits (980195)
- http://www.microsoft.com/technet/security/bulletin/ms10-034.mspx
Critical
Remote Code Execution
May require restart
Microsoft Windows

Microsoft Security Bulletin MS10-035 - Critical
Cumulative Security Update for Internet Explorer (982381)
- http://www.microsoft.com/technet/security/bulletin/ms10-035.mspx
Critical
Remote Code Execution
Requires restart
Microsoft Windows, Internet Explorer

Important -7-

Microsoft Security Bulletin MS10-032 - Important
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (979559)
- http://www.microsoft.com/technet/security/bulletin/ms10-032.mspx
Important
Elevation of Privilege
Requires restart
Microsoft Windows

Microsoft Security Bulletin MS10-036 - Important
Vulnerability in COM Validation in Microsoft Office Could Allow Remote Code Execution (983235)
- http://www.microsoft.com/technet/security/bulletin/ms10-036.mspx
Important
Remote Code Execution
May require restart
Microsoft Office
...For XP systems w/Office XP, also see:
- http://support.microsoft.com/kb/983235
June 8, 2010 - Revision: 3.0 - MS10-036 - "... We are providing a Microsoft Fix it solution for users on Windows XP systems that have Microsoft Office XP installed... The Fix it solution applies to Office XP on Windows XP-based systems, and the Fix it solution addresses issues in Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft Publisher, and Microsoft Visio..."

Microsoft Security Bulletin MS10-037 - Important
Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Elevation of Privilege (980218)
- http://www.microsoft.com/technet/security/bulletin/ms10-037.mspx
Important
Elevation of Privilege
May require restart
Microsoft Windows

Microsoft Security Bulletin MS10-038 - Important
Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (2027452)
- http://www.microsoft.com/technet/security/bulletin/ms10-038.mspx
Important
Remote Code Execution
May require restart
Microsoft Office

Microsoft Security Bulletin MS10-039 - Important
Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2028554)
- http://www.microsoft.com/technet/security/bulletin/ms10-039.mspx
Important
Elevation of Privilege
May require restart
Microsoft Office, Microsoft Server Software

Microsoft Security Bulletin MS10-040 - Important
Vulnerability in Internet Information Services Could Allow Remote Code Execution (982666)
- http://www.microsoft.com/technet/security/bulletin/MS10-040.mspx
Important
Remote Code Execution
May require restart
Microsoft Windows

Microsoft Security Bulletin MS10-041 - Important
Vulnerability in Microsoft .NET Framework Could Allow Tampering (981343)
- http://www.microsoft.com/technet/security/bulletin/ms10-041.mspx
Important
Tampering
May require restart
Microsoft Windows, Microsoft .NET Framework
___

Severity and Exploitability Index
Deployment Priority
- http://blogs.technet.com/b/msrc/archive/2010/06/08/june-2010-security-bulletin-release.aspx
___

MSRT
- http://support.microsoft.com/?kbid=890830
June 8, 2010 - Revision: 73.0
(Recent additions)
- http://www.microsoft.com/security/malwareremove/families.aspx
... added this release
FakeInit *
* http://go.microsoft.com/fwlink/?LinkId=37020&Name=Win32/FakeInit
Download:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
File Name: windows-kb890830-v3.8.exe
Version: 3.8
Date Published: 6/8/2010
To download the x64 version of MSRT, click here:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en
File Name: windows-kb890830-x64-v3.8.exe
___

ISC Analysis
- http://isc.sans.edu/diary.html?storyid=8929
Last Updated: 2010-06-08 18:24:24 UTC

AplusWebMaster
2010-06-11, 00:09
FYI...

MS Security Advisory (2219475)
Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2219475.mspx
June 10, 2010 - "Microsoft is investigating new public reports of a possible vulnerability in the Windows Help and Support Center function that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. Microsoft is aware that proof of concept exploit code has been published for the vulnerability. However, Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary..."
- http://www.microsoft.com/technet/security/advisory/2219475.mspx
• V1.1 (June 11, 2010): Added a link to Microsoft Knowledge Base Article 2219475 to provide an automated Microsoft Fix it solution* for the workaround, Unregister the HCP Protocol. * http://support.microsoft.com/kb/2219475
• V1.2 (June 15, 2010): Revised Executive Summary to reflect awareness of limited, targeted active attacks that use published proof-of-concept exploit code.

- http://www.kb.cert.org/vuls/id/578319
Date Last Updated: 2010-06-10
- http://www.h-online.com/security/news/item/Windows-Help-used-as-attack-surface-1019381.html
10 June 2010

Microsoft Security Advisory (983438)
Vulnerability in Microsoft SharePoint Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/983438.mspx
Updated: June 08, 2010 - "... We have issued MS10-039* to address this issue..."
* http://www.microsoft.com/technet/security/bulletin/ms10-039.mspx

Microsoft Security Advisory (973811)
Extended Protection for Authentication
- http://www.microsoft.com/technet/security/advisory/973811.mspx
• V1.5 (June 8, 2010): Updated the FAQ with information about six non-security updates enabling .NET Framework to opt in to Extended Protection for Authentication.
See FAQ: "... updates released by Microsoft on June 8, 2010...", re: .NET Framework 2.0 ...

AplusWebMaster
2010-06-15, 17:32
FYI...

CVE 2010-1885 exploit in the wild
- http://www.sophos.com/blogs/sophoslabs/?p=10045
June 15, 2010 - "The recent Microsoft Windows Help and Support Center vulnerability (CVE 2010-1885) is being exploited in the wild... Today, we got the first pro-active detection (Sus/HcpExpl-A) on malware that is spreading via a compromised website. This malware downloads and executes an additional malicious component... on the victim’s computer, by exploiting this vulnerability. More details about CVE 2010-1885 can be found in our report here*."
* http://www.sophos.com/support/knowledgebase/article/111188.html

- http://support.microsoft.com/kb/2219475
Last Review: July 13, 2010 - Revision: 3.0 - "... We have released security bulletin MS10-042* to address this issue..."
* http://www.microsoft.com/technet/security/bulletin/MS10-042.mspx

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1885
... Windows XP and Windows Server 2003 ...
Last revised: 07/20/2010
CVSS v2 Base Score: 9.3 (HIGH)

- http://atlas.arbor.net/briefs/index#-2114420025
Severity: High Severity
... active exploitation on the Internet. This affects Windows users, especially Windows XP and Server 2003. Mitigations and workarounds have been described by Microsoft.
Analysis: This is a major issue for all Windows users, and we encourage sites to update as soon as possible once a fix is released, or to apply the mitigations.

- http://securitytracker.com/alerts/2010/Jun/1024084.html
Jun 10 2010

- http://blog.trendmicro.com/microsoft-help-center-zero-day-exploits-loose/
June 15, 2010

- http://www.avast.com/pr-legitimate-websites-outscore-the-adult
28 June 2010 - "... HTML:Script-inf... infection is widespread and accounts for 20% of all infected UK pages. The infection takes advantage of a two week old Microsoft Windows vulnerability... CVE-2010-1885..."

- http://pandalabs.pandasecurity.com/hcp-vulnerability-exploited-in-the-wild/
06/28/10 - "... cyber criminals are quick to adapt new exploit methods and in this case it literally took one day before we started seeing examples being exploited in the wild..."

AplusWebMaster
2010-06-22, 15:03
FYI...

How to obtain the latest Windows XP service pack
- http://support.microsoft.com/kb/322389

- http://windows.microsoft.com/en-us/windows/help/learn-how-to-install-windows-xp-service-pack-3-sp3

- http://blogs.technet.com/b/lifecycle/archive/2010/02/25/end-of-support-for-windows-xp-sp2-and-windows-vista-with-no-service-packs-installed.aspx
"... Windows XP SP2 reached the end of support on July 13, 2010..."

- http://www.microsoft.com/downloads/details.aspx?FamilyId=5B33B5A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en
File Name: WindowsXP-KB936929-SP3-x86-ENU.exe
Download Size: 316.4 MB
Knowledge Base (KB) Articles: http://support.microsoft.com/?kbid=936929
Last Review: March 9, 2010 - Revision: 8.0

AplusWebMaster
2010-07-01, 13:55
FYI...

CVE-2010-1885 attack status...
- http://blogs.technet.com/b/mmpc/archive/2010/06/30/attacks-on-the-windows-help-and-support-center-vulnerability-cve-2010-1885.aspx
30 Jun 2010 - "... attacks have picked up and are no longer limited to specific geographies or targets, and we would like to ensure that customers are aware of this broader distribution. If you have not yet considered the countermeasures listed in the Microsoft Security Advisory (2219475*), you should consider them. As of today, over 10,000 distinct computers have reported seeing this attack at least one time. The following list shows some of the payloads we've detected:
• Trojan:Win32/Swrort.A
• TrojanDownloader:Win32/Obitel.gen!A
• Spammer:Win32/Tedroo.AB
• Trojan:Win32/Oficla.M
• TrojanSpy:Win32/Neetro.A
• Virus:JS/Decdec.A ..."

* http://support.microsoft.com/kb/2219475
Last Review: July 13, 2010 - Revision: 3.0 - "... We have released security bulletin MS10-042* to address this issue..."
* http://www.microsoft.com/technet/security/bulletin/MS10-042.mspx

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1885
Last revised: 07/20/2010
CVSS v2 Base Score: 9.3 (HIGH)

- http://krebsonsecurity.com/2010/07/microsoft-warns-of-uptick-in-attacks-on-unpatched-windows-flaw/
July 5, 2010

- http://community.websense.com/blogs/securitylabs/archive/2010/07/05/article-alley-compromised.aspx
5 Jul 2010 - "... Articlealley .com has been compromised and injected with obfuscated code. Article Alley is a free article directory that aims to help authors promote and syndicate their content. It allows authors and promoters to get their articles out on the Web with the potential of being read by millions of readers. This site was compromised from the root domain, and as a result all subsequent sub-pages were infected by the attack.... attack is targeting the Microsoft Help and Support Center 0-day vulnerability CVE-2010-1885..."
(Screenshots available at the Websense URL above.)

:fear::mad:

AplusWebMaster
2010-07-08, 19:53
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS10-jul.mspx
July 8, 2010 - "This is an advance notification of security bulletins that Microsoft is intending to release on July 13, 2010..." (Total of -4-)

(Critical -3-)

Bulletin 1 - Critical
Remote Code Execution
May require restart
Microsoft Windows

Bulletin 2 - Critical
Remote Code Execution
Requires restart
Microsoft Windows

Bulletin 3 - Critical
Remote Code Execution
May require restart
Microsoft Office

(Important -1-)

Bulletin 4 - Important
Remote Code Execution
May require restart
Microsoft Office

- http://blogs.technet.com/b/msrc/archive/2010/07/08/july-2010-bulletin-release-advance-notification.aspx
8 Jul 2010 - "... We will close out two Security Advisories this month.
• We are closing Security Advisory 2028859 (Vulnerability in Canonical Display Driver Could Allow Remote Code Execution) in the July bulletins.
• We are also closing Security Advisory 2219475 (Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution) with a comprehensive update that addresses the issue currently under attack...
Also, July marks the end of Microsoft support for the Windows 2000 and Windows XP SP2 platforms. Customers should actively seek out either a supported operating system or the latest service pack in order to keep receiving necessary security updates..."

.

AplusWebMaster
2010-07-13, 19:08
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS10-jul.mspx
July 13, 2010 - "This bulletin summary lists security bulletins released for July 2010..."
(Total of -4-)

(Critical -3-)

Microsoft Security Bulletin MS10-042 - Critical
Vulnerability in Help and Support Center Could Allow Remote Code Execution (2229593)
- http://www.microsoft.com/technet/security/bulletin/MS10-042.mspx
Critical
Remote Code Execution
May require restart
Microsoft Windows
- http://blogs.technet.com/b/mmpc/archive/2010/07/13/update-on-the-windows-help-and-support-center-vulnerability-cve-2010-1885.aspx
"... As of midnight on July 12 (GMT), over 25,000 distinct computers in over 100 countries/regions have reported this attack attempt at least one time..." (See chart).

Microsoft Security Bulletin MS10-043 - Critical
Vulnerability in Canonical Display Driver Could Allow Remote Code Execution (2032276)
- http://www.microsoft.com/technet/security/bulletin/MS10-043.mspx
Critical
Remote Code Execution
Requires restart
Microsoft Windows

Microsoft Security Bulletin MS10-044 - Critical
Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Execution (982335)
- http://www.microsoft.com/technet/security/bulletin/MS10-044.mspx
Critical
Remote Code Execution
May require restart
Microsoft Office

(Important -1-)

Microsoft Security Bulletin MS10-045 - Critical
Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution (978212)
- http://www.microsoft.com/technet/security/bulletin/MS10-045.mspx
Important
Remote Code Execution
May require restart
Microsoft Office
___

Severity and Exploitability index
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/7737.se83773621.png

Deployment priority
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/6253.dp3897663.png
___

MSRT
- http://support.microsoft.com/?kbid=890830
July 13, 2010 - Revision: 76.0
(Recent additions)
- http://www.microsoft.com/security/malwareremove/families.aspx
• Bubnix
added this release
* http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fBubnix
Download:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
File Name: windows-kb890830-v3.9.exe
Version: 3.9
Date Published: 7/13/2010
To download the x64 version of MSRT, click here:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en
File Name: windows-kb890830-x64-v3.9.exe
___

ISC Analysis
- http://isc.sans.edu/diary.html?storyid=9166
Last Updated: 2010-07-13 17:30:42 UTC
"... no more patches for XPSP2 after today..."

Same for W2K systems.

W2K: http://support.microsoft.com/lifecycle/?p1=3071 - 7/13/2010
XPSP2: http://support.microsoft.com/lifecycle/?p1=6794 - 7/13/2010
XP : http://support.microsoft.com/lifecycle/?p1=3221 - 4/8/2014
- http://support.microsoft.com/lifecycle/

.

AplusWebMaster
2010-07-14, 13:44
FYI...

Microsoft Security Advisory (2219475)
Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2219475.mspx
Published: June 10, 2010 | Updated: July 13, 2010 - "... We have issued MS10-042* to address this issue..."
* http://www.microsoft.com/technet/security/Bulletin/MS10-042.mspx

Microsoft Security Advisory (2028859)
Vulnerability in Canonical Display Driver Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2028859.mspx
Published: May 18, 2010 | Updated: July 13, 2010 - "... We have issued MS10-043** to address this issue..."
** http://www.microsoft.com/technet/security/Bulletin/MS10-043.mspx

>> http://forums.spybot.info/showpost.php?p=377301&postcount=144

:fear::fear:

AplusWebMaster
2010-07-17, 13:44
FYI...

Microsoft Security Advisory (2286198)
Vulnerability in Windows Shell Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2286198.mspx
July 16, 2010 - "Microsoft is investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell, a component of Microsoft Windows. This advisory contains information about which versions of Windows are vulnerable as well as workarounds and mitigations for this issue. The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled. We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers..."
• V1.1 (July 19, 2010)... "Microsoft is currently working to develop a security update for Windows to address this vulnerability..."

- http://blogs.technet.com/b/mmpc/archive/2010/07/16/the-stuxnet-sting.aspx
16 Jul 2010

- http://www.kb.cert.org/vuls/id/940193
Last Updated: 2010-07-19

- http://www.us-cert.gov/current/#microsoft_windows_lnk_vulnerability
updated July 19, 2010

0-Day exploit is public
- http://www.f-secure.com/weblog/archives/00001991.html
July 19, 2010

- http://securitytracker.com/alerts/2010/Jul/1024216.html
Updated: July 20 2010

:fear:

AplusWebMaster
2010-07-20, 20:25
FYI...

More 0-day malware drivers...
- http://www.f-secure.com/weblog/archives/00001993.html
July 20, 2010 - "... another digitally signed Stuxnet* driver. This one uses a certificate from JMicron Technology Corporation. Our detection for this new binary is Rootkit:W32/Stuxnet.D... Realtek is the source of the previously used certificate which has now been revoked by VeriSign..."
* http://blogs.technet.com/b/mmpc/archive/2010/07/16/the-stuxnet-sting.aspx

:fear::mad:

AplusWebMaster
2010-07-21, 04:32
FYI...

"Fixit" released for MS shortcut vuln...
Microsoft Security Advisory (2286198)
Vulnerability in Windows Shell Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2286198.mspx
• V1.2 (July 20, 2010): Clarified the vulnerability exploit description and updated the workarounds...
• Disable the displaying of icons for shortcuts ...
Note: See Microsoft Knowledge Base Article 2286198* to use the automated Microsoft Fix it solution to enable or disable this workaround. This Fix it solution will require a restart upon completion in order to be effective. This Fix it solution deploys the workaround, and thus has the same user impact. We recommend that administrators review the KB article closely prior to deploying this Fix it solution.
NOTE: Applying the fixit will remove the graphical representation of icons on the Task bar and Start menu bar and replace them with white icons without the graphical representation of the icon...
Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk...
* http://support.microsoft.com/kb/2286198
Last Review: July 21, 2010 - Revision: 1.0
---
• Disable the WebClient service ...
---
• Block the download of .LNK and .PIF files from the internet ...
___

Embedded Shortcuts in Documents...
- http://www.f-secure.com/weblog/archives/00001994.html
July 21, 2010

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2568
Last revised: 07/22/2010
CVSS v2 Base Score: 9.3 (HIGH)

:fear::fear:

AplusWebMaster
2010-07-23, 13:18
FYI...

Exploits in the wild for Windows shortcut vuln
- http://blog.trendmicro.com/exploits-for-windows-shortcut-vulnerability-in-the-wild/
July 22, 2010 - "Exploits for the recently discovered Windows shortcut vulnerability are now fully out in the wild and affecting users. While earlier samples were seen in more narrowly targeted attacks, the new samples Trend Micro analysts found are now aimed at broader audiences and pose a threat to users at large. Indonesia and India have been particularly hard-hit by this attack, accounting for more than 75 percent of the total number of infections. In addition, a recent update to Microsoft’s advisory has added a new vector for this vulnerability. File formats that support embedded shortcuts (e.g., Microsoft Office documents) can now be used to spread exploits as well. This means that users who download and open such files could find themselves the latest victim of this vulnerability. It has also been reported that this attack could be used in drive-by attack scenarios, further increasing risks... Below is a summary of these possibilities:
1. USB drive infection...
2. Network shares...
3. Malicious website...
4. Documents..."

(More detail at the URL above.)

- http://threatinfo.trendmicro.com/vinfo/web_attacks/Worm%20Propagates%20via%20Windows%20Shortcut%20Vulnerability%20Exploit.html

- http://www.symantec.com/connect/de/blog-tags/w32stuxnet
July 22, 2010 - "... Within the past 72 hours we've seen close to 14,000 unique IP addresses infected with W32.Stuxnet attempt to contact the C&C server..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2568
Last revised: 07/23/2010
CVSS v2 Base Score: 9.3 (HIGH)

- http://www.f-secure.com/v-descs/trojan-dropper_w32_stuxnet.shtml
- http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99&tabid=2
- http://www.sophos.com/security/analyses/viruses-and-spyware/w32stuxnetb.html

:fear::fear:

AplusWebMaster
2010-07-26, 04:49
FYI...

MS .lnk 0-day attack vector
- http://atlas.arbor.net/briefs/index#1754998770
Severity: Extreme Severity
Analysis: "This is a serious risk, and a critical one for SIEMENS WinCC sites. We encourage all Windows sites to review the bulletin* for mitigation options in the absence of a patch..."
* http://www.microsoft.com/technet/security/advisory/2286198.mspx

NEW malware families using .LNK vulnerability
- http://blogs.technet.com/b/mmpc/archive/2010/07/23/protection-for-new-malware-families-using-lnk-vulnerability.aspx
23 Jul 2010

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2772
Last revised: 07/26/2010

- http://www.networkworld.com/news/2010/072310-virus-writers-are-picking-up.html
July 22, 2010 - "... Siemens issued a Security Update** for its customers on Thursday, but Microsoft has yet to patch the Windows bug that permits the worm to spread..."
** http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=43876783&caller=view

- http://www.symantec.com/connect/blog-tags/w32stuxnet
July 25, 2010

:fear:

AplusWebMaster
2010-07-26, 22:16
FYI...

Windows Shortcut Exploit protection tool
- http://www.sophos.com/products/free-tools/sophos-windows-shortcut-exploit-protection-tool.html
"... The Windows Shortcut Exploit is a zero-day vulnerability in all versions of Windows that allows a Windows shortcut link to run a malicious DLL file. Our free, easy-to-use tool blocks this exploit from running on your computer..."

- http://isc.sans.edu/diary.html?storyid=9268
Last Updated: 2010-07-26 17:03:58 UTC

- http://www.sophos.com/support/knowledgebase/article/111570.html
Last updated: 26 Jul 2010

- http://www.sophos.com/blogs/gc/g/2010/07/26/shortcut-exploit-free-tool/
Video: 1:57

- http://www.f-secure.com/weblog/archives/00001996.html
July 26, 2010 - "... several additional malware families are now attempting to exploit Microsoft's LNK vulnerability (2286198). But here's the good news: so far, the new exploit samples are detected by us, and by many other vendors*. Basically we're seeing new payloads using the same basic exploit method, which is being detected generically, and not new versions of the exploit..."
* http://www.virustotal.com/analisis/bbe8069f457c8cd3d1162419626da72b1041304c558a1be74cb3b553dbb29965-1280146392
File dsafnegweje.lnk received on 2010.07.26 12:13:12 (UTC)
Result: 18/42 (42.86%)

- http://blog.trendmicro.com/zeuszbot-and-sality-jump-on-the-lnk-exploit-bandwagon/
July 27, 2010 - "... exploits targeting the Windows shortcut zero-day vulnerability have risen in number. It is also now being used to spread ZBOT variants via malicious attachments to spammed messages... with the subject Microsoft Windows Security Advisory..."

.

AplusWebMaster
2010-07-30, 23:24
FYI...

MS shortcut/vuln fix to be released 8.2.2010
- http://blogs.technet.com/b/msrc/archive/2010/07/29/out-of-band-release-to-address-microsoft-security-advisory-2286198.aspx
29 Jul 2010 - "... we're announcing plans to release a security update to address the vulnerability discussed in Security Advisory 2286198* on Monday, August 2, 2010 at or around 10 AM PDT..."
* http://www.microsoft.com/technet/security/advisory/2286198.mspx

- http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx
July 30, 2010

- http://blogs.technet.com/b/mmpc/archive/2010/07/30/stuxnet-malicious-lnks-and-then-there-was-sality.aspx
30 Jul 2010 - "... Microsoft announced plans to release of an out-of-band update... numbers show infection attempts upon systems -we- protect... threats are becoming more widespread...
Malicious links exploiting CVE-2010-2568
Exploit:Win32/CplLnk.A
Exploit:Win32/CplLnk.B
Stuxnet
TrojanDropper:Win32/Stuxnet.A
Trojan:WinNT/Stuxnet.A
Trojan:WinNT/Stuxnet.B (initially called VirTool:WinNT/Rootkitdrv.HK)
Trojan:Win32/Stuxnet.A
Worm:Win32/Stuxnet.A
Worm:Win32/Stuxnet.B
Sality
Virus:Win32/Sality.AU (initial detection provided by generic signature Virus:Win32/Sality.AT)
Vobfus
Worm:Win32/Vobfus.H
Worm:Win32/Vobfus.P
Chymine
Trojan:Win32/Chymine.A
TrojanSpy:Win32/Chymine.A
TrojanDownloader:Win32/Chymine.A ..."

:fear:

AplusWebMaster
2010-08-02, 19:54
FYI...

Microsoft Security Bulletin MS10-046 - Critical
Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)
- http://www.microsoft.com/technet/security/Bulletin/MS10-046.mspx
August 02, 2010
Remote Code execution
Critical
... This vulnerability is currently being exploited...

- http://www.microsoft.com/technet/security/Bulletin/MS10-aug.mspx
August 02, 2010

ISC Analysis
- http://isc.sans.edu/diary.html?storyid=9313
Last Updated: 2010-08-02
PATCH NOW!

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2568
Last revised: 08/03/2010
CVSS v2 Base Score: 9.3 (HIGH)

- http://blogs.technet.com/b/msrc/archive/2010/08/02/ms10-046-released-out-of-band-today.aspx
2 Aug 2010 - "... today we released Security Bulletin MS10-046* out-of-band to address a vulnerability in Windows. This security update addresses a vulnerability in the handling of shortcuts that affects all currently supported versions of Windows XP, Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2... For customers using automatic updates, this update will automatically be applied once it is released. Customers not using automatic updates should download, test and deploy this update as quickly as possible..."

- http://www.sophos.com/security/topic/shortcut.html
August 2, 2010 - "... If you have the Sophos Windows Shortcut Exploit Protection Tool on your machine, uninstall it before deploying Microsoft's patch."

- http://atlas.arbor.net/briefs/index#1754998770
August 03, 2010
Severity: Extreme Severity
Analysis: This is a serious risk, and a critical one especially for SIEMENS WinCC sites. We encourage all Windows sites to review the bulletin for mitigation options and apply the update as soon as possible.

Stuxnet - Rootkit for SCADA Devices...
- http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices
August 6, 2010

:fear:

AplusWebMaster
2010-08-05, 21:21
FYI...

MS Security Bulletin -Advance- Notification - August 2010
- http://www.microsoft.com/technet/security/Bulletin/MS10-aug.mspx
August 05, 2010 - "... advance notification of security bulletins that Microsoft is intending to release on August 10, 2010... (Total of -14-)

Critical -8-
Bulletin 1 / Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 2 / Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 3 / Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 4 / Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 5 / Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 6 / Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 7 / Critical - Remote Code Execution - May require restart - Microsoft Office
Bulletin 8 / Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft Silverlight

Important -6-
Bulletin 9 / Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 10 / Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 11 / Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 12 / Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 13 / Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 14 / Important - Elevation of Privilege - May require restart - Microsoft Windows ..."

- http://www.computerworld.com/s/article/9180210/Microsoft_slates_record_setting_monster_Patch_Tuesday_next_week
August 5, 2010 - "Microsoft today said it will deliver a record 14 security updates next week to patch a record-tying 34 vulnerabilities in Windows, Internet Explorer (IE), Office and Silverlight..."
- http://blogs.technet.com/b/msrc/archive/2010/08/05/august-2010-bulletin-release-advance-notification.aspx

:fear:

AplusWebMaster
2010-08-09, 20:13
FYI...

LNK vuln (MS10-046) now leveraged by botnet...
- http://www.symantec.com/connect/blogs/sality-goes-lnk
August 9, 2010 - "... The discovery of the LNK vulnerability (BID 41732*), initially used by Stuxnet, gave malware authors a cheap, easy, and effective way to propagate their creations. The Sality gang didn’t waste much time and jumped on the bandwagon in the early days of August. However, it seems that it was only this weekend that they decided to leverage their botnet to potentially infect even more computers. The latest package downloaded by Sality (sequence ID 122) refers to a few URLs, including Sality-standard hack tools (mail relay, HTTP proxy), but also to a dropper for Sality itself... make sure your operating system is properly patched..."
* http://www.securityfocus.com/bid/41732/references

- http://forums.spybot.info/showpost.php?p=379430&postcount=153
"Critical ... This vulnerability is currently being exploited..."

:fear::fear:

AplusWebMaster
2010-08-10, 19:40
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS10-aug.mspx
• V2.0 (August 10, 2010): Added the bulletins, MS10-047 to MS10-060.
... (Total of -14-)

Critical -8-

Microsoft Security Bulletin MS10-049 - Critical
Vulnerabilities in SChannel could allow Remote Code Execution (980436)
- http://www.microsoft.com/technet/security/Bulletin/MS10-049.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS10-051 - Critical
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403)
- http://www.microsoft.com/technet/security/Bulletin/MS10-051.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS10-052 - Critical
Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168)
- http://www.microsoft.com/technet/security/Bulletin/MS10-052.mspx
Critical - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS10-053 - Critical
Cumulative Security Update for Internet Explorer (2183461)
- http://www.microsoft.com/technet/security/Bulletin/MS10-053.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer

Microsoft Security Bulletin MS10-054 - Critical
Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214)
- http://www.microsoft.com/technet/security/Bulletin/MS10-054.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS10-055 - Critical
Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665)
- http://www.microsoft.com/technet/security/Bulletin/MS10-055.mspx
Critical - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS10-056 - Critical
Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638)
- http://www.microsoft.com/technet/security/Bulletin/MS10-056.mspx
Critical - Remote Code Execution - May require restart - Microsoft Office

Microsoft Security Bulletin MS10-060 - Critical
Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)
- http://www.microsoft.com/technet/security/Bulletin/MS10-060.mspx
Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework, Microsoft Silverlight

Important -6-

Microsoft Security Bulletin MS10-047 - Important
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852)
- http://www.microsoft.com/technet/security/Bulletin/MS10-047.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS10-048 - Important
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)
- http://www.microsoft.com/technet/security/Bulletin/MS10-048.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS10-050 - Important
Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997)
- http://www.microsoft.com/technet/security/Bulletin/MS10-050.mspx
Important - Elevation of Privilege - May require restart - Microsoft Windows

Microsoft Security Bulletin MS10-057 - Important
Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (2269707)
- http://www.microsoft.com/technet/security/Bulletin/MS10-057.mspx
Important - Elevation of Privilege - May require restart - Microsoft Office

Microsoft Security Bulletin MS10-058 - Important
Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886)
- http://www.microsoft.com/technet/security/Bulletin/MS10-058.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS10-059 - Important
Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799)
- http://www.microsoft.com/technet/security/Bulletin/MS10-059.mspx
Important - Elevation of Privilege - May require restart - Microsoft Windows
___

Severity and Exploitability index
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/8816.August-2010-Severity-XI.png

Deployment priority
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/0601.August-2010-Overview-Deployment.png
___

ISC Analysis
- http://isc.sans.edu/diary.html?storyid=9361
Last Updated: 2010-08-16 15:15:31 UTC ...(Version: -5-)
___

MSRT
- http://support.microsoft.com/?kbid=890830
August 10, 2010 - Revision: 77.0
(Recent additions)
- http://www.microsoft.com/security/malwareremove/families.aspx
... added this release...
• Stuxnet
• CplLnk
• Vobfus.A
• Vobfus.B
• Vobfus.C
• Vobfus!dll
• Worm:Win32/Sality.AU
• Virus:Win32/Sality.AU
• Trojan:WinNT/Sality

Download:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
File Name: windows-kb890830-v3.10.exe
Version: 3.10
Date Published: 8/10/2010
To download the x64 version of MSRT, click here:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en
File Name: windows-kb890830-x64-v3.10.exe
___

10th Aug, 2010
http://secunia.com/advisories/40871/ - MS10-047
http://secunia.com/advisories/40878/ - MS10-048
http://secunia.com/advisories/40879/ - MS10-049
http://secunia.com/advisories/40883/ - MS10-049
http://secunia.com/advisories/38931/ - MS10-050

http://secunia.com/advisories/40893/ - MS10-051
http://secunia.com/advisories/40934/ - MS10-052
http://secunia.com/advisories/40895/ - MS10-053
http://secunia.com/advisories/40935/ - MS10-054
http://secunia.com/advisories/40936/ - MS10-055

http://secunia.com/advisories/40937/ - MS10-056
http://secunia.com/advisories/40750/ - MS10-057
http://secunia.com/advisories/40904/ - MS10-058
http://secunia.com/advisories/40817/ - MS10-059
http://secunia.com/advisories/40872/ - MS10-060

.

AplusWebMaster
2010-08-11, 11:38
FYI...

Microsoft Security Advisory (2264072)
Elevation of Privilege Using Windows Service Isolation Bypass
- http://www.microsoft.com/technet/security/advisory/2264072.mspx
August 10, 2010 - "Microsoft is aware of the potential for attacks that leverage the Windows Service Isolation feature to gain elevation of privilege... Although, in most situations, untrusted code is not running under the NetworkService identity, the following scenarios have been identified as possible exceptions:
• Systems running Internet Information Services (IIS) in a non-default configuration are at an increased risk, particularly if IIS is running on Windows Server 2003 and Windows Server 2008, because the default worker process identity on these systems is NetworkService.
• Systems running SQL Server where users are granted SQL Server administrative privileges are at an increased risk.
• Systems running Windows Telephony Application Programming Interfaces (TAPI) are at an increased risk...
For the TAPI scenario, Microsoft is providing a non-security update*...
(FAQ) The Windows Service Isolation feature is an optional configuration that some customers may choose to deploy. This feature is not appropriate for all customers..."
- http://support.microsoft.com/kb/2264072

* TAPI non-security update: http://support.microsoft.com/kb/982316

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1886
Last revised: 08/17/2010
CVSS v2 Base Score: 6.8 (MEDIUM)
___

Microsoft Security Advisory (977377)
Vulnerability in TLS/SSL Could Allow Spoofing
- http://www.microsoft.com/technet/security/advisory/977377.mspx
Published: February 09, 2010 | Updated: August 10, 2010 - "... We have issued MS10-049* to address this issue..."
* http://www.microsoft.com/technet/security/bulletin/MS10-049.mspx
___

Update on the publicly disclosed Win32k.sys EoP Vulnerability
- http://blogs.technet.com/b/msrc/archive/2010/08/10/update-on-the-publicly-disclosed-win32k-sys-eop-vulnerability.aspx
10 Aug 2010 - "... investigating a publicly disclosed vulnerability in the Windows Kernel-mode drivers (win32k.sys) affecting all supported operating systems. We are not aware of attacks that try to use the reported vulnerability or of any customer impact at this time... we are now able to report that this is a local elevation of privilege vulnerability only. This type of issue allows attackers to gain system-level privileges after they have already obtained an account on the target system. For this issue to be exploited, an attacker must have valid log-on credentials on the target system and be able to log on locally, or must already have code running on the target system. The vulnerability cannot be exploited remotely, or by anonymous users. We will not be releasing a security advisory for this issue, but it will be included in a future security update...."

:fear:

AplusWebMaster
2010-08-22, 10:12
FYI...

MSRT August - One Week Later...
- http://blogs.technet.com/b/mmpc/archive/2010/08/19/one-week-later-broken-lnks-and-msrt-august.aspx
19 Aug 2010 - "... Within the first week of release, MSRT cleaned 12,283,167 files in 2,005,960 infected machines..."

Graphic
- http://www.microsoft.com/security/portal/blog-images/msrt-aug.png
19 Aug 2010

:fear:

AplusWebMaster
2010-08-24, 02:57
FYI...

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2269637.mspx
August 23, 2010 - "Microsoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities that affects how applications load external libraries. This issue is caused by specific insecure programming practices that allow so-called "binary planting" or "DLL preloading attacks". These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location. This issue is caused by applications passing an insufficiently qualified path when loading an external library. Microsoft has issued guidance to developers in the MSDN article, Dynamic-Link Library Security*, on how to correctly use the available application programming interfaces to prevent this class of vulnerability. Microsoft is also actively reaching out to third-party vendors through the Microsoft Vulnerability Research Program to inform them of the mitigations available in the operating system. Microsoft is also actively investigating which of its own applications may be affected. In addition to this guidance, Microsoft is releasing a tool** that allows system administrators to mitigate the risk of this new attack vector by altering the library loading behavior system-wide or for specific applications. This advisory describes the functionality of this tool and other actions that customers can take to help protect their systems.
Mitigating Factors:
• This issue only affects applications that do not load external libraries securely. Microsoft has previously published guidelines for developers in the MSDN article, Dynamic-Link Library Security*, that recommend alternate methods to load libraries that are safe against these attacks.
• For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.
• The file sharing protocol SMB is often disabled on the perimeter firewall. This limits the possible attack vectors for this vulnerability..."

* http://msdn.microsoft.com/en-us/library/ff919712(VS.85).aspx
8/19/2010

** http://support.microsoft.com/kb/2264107
Last Review: August 25, 2010 - Revision: 3.0

More... DLL Preloading remote attack vector
- http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx
23 Aug 2010

- http://isc.sans.edu/diary.html?storyid=9445
Last Updated: 2010-08-24 17:01:04 UTC ...(Version: 3) - "... UPDATE 2: We received some e-mails about active exploitation of this vulnerability in the wild... it appears that the attackers so far are exploiting uTorrent, Microsoft Office and Windows Mail... applications for which Proof of Concept exploits have been published... be very careful about files you open from network shares..."

- http://www.us-cert.gov/current/#microsoft_releases_security_advisory5
August 24, 2010 - "... publicly available exploit code for this vulnerability... workarounds may reduce the functionality of the affected systems. Workarounds include:
• disabling the loading of libraries from WebDAV and remote network shares
• disabling the WebClient service
• blocking TCP ports 139 and 445 at the firewall ..."

- http://securitytracker.com/alerts/2010/Aug/1024355.html
Aug 24 2010
___

- http://blog.eset.com/wp-content/media_files/DLLvuln.png
August 26, 2010
___

Insecure Library Loading Vulnerability:
Release Date: 2010-08-25

Microsoft Windows Address Book...
- http://secunia.com/advisories/41050/
uTorrent...
- http://secunia.com/advisories/41051/
Adobe Photoshop...
- http://secunia.com/advisories/41060/
Microsoft Office PowerPoint...
- http://secunia.com/advisories/41063/
Wireshark...
- http://secunia.com/advisories/41064/
Opera...
- http://secunia.com/advisories/41083/
Mozilla Firefox...
- http://secunia.com/advisories/41095/
Windows Live Mail...
- http://secunia.com/advisories/41098/
Microsoft Office Groove...
- http://secunia.com/advisories/41104/
VLC Media Player...
- http://secunia.com/advisories/41107/
avast! Antivirus...
- http://secunia.com/advisories/41109/
Adobe Dreamweaver...
- http://secunia.com/advisories/41110/
TeamViewer...
- http://secunia.com/advisories/41112/

... Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched ...
___

- http://secunia.com/blog/120
24 August 2010 - "... the discovery of the remote vector just made this serious... The vulnerability is not in the Windows OS itself, but is caused by bad (insecure) programming practises in applications when loading libraries combined with how the library search order works in Windows. Ideally, when loading a library (or running an executable), a fully qualified path should be passed to the APIs used (e.g. LoadLibrary()). In case a programmer refrains from doing so and only supplies the library name, Windows searches for the file in a number of directories in a particular order. These directories may include the current working directory, which leads to the core of the problem related to the new, remote attack vector as Windows eventually searches for the file on e.g. a remote SMB or WebDAV share if that happens to be the current directory. This is the case if a user e.g. is tricked into opening a file located on a remote share. By placing a malicious library, which a vulnerable application searches for, on the share it is loaded into the application and code is executed with the privileges of the user running it. As the core problem is not in Windows, but rather caused by applications loading libraries insecurely (i.e. not supplying a fully qualified path or not initially calling SetDllDirectory() with a blank path), Secunia will not be issuing a general advisory for Windows. Instead, (likely, quite a lot of) advisories will be issued as affected applications are identified. Currently, we are seeing reports from various researchers having identified everywhere between 40 to 200 vulnerable applications, but the actual number may be a lot higher..."

- http://www.kb.cert.org/vuls/id/707943
Date Last Updated: 2010-08-25

:fear::fear:

AplusWebMaster
2010-08-26, 21:46
FYI...

ESET graphic: DLL loading vulnerability
- http://blog.eset.com/wp-content/media_files/DLLvuln.png
August 26, 2010

(One picture worth a thousand words.)

:fear:

AplusWebMaster
2010-08-28, 00:24
FYI...

- http://www.computerworld.com/s/article/9181918/Windows_DLL_exploits_boom_hackers_post_attacks_for_40_plus_apps
August 25, 2010 - "... The flaws stem from the way many Windows applications call code libraries - dubbed "dynamic-link library," or "DLL" - that give hackers wiggle room they can exploit by tricking an application into loading a malicious file with the same name as a required DLL. If attackers can dupe users into visiting malicious Web sites or remote shares, or get them to plug in a USB drive - and in some cases con them into opening a file - they can hijack a PC and plant malware on it... As of 3 p.m. ET, more than 30 exploits had been posted on Wednesday alone..."

- http://www.kb.cert.org/vuls/id/707943
Date Last Updated: 2010-08-30

- http://secunia.com/advisories/search/?search=Insecure+Library+Loading+Vulnerability
> Updated Jan. 22, 2011 - (Count is now -170-)

Microsoft apps... DLL hijacking attack vuln
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3138
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3139
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3140
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3141
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3142
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3143
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3144
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3145
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3146
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3147
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3148
Last revised: 08/30-31/2010
CVSS v2 Base Score: 9.3 (HIGH)

:fear:

AplusWebMaster
2010-08-31, 23:48
FYI...

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2269637.mspx
"...Workarounds:
• Disable loading of libraries from WebDAV and remote network shares...
• Disable the WebClient service...
• Block TCP ports 139 and 445 at the firewall...
(See "Impact of workaround" for each one)..."
• V1.1 (August 31, 2010) Added a link to Microsoft Knowledge Base Article 2264107* to provide an automated Microsoft Fix it solution for the workaround, Disable loading of libraries from WebDAV and remote network shares.
* http://support.microsoft.com/kb/2264107
August 31, 2010 - Revision: 4.0

MS SRD - Update on the DLL-preloading remote attack vector
- http://blogs.technet.com/b/srd/archive/2010/08/31/an-update-on-the-dll-preloading-remote-attack-vector.aspx
31 Aug 2010 - "... Note: The Fix-it itself does not install the workaround tool. You’ll need to separately download and install the tool beforehand.
To instead completely block all DLL-preloading attack vectors, including the threat of malicious files on a USB thumb drive or files arriving via email as a ZIP attachment, set CWDIllegalInDllSearch to 0xFFFFFFFF. This will address any DLL preloading vulnerabilities that may exist in applications running on your system. However, it may have some unintended consequences for applications that require this behavior, so we do recommend thorough testing..."
- http://go.microsoft.com/?linkid=9742148

- http://techblog.avira.com/2010/09/02/mitigation-for-windows-applications-dll-search-path-vulnerabilities/en/
September 2, 2010 - "... the company released a Fix-it tool which can be executed after the patch has been applied. It lessens the restrictions introduced by the patch so that most applications do work again. Windows then still blocks loading DLLs from network shares or WebDAV, but if a malicious DLL is located within a local working directory, an attack may still succeed..."

Verified Secunia List:
- http://secunia.com/advisories/windows_insecure_library_loading/
(tables are automatically updated as Secunia issues new advisories)
Number of products affected...
Number of vendors affected...
Number of Secunia Advisories issued...

:fear:
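The search-order behaviour described in the Secunia and SRD excerpts above, as an added example (not code from the poster, Microsoft or Secunia). It is a simplified Python model of DLL name resolution with SafeDllSearchMode on. The application, share, drive and `codec.dll` names are constructed sample data, and the value 2 for CWDIllegalInDllSearch is the remote-folder setting from KB 2264107.

```python
# Simplified model of how Windows resolves a DLL name (SafeDllSearchMode on).
# All directories and file names below are constructed sample data.
import re

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"

# CWDIllegalInDllSearch values (KB 2264107) covered by this model.
CWD_DEFAULT = 0x0          # current directory stays in the search order
CWD_BLOCK_REMOTE = 0x2     # skip it when it is a remote (UNC/WebDAV) folder
CWD_REMOVE = 0xFFFFFFFF    # never search the current directory


def is_remote(directory):
    """UNC-style paths (\\\\server\\share) are treated as remote."""
    return directory.startswith("\\\\")


def is_fully_qualified(name):
    """True for X:\\... or \\\\server\\... ; a bare 'foo.dll' is not."""
    return bool(re.match(r"^(?:[A-Za-z]:\\|\\\\)", name))


def search_dirs(app_dir, cwd, path_dirs,
                cwd_illegal=CWD_DEFAULT, blank_dll_directory=False):
    """Directories searched, in order, for an unqualified library name.

    blank_dll_directory models a prior SetDllDirectory("") call, which
    removes the current directory from the search order for the process.
    """
    dirs = [app_dir, SYSTEM32, SYSTEM16, WINDIR]
    skip_cwd = (
        blank_dll_directory
        or cwd_illegal == CWD_REMOVE
        or (cwd_illegal == CWD_BLOCK_REMOTE and is_remote(cwd))
    )
    if not skip_cwd:
        dirs.append(cwd)
    dirs.extend(path_dirs)
    return dirs


def resolve(name, files, app_dir, cwd, path_dirs=(), **policy):
    """Return the path that would be loaded, or None if nothing is found."""
    present = {f.lower() for f in files}      # Windows paths: case-insensitive
    if is_fully_qualified(name):
        # A fully qualified path is loaded as given; no directory search.
        return name if name.lower() in present else None
    for directory in search_dirs(app_dir, cwd, path_dirs, **policy):
        candidate = directory.rstrip("\\") + "\\" + name
        if candidate.lower() in present:
            return candidate
    return None


# Constructed scenario: the application loads an optional "codec.dll" by bare
# name; the only copies outside its plugin folder sit next to documents.
APP_DIR = r"C:\Program Files\Viewer"
SHARE = r"\\fileserver\docs"
USB = r"D:\usb"
FILES = [
    r"C:\Program Files\Viewer\viewer.exe",
    r"C:\Program Files\Viewer\plugins\codec.dll",  # copy the vendor ships
    r"C:\Windows\System32\kernel32.dll",
    r"\\fileserver\docs\report.doc",
    r"\\fileserver\docs\codec.dll",                # same name, untrusted share
    r"D:\usb\codec.dll",                           # same name, local drive
]


def demo():
    """Resolution result for each combination discussed in the thread."""
    return {
        "bare name, cwd=share, default": resolve(
            "codec.dll", FILES, APP_DIR, SHARE),
        "bare name, cwd=share, value 2": resolve(
            "codec.dll", FILES, APP_DIR, SHARE, cwd_illegal=CWD_BLOCK_REMOTE),
        "bare name, cwd=usb, value 2": resolve(
            "codec.dll", FILES, APP_DIR, USB, cwd_illegal=CWD_BLOCK_REMOTE),
        "bare name, cwd=usb, 0xFFFFFFFF": resolve(
            "codec.dll", FILES, APP_DIR, USB, cwd_illegal=CWD_REMOVE),
        "bare name, cwd=share, SetDllDirectory('')": resolve(
            "codec.dll", FILES, APP_DIR, SHARE, blank_dll_directory=True),
        "full path, cwd=share, default": resolve(
            r"C:\Program Files\Viewer\plugins\codec.dll",
            FILES, APP_DIR, SHARE),
    }


if __name__ == "__main__":
    for case, loaded in demo().items():
        print(f"{case:45} -> {loaded}")
```

The third case matches the Avira note above: with only remote folders blocked, a same-named DLL in a local working directory is still the one found.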

AplusWebMaster
2010-09-07, 13:14
FYI...

Microsoft Security Bulletin MS10-056 - Critical
Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638)
- http://www.microsoft.com/technet/security/bulletin/MS10-056.mspx?pubDate=2010-09-01
Updated: September 01, 2010
• V1.3 (September 1, 2010): Added note to the affected software table to inform customers using Word 2007 that in addition to security update package KB2251419, they also need to install the security update package KB2277947* to be protected from the vulnerabilities described in this bulletin.
* http://support.microsoft.com/?kbid=2277947

:fear:

AplusWebMaster
2010-09-10, 02:29
FYI...

MS Security Bulletin Advance Notification - September 2010
- http://www.microsoft.com/technet/security/Bulletin/MS10-sep.mspx
September 09, 2010 - "This is an advance notification of security bulletins that Microsoft is intending to release on September 14, 2010..." (Total of -9-)

Critical -4-
Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 2 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 3 - Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft Office
Bulletin 4 - Critical - Remote Code Execution - May require restart - Microsoft Office

Important -5-
Bulletin 5 - Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 6 - Important - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 7 - Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 8 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 9 - Important - Elevation of Privilege - Requires restart - Microsoft Windows

.

AplusWebMaster
2010-09-14, 20:20
FYI...

MS Security Bulletin Summary - September 2010
- http://www.microsoft.com/technet/security/Bulletin/MS10-sep.mspx
September 14, 2010 - "This bulletin summary lists security bulletins released for September 2010..."
(Total of -9-)
• V2.0 (September 22, 2010): Raised the Exploitability Index assessment rating for CVE-2010-2738, lowered the Exploitability Index assessment rating for CVE-2010-2730, and revised the Exploitability Index key note for CVE-2010-0818.

Critical -4-

Microsoft Security Bulletin MS10-061 - Critical
Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290)
- http://www.microsoft.com/technet/security/bulletin/ms10-061.mspx
Remote Code Execution - Requires restart - Microsoft Windows
- http://blogs.technet.com/b/srd/archive/2010/09/14/ms10-061-printer-spooler-vulnerability.aspx

Microsoft Security Bulletin MS10-062 - Critical
Vulnerability in MPEG-4 Codec Could Allow Remote Code Execution (975558)
- http://www.microsoft.com/technet/security/bulletin/MS10-062.mspx
Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS10-063 - Critical
Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution (2320113)
- http://www.microsoft.com/technet/security/bulletin/MS10-063.mspx
Remote Code Execution - May require restart - Microsoft Windows, Microsoft Office

Microsoft Security Bulletin MS10-064 - Critical
Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2315011)
- http://www.microsoft.com/technet/security/bulletin/ms10-064.mspx
Remote Code Execution - May require restart - Microsoft Office

Important -5-

Microsoft Security Bulletin MS10-065 - Important
Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (2267960)
- http://www.microsoft.com/technet/security/bulletin/MS10-065.mspx
Remote Code Execution - May require restart - Microsoft Windows
- http://blogs.technet.com/b/srd/archive/2010/09/14/ms10-065-vulnerability-in-iis-s-fastcgi-handler.aspx

Microsoft Security Bulletin MS10-066 - Important
Vulnerability in Remote Procedure Call Could Allow Remote Code Execution (982802)
- http://www.microsoft.com/technet/security/bulletin/ms10-066.mspx
Remote Code Execution - Requires Restart - Microsoft Windows

Microsoft Security Bulletin MS10-067 - Important
Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2259922)
- http://www.microsoft.com/technet/security/bulletin/MS10-067.mspx
Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS10-068 - Important
Vulnerability in Local Security Authority Subsystem Service Could Allow Elevation of Privilege (983539)
- http://www.microsoft.com/technet/security/bulletin/MS10-068.mspx
Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS10-069 - Important
Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege (2121546)
- http://www.microsoft.com/technet/security/bulletin/MS10-069.mspx
Elevation of Privilege - Requires restart - Microsoft Windows
___

Severity and Exploitability index
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/5482.Sept-2010-Risk-and-Impact.png

Deployment priority
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/3580.Sept-2010-Overview-Final.png
___

ISC Analysis
- http://isc.sans.edu/diary.html?storyid=9547
Last Updated: 2010-09-14 18:00:03 UTC
___

- http://secunia.com/advisories/41292/ - MS10-061
- http://secunia.com/advisories/41395/ - MS10-062
- http://secunia.com/advisories/41396/ - MS10-063
- http://secunia.com/advisories/34075/ - MS10-064
- http://secunia.com/advisories/41375/ - MS10-065
- http://secunia.com/advisories/41399/ - MS10-065
- http://secunia.com/advisories/41412/ - MS10-066
- http://secunia.com/advisories/41416/ - MS10-067
- http://secunia.com/advisories/41419/ - MS10-068
- http://secunia.com/advisories/41420/ - MS10-069
___

MSRT
- http://support.microsoft.com/?kbid=890830
September 14, 2010 - Revision: 78.0
(Recent additions)
- http://www.microsoft.com/security/malwareremove/families.aspx
... added this release...
• FakeCog
• Vobfus
- http://blogs.technet.com/b/mmpc/archive/2010/09/14/msrt-sets-its-sights-on-fakecog.aspx

Download:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
File Name: windows-kb890830-v3.11.exe
Version: 3.11
Date Published: 9/14/2010
To download the x64 version of MSRT, click here:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en
File Name: windows-kb890830-x64-v3.11.exe

.

AplusWebMaster
2010-09-15, 11:37
FYI...

Microsoft Security Advisory (2401593)
Vulnerability in Outlook Web Access Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/2401593.mspx
September 14, 2010 - "Microsoft has completed the investigation of a publicly disclosed vulnerability in Outlook Web Access (OWA) that may affect Microsoft Exchange customers. An attacker who successfully exploited this vulnerability could hijack an authenticated OWA session. The attacker could then perform actions on behalf of the authenticated user without the user's knowledge, within the security context of the active OWA session. This vulnerability affects supported editions of Microsoft Exchange Server 2003 and Microsoft Exchange Server 2007 (except Microsoft Exchange Server 2007 Service Pack 3). Microsoft Exchange Server 2000, Microsoft Exchange Server 2007 Service Pack 3, and Microsoft Exchange Server 2010 are -not- affected by the vulnerability. For more information, see the section, Affected and Non-Affected Software. Microsoft recommends that customers running affected editions of Microsoft Exchange Server upgrade to a non-affected version of Microsoft Exchange Server to address the vulnerability. Customers who are unable to upgrade at this time can refer to the Workarounds section for options that can help limit how an attacker can exploit the vulnerability. At this time, we are unaware of any attacks attempting to exploit this vulnerability."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3213
- http://secunia.com/advisories/41421/
"... Solution: The vulnerability is fixed in Microsoft Exchange Server 2007 SP3..."

Microsoft Security Advisory (973811)
Extended Protection for Authentication
- http://www.microsoft.com/technet/security/advisory/973811.mspx
• V1.7 (October 12, 2010): Updated the FAQ with information about a non-security update enabling Windows Server Message Block (SMB) to opt in to Extended Protection for Authentication.

:fear:

AplusWebMaster
2010-09-18, 12:33
FYI...

Microsoft Security Advisory (2416728)
Vulnerability in ASP.NET Could Allow Information Disclosure
- http://www.microsoft.com/technet/security/advisory/2416728.mspx
September 17, 2010 - "Microsoft is investigating a new public report of a vulnerability in ASP.NET. An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config. This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time... Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs...
CVE Reference: CVE-2010-3332..."

- http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx

:fear:

AplusWebMaster
2010-09-21, 23:21
FYI...

Microsoft Security Advisory (2416728)
Vulnerability in ASP.NET Could Allow Information Disclosure
- https://www.microsoft.com/technet/security/advisory/2416728.mspx
Published: September 17, 2010 | Updated: September 20, 2010
• V1.1 (September 20, 2010): "Revised Executive Summary to communicate that Microsoft is aware of limited, active attacks. Also added additional entries to the Frequently Asked Questions section and additional clarification to the workaround."

- http://weblogs.asp.net/scottgu/archive/2010/09/20/frequently-asked-questions-about-the-asp-net-security-vulnerability.aspx
September 20, 2010

- http://blogs.msdn.com/b/sharepoint/archive/2010/09/21/security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint.aspx
20 Sep 2010

:fear::fear:

AplusWebMaster
2010-09-25, 10:25
FYI...

Microsoft Security Advisory (2416728)
Vulnerability in ASP.NET Could Allow Information Disclosure
- http://www.microsoft.com/technet/security/advisory/2416728.mspx
Updated: September 28, 2010 - "... We have issued MS10-070 to address this issue..."
* http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx
___

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3332
Last revised: 09/22/2010
CVSS v2 Base Score: 5.0 (MEDIUM)

- http://blogs.technet.com/b/msrc/archive/2010/09/24/security-advisory-2416728-workaround-update.aspx
24 Sep 2010 3:27 PM

- http://blogs.msdn.com/b/sharepoint/archive/2010/09/21/security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint.aspx
** Updated 9/24/2010 4:30PM ** – Updated with additional defensive workaround published by the ASP.NET team valid for ALL affected versions of SharePoint...
** Updated 9/22/2010 10:40AM ** – Updated verification step for SharePoint Server 2007 and Windows SharePoint Services 3.0 and added an exception in the workaround for Windows SharePoint Services 2.0 running under ASP.NET 1.1.
** Updated 9/21/2010 11:05PM ** – Updated with workaround for SharePoint Server 2007 and Windows SharePoint Services 3.0 and updated SharePoint 2010 workaround.
** Updated 9/21/2010 3:06PM ** – Included details for previous releases and workaround for WSS 2.0.

- http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnerability.aspx
September 24, 2010 4:13 PM

- http://securitytracker.com/alerts/2010/Sep/1024459.html
Updated: Sep 28 2010

:fear::fear:

AplusWebMaster
2010-09-28, 13:24
FYI...

Out of Band Release to Address Microsoft Security Advisory 2416728
- http://blogs.technet.com/b/msrc/archive/2010/09/27/out-of-band-release-to-address-microsoft-security-advisory-2416728.aspx
27 Sep 2010 - "... we will release an out-of-band security update to address the vulnerability discussed in Security Advisory 2416728*..."
* http://www.microsoft.com/technet/security/advisory/2416728.mspx

- http://www.microsoft.com/technet/security/bulletin/ms10-sep.mspx
September 27, 2010 - "This is an advance notification of one out-of-band security bulletin that Microsoft is intending to release on September 28, 2010...
(rated Important)..."

:fear:

AplusWebMaster
2010-09-28, 20:31
FYI...

MS Security Bulletin Summary - September 2010
- http://www.microsoft.com/technet/security/Bulletin/MS10-sep.mspx
• V4.0 (September 30, 2010): Revised this Bulletin Summary to announce that the updates for MS10-070 are now available through all distribution channels, including Windows Update and Microsoft Update. Also revised the details of updates KB2418240, KB2418241, KB2416470, and KB2416474 for MS10-070.
___

Microsoft Security Bulletin MS10-070 - Important
Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)
- http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx
Information Disclosure - May require restart - Microsoft Windows, Microsoft .NET Framework

- http://blogs.technet.com/b/msrc/archive/2010/09/28/ms10-070-released-out-of-band-today.aspx
28 Sep 2010 - "... The update will be made available initially only through the Microsoft Download Center* and then released through Windows Update and Windows Server Update Services within the next few days..." :scratch:
* http://www.microsoft.com/downloads/en/default.aspx
10 results found (MS10-070)...

- http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security-update-now-available.aspx
September 28, 2010 - "... What is the impact of applying the update to a live web-server?
If you apply the update to a live web-server, there will be some period of time when the web-server will be offline (although an OS reboot should not be required). You’ll want to schedule and coordinate your updates appropriately. Importantly – if your site or application is running across multiple web-servers in a web-farm, you’ll want to make sure the update is applied to all of the machines (and not just some of them)... Once the update is on Windows Update, you can simply run Windows Update on your computer/server and Windows Update will automatically choose the right update to download/apply based on what you have installed. If you download the updates directly from the Microsoft Download Center, then you need to manually select and download the appropriate updates..."

- http://isc.sans.edu/diary.html?storyid=9625
Last Updated: 2010-09-28 18:37:49 UTC ...(Version: -4-)

:fear:

AplusWebMaster
2010-10-07, 22:31
FYI...

MS Security Bulletin Advance Notification - October 2010
- http://www.microsoft.com/technet/security/Bulletin/MS10-oct.mspx
October 7, 2010 - "This is an advance notification of security bulletins that Microsoft is intending to release on October 12, 2010..." (Total of -16-)

(Critical -4-)
Bulletin 1
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 2
Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 3
Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 4
Critical - Remote Code Execution - May require restart - Microsoft Windows

(Important -10-)
Bulletin 5
Important - Information Disclosure - May require restart - Microsoft Server Software
Bulletin 6
Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 7
Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 8
Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 9
Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 10
Important - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 11
Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 12
Important - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 13
Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 14
Important - Denial of Service - Requires restart - Microsoft Windows

(Moderate -2-)
Bulletin 15
Moderate - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 16
Moderate - Tampering - Requires restart - Microsoft Windows
___

- http://news.cnet.com/8301-27080_3-20018933-245.html
October 7, 2010 - "Microsoft will fix a record 49 vulnerabilities in its Patch Tuesday release next week..."
.

AplusWebMaster
2010-10-12, 19:42
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS10-oct.mspx
October 12, 2010 - "This bulletin summary lists security bulletins released for October 2010..." (Total of -16-)

Critical -4-

Microsoft Security Bulletin MS10-071 - Critical
Cumulative Security Update for Internet Explorer (2360131)
- http://www.microsoft.com/technet/security/bulletin/MS10-071.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer

Microsoft Security Bulletin MS10-075 - Critical
Vulnerability in Media Player Network Sharing Service Could Allow Remote Code Execution (2281679)
- http://www.microsoft.com/technet/security/bulletin/MS10-075.mspx
Critical - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS10-076 - Critical
Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (982132)
- http://www.microsoft.com/technet/security/bulletin/MS10-076.mspx
Critical - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS10-077 - Critical
Vulnerability in .NET Framework Could Allow Remote Code Execution (2160841)
- http://www.microsoft.com/technet/security/bulletin/MS10-077.mspx
Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework

Important -10-

Microsoft Security Bulletin MS10-072 - Important
Vulnerabilities in SafeHTML Could Allow Information Disclosure (2412048)
- http://www.microsoft.com/technet/security/bulletin/ms10-072.mspx
Important - Information Disclosure - May require restart - Microsoft Server Software

Microsoft Security Bulletin MS10-073 - Important
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957)
- http://www.microsoft.com/technet/security/bulletin/MS10-073.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS10-078 - Important
Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege (2279986)
- http://www.microsoft.com/technet/security/bulletin/MS10-078.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS10-079 - Important
Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2293194)
- http://www.microsoft.com/technet/security/bulletin/MS10-079.mspx
Important - Remote Code Execution - Requires restart - Microsoft Office

Microsoft Security Bulletin MS10-080 - Important
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2293211)
- http://www.microsoft.com/technet/security/bulletin/ms10-080.mspx
Important - Remote Code Execution - May require restart - Microsoft Office

Microsoft Security Bulletin MS10-081 - Important
Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2296011)
- http://www.microsoft.com/technet/security/bulletin/MS10-081.mspx
Important - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS10-082 - Important
Vulnerability in Windows Media Player Could Allow Remote Code Execution (2378111)
- http://www.microsoft.com/technet/security/bulletin/MS10-082.mspx
Important - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS10-083 - Important
Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution (2405882)
- http://www.microsoft.com/technet/security/bulletin/MS10-083.mspx
Important - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS10-084 - Important
Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege (2360937)
- http://www.microsoft.com/technet/security/bulletin/MS10-084.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS10-085 - Important
Vulnerability in SChannel Could Allow Denial of Service (2207566)
- http://www.microsoft.com/technet/security/bulletin/MS10-085.mspx
Important - Denial of Service - Requires restart - Microsoft Windows

Moderate -2-

Microsoft Security Bulletin MS10-074 - Moderate
Vulnerability in Microsoft Foundation Classes Could Allow Remote Code Execution (2387149)
- http://www.microsoft.com/technet/security/bulletin/MS10-074.mspx
Moderate - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS10-086 - Moderate
Vulnerability in Windows Shared Cluster Disks Could Allow Tampering (2294255)
- http://www.microsoft.com/technet/security/bulletin/MS10-086.mspx
Moderate - Tampering - Requires restart - Microsoft Windows
___

Severity and Exploitability Index
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/2480.October-2010-Severity-and-Exploitability.png

Deployment Priority
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/1638.October-2010-Deployment-Priority.png
___

- http://blogs.iss.net/archive/MSFT_SuperTuesday_Oc.html
October 12, 2010
___

ISC Analysis
- http://isc.sans.edu/diary.html?storyid=9736
Last Updated: 2010-10-13 18:35:58 UTC ...(Version: 2)
___

- http://krebsonsecurity.com/2010/10/microsoft-plugs-a-record-49-security-holes/
"... at least eight of the vulnerabilities were publicly disclosed prior to the release of today’s patches..."
- http://blogs.technet.com/b/srd/archive/2010/10/12/assessing-the-risk-of-the-october-security-updates.aspx
12 Oct 2010
___

- http://secunia.com/advisories/41271/ - MS10-071
- http://secunia.com/advisories/41746/ - MS10-072
- http://secunia.com/advisories/41775/ - MS10-073
- http://secunia.com/advisories/40298/ - MS10-074
- http://secunia.com/advisories/41776/ - MS10-075
- http://secunia.com/advisories/41777/ - MS10-076
- http://secunia.com/advisories/41751/ - MS10-077
- http://secunia.com/advisories/41778/ - MS10-078
- http://secunia.com/advisories/41785/ - MS10-079
- http://secunia.com/advisories/41788/ - MS10-079
- http://secunia.com/advisories/41789/ - MS10-079
- http://secunia.com/advisories/41790/ - MS10-079
- http://secunia.com/advisories/39303/ - MS10-080
- http://secunia.com/advisories/40217/ - MS10-081
- http://secunia.com/advisories/41779/ - MS10-082
- http://secunia.com/advisories/41786/ - MS10-083
- http://secunia.com/advisories/41700/ - MS10-084
- http://secunia.com/advisories/41787/ - MS10-085
- http://secunia.com/advisories/41781/ - MS10-086
___

MSRT
- http://support.microsoft.com/?kbid=890830
October 12, 2010 - Revision: 79.1
(Recent additions)
- http://www.microsoft.com/security/malwareremove/families.aspx
... added this release...
• Zbot
- http://blogs.technet.com/b/mmpc/archive/2010/10/12/msrt-on-zbot-the-botnet-in-a-box.aspx

Download:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
File Name: windows-kb890830-v3.12.exe - 11.2MB
Version: 3.12
Date Published: 10/12/2010
To download the x64 version of MSRT, click here:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en
File Name: windows-kb890830-x64-v3.12.exe - 11.5MB

> http://forums.spybot.info/showpost.php?p=385953&postcount=40
___

An Early Look at the Impact of MSRT on Zbot
- http://blogs.technet.com/b/mmpc/archive/2010/10/17/an-early-look-at-the-impact-of-msrt-on-zbot.aspx
17 Oct 2010 - "... we added Win32/Zbot to MSRT this month... Since the release of MSRT on Tuesday we have removed Zbot 281,491 times from 274,873 computers... Approximately 86 million computers have run this version of MSRT..."

.

AplusWebMaster
2010-11-03, 20:59
FYI...

Microsoft Security Advisory (2458511)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2458511.mspx
• V1.1 (November 3, 2010): Added the opening of HTML mail in the Restricted sites zone as a mitigating factor, the automated Microsoft Fix it solution to the CSS workaround, and a finder acknowledgment. Removed reading e-mail in plain text as a workaround. Also clarified content in the EMET, DEP, and CSS workarounds.
"Microsoft is investigating new, public reports of a vulnerability in all supported versions of Internet Explorer. The main impact of the vulnerability is remote code execution. This advisory contains workarounds and mitigations for this issue. The vulnerability exists due to an invalid flag reference within Internet Explorer. It is possible under certain conditions for the invalid flag reference to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.
At this time, we are aware of targeted attacks attempting to use this vulnerability... Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update..."
(Workarounds listed at the URL above.)

- http://support.microsoft.com/kb/2458511
Last Review: November 4, 2010 - Revision: 3.0 - "...Two fixit solutions are available:
• Fix it solution for the user-defined CSS
- http://support.microsoft.com/kb/2458511#FixItForMe1
• Fixit solution for Data Execution Prevention in Internet Explorer 7
- http://support.microsoft.com/kb/2458511#FixItForMeAlways

• Enhanced Mitigation Experience Toolkit
- http://support.microsoft.com/kb/2458544/
November 2, 2010 - Revision: 1.0

CVE-2010-3962

IE 0-Day used in Targeted Attacks
- http://www.symantec.com/connect/blogs/new-ie-0-day-used-targeted-attacks
Nov. 3, 2010

- http://www.securitytracker.com/id?1024676
Updated: Nov 4 2010 - "... This vulnerability is being actively exploited..."
- http://secunia.com/advisories/42091/
Last Update: 2010-11-04
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Vendor Workaround ...
NOTE: The vulnerability is currently being actively exploited...

- http://blogs.technet.com/b/srd/archive/2010/11/03/dep-emet-protect-against-attacks-on-the-latest-internet-explorer-vulnerability.aspx

- http://isc.sans.edu/diary.html?storyid=9874
Last Updated: 2010-11-07 14:30:10 UTC ...(Version: 6) - "... would likely be leveraged in a drive-by-exploit scenario..."

:fear:

AplusWebMaster
2010-11-05, 12:15
FYI...

MS Security Bulletin Advance Notification - November 2010
- http://www.microsoft.com/technet/security/Bulletin/MS10-nov.mspx
November 04, 2010 - "This is an advance notification of security bulletins that Microsoft is intending to release on November 9, 2010..." (Total of -3-)

Bulletin 1 - Critical - Remote Code Execution - May require restart - Microsoft Office

Bulletin 2 - Important - Remote Code Execution - May require restart - Microsoft Office

Bulletin 3 - Important - Elevation of Privilege - May require restart - Microsoft Forefront Unified Access Gateway ...

- http://blogs.technet.com/b/msrc/archive/2010/11/04/advance-notification-service-for-november-2010-bulletins.aspx
4 Nov 2010 - "... three updates addressing 11 vulnerabilities..."

:fear:

AplusWebMaster
2010-11-08, 14:40
FYI...

IE 0-day fix due out Dec. 14, 2010
- http://blogs.technet.com/b/mmpc/archive/2010/12/09/cve-2010-3962-the-weekend-warrior.aspx
9 Dec 2010 - "... the bulletin addressing this issue is planned to be released on Tuesday, Dec. 14 ..."
- http://www.microsoft.com/security/portal/blog-images/CVE-2010-3962-geo.jpg
CVE-2010-3942 0-day - Attacks thru 12.8.2010 - MMPC charts
- http://www.microsoft.com/security/portal/blog-images/CVE-2010-3962-OS.jpg
___

IE 0-day in exploit kit...
- http://thompson.blog.avg.com/2010/11/heads-up-0-day-in-an-exploit-kit.html
November 07, 2010 - "... CVE-2010-3962* is in the Wild, but over the last couple of days, we've begun detecting it in the Eleonore Exploit Kit. This raises the stakes considerably..."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3962
Last revised: 11/11/2010
CVSS v2 Base Score: 9.3 (HIGH) "... as exploited in the wild in November 2010..."
• Fix it solution for the user-defined CSS
- http://support.microsoft.com/kb/2458511#FixItForMe1
November 4, 2010 - Revision: 3.0

- http://www.microsoft.com/technet/security/advisory/2458511.mspx
• V1.1 (November 3, 2010): Added the opening of HTML mail in the Restricted sites zone as a mitigating factor, the automated Microsoft Fix it solution to the CSS workaround, and a finder acknowledgment. Removed reading e-mail in plain text as a workaround. Also clarified content in the EMET, DEP, and CSS workarounds.

:fear::fear:

AplusWebMaster
2010-11-09, 19:31
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS10-nov.mspx
November 9, 2010 - "This bulletin summary lists security bulletins released for November 2010..." (Total of -3-)

Critical -1-

Microsoft Security Bulletin MS10-087 - Critical
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)
- http://www.microsoft.com/technet/security/bulletin/MS10-087.mspx
Critical - Remote Code Execution - May require restart - Microsoft Office
• V1.1 (November 17, 2010): Corrected the severity table and vulnerability section to add CVE-2010-2573 as a vulnerability addressed by this update. This is an informational change only.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2573
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3333
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3334
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3335
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3336
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3337
CVSS v2 Base Score: 9.3 (HIGH)

Important -2-

Microsoft Security Bulletin MS10-088 - Important
Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2293386)
- http://www.microsoft.com/technet/security/bulletin/MS10-088.mspx
Important - Remote Code Execution - May require restart - Microsoft Office
• V1.2 (November 17, 2010): Clarified that for Microsoft PowerPoint 2002 and Microsoft PowerPoint 2003, customers also need to install the Microsoft Office update provided in MS10-087 to be protected from the vulnerability described in CVE-2010-2573. This is an informational change only. Customers who have already successfully applied the MS10-087 and the MS10-088 updates do not need to take any action.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2572
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2573
CVSS v2 Base Score: 9.3 (HIGH)

Microsoft Security Bulletin MS10-089 - Important
Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Elevation of Privilege (2316074)
- http://www.microsoft.com/technet/security/bulletin/MS10-089.mspx
Important - Elevation of Privilege - May require restart - Microsoft Forefront Unified Access Gateway
___

Deployment Priority
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/0537.1011-deployment-slide.png
___

ISC Analysis
- http://isc.sans.edu/diary.html?storyid=9910
Last Updated: 2010-11-09 18:41:02 UTC
___

- http://www.securitytracker.com/id?1024705
- http://www.securitytracker.com/id?1024706
- http://www.securitytracker.com/id?1024707
Nov 9 2010
___

MSRT
- http://support.microsoft.com/?kbid=890830
November 9, 2010 - Revision: 81.0
(Recent additions)
- http://www.microsoft.com/security/malwareremove/families.aspx
... added this release...
• FakePAV
• Worm:Win32/Sality.AT
• Virus:Win32/Sality.AT

- http://blogs.technet.com/b/mmpc/archive/2010/11/09/msrt-tackles-fake-microsoft-security-essentials.aspx

Download:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
File Name: windows-kb890830-v3.13.exe

To download the x64 version of MSRT, click here:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en
File Name: windows-kb890830-x64-v3.13.exe
___

Microsoft Security Advisory (2269637)
[DLL] Insecure Library Loading Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2269637.mspx
• V2.0 (November 9, 2010) Added Microsoft Security Bulletin MS10-087, "Vulnerabilities in Microsoft Office Could Allow Remote Code Execution," to the Updates relating to Insecure Library Loading section.

.

AplusWebMaster
2010-11-18, 21:31
FYI...

EMET v2.0.0.3 released
- http://blogs.technet.com/b/srd/archive/2010/11/17/emet-update-2-0-0-3-released.aspx
17 Nov 2010 - "... some Enhanced Mitigation Experience Toolkit (EMET) v2.0 users may have potential issues with the update functionality of specific applications from Adobe and Google. As a result, today we released a new version of EMET that will help ensure these updaters work as expected when EMET is in place for added protection. No other behavior is being changed with this release. You can download version 2.0.0.3 of EMET here*..."
* http://www.microsoft.com/downloads/en/details.aspx?FamilyID=4a8a9171-5a11-4d58-aa34-95c855f69c39

> http://www.computerworld.com/s/article/9197118/Microsoft_fixes_security_tool_after_Google_reports_Chrome_problems
November 18, 2010

- http://www.theregister.co.uk/2010/11/19/ms_security_tool_chrome_adobe_conflicts/
Enterprise Security, 19 November 2010

:fear::fear:

AplusWebMaster
2010-12-09, 19:16
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS10-dec.mspx
December 9, 2010 - "This is an advance notification of security bulletins that Microsoft is intending to release on December 14, 2010..." (Total of -17-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart
Microsoft Windows, Internet Explorer
Bulletin 2 - Critical - Remote Code Execution - Requires restart
Microsoft Windows
Bulletin 3 - Important - Elevation of Privilege - Requires restart
Microsoft Windows
Bulletin 4 - Important - Remote Code Execution - May require restart
Microsoft Windows
Bulletin 5 - Important - Remote Code Execution - May require restart
Microsoft Windows
Bulletin 6 - Important - Remote Code Execution - Requires restart
Microsoft Windows
Bulletin 7 - Important - Remote Code Execution - May require restart
Microsoft Windows
Bulletin 8 - Important - Remote Code Execution - May require restart
Microsoft Windows
Bulletin 9 - Important - Elevation of Privilege - Requires restart
Microsoft Windows
Bulletin 10 - Important - Elevation of Privilege - Requires restart
Microsoft Windows
Bulletin 11 - Important - Elevation of Privilege - May require restart
Microsoft Windows
Bulletin 12 - Important - Denial of Service - Requires restart
Microsoft Windows
Bulletin 13 - Important - Denial of Service - Requires restart
Microsoft Windows
Bulletin 14 - Important - Remote Code Execution - May require restart
Microsoft Office
Bulletin 15 - Important - Remote Code Execution - May require restart
Microsoft SharePoint
Bulletin 16 - Important - Remote Code Execution - May require restart
Microsoft Office
Bulletin 17 - Moderate - Denial of Service - May require restart
Microsoft Exchange ...

- http://blogs.technet.com/b/msrc/archive/2010/12/09/december-2010-advance-notification-service-is-released.aspx
9 Dec 2010 - "... 17 updates addressing 40 vulnerabilities in Microsoft Windows, Office, Internet Explorer, SharePoint and Exchange..."

- http://www.computerworld.com/s/article/9200642/Microsoft_slates_another_monster_Patch_Tuesday
December 9, 2010 - "... a record, beating the count from October 2010 by one... The total bulletin count for the year - 106 - was also a record, as was the number of vulnerabilities patched in those updates: 266..."

.

AplusWebMaster
2010-12-14, 20:13
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS10-dec.mspx
December 14, 2010 - "This bulletin summary lists security bulletins released for December 2010..."

Critical -2-

Microsoft Security Bulletin MS10-090 - Critical
Cumulative Security Update for Internet Explorer (2416400)
- http://www.microsoft.com/technet/security/bulletin/MS10-090.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer

Microsoft Security Bulletin MS10-091 - Critical
Vulnerabilities in the OpenType Font (OTF) Driver Could Allow Remote Code Execution (2296199)
- http://www.microsoft.com/technet/security/bulletin/MS10-091.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Important -14-

Microsoft Security Bulletin MS10-092 - Important
Vulnerability in Task Scheduler Could Allow Elevation of Privilege (2305420)
- http://www.microsoft.com/technet/security/bulletin/ms10-092.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS10-093 - Important
Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (2424434)
- http://www.microsoft.com/technet/security/bulletin/MS10-093.mspx
Important - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS10-094 - Important
Vulnerability in Windows Media Encoder Could Allow Remote Code Execution (2447961)
- http://www.microsoft.com/technet/security/bulletin/MS10-094.mspx
Important - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS10-095 - Important
Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2385678)
- http://www.microsoft.com/technet/security/bulletin/MS10-095.mspx
Important - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS10-096 - Important
Vulnerability in Windows Address Book Could Allow Remote Code Execution (2423089)
- http://www.microsoft.com/technet/security/bulletin/MS10-096.mspx
Important - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS10-097 - Important
Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution (2443105)
- http://www.microsoft.com/technet/security/bulletin/MS10-097.mspx
Important - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS10-098 - Important
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2436673)
- http://www.microsoft.com/technet/security/bulletin/ms10-098.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS10-099 - Important
Vulnerability in Routing and Remote Access Could Allow Elevation of Privilege (2440591)
- http://www.microsoft.com/technet/security/bulletin/ms10-099.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS10-100 - Important
Vulnerability in Consent User Interface Could Allow Elevation of Privilege (2442962)
- http://www.microsoft.com/technet/security/bulletin/MS10-100.mspx
Important - Elevation of Privilege - May require restart - Microsoft Windows

Microsoft Security Bulletin MS10-101 - Important
Vulnerability in Windows Netlogon Service Could Allow Denial of Service (2207559)
- http://www.microsoft.com/technet/security/bulletin/ms10-101.mspx
Important - Denial of Service - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS10-102 - Important
Vulnerability in Hyper-V Could Allow Denial of Service (2345316)
- http://www.microsoft.com/technet/security/bulletin/ms10-102.mspx
Important - Denial of Service - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS10-103 - Important
Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2292970)
- http://www.microsoft.com/technet/security/bulletin/ms10-103.mspx
Important - Remote Code Execution - May require restart - Microsoft Office

Microsoft Security Bulletin MS10-104 - Important
Vulnerability in Microsoft SharePoint Could Allow Remote Code Execution (2455005)
- http://www.microsoft.com/technet/security/bulletin/MS10-104.mspx
Important - Remote Code Execution - May require restart - Microsoft SharePoint

Microsoft Security Bulletin MS10-105 - Important
Vulnerabilities in Microsoft Office Graphics Filters Could Allow for Remote Code Execution (968095)
- http://www.microsoft.com/technet/security/bulletin/ms10-105.mspx
Important - Remote Code Execution - May require restart - Microsoft Office

Moderate -1-

Microsoft Security Bulletin MS10-106 - Moderate
Vulnerability in Microsoft Exchange Server Could Allow Denial of Service (2407132)
- http://www.microsoft.com/technet/security/bulletin/MS10-106.mspx
Moderate - Denial of Service - May require restart - Microsoft Exchange
___

Deployment Priority
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/0676.2010_2D00_12-deployment.png

Severity and Exploitability Index
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/6445.2010_2D00_12-severity-xi.png
___

ISC Analysis
- http://isc.sans.edu/diary.html?storyid=10081
Last Updated: 2010-12-14 18:52:39 UTC
___

- http://www.us-cert.gov/cas/techalerts/TA10-348A.html
December 14, 2010
"Impact: A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution: Apply updates ..."
___

MSRT
- http://support.microsoft.com/?kbid=890830
December 14, 2010 - Revision: 82.0
(Recent additions)
- http://www.microsoft.com/security/malwareremove/families.aspx
... added this release...
• Qakbot

Download:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
File Name: windows-kb890830-v3.14.exe

To download the x64 version of MSRT, click here:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en
File Name: windows-kb890830-x64-v3.14.exe

.

AplusWebMaster
2010-12-15, 03:29
FYI...

Microsoft Security Advisory (973811)
Extended Protection for Authentication
- http://www.microsoft.com/technet/security/advisory/973811.mspx
• V1.8 (December 14, 2010): Updated the FAQ with information about a non-security update enabling Microsoft Outlook to opt in to Extended Protection for Authentication.
• V1.9 (December 17, 2010): Removed the FAQ entry, originally added December 14, 2010, about a non-security update enabling Microsoft Outlook to opt in to Extended Protection for Authentication.

Microsoft Security Advisory (2458511)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
12/14/2010 - "We have issued MS10-090* to address this issue..."

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
• V3.0 (December 14, 2010) Added the following Microsoft Security Bulletins to the Updates relating to Insecure Library Loading section:
MS10-093*, "Vulnerability in Windows Movie Maker Could Allow Remote Code Execution;"
MS10-094*, "Vulnerability in Windows Media Encoder Could Allow Remote Code Execution;"
MS10-095*, "Vulnerability in Microsoft Windows Could Allow Remote Code Execution;"
MS10-096*, "Vulnerability in Windows Address Book Could Allow Remote Code Execution;" and
MS10-097*, "Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution."

* http://forums.spybot.info/showpost.php?p=391031&postcount=73

.

AplusWebMaster
2010-12-20, 17:52
FYI...

Patch issues with Outlook 2007
- http://isc.sans.edu/diary.html?storyid=10117
Last Updated: 2010-12-20 14:47:33 UTC - "Last week on December 14, Microsoft released an update (KB 2412171) for Microsoft Outlook 2007, and several of our readers wrote in indicating it caused problems with Outlook after applying the update. On December 16, Microsoft removed the update from Microsoft Update. Microsoft identified 3 issues with this update. If you are experiencing similar issues with the patch like those listed in this Microsoft Blog and you are using Windows XP, Vista and 7, Microsoft listed the steps to remove the patch here*."
* http://blogs.msdn.com/b/outlook/archive/2010/12/17/issues-with-the-recent-update-for-outlook-2007.aspx
___

> http://support.microsoft.com/kb/2485531
Last Review: December 21, 2010 - Revision: 4.0
___

- http://support.microsoft.com/kb/2412171
Last Review: December 18, 2010 - Revision: 3.1
___

[Symptoms related to Outlook 2007 bug injected by bad M$ Update KB 2412171]
- http://www.us-cert.gov/current/#microsoft_releases_blog_entry_regarding
December 20, 2010
• Outlook fails to connect if Secure Password Authentication (SPA) is configured for an account and the mail server does not support SPA.
• Noticeable performance issues when switching between folders if a Microsoft Exchange Server account is not configured in Outlook.
• AutoArchive cannot be configured for IMAP, POP3, or Outlook Live Connector accounts if there is no Exchange Server account configured in the same Outlook provide...
> http://blogs.msdn.com/b/outlook/archive/2010/12/17/issues-with-the-recent-update-for-outlook-2007.aspx

:sad::fear:

AplusWebMaster
2010-12-22, 18:53
FYI...

MS WMI Admin Tool ActiveX vuln
- http://www.us-cert.gov/current/#microsoft_wmi_administrative_tool_activex
December 22, 2010 - "... vulnerability affecting the WBEMSingleView.ocx ActiveX control. This control is part of the Microsoft WMI Administrative Tools package. Exploitation of this vulnerability may allow an attacker to execute arbitrary code. US-CERT encourages users and administrators to set the kill bit for CLSID 2745E5F5-D234-11D0-847A00C04FD7BB08 to help mitigate the risks until a fix is available from the vendor... Additional information regarding this vulnerability can be found in US-CERT Vulnerability Note VU#725596* ..."
* http://www.kb.cert.org/vuls/id/725596
Last Updated: 2010-12-22

- http://secunia.com/advisories/42693/
Last Update: 2010-12-23
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft WMI Administrative Tools 1.x, Microsoft WMI Object Viewer ActiveX Control 1.x...
Solution: Set the kill-bit for the affected ActiveX control...

:fear::fear:

AplusWebMaster
2010-12-22, 23:59
FYI...

- http://blogs.technet.com/b/srd/archive/2010/12/22/assessing-an-iis-ftp-7-5-unauthenticated-denial-of-service-vulnerability.aspx
swiblog / 22 Dec 2010 6:58 PM - "... the IIS FTP Service is not installed by default, and even after installation, it is not enabled by default..."

0-Day IIS 7.5 DoS (processing FTP requests)
- http://isc.sans.edu/diary.html?storyid=10126
Last Updated: 2010-12-22 22:05:34 UTC - "A 0-day exploit has been published at exploit-db (see US-Cert advisory*) that takes advantage of a memory corruption vulnerability in IIS 7.5's FTP service. This bug will work pre-authentication.
From the looks of it, it is a pure remote exploit that's chief use would be denial of service. As with any memory corruption bugs, it is theoretically possible to use this to gain access to the server with the permissions of the user that is running IIS... Some defenses would be limiting FTP services that are internet-facing (especially if IIS), using firewalls to limit access to the server and configuring perimeter devices to check for memory attacks..."
* http://www.kb.cert.org/vuls/id/842372

- http://secunia.com/advisories/42713
Last Update: 2010-12-23
Criticality level: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Information Services (IIS) 7.x
Solution: Restrict traffic to the FTP service.

- http://www.securitytracker.com/id?1024921
Updated: Dec 23 2010

:sad::fear:

AplusWebMaster
2010-12-23, 02:52
FYI...

Microsoft Security Advisory (2488013)
Vulnerability in -IE- Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2488013.mspx
• V1.1 (December 31, 2010): Revised Executive Summary to reflect investigation of targeted attacks.
December 22, 2010 - "Microsoft is investigating new, public reports of a vulnerability in all supported versions of Internet Explorer. The main impact of the vulnerability is remote code execution. This advisory contains workarounds and mitigations for this issue. The vulnerability exists due to the creation of uninitialized memory during a CSS function within Internet Explorer. It is possible under certain conditions for the memory to be leveraged by an attacker using a specially crafted Web page to gain remote code execution. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs. Currently, Microsoft is unaware of any active exploitation of this vulnerability..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3971
Last revised: 12/23/2010
CVSS v2 Base Score: 9.3 (HIGH)

- http://blogs.technet.com/b/msrc/archive/2010/12/22/microsoft-releases-security-advisory-2488013.aspx
22 Dec 2010

- http://secunia.com/advisories/42510
Last Update: 2010-12-23
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched...

- http://www.securitytracker.com/id?1024922
Dec 23 2010

:fear::fear:

AplusWebMaster
2010-12-23, 17:47
FYI...

- http://community.websense.com/blogs/securitylabs/archive/2010/12/23/zero-day-different-exploit-in-internet-explorer.aspx
23 Dec 2010 - "... Two different new zero-day exploits were published on December 22...
1) ... The use of built-in protections of DEP and ASLR on the Windows platform and Internet Explorer doesn't guarantee to stop the exploit. It stems from the fact that the affected DLL mscorie.dll used by Internet Explorer wasn't compiled to support ASLR - this fact allows an attacker to also bypass DEP by using ROP (return to oriented programming) and successfully exploit the system...
2) ... The second vulnerability takes advantage of the Microsoft WMI Administrative Tools ActiveX Control. Internet Explorer is vulnerable only if Microsoft WMI administrative tools is installed..."

:confused::scratch:

AplusWebMaster
2010-12-30, 14:04
FYI...

Targeted attacks against MS Office vuln (CVE-2010-3333/MS10-087)
- http://blogs.technet.com/b/mmpc/archive/2010/12/29/targeted-attacks-against-recently-addressed-microsoft-office-vulnerability-cve-2010-3333-ms10-087.aspx
29 Dec 2010 - "... A few days before Christmas, we received a new sample (sha1: cc47a73118c51b0d32fd88d48863afb1af7b2578) that reliably exploits this vulnerability and is able to execute malicious shellcode which downloads other malware. The vulnerability can be triggered by utilizing a specially crafted RTF file with a size parameter that is bigger than the expected one. The vulnerability is present in Microsoft Word. It attempts to copy RTF data to the stack memory without validating the size, which will lead to overwriting the stack... We recommend customers that have not yet installed the security update MS10-087* to do so at their earliest convenience..."
* http://www.microsoft.com/technet/security/Bulletin/MS10-087.mspx
Updated: December 15, 2010
Version: 2.0

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3333
Last revised: 12/21/2010
CVSS v2 Base Score: 9.3 (HIGH)

:mad:

AplusWebMaster
2011-01-05, 00:00
FYI...

Microsoft Security Advisory (2490606)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2490606.mspx
January 04, 2011 - "Microsoft is investigating new public reports of a vulnerability in the Windows Graphics Rendering Engine. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We are not aware of attacks that try to use the reported vulnerability or of customer impact at this time... Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs..."
[Impact of Workaround: Media files typically handled by the Graphics Rendering Engine will not be displayed properly...]
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3970
Last revised: 12/23/2010
CVSS v2 Base Score: 10.0 (HIGH)

- http://secunia.com/advisories/42779/
Release Date: 2011-01-05
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Vendor Workaround
Solution: The vendor recommends restricting access to shimgvw.dll...
Original Advisory: Microsoft:
http://www.microsoft.com/technet/security/advisory/2490606.mspx
Metasploit: http://www.metasploit.com/redmine/projects/framework/repository/revisions/11466/entry/modules/exploits/windows/fileformat/ms11_xxx_createsizeddibsection.rb

- http://www.securitytracker.com/id?1024932
Jan 4 2011

- http://blogs.technet.com/b/msrc/archive/2011/01/04/microsoft-releases-security-advisory-2490606.aspx
4 Jan 2011 - "... Microsoft is actively working to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability... we are working to develop a security update to address this vulnerability. The circumstances around the issue do not currently meet the criteria for an out-of-band release; however, we are monitoring the threat landscape very closely and if the situation changes, we will post updates here on the MSRC blog..."

- http://isc.sans.edu/diary.html?storyid=10201
Last Updated: 2011-01-04 19:26:17 UTC - "... it is possible to modify the access control list on shimgvw.dll to prevent rendering of thumbnails (this would affect all thumbnails, not just malicious ones). See the Microsoft advisory for details... This particular vulnerability was disclosed in December 2010 by Moti and Xu Hao at the "Power of Community" conference. The conference presentation outlines in some detail how to create a file to exploit this vulnerability. The thumbnail itself is stored in the file as a bitmap. The vulnerability is exploited by setting the number of color indexes in the color table to a negative number (biClrUsed). The published slides do provide hints on how to exploit this vulnerability including bypassing SafeSEH* and DEP ..."
(Might help...) ... f/ Vista SP1, Win7, Server2008 and Server2008R2
* http://support.microsoft.com/kb/956607#fixit4me
November 24, 2009 Revision: 3.0 - "... it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option. We recommend that Windows users who are running any of the above operating systems enable this feature to improve the security profile of their systems...
• This wizard only applies to Vista SP1 and Server2008...
By default, SEHOP is enabled in Windows Server 2008 R2 and in Windows Server 2008.
By default, SEHOP is disabled in Windows 7 and in Windows Vista..."

:fear:

AplusWebMaster
2011-01-05, 22:13
FYI...

Microsoft Security Advisory (2490606)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2490606.mspx
• V1.1 (January 5, 2011): Added a link* to the automated Microsoft Fix it solution for the Modify the Access Control List (ACL) on shimgvw.dll workaround.
* http://support.microsoft.com/kb/2490606#FixItForMe
January 19, 2011 - Revision: 3.0

[Impact of Workaround: Media files typically handled by the Graphics Rendering Engine will not be displayed properly...]
___

Current unpatched Windows/IE vulns
- http://isc.sans.edu/diary.html?storyid=10216
Last Updated: 2011-01-05 20:49:56 UTC

:fear:

AplusWebMaster
2011-01-07, 03:29
FYI...

MS Security Bulletin Advance Notification - Jan 2011
- http://www.microsoft.com/technet/security/Bulletin/MS11-jan.mspx
January 06, 2011 - "This is an advance notification of security bulletins that Microsoft is intending to release on January 11, 2011..." (Total of -2-)

Bulletin 2 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 1 - Important - Remote Code Execution - May require restart - Microsoft Windows
___

MS to fix Windows holes, but not ones in IE
- http://news.cnet.com/8301-27080_3-20027620-245.html
January 6, 2011

- http://www.theregister.co.uk/2011/01/07/patch_tuesday_pre_alert/
7 January 2011 - "... it is probable that the bulletins due on Tuesday will not be the only security fixes from Microsoft this month..."

:fear:

AplusWebMaster
2011-01-10, 15:55
FYI...

Current unpatched Windows/IE vulns...
- http://isc.sans.edu/diary.html?storyid=10216
Last Updated: 2011-01-08 01:58:58 UTC ...(Version: 2)
"Update: Microsoft now created its own version of this table*..."

* http://blogs.technet.com/b/srd/archive/2011/01/07/assessing-the-risk-of-public-issues-currently-being-tracked-by-the-msrc.aspx
7 Jan 2011 5:00 PM

:fear:

AplusWebMaster
2011-01-11, 20:02
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS11-jan.mspx
January 11, 2011 - "This bulletin summary lists security bulletins released for January 2011..." (Total of -2-)

Critical -1-

Microsoft Security Bulletin MS11-002 - Critical
Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution (2451910)
- http://www.microsoft.com/technet/security/bulletin/MS11-002.mspx
Critical - Remote Code Execution - May require restart - Microsoft Windows
CVE-2011-0026, CVE-2011-0027

Important -1-

Microsoft Security Bulletin MS11-001 - Important
Vulnerability in Windows Backup Manager Could Allow Remote Code Execution (2478935)
- http://www.microsoft.com/technet/security/bulletin/MS11-001.mspx
Important - Remote Code Execution - May require restart - Microsoft Windows
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3145
Last revised: 08/30/2010
CVSS v2 Base Score: 9.3 (HIGH)
___

Deployment Priority
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/6153.deploy_2D00_1101.png

Severity and Exploitability Index
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/6011.sev_2D00_exp_2D00_1101.png
___

- http://www.us-cert.gov/cas/techalerts/TA11-011A.html
January 11, 2011
Impact: A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution: Apply updates ...
References: http://www.microsoft.com/technet/security/bulletin/ms11-jan.mspx
___

- http://secunia.com/advisories/41122/
Release Date: 2010-08-26
Last Update: 2011-01-11
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Original Advisory: MS11-001 (KB2478935):
http://www.microsoft.com/technet/security/Bulletin/MS11-001.mspx

- http://secunia.com/advisories/42804/
Release Date: 2011-01-11
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Original Advisory: MS11-002 (KB2419632, KB2419635, KB2419640, KB2451910):
http://www.microsoft.com/technet/security/Bulletin/MS11-002.mspx
______

ISC Analysis
- http://isc.sans.edu/diary.html?storyid=10252
Last Updated: 2011-01-11 18:26:51 UTC - "... Exploit(s) available..."
___

MSRT
- http://support.microsoft.com/?kbid=890830
January 11, 2011 - Revision: 83.0
(Recent additions)
- http://www.microsoft.com/security/malwareremove/families.aspx
... added this release...
• Lethic

Download:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
File Name: windows-kb890830-v3.15.exe

To download the x64 version of MSRT, click here:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en
File Name: windows-kb890830-x64-v3.15.exe

.

AplusWebMaster
2011-01-12, 04:48
FYI...

Microsoft Security Advisory (2488013)
Vulnerability in -IE- Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2488013.mspx
• V1.3 (January 11, 2011): "Revised the workaround, Prevent the recursive loading of CSS style sheets in Internet Explorer, to add the impact for the workaround...
Impact of workaround: There are side effects to blocking the recursive loading of a cascading style sheet (CSS). Users may encounter some slight performance issues due to the increased checking that is required to block the loading of the CSS files...
Workaround: Microsoft Fix it: http://support.microsoft.com/kb/2488013#FixItForMe
January 12, 2011 - Revision: 3.0 - ... This Fixit solution adds a check to check whether a cascading style sheet is about to be loaded recursively. If this is the case, the Fixit solution cancels the loading of the cascading style sheet. This Fixit solution takes advantage of a feature that is typically used for application compatibility fixes. This feature can modify the instructions of a specific binary when it is loaded..."

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2269637.mspx
• V4.0 (January 11, 2011): Added Microsoft Security Bulletin MS11-001*, Vulnerability in Windows Backup Manager Could Allow Remote Code Execution, to the Updates relating to Insecure Library Loading section.
* http://www.microsoft.com/technet/security/bulletin/MS11-001.mspx

Microsoft Security Advisory (973811)
Extended Protection for Authentication
- http://www.microsoft.com/technet/security/advisory/973811.mspx
• V1.10 (January 11, 2011): Updated the FAQ with information about a new release enabling Microsoft Office Live Meeting Service Portal to opt in to Extended Protection for Authentication.

.

AplusWebMaster
2011-01-12, 10:30
FYI...

IE drive-by bug...
- http://www.theregister.co.uk/2011/01/12/ie_code_execution_bug/
12 January 2011 - "Microsoft on Tuesday warned that attackers have begun exploiting a critical vulnerability in Internet Explorer and rolled out a temporary fix* until a permanent patch is issued. The vulnerability in IE versions 6, 7 and 8, which involves the way the browser handles cascading style sheets, allows adversaries to perform drive-by malware attacks by luring victims to booby-trapped webpages. The exploits are triggered by recursive CSS pages, in which style sheets include their own addresses..."
* http://blogs.technet.com/b/srd/archive/2011/01/11/new-workaround-included-in-security-advisory-2488013.aspx
11 Jan 2011 - "... It’s important to note that the workaround will protect Internet Explorer only if the latest security updates have been applied, including MS10-090 which was released on December 14, 2010. You can find MS10-090 at http://www.microsoft.com/technet/security/bulletin/MS10-090.mspx
> To install the workaround, click here: http://download.microsoft.com/download/E/5/6/E56904FD-3370-479D-B14A-E5481222C59C/MicrosoftFixit50591.msi
> If you’d like to uninstall the workaround after you have installed it, click here: http://download.microsoft.com/download/3/3/3/33346329-840F-4B9F-B54E-9AE1114EA331/MicrosoftFixit50592.msi ..."

:fear:

AplusWebMaster
2011-01-14, 22:46
FYI...

Microsoft preps for SP1 for Windows 7?
- http://www.h-online.com/security/news/item/Microsoft-prepares-for-SP1-for-Windows-7-1168977.html
13 January 2011 - "An "important update", which may be a prerequisite for installing Service Pack 1, is now being offered to Windows 7 and Windows Server 2008 R2 users by Windows Update. Despite the publication date being given as '11.01.2011', it is not a new update – update number 976902* first put in an appearance back in October... The update is not yet being installed automatically. It may be that Update 976902 is required in order to install SP1 for Windows 7 and Windows Server 2008 R2 via Windows Update. This would not be unprecedented – when SP1 for Windows Vista was first released, it could only be installed via Windows Update if other patches, also distributed via Windows Update, had previously been installed. Service Pack 1 is scheduled for release shortly, indeed any day now. It contains a whole heap of patches and hot fixes. There is likely to be little new functionality, previously a standard feature of service packs. However, support for the Advanced Vector Extensions (AVX) instruction set extensions used by forthcoming generations of processors is set to be one new feature. Also new are RemoteFX (an extension to the existing Remote Desktop Services) and Dynamic Memory (intelligent allocation of main memory), both relevant only when running Server 2008 R2 on large networks. Users interested in trying out SP1 in advance can now download the release candidate, which, like all beta software, is not recommended for use in live environments."
* http://support.microsoft.com/kb/976902
January 11, 2011 Revision: 4.0 - "... This software update will be a prerequisite to install service packs. Additionally, this update improves reliability when you install or remove Windows 7 and Windows Server 2008 R2 updates and service packs..."

:spider:
___

Microsoft Windows SDK for Windows 7 and .NET Framework 4 GraphEdit Insecure Library Loading Vulnerability
- http://secunia.com/advisories/41202/
Release Date: 2010-09-02
Criticality level: Highly critical
Solution Status: Unpatched

:fear:

AplusWebMaster
2011-01-16, 19:17
FYI...

Outlook 2007 - update released 11 Jan 2011
Ref: http://blogs.office.com/b/microsoft-outlook/archive/2011/01/13/fixes-for-issues-with-december-update-for-outlook-2007-have-been-released.aspx
13 Jan 2011 - "... Outlook 2007... update released on Tuesday, January 11..."

* http://support.microsoft.com/kb/2412171
Last Review: January 13, 2011 - Revision: 6.0

- http://support.microsoft.com/kb/2485531
Last Review: January 11, 2011 - Revision: 5.0 - "... To resolve this issue, install the -current- version of update 2412171* ..."

:scratch:

AplusWebMaster
2011-01-19, 22:57
FYI...

Microsoft Security Advisory (2490606)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2490606.mspx
• V1.2 (January 19, 2011): Clarified that the Modify the Access Control List (ACL) on shimgvw.dll workaround only applies to Windows XP and Windows Server 2003 systems and added a new workaround, Disable viewing of thumbnails in Windows Explorer on Windows Vista and Windows Server 2008 systems.
"... Workarounds:
• Modify the Access Control List (ACL) on shimgvw.dll on Windows XP and Windows Server 2003 systems...
Impact of Workaround: Media files typically handled by the Graphics Rendering Engine will not be displayed properly...
• Disable viewing of thumbnails in Windows Explorer on Windows Vista and Windows Server 2008 systems...
Impact of Workaround: Windows Explorer will not display thumbnail images..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3970
Original release date: 12/22/2010
Last revised: 01/19/2011
CVSS v2 Base Score: 9.3 (HIGH)

:lip:

AplusWebMaster
2011-01-28, 22:51
FYI...

Microsoft Security Advisory (2501696)
Vulnerability in MHTML Could Allow Information Disclosure
- http://www.microsoft.com/technet/security/advisory/2501696.mspx
January 28, 2011 - "Microsoft is investigating new public reports of a vulnerability in all supported editions of Microsoft Windows. The vulnerability could allow an attacker to cause a victim to run malicious scripts when visiting various Web sites, resulting in information disclosure. This impact is similar to server-side cross-site scripting (XSS) vulnerabilities. Microsoft is aware of published information and proof-of-concept code that attempts to exploit this vulnerability. At this time, Microsoft has not seen any indications of active exploitation of the vulnerability. The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a Web request run in the context of the victim's Internet Explorer. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user... we recommend that customers apply one or more of the client-side workarounds provided in the Suggested Actions section of this advisory to help block potential attack vectors regardless of the service...
CVE Reference: CVE-2011-0096
Suggested Actions:
• Enable the MHTML protocol lockdown ...
• Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones...
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone...
Additional Suggested Actions:
• Review the Microsoft Knowledge Base Article that is associated with this advisory - For more information about this issue, see Microsoft Knowledge Base Article: http://support.microsoft.com/kb/2501696#FixItForMe
January 28, 2011 - Revision: 1.0 - ...The fixit solution described in this section is not intended to be a replacement for any security update. We recommend that you always install the latest security updates. However, we offer this fixit solution as a workaround option for some scenarios..."

- http://blogs.technet.com/b/srd/archive/2011/01/28/more-information-about-the-mhtml-script-injection-vulnerability.aspx
28 Jan 2011

- http://blogs.technet.com/b/msrc/archive/2011/01/28/microsoft-releases-security-advisory-2501696.aspx
28 Jan 2011
___

- http://secunia.com/advisories/43093/
Release Date: 2011-01-29
Impact: Cross Site Scripting
Where: From remote ...
Solution: Enable MHTML protocol lockdown (either manually or using the available automated "Microsoft Fix it" solution). > http://support.microsoft.com/kb/2501696#FixItForMe
___

- http://isc.sans.edu/diary.html?storyid=10318
Last Updated: 2011-01-28 18:47:54 UTC

:fear::fear:

AplusWebMaster
2011-02-04, 00:25
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS11-feb.mspx
February 03, 2011 - "This is an advance notification of security bulletins that Microsoft is intending to release on February 8, 2011..." (Total of -12-)

Critical -3-

Bulletin 1 - Critical - Remote Code Execution - Requires restart
Microsoft Windows, Internet Explorer

Bulletin 2 - Critical - Remote Code Execution - Requires restart
Microsoft Windows

Bulletin 3 - Critical - Remote Code Execution - Requires restart
Microsoft Windows

Important -9-

Bulletin 4 - Important - Remote Code Execution - May require restart
Microsoft Windows

Bulletin 5 - Important - Denial of Service - Requires restart
Microsoft Windows

Bulletin 6 - Important - Remote Code Execution - May require restart
Microsoft Office

Bulletin 7 - Important - Information Disclosure - May require restart
Microsoft Windows

Bulletin 8 - Important - Elevation of Privilege - Restart required
Microsoft Windows

Bulletin 9 - Important - Elevation of Privilege - Restart required
Microsoft Windows

Bulletin 10 - Important - Elevation of Privilege - Restart required
Microsoft Windows

Bulletin 11 - Important - Elevation of Privilege - Restart required
Microsoft Windows

Bulletin 12 - Important - Elevation of Privilege - Restart required
Microsoft Windows
___

- http://blogs.technet.com/b/msrc/archive/2011/02/03/advance-notification-service-for-the-february-2011-security-bulletin-release.aspx
Feb. 3, 2011 - "... we'll be addressing issues related to two recent Security Advisories, 2490606 (a public vulnerability affecting the Windows Graphics Rendering Engine) and 2488013 (a public vulnerability affecting Internet Explorer). Additionally, we will be addressing an issue affecting FTP service in IIS 7.0 and 7.5..."

- http://isc.sans.edu/diary.html?storyid=10357
Last Updated: 2011-02-04 18:42:28 UTC
.

AplusWebMaster
2011-02-07, 23:30
FYI...

- http://www.computerworld.com/s/article/9208501/Microsoft_takes_second_shot_at_fixing_Outlook_2007_bugs
Feb 7, 2011 - "Microsoft will take yet another crack this month at fixing a December update for Outlook 2007... The company reissued the update on Jan. 11, saying it had solved the problems... Apparently not*..."
* http://msexchangeteam.com/archive/2011/02/01/457903.aspx
Feb. 01, 2011 - "... we recommend that you test them in a non-production environment before deploying them in production..."

- http://www.theinquirer.net/inquirer/news/2024285/microsoft-finally-fix-internet-explorer-flaw
Feb 04 2011 - "... Microsoft will fix 22 vulnerabilities in next week's Patch Tuesday security fixes, although -not- the Windows Internet Explorer zero-day vulnerability that was discovered recently*... Qualys said it has seen limited exploits for these on the wild, so the update is highly recommended..."
* http://support.microsoft.com/kb/2501696#FixItForMe
Vuln in MHTML "FixIt" - January 28, 2011

:surrender:

AplusWebMaster
2011-02-08, 19:27
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS11-feb.mspx
February 08, 2011 - "This bulletin summary lists security bulletins released for February 2011..." (Total of -12-)

Critical -3-

Microsoft Security Bulletin MS11-003 - Critical
Cumulative Security Update for Internet Explorer (2482017)
- http://www.microsoft.com/technet/security/Bulletin/MS11-003.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer

Microsoft Security Bulletin MS11-006 - Critical
Vulnerability in Windows Shell Graphics Processing Could Allow Remote Code Execution (2483185)
- http://www.microsoft.com/technet/security/Bulletin/MS11-006.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-007 - Critical
Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2485376)
- http://www.microsoft.com/technet/security/Bulletin/MS11-007.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Important -9-

Microsoft Security Bulletin MS11-004 - Important
Vulnerability in Internet Information Services (IIS) FTP Service Could Allow Remote Code Execution (2489256)
- http://www.microsoft.com/technet/security/bulletin/ms11-004.mspx
Important - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-005 - Important
Vulnerability in Active Directory Could Allow Denial of Service (2478953)
- http://www.microsoft.com/technet/security/Bulletin/MS11-005.mspx
Important - Denial of Service - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-008 - Important
Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (2451879)
- http://www.microsoft.com/technet/security/bulletin/ms11-008.mspx
Important - Remote Code Execution - May require restart - Microsoft Office

Microsoft Security Bulletin MS11-009 - Important
Vulnerability in JScript and VBScript Scripting Engines Could Allow Information Disclosure (2475792)
- http://www.microsoft.com/technet/security/Bulletin/MS11-009.mspx
Important - Information Disclosure - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-010 - Important
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2476687)
- http://www.microsoft.com/technet/security/Bulletin/MS11-010.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-011 - Important
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802)
- http://www.microsoft.com/technet/security/bulletin/ms11-011.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-012 - Important
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2479628)
- http://www.microsoft.com/technet/security/bulletin/ms11-012.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-013 - Important
Vulnerabilities in Kerberos Could Allow Elevation of Privilege (2496930)
- http://www.microsoft.com/technet/security/bulletin/ms11-013.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-014 - Important
Vulnerability in Local Security Authority Subsystem Service Could Allow Local Elevation of Privilege (2478960)
- http://www.microsoft.com/technet/security/Bulletin/MS11-014.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows
___

Deployment Priority
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/6813.deploy_2D00_feb11.png

Severity and Exploitability Index
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/5504.severity_2D00_exploit_2D00_feb11.png
___

MSRT
- http://support.microsoft.com/?kbid=890830
February 8, 2011 - Revision: 84.0
(Recent additions)
- http://www.microsoft.com/security/malwareremove/families.aspx
... added this release...
• Cycbot

- http://blogs.technet.com/b/mmpc/archive/2011/02/09/another-round-of-bots-for-msrt.aspx
9 Feb 2011

Download:
- http://www.microsoft.com/downloads/en/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
File Name: windows-kb890830-v3.16.exe

To download the x64 version of MSRT, click here:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en
File Name: windows-kb890830-x64-v3.16.exe
___

ISC Analysis
- http://isc.sans.edu/diary.html?storyid=10375
Last Updated: 2011-02-09 21:20:21 UTC (Version: 5)

Q&A: February 2011 Security Bulletin Release
- http://blogs.technet.com/b/msrc/p/february-2011-security-bulletin-q-a.aspx
February 9, 2011

.

AplusWebMaster
2011-02-09, 00:07
FYI...

Microsoft Security Advisory (967940)
Update for Windows Autorun
- http://www.microsoft.com/technet/security/advisory/967940.mspx
Published: February 24, 2009 | Updated: February 08, 2011 - "... availability of updates to the Autorun feature that help to restrict AutoPlay functionality to only CD and DVD media on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Restricting AutoPlay functionality to only CD and DVD media can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a USB flash drive, network shares, or other non-CD and non-DVD media containing a file system with an Autorun.inf file...
FAQS: ...After installing the initial update described in Microsoft Knowledge Base Article 967715, the default registry setting to disable Autorun on network drives is properly enforced. After installing the 971029 update*, customers may experience the following AutoPlay behavior:
• Many existing devices in market, and many upcoming devices, use the Autorun feature with the AutoPlay dialog box to present and install software when DVDs, CDs, and USB flash drives are inserted. The AutoPlay behavior with CD and DVD media is not affected by this update.
• Users who install this update will no longer receive a setup message that prompts them to install programs that are delivered by USB flash drives. Users will have to manually install the software. To do this, users click Open folder to view the files, browse to the software's setup program, and then double-click the setup program to run the program manually.
• Some USB flash drives have firmware that present these USB flash drives as CD drives when you insert them into computers. The AutoPlay behavior with these USB flash drives is not affected by this update..."

• V2.0 (February 8, 2011): Summary and update FAQ revised to notify users that the 971029 update to Autorun that restricts AutoPlay functionality to CD and DVD media will be offered via automatic updating.

- http://blogs.technet.com/b/msrc/archive/2011/02/08/deeper-insight-into-the-security-advisory-967940-update.aspx
8 Feb 2011

* http://support.microsoft.com/kb/971029
Last Review: February 8, 2011 - Revision: 4.0

- http://support.microsoft.com/kb/967715
Last Review: September 9, 2010 - Revision: 6.2

Virus families using Autorun / MMPC charts - MSE detections
- http://www.microsoft.com/security/portal/blog-images/20110207_image1.jpg
MSRT - major virus families using Autorun
- http://www.microsoft.com/security/portal/blog-images/20110207_image2.jpg
Also see Table 1: Top Families, 2H 2010, by Number of Detections
- http://blogs.technet.com/b/mmpc/archive/2011/02/08/breaking-up-the-romance-between-malware-and-autorun.aspx
8 Feb. 2011

(Optional MS update) Restrict USB Autorun: Update for Windows (KB971029)
- http://www.f-secure.com/weblog/archives/00002096.html
February 9, 2011
___

Microsoft Security Advisory (2490606)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2490606.mspx
Updated: February 08, 2011 - "... We have issued MS11-006* to address this issue..."
* http://www.microsoft.com/technet/security/Bulletin/MS11-006.mspx

Microsoft Security Advisory (2488013)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2488013.mspx
Updated: February 08, 2011 - "... We have issued MS11-003** to address this issue..."
** http://www.microsoft.com/technet/security/Bulletin/MS11-003.mspx

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2269637.mspx
Published: August 23, 2010 | Updated: February 08, 2011 - Version: 5.0
... Update released on February 8, 2011
• Microsoft Security Bulletin MS11-003**, "Cumulative Security Update for Internet Explorer," provides support for a vulnerable component of Internet Explorer that is affected by the Insecure Library Loading class of vulnerabilities described in this advisory.

:fear:

AplusWebMaster
2011-02-10, 13:40
FYI...

Win7 SP1 release date - 2011.02.22
- http://blogs.technet.com/b/windowsserver/archive/2011/02/08/windows-server-2008-r2-and-windows-7-sp1-releases-to-manufacturing-today.aspx
9 Feb 2011 - "... pleased to announce the Release to Manufacturing (RTM) of Windows Server 2008 R2 Service Pack 1 (SP1), along with Windows 7 SP1. SP1 will be made generally available for download on February 22... On February 22, both will be available to all customers through Windows Update..."

.

AplusWebMaster
2011-02-22, 20:45
FYI... Autorun advisory updated - again.

Microsoft Security Advisory (967940)
Update for Windows Autorun
- http://www.microsoft.com/technet/security/advisory/967940.mspx
Updated: February 22, 2011
Version: 2.1
• V2.1 (February 22, 2011): Summary revised to notify users of a change in the deployment logic for updates described in this advisory. This change is intended to minimize the user interaction required to install the updates on systems configured for automatic updating.

:blink:

AplusWebMaster
2011-02-22, 20:47
FYI...

Win7 SP1 available
- http://support.microsoft.com/kb/976932
Last Review: February 22, 2011 - Revision: 3.1

- http://windows.microsoft.com/installwindows7sp1
"... How to get SP1
The recommended (and easiest) way to get SP1 is to turn on automatic updating in Windows Update in Control Panel, and wait for Windows 7 to notify you that SP1 is ready to install. It takes about 30 minutes to install, and you'll need to restart your computer about halfway through the installation..."

What's included in Windows 7 SP1
- http://windows.microsoft.com/en-US/windows7/whats-included-in-windows-7-service-pack-1-sp1

- http://windows.microsoft.com/en-US/windows7/learn-how-to-install-windows-7-service-pack-1-sp1
"... Installation method - Estimated amount of free disk space required
Windows Update
• x86-based (32-bit): 750 MB
• x64-based (64-bit): 1050 MB
Downloading SP1 from the Microsoft website
• x86-based (32-bit): 4100 MB
• x64-based (64-bit): 7400 MB
Installing SP1 using an installation DVD
• x86-based (32-bit): 4100 MB
• x64-based (64-bit): 7400 MB..."

:blink:

AplusWebMaster
2011-02-24, 15:46
FYI...

Microsoft Security Advisory (2491888)
Vulnerability in Microsoft Malware Protection Engine Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/2491888.mspx
February 23, 2011 - "... an update to the Microsoft Malware Protection Engine also addresses a security vulnerability reported to Microsoft. The update addresses a privately reported vulnerability that could allow elevation of privilege if the Microsoft Malware Protection Engine scans a system after an attacker with valid logon credentials has created a specially crafted registry key. An attacker who successfully exploited the vulnerability could gain the same user rights as the LocalSystem account. The vulnerability could not be exploited by anonymous users. Since the Microsoft Malware Protection Engine is a part of several Microsoft anti-malware products, the update to the Microsoft Malware Protection Engine is installed along with the updated malware definitions for the affected products. Administrators of enterprise installations should follow their established internal processes to ensure that the definition and engine updates are approved in their update management software, and that clients consume the updates accordingly. Typically, no action is required of enterprise administrators or end users to install this update, because the built-in mechanism for the automatic detection and deployment of this update will apply the update within the next 48 hours. The exact time frame depends on the software used, Internet connection, and infrastructure configuration..."
- http://support.microsoft.com/kb/2510781
February 23, 2011 - "... how to verify that the updates have been installed... This update requires Windows Live OneCare..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0037
Last revised: 02/28/2011 - CVSS v2 Base Score: 7.2 (HIGH) - "... before 1.1.6603.0, as used in Microsoft Malicious Software Removal Tool (MSRT), Windows Defender, Security Essentials, Forefront Client Security, Forefront Endpoint Protection 2010, and Windows Live OneCare..."
___

- http://secunia.com/advisories/43468/
Release Date: 2011-02-24
Solution Status: Partial Fix
...The vulnerability is reported in version 1.1.6502.0 and prior of Microsoft Malware Protection Engine.
Solution: Ensure that systems are running version 1.1.6603.0 or later of Microsoft Malware Protection Engine. Typically, malware definitions and updates for Microsoft Malware Protection Engine are applied automatically...

- http://www.h-online.com/security/news/item/Microsoft-s-virus-scanner-causes-security-problem-1196731.html
24 February 2011 - "... such updates are usually installed within 48 hours, but that users can also initiate the process manually..."

:fear:

AplusWebMaster
2011-02-24, 15:47
FYI...

Win7 / 2008 R2 SP1 problems...
- http://isc.sans.edu/diary.html?storyid=10453
Last Updated: 2011-02-24 13:45:34 UTC ...(Version: 1) - "... some of the problems we are hearing about with Windows 7 SP1 and Windows 2008 R2 SP1. Right now, there is no urgent reason to install this service pack and it should be tested first...
Specific examples. Consider them anecdotal but if you run any software mentioned here, or similar software, this list should give you a guide to test.
* Users with old versions of Microsoft Security Essentials may not be able to install SP1. Upgrade first.
* Samsung Galaxy S phone drivers may have problems with SP1
* some users reported very long install times (> 1hr. but not all that unusual for a service pack)
* Chrome 10 and 11 have issues according to some tweets
* Word 2003 VBA
* slower boot times with SP1 than without
* some reports of download issues due to overloaded servers
* Lenovo's Thinkvantage System Update may not work (update it before applying the SP)
* EVGA Precision Utility 2.0.2 (Graphics card stats program liked by gamers)
* MSI Afterburner
* some issues with Bitlocker are reported. But no confirmation at this point and it may also be due to entering the wrong password on reboot (you have to reboot a couple times in certain situations)

Link to a technet page with reports of install issues:
http://technet.microsoft.com/en-us/library/ff817622%28WS.10%29.aspx
If all fails, here's a link with an uninstall procedure for SP1:
http://windows.microsoft.com/en-US/windows7/uninstall-sp1
To temporarily block installation of the service pack:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=d7c9a07a-5267-4bd6-87d0-e2a72099edb7&displaylang=en
...This tool can be used with:
• Windows 7 Service Pack 1 (valid through 2/22/2012)
• Windows Server 2008 R2 Service Pack 1 (valid through 2/22/2012) ..."

:fear::fear:

AplusWebMaster
2011-03-02, 18:06
FYI...

MS Autorun update v2.1 now "automatic" from Windows Update
- http://isc.sans.edu/diary.html?storyid=10468
Last Updated: 2011-03-02 06:27:56 UTC - "Microsoft has moved their Windows Autorun V2.1 [1] (967940) update patch from optional updates to automatic updates. This is the same patch that was released in last month’s patch Tuesday. When Windows update is next run, this patch will automatically be selected to apply to your machine. This is more likely to affect home users, as companies should be using group policies to control how USB autorun settings operate. Expect one or two calls... why their favorite autorun USB stick application has stopped working."

[1] http://www.microsoft.com/technet/security/advisory/967940.mspx

:sad:

AplusWebMaster
2011-03-04, 02:13
FYI...

MS Security Bulletin Advance Notification - March 2011
- http://www.microsoft.com/technet/security/Bulletin/MS11-mar.mspx
March 03, 2011 - "This is an advance notification of security bulletins that Microsoft is intending to release on March 8, 2011..."
(Total of -3-)

Bulletin 1
Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 2
Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 3
Important - Remote Code Execution - May require restart - Microsoft Office

.

AplusWebMaster
2011-03-08, 19:10
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS11-mar.mspx
March 08, 2011 - "This bulletin summary lists security bulletins released for March 2011... (Total of -3-)

Microsoft Security Bulletin MS11-015 - Critical
Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030)
- http://www.microsoft.com/technet/security/bulletin/ms11-015.mspx
Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-017 - Important
Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2508062)
- http://www.microsoft.com/technet/security/Bulletin/MS11-017.mspx
Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-016 - Important
Vulnerability in Microsoft Groove Could Allow Remote Code Execution (2494047)
- http://www.microsoft.com/technet/security/Bulletin/MS11-016.mspx
Remote Code Execution - May require restart - Microsoft Office
___

MS11-015: http://secunia.com/advisories/43626/
Highly critical - System access - From remote
MS11-016: http://secunia.com/advisories/41104/
Highly critical - System access - From remote
MS11-017: http://secunia.com/advisories/43628/
Highly critical - System access - From remote

MS11-015:
- http://www.securitytracker.com/id/1025169
- http://www.securitytracker.com/id/1025170
MS11-016:
- http://www.securitytracker.com/id/1025171
MS11-017:
- http://www.securitytracker.com/id/1025172
___

- http://blogs.technet.com/b/msrc/archive/2011/03/08/march-2011-security-bulletin-release.aspx
"8 Mar 2011
MS11-015. This bulletin resolves one Critical-level and one Important-level vulnerability affecting certain media files in all versions of Microsoft Windows. It has an Exploitability Index rating of 1 ...
MS11-016 is a DLL-preloading issue affecting Microsoft Groove 2007 Service Pack 2, which makes this an Office bulletin. Versions 2007 and 2010 of Groove are unaffected, as is Microsoft SharePoint Workspace 2010.
MS11-017 is also a DLL-preloading issue, in this instance in Microsoft Windows Remote Client Desktop. This security update is rated Important for Remote Desktop Connection 5.2 Client, Remote Desktop Connection 6.0 Client, Remote Desktop Connection 6.1 Client, and Remote Desktop Connection 7.0 Client..."

Deployment Priority
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/0247.1103-deployment.png

Severity and Exploitability
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/5460.1103-severity_2D00_xi.png
___

MSRT
- http://support.microsoft.com/?kbid=890830
March 8, 2011 - Revision: 85.0
(Recent additions)
- http://www.microsoft.com/security/pc-security/malware-families.aspx
... added this release...
• Renocide

- http://blogs.technet.com/b/mmpc/archive/2011/03/09/msrt-march-11-featuring-win32-renocide.aspx
9 Mar 2011

Download:
- http://www.microsoft.com/downloads/en/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
File Name: windows-kb890830-v3.17.exe

To download the x64 version of MSRT, click here:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en
File Name: windows-kb890830-x64-v3.17.exe
___

ISC Analysis
- http://isc.sans.edu/diary.html?storyid=10510
Last Updated: 2011-03-08 18:17:20 UTC

.

AplusWebMaster
2011-03-09, 11:38
FYI...

Microsoft Security Advisory (2491888)
Vulnerability in Microsoft Malware Protection Engine Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/2491888.mspx
• V1.1 (March 8, 2011): Revised advisory FAQ to announce updated version of the MSRT...
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0037
Last revised: 02/28/2011
CVSS v2 Base Score: 7.2 (HIGH)
"... before 1.1.6603.0..."

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2269637.mspx
• V6.0 (March 8, 2011): Added the following Microsoft Security Bulletins to the Updates relating to Insecure Library Loading section: MS11-015, "Vulnerabilities in Windows Media Could Allow Remote Code Execution;" MS11-016, "Vulnerability in Microsoft Groove Could Allow Remote Code Execution;" and MS11-017, "Vulnerability in Remote Desktop Client Could Allow Remote Code Execution."

:fear:

AplusWebMaster
2011-03-10, 03:47
FYI...

Forefront update fails - KB2508823
- http://isc.sans.edu/diary.html?storyid=10522
Last Updated: 2011-03-09 23:13:29 UTC - "Included in this Patch Tuesday is a Forefront update KB2508823[1] (Client Version: 1.5.1996.0). We have received a number of reports that the KB2508823 update fails during the install. Once the update fails, the existing Forefront client is also removed. This leaves the machine without any anti-malware protection. We recommend you hold off deploying the update until confirmation from Microsoft. Microsoft have posted a similar warning here:
- http://blogs.technet.com/b/clientsecurity/archive/2011/03/08/fcs-v1-march-2011-update.aspx
"Update 9 March 2011... you may want to hold off approving this update for the moment..."
___

- http://blogs.technet.com/b/clientsecurity/archive/2011/03/08/fcs-v1-march-2011-update.aspx
"Update 10 March 2011... We have received reports of an installation issue with our March update of Forefront Client Security when the option of “install updates and shutdown” is used. We wanted to be clear on the issue and exactly what steps we are taking to rectify it.
Symptom: A computer attempts to use the install updates and shutdown Windows feature to update to the latest version of FCSv1. After restart, the computer does not have the Antimalware agent installed, but will still have the Security State Assessment(SSA) and Microsoft Operation Manager components installed.
The problem: This issue only occurs on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. It does not occur on Windows XP, Windows Server 2003 or Windows 2000. This issue was not introduced in the March Update. It is caused by a previously undetected problem in the October 2010 update. Please review the steps below for what options you should take. For the bug to occur, the system must have either the policy setting changing the default shutdown behavior or the user clicks on “Apply updates at Shutdown”. If the update is deployed or manually installed in other ways, this bug does not occur..."
(MS recommended steps to take at the URL above.)

[1] http://support.microsoft.com/kb/2508823

:eek:

AplusWebMaster
2011-03-12, 17:00
FYI...

MS advisory - updated (2501696)
Vulnerability in MHTML Could Allow Information Disclosure
* http://www.microsoft.com/technet/security/advisory/2501696.mspx
• V1.1 (March 11, 2011): Revised Executive Summary to reflect investigation of limited, targeted attacks.

- https://www.computerworld.com/s/article/9214259/New_attacks_leverage_unpatched_IE_flaw_Microsoft_warns
March 12, 2011 - "An Internet Explorer flaw made public by a Google security researcher two months ago is now being used in online attacks. The flaw, which has not yet been patched, has been used in "limited, targeted attacks," Microsoft said Friday*... The attack is triggered when the victim is tricked into visiting a maliciously encoded Web page - what's known as a Web drive-by attack... Microsoft has released a Fixit tool** that users can download to repair the problem, but has not said when, or even if, it plans to push out a comprehensive security update to all users..."
** http://support.microsoft.com/kb/2501696#FixItForMe

- http://www.theregister.co.uk/2011/03/12/windows_bug_target_google_users/
12 March 2011

- http://www.pcmag.com/article2/0,2817,2381881,00.asp
PCmag.com - "... Firefox and Chrome are not affected in their default configuration, as they do not support MHTML without the installation of specific add-on modules..."

:fear::mad:

AplusWebMaster
2011-03-16, 21:52
FYI...

MSRT 2011.03 results...
- http://blogs.technet.com/b/mmpc/archive/2011/03/16/win32-renocide-the-aftermath.aspx
16 Mar 2011 - "On March 8th, we announced the release of our latest Malicious Software Removal Tool (MSRT), version that included detection and cleaning capabilities for a backdoor enabled worm we are calling Win32/Renocide... According to our telemetry, this new addition was among the top 5 detected threats (in the first week of release), both when it comes to infected machines and when classified based on number of detected files... The high tally of affected machines reflects Renocide's relative age; the botnet has been around since 2008 and has slowly but steadily increased its prevalence. Our first detection dates back to the first half of 2008... Sality leads in the threat count ranking due to the fact that it is a file infector..."
(Charts available at the URL above.)

:fear:

AplusWebMaster
2011-03-23, 21:00
FYI...

Microsoft Security Advisory (2524375)
Fraudulent Digital Certificates Could Allow Spoofing
- http://www.microsoft.com/technet/security/advisory/2524375.mspx
March 23, 2011 - "Microsoft is aware of nine fraudulent digital certificates issued by Comodo, a certification authority present in the Trusted Root Certification Authorities Store on all supported versions of Microsoft Windows. Comodo advised Microsoft on March 16, 2011 that nine certificates had been signed on behalf of a third party without sufficiently validating its identity. These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against -all- Web browser users including users of Internet Explorer... Comodo has revoked these certificates, and they are listed in Comodo’s current Certificate Revocation List (CRL). In addition, browsers which have enabled the Online Certificate Status Protocol (OCSP) will interactively validate these certificates and block them from being used. An update is available for all supported versions of Windows to help address this issue. For more information about this update, see Microsoft Knowledge Base Article 2524375*..."
* http://support.microsoft.com/kb/2524375
March 23, 2011 - Revision: 1.0

- http://www.securitytracker.com/id/1025248
Mar 23 2011

- http://isc.sans.edu/diary.html?storyid=10603
Last Updated: 2011-03-23 18:11:20 UTC
___

- http://www.secureworks.com/research/threats/rsacompromise/
March 18, 2011

:fear:

AplusWebMaster
2011-04-07, 23:36
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS11-mar.mspx
• V1.1 (March 16, 2011): Removed an erroneous reference to Windows XP Home Edition SP3 and Windows XP Tablet PC Edition SP3 as not affected in the notes for MS11-015 under Affected Software and Download Locations. This is an informational change only. There were no changes to the security update files or detection logic. For customers who are running these editions of Windows XP and who have not already applied this update, Microsoft recommends applying the update immediately. Customers who have already applied the update do not need to take any action.

Microsoft Security Bulletin MS11-015 - Critical
Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030)
- http://www.microsoft.com/technet/security/bulletin/ms11-015.mspx
Remote Code Execution - May require restart - Microsoft Windows

:sad:

AplusWebMaster
2011-04-07, 23:49
FYI...

- https://www.computerworld.com/s/article/9215615/Microsoft_sets_mammoth_Patch_Tuesday_will_fix_64_flaws
April 7, 2011 - "... will patch a record 64 vulnerabilities in Windows, Office, Internet Explorer, Windows graphics framework, and other software next week..."

- http://www.microsoft.com/technet/security/bulletin/ms11-apr.mspx
April 07, 2011 - "This is an advance notification of security bulletins that Microsoft is intending to release on April 12, 2011... (Total of -17-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer

Bulletin 2 - Critical - Remote Code Execution - Requires restart - Microsoft Windows

Bulletin 3 - Critical - Remote Code Execution - Requires restart - Microsoft Windows

Bulletin 4 - Critical - Remote Code Execution - May require restart - Microsoft Windows

Bulletin 5 - Critical - Remote Code Execution - May require restart - Microsoft Windows

Bulletin 6 - Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft Office

Bulletin 7 - Critical - Remote Code Execution - Requires restart - Microsoft Windows

Bulletin 8 - Critical - Remote Code Execution - May require restart - Microsoft Windows

Bulletin 9 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
___

Bulletin 10 - Important - Remote Code Execution - May require restart - Microsoft Office

Bulletin 11 - Important - Remote Code Execution - May require restart - Microsoft Office, Microsoft Server Software

Bulletin 12 - Important - Remote Code Execution - May require restart - Microsoft Office

Bulletin 13 - Important - Remote Code Execution - May require restart - Microsoft Windows

Bulletin 14 - Important - Remote Code Execution - May require restart - Microsoft Developer Tools and Software

Bulletin 15 - Important - Information Disclosure - Requires restart - Microsoft Windows

Bulletin 16 - Important - Remote Code Execution - May require restart - Microsoft Windows

Bulletin 17 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
___

- http://blogs.technet.com/b/msrc/archive/2011/04/07/advance-notification-service-for-the-april-2011-bulletin-release.aspx

:sad:

AplusWebMaster
2011-04-12, 21:04
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS11-apr.mspx
April 12, 2011 - "This bulletin summary lists security bulletins released for April 2011...(Total of -17-)

Critical

Microsoft Security Bulletin MS11-018 - Critical
Cumulative Security Update for Internet Explorer (2497640)
- http://www.microsoft.com/technet/security/Bulletin/MS11-018.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer

Microsoft Security Bulletin MS11-019 - Critical
Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455)
- http://www.microsoft.com/technet/security/Bulletin/MS11-019.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-020 - Critical
Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)
- http://www.microsoft.com/technet/security/Bulletin/MS11-020.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-027 - Critical
Cumulative Security Update of ActiveX Kill Bits (2508272)
- http://www.microsoft.com/technet/security/Bulletin/MS11-027.mspx
Critical - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-028 - Critical
Vulnerability in .NET Framework Could Allow Remote Code Execution (2484015)
- http://www.microsoft.com/technet/security/Bulletin/MS11-028.mspx
Critical - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-029 - Critical
Vulnerability in GDI+ Could Allow Remote Code Execution (2489979)
- http://www.microsoft.com/technet/security/bulletin/MS11-029.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-030 - Critical
Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)
- http://www.microsoft.com/technet/security/bulletin/ms11-030.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-031 - Critical
Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (2514666)
- http://www.microsoft.com/technet/security/Bulletin/MS11-031.mspx
Critical - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-032 - Critical
Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2507618)
- http://www.microsoft.com/technet/security/Bulletin/MS11-032.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Important

Microsoft Security Bulletin MS11-021 - Important
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2489279)
- http://www.microsoft.com/technet/security/bulletin/ms11-021.mspx
Important - Remote Code Execution - May require restart - Microsoft Office

Microsoft Security Bulletin MS10-022 - Important
Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (981169)
- http://www.microsoft.com/technet/security/Bulletin/MS10-022.mspx
Important - Remote Code Execution - May require restart - Microsoft Office, Microsoft Server Software

Microsoft Security Bulletin MS11-023 - Important
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489293)
- http://www.microsoft.com/technet/security/Bulletin/MS11-023.mspx
Important - Remote Code Execution - May require restart - Microsoft Office

Microsoft Security Bulletin MS11-024 - Important
Vulnerability in Windows Fax Cover Page Editor Could Allow Remote Code Execution (2527308)
- http://www.microsoft.com/technet/security/Bulletin/MS11-024.mspx
Important - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-025 - Important
Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212)
- http://www.microsoft.com/technet/security/Bulletin/MS11-025.mspx
Important - Remote Code Execution - May require restart - Microsoft Developer Tools and Software

Microsoft Security Bulletin MS11-026 - Important
Vulnerability in MHTML Could Allow Information Disclosure (2503658)
- http://www.microsoft.com/technet/security/bulletin/ms11-026.mspx
Important - Information Disclosure - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-033 - Important
Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2485663)
- http://www.microsoft.com/technet/security/Bulletin/MS11-033.mspx
Important - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-034 - Important
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2506223)
- http://www.microsoft.com/technet/security/bulletin/ms11-034.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows
___

Deployment Priority
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/0245.Bulletin-Deployment-Priority.png

Severity and Exploitability index
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/8510.Severity-and-Exploitability-Index.png
___

ISC Analysis
- http://isc.sans.edu/diary.html?storyid=10693
Last Updated: 2011-04-13 00:13:23 UTC ...(Version: 3)
___

- http://www.securitytracker.com/id/1025327 - MS11-018
- http://www.securitytracker.com/id/1025328 - MS11-019
- http://www.securitytracker.com/id/1025329 - MS11-020
- http://www.securitytracker.com/id/1025337 - MS11-021
- http://www.securitytracker.com/id/1025340 - MS11-022

- http://www.securitytracker.com/id/1025343 - MS11-023
- http://www.securitytracker.com/id/1025347 - MS11-024
- http://www.securitytracker.com/id/1025346 - MS11-025
- http://www.securitytracker.com/id/1025330 - MS11-027
- http://www.securitytracker.com/id/1025331 - MS11-028

- http://www.securitytracker.com/id/1025335 - MS11-029
- http://www.securitytracker.com/id/1025332 - MS11-030
- http://www.securitytracker.com/id/1025333 - MS11-031
- http://www.securitytracker.com/id/1025334 - MS11-032
- http://www.securitytracker.com/id/1025344 - MS11-033
- http://www.securitytracker.com/id/1025345 - MS11-034
___

MSRT
- http://support.microsoft.com/?kbid=890830
April 12, 2011 - Revision: 86.0
(Recent additions)
- http://www.microsoft.com/security/pc-security/malware-families.aspx
... added this release...
• Afcore:
- http://blogs.technet.com/b/mmpc/archive/2011/04/13/msrt-april-11-win32-afcore.aspx
13 Apr 2011 - "... added the Win32/Afcore family of trojans to its detections. This malware is -aka- Coreflood* ..."
* http://forums.spybot.info/showpost.php?p=401072&postcount=13

Download:
- http://www.microsoft.com/downloads/en/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
File Name: windows-kb890830-v3.18.exe - 12.2MB

To download the x64 version of MSRT, click here:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en
File Name: windows-kb890830-x64-v3.18.exe - 12.6MB

.

AplusWebMaster
2011-04-13, 07:26
FYI...

Microsoft Security Advisory (973811)
Extended Protection for Authentication
- http://www.microsoft.com/technet/security/advisory/973811.mspx
• V1.12 (April 12, 2011): Updated the FAQ with information about a non-security update enabling Microsoft Outlook to opt in to Extended Protection for Authentication.

Microsoft Security Advisory (2506014)
Update for the Windows Operating System Loader
- http://www.microsoft.com/technet/security/advisory/2506014.mspx
4/12/2011 - "Microsoft is announcing the availability of an update to winload.exe to address an issue in driver signing enforcement... this update addresses a method by which unsigned drivers could be loaded by winload.exe. This technique is often utilized by malware to stay resident on a system after the initial infection. The issue affects, and the update is available for, x64-based editions* of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2..."
* http://support.microsoft.com/kb/2506014

Microsoft Security Advisory (2501696)
Vulnerability in MHTML Could Allow Information Disclosure
- http://www.microsoft.com/technet/security/advisory/2501696.mspx
Published: January 28, 2011 | Updated: April 12, 2011 - "We have issued MS11-026* to address this issue..."
* http://www.microsoft.com/technet/security/bulletin/ms11-026.mspx

Microsoft Security Advisory (2501584)
Release of Microsoft Office File Validation for Microsoft Office
- http://www.microsoft.com/technet/security/advisory/2501584.mspx
Last Updated: 4/12/2011 - "Microsoft is announcing the availability of the Office File Validation feature for supported editions of Microsoft Office 2003 and Microsoft Office 2007. The feature, previously only available for supported editions of Microsoft Office 2010, is designed to make it easier for customers to protect themselves from Office files that may contain malformed data, such as unsolicited Office files received from unknown or known sources, by scanning and validating files before they are opened... known issues* that customers may experience when utilizing the Office File Validation feature..."
* http://support.microsoft.com/kb/2501584

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2269637.mspx
• V7.0 (April 12, 2011): Added the following Microsoft Security Bulletins to the Updates relating to Insecure Library Loading section: MS11-023, "Vulnerabilities in Microsoft Office Could Allow Remote Code Execution;" and MS11-025, "Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution."

.

AplusWebMaster
2011-04-14, 17:17
FYI...

TDL rootkit vuln/fix...
- http://sunbeltblog.blogspot.com/2011/04/tdl-rootkit-vulnerability-fix-in-patch.html
April 14, 2011 - "... It appears that at least part of this vulnerability has been patched. From the Technet blog:
- http://blogs.technet.com/b/srd/archive/2011/04/12/assessing-the-risk-of-the-april-security-updates.aspx
12 Apr 2011 - "... The second advisory, KB 2506014*, hardens Windows against kernel-mode rootkits. This specifically breaks the hiding mechanism used by the current Alureon/TDL4 rootkit family..."
[MS11-034 - "30 of this month’s 64 vulnerabilities being addressed in this bulletin..."]
Update April 13: Corrected the MS11-028 bulletin severity and affected products. Also moved this bulletin up higher in priority due to this correction.
*Update April 15: Corrected the MS11-032 bulletin exploitability due to a rating error. Also moved MS11-032 higher in priority order.
* http://www.microsoft.com/technet/security/advisory/2506014.mspx

> http://support.microsoft.com/kb/2506014
April 12, 2011 - Revision: 3.0
___

- http://blog.trendmicro.com/stalking-tdl4-all-access-pass-to-the-hard-drive/
April 15, 2011 - "... patch specifically breaks the hiding mechanism used by the current Alureon/TDL4 rootkit family. More information can be found in the security bulletin for MS11-034*..."

* http://www.microsoft.com/technet/security/bulletin/ms11-034.mspx
Acknowledgments...
• Tarjei Mandt of Norman for reporting the Vulnerability Type 1: Win32k Use After Free Vulnerability
CVE-2011-0662, CVE-2011-0665, CVE-2011-0666, CVE-2011-0667, CVE-2011-0670, CVE-2011-0671, CVE-2011-0672, CVE-2011-0674, CVE-2011-0675, CVE-2011-1234, CVE-2011-1235, CVE-2011-1236, CVE-2011-1237, CVE-2011-1238, CVE-2011-1239, CVE-2011-1240, CVE-2011-1241, CVE-2011-1242
[ALL] ...CVSS Severity: 7.2 (HIGH)
• Tarjei Mandt of Norman for reporting the Vulnerability Type 2: Win32k Null Pointer De-reference Vulnerability
CVE-2011-0673, CVE-2011-0676, CVE-2011-0677, CVE-2011-1225, CVE-2011-1226, CVE-2011-1227, CVE-2011-1228, CVE-2011-1229, CVE-2011-1230, CVE-2011-1231, CVE-2011-1232, CVE-2011-1233
[ALL] ...CVSS Severity: 7.2 (HIGH)

:blink:

AplusWebMaster
2011-04-15, 14:42
FYI...

MS11-020 - PATCH NOW
- http://isc.sans.edu/diary.html?storyid=10714
Last Updated: 2011-04-15 12:22:18 UTC - "Based on notifications received from Microsoft... The Remote Code Exploit is possible -without- authentication, so this presents a serious risk to internal networks. Think Downadup/Conficker, or think lateral movement if that will help motivate patching. Also note that this patch requires a reboot of your system..."
- http://isc.sans.edu/diary.html?storyid=10693
Last Updated: 2011-04-15 12:10:35 UTC ... (Version: -4-)

- http://www.microsoft.com/technet/security/Bulletin/MS11-020.mspx
April 12, 2011
- http://support.microsoft.com/kb/2508429
April 12, 2011

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0661
Last revised: 04/14/2011
CVSS v2 Base Score: 10.0 (HIGH)

:fear::fear:

AplusWebMaster
2011-04-18, 20:26
FYI...

MS11-022 - Known issues...
- http://support.microsoft.com/kb/2464588
Last Review: April 14, 2011
• Presentations that contain layouts with background images may cause an error when opened in PowerPoint 2003. A dialog will notify you that some contents (text, images or objects) have corrupted; the specific content lost will be what is specified in the layout, not the actual slide content itself. Items that were removed will display a blank box or a box containing “cleansed”.
Workarounds for this issue:
Remove background images from layouts in presentations that have to be accessed and edited from PowerPoint 2003.
After the error message is displayed, save a copy of the presentation and perform edits on the copy.
Microsoft is researching this problem and will post more information in this article when the information becomes available..."

- http://support.microsoft.com/kb/2464588
Last Review: April 19, 2011 - Revision: 3.0
"... Removal information
To remove this security update, use the Add or Remove Programs item or use the Programs and Features item in Control Panel.
Note: When you remove this security update, you may be prompted to insert the disc that contains Microsoft Office PowerPoint 2003. Additionally, you may not have the option to uninstall this security update from the Add or Remove Programs item or the Programs and Features item in Control Panel. There are several possible causes for this issue.
For more information about the removal, click the following article number to view the article in the Microsoft Knowledge Base:
- http://support.microsoft.com/kb/903771
903771 Information about the ability to uninstall Office updates ..."

:fear:

AplusWebMaster
2011-04-27, 14:23
FYI...

PowerPoint 2003 hotfix package
- http://support.microsoft.com/kb/2543241/en-us
Last Review: April 26, 2011 - Revision: 3.0 -
"Issues that this hotfix package fixes:
When you open presentations that contain layouts with background images in PowerPoint 2003, an error may occur. When the error occurs, you receive a message that states that some contents (text, images, or objects) have corrupted. You can determine what content has been lost by viewing the layout, but not by viewing the slide content. Items that were removed will display a blank box or a box that contains "cleansed"... this hotfix is intended to correct only the problems that are described in this article. Apply this hotfix -only- to systems that are experiencing the problems described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix...
Prerequisites: You -must- have Microsoft Office 2003 Service Pack 3 installed to apply this hotfix package...
This hotfix replaces security update 2464588, which is described in bulletin MS11-022*..."
* http://www.microsoft.com/technet/security/bulletin/MS11-022.mspx

:fear:

AplusWebMaster
2011-05-05, 20:33
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS11-may.mspx
May 5, 2011 - "This is an advance notification of security bulletins that Microsoft is intending to release on May 10, 2011... (Total of -2-)

Bulletin 1 - Critical - Remote Code Execution - May require restart - Microsoft Windows

Bulletin 2 - Important - Remote Code Execution - May require restart - Microsoft Office

.

AplusWebMaster
2011-05-10, 19:31
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS11-may.mspx
May 10, 2011 - "This bulletin summary lists security bulletins released for May 2011. (Total of -2-)...

Microsoft Security Bulletin MS11-035 - Critical
Vulnerability in WINS Could Allow Remote Code Execution (2524426)
- http://www.microsoft.com/technet/security/bulletin/MS11-035.mspx
Critical - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-036 - Important
Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2545814)
- http://www.microsoft.com/technet/security/bulletin/MS11-036.mspx
Important - Remote Code Execution - May require restart - Microsoft Office
___

Deployment Priority
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/3731.DP.png

Severity and Exploitability Index
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/2275.Severity-XI.png
___

ISC Analysis
- http://isc.sans.edu/diary.html?storyid=10855
Last Updated: 2011-05-10 16:58:08 UTC
___

- http://www.securitytracker.com/id/1025512 - MS11-035
- http://www.securitytracker.com/id/1025513 - MS11-036
May 10 2011
___

MSRT
- http://support.microsoft.com/?kbid=890830
May 10, 2011 - Revision: 87.0
(Recent additions)
- http://www.microsoft.com/security/pc-security/malware-families.aspx
... added this release...
• Ramnit

Download:
- http://www.microsoft.com/downloads/en/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
File Name: windows-kb890830-v3.19.exe - 12.6MB

To download the x64 version of MSRT, click here:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en
File Name: windows-kb890830-x64-v3.19.exe - 13.1MB

.

AplusWebMaster
2011-05-12, 16:45
FYI...

MSIR Vol. 10 released
- http://blogs.technet.com/b/mmpc/archive/2011/05/11/announcing-microsoft-security-intelligence-report-volume-10.aspx
11 May 2011 - "... in-depth regional threat intelligence for 117 countries based on data from more than 600 million machines worldwide. The report highlights a polarization of cybercriminal behavior and an increasing trend of cybercriminals using "marketing-like" approaches and deception methods to target consumers... key data points that indicate these tactics are on the rise:
• Rogue Security Software – Rogue security software was detected and blocked on almost 19 million systems in 2010, and the top five families were responsible for approximately 13 million of these detections.
• Phishing – Phishing using social networking as the lure increased 1,200 percent – from a low of 8.3 percent of all phishing in January to a high of 84.5 percent in December 2010. Phishing that targeted online gaming sites reached a high of 16.7 percent of all phishing in June.
• Adware – Global detections of adware when surfing websites increased 70 percent from the second quarter to the fourth quarter of 2010. This increase was almost completely caused by the detection of a pair of new Adware families, JS/Pornpop and Win32/ClickPotato, which are the two most prevalent malware in many countries.
... notable that Windows 7 operating systems are infected only about half as often as Vista, and Vista half as often as Windows XP..."
___

- http://www.theinquirer.net/inquirer/news/2070600/criminals-hit-oracle-flaws-hard-javascript-exploits
May 12 2011 - "... In Microsoft's latest security intelligence report, the firm revealed that in the third quarter of 2010 the number of Java attacks increased to fourteen times the number of attacks it saw in the previous quarter... Java attacks surpassed every other exploitation category that the Microsoft Malware Protection tracked..."
___

Java - most common target for attacks
- http://www.h-online.com/security/news/item/Microsoft-publishes-its-latest-Security-Intelligence-Report-1244298.html?view=zoom;zoom=1

- http://www.h-online.com/security/news/item/Microsoft-publishes-its-latest-Security-Intelligence-Report-1244298.html?view=zoom;zoom=4

- http://www.h-online.com/security/news/item/Microsoft-publishes-its-latest-Security-Intelligence-Report-1244298.html?view=zoom;zoom=5

:fear:

AplusWebMaster
2011-05-17, 04:31
FYI...

MS11-018 re-released for IE7 on XP and Server 2003
- http://blogs.technet.com/b/msrc/archive/2011/05/16/ms11-018-re-released-for-ie7-on-windows-xp-and-server-2003.aspx
16 May 2011 - "... we re-released MS11-018. If you are using Internet Explorer 7 on supported editions of Windows XP and Windows Server 2003 you may be offered this re-release. For more details, please see the security bulletin, MS11-018*..."
* http://www.microsoft.com/technet/security/Bulletin/MS11-018.mspx
• V2.0 (May 16, 2011): Bulletin rereleased to reoffer the update for Internet Explorer 7 on supported editions of Windows XP and Windows Server 2003. This is a detection change only. There were no changes to the binaries. Only affected customers will be offered the update. Customers who have installed the update manually and customers running configurations not targeted by the change to detection logic do not need to take any action.

.

AplusWebMaster
2011-05-19, 23:17
FYI...

MS EMET v2.1 released
- http://blogs.technet.com/b/srd/archive/2011/05/18/new-version-of-emet-is-now-available.aspx
18 May 2011 - "... new version of the Enhanced Mitigation Experience Toolkit (EMET) with brand new features and mitigations. Users can click here* to download the tool free... new features:
• EMET is an officially-supported product through the online forum
• “Bottom-up Rand” new mitigation randomizes (8 bits of entropy) the base address of bottom-up allocations (including heaps, stacks, and other memory allocations) once EMET has enabled this mitigation.
• Export Address Filtering is now available for 64 bit processes. EAF filters all accesses to the Export Address Table which blocks most of the existing shellcodes
• Improved command line support for enterprise deployment and configuration
• Ability to export/import EMET settings
• Improved SEHOP (structured exception handler overwrite protection) mitigation
• Minor bug fixes..."
* http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e127dfaf-f8f3-4cd5-8b08-115192c491cb

.

AplusWebMaster
2011-06-09, 12:25
FYI...

MSRT detections - May 10–20, 2011
- http://blogs.technet.com/b/mmpc/archive/2011/06/08/may-msrt-by-the-numbers.aspx
Family | Count | Note
Sality | 202,351 | Classic parasitic virus
Taterf | 77,236 | Worm
Rimecud | 65,149 | Worm
Vobfus | 59,918 | Worm
Alureon | 58,884 | Evolved parasitic virus
Parite | 53,778 | Evolved parasitic virus
Ramnit | 52,549 | Evolved parasitic virus
Brontok | 50,392 | Worm
Cycbot | 50,209 | Trojan ...
(Top 25 detections listed at the URL above.)

.

AplusWebMaster
2011-06-10, 03:32
FYI...

MS Bulletin Advance Notification - June 2011
- http://www.microsoft.com/technet/security/Bulletin/MS11-jun.mspx
June 9, 2011 - "This is an advance notification of security bulletins that Microsoft is intending to release on June 14, 2011...

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 2 - Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework, Microsoft Silverlight
Bulletin 3 - Critical - Remote Code Execution - Requires restart - Microsoft Forefront Threat Management Gateway
Bulletin 4 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 5 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 6 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 7 - Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework
Bulletin 8 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 9 - Critical - Remote Code Execution - May require restart - Microsoft Windows, Internet Explorer

Bulletin 10 - Important - Information Disclosure - May require restart - Microsoft Windows
Bulletin 11 - Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 12 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 13 - Important - Denial of Service - Requires restart - Microsoft Windows
Bulletin 14 - Important - Denial of Service - Requires restart - Microsoft Windows
Bulletin 15 - Important - Information Disclosure - May require restart - Microsoft Office, Microsoft SQL Server, Microsoft Visual Studio
Bulletin 16 - Important - Elevation of Privilege

- http://blogs.technet.com/b/msrc/archive/2011/06/09/june-advance-notification-service-and-10-immutable-laws-revisited.aspx
June 9, 2011 - "... 16 bulletins (nine Critical in severity, seven Important) addressing 34 vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, .NET, SQL, Visual Studios, Silverlight and ISA..."
___

- http://www.theinquirer.net/inquirer/news/2078079/microsoft-adobe-roll-patches-windows-reader
Jun 10 2011 - "... The pre-notification also indicates that all versions of Excel in Microsoft Office will be updated on both Windows and Mac OS X. Internet Explorer versions 6, 7, 8 and 9 will also be patched... The same day, 14 June is also the date for Adobe to release a patch as part of its regular quarterly update cycle... The Adobe patches will address critical vulnerabilities in Adobe Reader X, Reader 9.4.3 and its earlier versions..."

.

AplusWebMaster
2011-06-13, 13:19
FYI...

Vista SP1 support ends July 12, 2011
- http://www.h-online.com/security/news/item/Support-for-Windows-Vista-coming-to-an-end-1259389.html
13 June 2011 - "... From 10 April, 2012, the Home editions of Windows Vista will no longer be supported. The Business and Enterprise editions of Vista with their comparatively wider range of features will be supported until 2017. However, Vista Ultimate, which has the widest range of features, is counted as a Home edition, and Microsoft's support for this edition will also end in April 2012. Irrespective of this, another support period will end before then, as Microsoft will only continue to support Windows Vista if the current Service Pack has been installed; this applies to all editions from Starter to Ultimate. When a new Service Pack for Windows is released, users have two years to install it, as the support of the previous Service Pack is discontinued after that time. And that is what is about to happen to Vista with SP1: from 12 July, patches will only be released for versions of Vista that have SP2 installed.
After April 2012, affected Vista users can either switch to Windows 7 – Windows 8 will probably not be ready yet – or to Windows XP. Contrary to Microsoft's rules, all versions of XP, including XP Home, will be supported until at least 2014."

- http://windows.microsoft.com/en-us/windows/products/lifecycle
Desktop operating systems | Date of availability | Support retired
Windows Vista SP1 | Feb. 4, 2008 | July 12, 2011
___

"How to..." install Vista SP2
- http://windows.microsoft.com/en-US/windows-vista/Learn-how-to-install-Windows-Vista-Service-Pack-2-SP2

.

AplusWebMaster
2011-06-14, 21:56
FYI...

June 2011 Security Bulletin - Q&A
- http://blogs.technet.com/b/msrc/p/june-2011-security-bulletin-q-a.aspx
June 15, 2011
___

- http://www.microsoft.com/technet/security/Bulletin/MS11-jun.mspx
June 14, 2011 - "This bulletin summary lists security bulletins released for June 2011..." (Total of -16-)

Critical

Microsoft Security Bulletin MS11-038 - Critical
Vulnerability in OLE Automation Could Allow Remote Code Execution (2476490)
- http://www.microsoft.com/technet/security/Bulletin/MS11-038.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-039 - Critical
Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2514842)
- http://www.microsoft.com/technet/security/Bulletin/MS11-039.mspx
Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework, Microsoft Silverlight

Microsoft Security Bulletin MS11-040 - Critical
Vulnerability in Threat Management Gateway Firewall Client Could Allow Remote Code Execution (2520426)
- http://www.microsoft.com/technet/security/bulletin/MS11-040.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Forefront Threat Management Gateway

Microsoft Security Bulletin MS11-041 - Critical
Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2525694)
- http://www.microsoft.com/technet/security/bulletin/MS11-041.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-042 - Critical
Vulnerabilities in Distributed File System Could Allow Remote Code Execution (2535512)
- http://www.microsoft.com/technet/security/Bulletin/MS11-042.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-043 - Critical
Vulnerability in SMB Client Could Allow Remote Code Execution (2536276)
- http://www.microsoft.com/technet/security/Bulletin/MS11-043.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-044 - Critical
Vulnerability in .NET Framework Could Allow Remote Code Execution (2538814)
- http://www.microsoft.com/technet/security/Bulletin/MS11-044.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Microsoft .NET Framework

Microsoft Security Bulletin MS11-050 - Critical
Cumulative Security Update for Internet Explorer (2530548)
- http://www.microsoft.com/technet/security/Bulletin/MS11-050.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer

Microsoft Security Bulletin MS11-052 - Critical
Vulnerability in Vector Markup Language Could Allow Remote Code Execution (2544521)
- http://www.microsoft.com/technet/security/Bulletin/MS11-052.mspx
Critical - Remote Code Execution - May require restart - Microsoft Windows, Internet Explorer

Important

Microsoft Security Bulletin MS11-037 - Important
Vulnerability in MHTML Could Allow Information Disclosure (2544893)
- http://www.microsoft.com/technet/security/bulletin/ms11-037.mspx
Important - Information Disclosure - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-045 - Important
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2537146)
- http://www.microsoft.com/technet/security/bulletin/MS11-045.mspx
Important - Remote Code Execution - May require restart - Microsoft Office

Microsoft Security Bulletin MS11-046 - Important
Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2503665)
- http://www.microsoft.com/technet/security/bulletin/MS11-046.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-047 - Important
Vulnerability in Hyper-V Could Allow Denial of Service (2525835)
- http://www.microsoft.com/technet/security/bulletin/MS11-047.mspx
Important - Denial of Service - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-048 - Important
Vulnerability in SMB Server Could Allow Denial of Service (2536275)
- http://www.microsoft.com/technet/security/Bulletin/MS11-048.mspx
Important - Denial of Service - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-049 - Important
Vulnerability in the Microsoft XML Editor Could Allow Information Disclosure (2543893)
- http://www.microsoft.com/technet/security/Bulletin/MS11-049.mspx
Important - Information Disclosure - May require restart - Microsoft Office, Microsoft SQL Server, Microsoft Visual Studio

Microsoft Security Bulletin MS11-051 - Important
Vulnerability in Active Directory Certificate Services Web Enrollment Could Allow Elevation of Privilege (2518295)
- http://www.microsoft.com/technet/security/bulletin/ms11-051.mspx
Important - Elevation of Privilege - May require restart - Microsoft Windows
___

ISC Analysis
- http://isc.sans.edu/diary.html?storyid=11050
Last Updated: 2011-06-14 20:37:35 UTC
___

Deployment Priority
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/2654.deployment_2D00_201106.png

Severity and Exploitability Index
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/7220.severity_2D00_xi_2D00_201106.png
___

MSRT
- http://support.microsoft.com/?kbid=890830
June 14, 2011 - Revision: 88.0
(Recent additions)
- http://www.microsoft.com/security/pc-security/malware-families.aspx
... added this release...
• Rorpian
• Yimfoca
• Nuqel

Download:
- http://www.microsoft.com/downloads/en/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
File Name: windows-kb890830-v3.20.exe - 12.9MB

To download the x64 version of MSRT, click here:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en
File Name: windows-kb890830-x64-v3.20.exe - 13.3MB

.

AplusWebMaster
2011-06-17, 17:51
FYI...

- http://www.symantec.com/security_response/threatconlearn.jsp
"The ThreatCon is currently at Level 2: Elevated... On June 16, 2011, one of the issues fixed in Microsoft's June update, CVE-2011-1255, described in MS11-050 was found to be exploited in-the-wild. Customers are advised to install all applicable updates as soon as possible..."
- http://www.symantec.com/connect/blogs/exploit-june-ms-tuesday-vulnerability-wild

MS11-050 - Critical - Cumulative Security Update for Internet Explorer (2530548)
- http://www.microsoft.com/technet/security/Bulletin/MS11-050.mspx

- http://www.securityfocus.com/bid/48206/exploit
Updated: Jun 17 2011 - Symantec has discovered in-the-wild exploitation of the issue. The exploit is not publicly available.
___

- http://labs.m86security.com/2011/06/0-day-exploit-used-in-a-targeted-attack-cve-2011-1255/
June 26, 2011

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1255
Last revised: 06/29/2011
CVSS v2 Base Score: 9.3 (HIGH)

:fear:

AplusWebMaster
2011-07-01, 01:13
FYI...

Microsoft Security Advisory (2501584)
Office File Validation for Microsoft Office
- http://www.microsoft.com/technet/security/advisory/2501584.mspx
Updated: 6/30/2011 - "Microsoft is announcing the availability of the Office File Validation feature for supported editions of Microsoft Office 2003 and Microsoft Office 2007. The feature, previously only available for supported editions of Microsoft Office 2010, is designed to make it easier for customers to protect themselves from Office files that may contain malformed data, such as unsolicited Office files received from unknown or known sources, by scanning and validating files before they are opened. The Office File Validation feature described in this advisory applies when opening an Office file using Microsoft Excel 2003, Microsoft PowerPoint 2003, Microsoft Word 2003, Microsoft Publisher 2003, Microsoft Excel 2007, Microsoft PowerPoint 2007, Microsoft Word 2007, or Microsoft Publisher 2007. Office File Validation helps detect and prevent a kind of exploit known as a file format attack. File format attacks exploit the integrity of a file, and occur when the structure of a file is modified with the intent of adding malicious code...
Affected Software: Microsoft Office 2003 SP3, Microsoft Office 2007 SP2 ...
Microsoft revised this advisory to announce that as of June 28, 2011, the Office File Validation Add-in described in Microsoft Knowledge Base Article 2501584* is available through the Microsoft Update service...
Suggested Actions: Consult TechNet article, Office File Validation for Office 2003 and Office 2007, for information on deployment, installation, and configuration of the Office File Validation feature for Microsoft Office 2003 and Microsoft Office 2007**..."

* http://support.microsoft.com/kb/2501584

** http://technet.microsoft.com/en-us/library/53782285-736e-4d00-b458-6170054287af.aspx

.

AplusWebMaster
2011-07-01, 04:09
FYI...

MS Office 2010 SP1 available
- http://blogs.technet.com/b/office_sustained_engineering/
June 29, 2011 - "... Today SP1 is available from the Download center. The Downloads Table below provides links to the new packages for SP1. If you have installed all Office Automatic Updates, you will also see SP1 available as a manual download from Microsoft Update. After a 90 day grace period, SP1 will be offered as an automatic update through Microsoft Update..."

- http://technet.microsoft.com/en-us/office/ee748587.aspx

- http://support.microsoft.com/kb/2460049

.

AplusWebMaster
2011-07-06, 17:21
FYI...

MS to retire Office XP, Vista SP1 next week
- https://www.computerworld.com/s/article/9218164/Microsoft_to_retire_Office_XP_Vista_SP1_next_week
July 5, 2011 - "Microsoft will retire 2001's Office XP and the first service pack for Windows Vista next week, according to the company's published schedule. Both Office XP and Vista Service Pack 1 (SP1) will exit all support July 12, this month's Patch Tuesday. That date will be the last time Microsoft issues security updates for the aging suite and Vista SP1... Microsoft generally patches security vulnerabilities in its products throughout the entire 10-year stretch. Although Office XP's support expires next week, Vista users can continue to receive security updates by upgrading to SP2... Office 2003, the follow-up to Office XP, will receive security updates until April 2014. Office 2007 and Office 2010 will get patches until April 2017 and October 2020, respectively. Office XP and Vista SP1 were last patched three weeks ago when Microsoft issued 16 security updates that fixed 34 flaws."

Office XP
- http://support.microsoft.com/lifecycle/?p1=2533

:fear:

AplusWebMaster
2011-07-07, 19:49
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS11-jul.mspx
July 07, 2011 - "This is an advance notification of security bulletins that Microsoft is intending to release on July 12, 2011... (Total of -4-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows

Bulletin 2 - Important - Elevation of Privilege - Requires restart - Microsoft Windows

Bulletin 3 - Important - Elevation of Privilege - Requires restart - Microsoft Windows

Bulletin 4 - Important - Remote Code Execution - May require restart - Microsoft Office ..."

.

AplusWebMaster
2011-07-17, 14:27
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS11-jul.mspx
July 12, 2011 - "This bulletin summary lists security bulletins released for July 2011... (Total of -4-)

Critical

Microsoft Security Bulletin MS11-053 - Critical
Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (2566220)
- http://www.microsoft.com/technet/security/Bulletin/MS11-053.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Important

Microsoft Security Bulletin MS11-054 - Important
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2555917)
- http://www.microsoft.com/technet/security/bulletin/ms11-054.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows
"This security update resolves -15- privately reported vulnerabilities in Microsoft Windows..."

Microsoft Security Bulletin MS11-056 - Important
Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2507938)
- http://www.microsoft.com/technet/security/bulletin/ms11-056.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows
"This security update resolves -5- privately reported vulnerabilities in the Microsoft Windows Client/Server Run-time Subsystem (CSRSS)..."

Microsoft Security Bulletin MS11-055 - Important
Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2560847)
- http://www.microsoft.com/technet/security/Bulletin/MS11-055.mspx
Important - Remote Code Execution - May require restart - Microsoft Office

- http://www.microsoft.com/technet/security/advisory/2269637.mspx
• V8.0 (July 12, 2011): Added the update in Microsoft Knowledge Base Article 2533623 and the update in Microsoft Security Bulletin MS11-055, "Vulnerability in Microsoft Visio Could Allow Remote Code Execution," to the Updates relating to Insecure Library Loading section. The update in Microsoft Knowledge Base Article 2533623 implements Application Programming Interface (API) enhancements in Windows to help developers correctly and securely load external libraries.
- http://support.microsoft.com/kb/2533623
Last Review: July 12, 2011 - Revision: 2.1
___

- http://krebsonsecurity.com/2011/07/microsoft-fixes-scary-bluetooth-flaw-21-others/
July 12th, 2011 - "... updates to fix at least -22- security flaws in its Windows operating systems and other software..."
___

ISC Analysis
- http://isc.sans.edu/diary.html?storyid=11191
Last Updated: 2011-07-13 15:07:26 UTC ...(Version: 2)
___

Deployment Priority
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/7418.201107_2D00_deployment.png

Severity and Exploitability Index
- http://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/7367.201107_2D00_severity_2D00_xi.png
___

- http://www.securitytracker.com/id/1025760 - MS11-053
- http://www.securitytracker.com/id/1025761 - MS11-054
- http://www.securitytracker.com/id/1025762 - MS11-056
- http://www.securitytracker.com/id/1025763 - MS11-055
July 12 2011
___

Q&A - MSRC July 2011 Security Bulletin Release
- http://blogs.technet.com/b/msrc/p/july-2011-security-bulletin-q-a.aspx
July 13, 2011
___

MSRT
- http://support.microsoft.com/?kbid=890830
July 12, 2011 - Revision: 89.0
(Recent additions)
- http://www.microsoft.com/security/pc-security/malware-families.aspx
... added this release...
• Tracur
• Dursg

Download:
- http://www.microsoft.com/downloads/en/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
File Name: windows-kb890830-v3.21.exe - 13.0MB

To download the x64 version of MSRT, click here:
- http://www.microsoft.com/downloads/details.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en
File Name: windows-kb890830-x64-v3.21.exe - 13.0MB

- http://blogs.technet.com/b/mmpc/archive/2011/07/12/msrt-july-2011-targeting-web-redirector-malware.aspx
12 Jul 2011

.

AplusWebMaster
2011-07-29, 13:52
FYI...

July MSRT on web redirector malware
- http://blogs.technet.com/b/mmpc/archive/2011/07/28/july-msrt-on-web-redirector-malware.aspx
28 Jul 2011 - "... Since the release of MSRT on July 12, we have removed 516,517 Win32/Tracur threats from 242,517 computers making this malware the top threat on the list. Another 91,041 instances of Win32/Dursg were removed from 73,166 computers... The big number of Tracur threats can be accounted to its dropped files. Tracur will drop modified copies of itself in the <system folder> using file names derived from existing Windows DLL names with an appended string “32”, such as hal32.dll, olecli3232.dll, olecli3232.exe, and authz32.dll. Checking the origin of detections for Tracur*, United States has the highest percentage of infections with 80%, followed by Japan, France, and Canada, accounting for 3% of detections each...
* http://www.microsoft.com/security/portal/blog-images/BID11-012-001b.png
For Dursg**, United States has 56% of the detected infections, followed by Turkey, Canada, and United Kingdom..."
** http://www.microsoft.com/security/portal/blog-images/BID11-012-002.png

:fear::fear:

AplusWebMaster
2011-08-04, 20:39
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS11-aug.mspx
August 04, 2011 - "This is an advance notification of security bulletins that Microsoft is intending to release on August 9, 2011..." (Total of -13-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 2 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 3 - Important - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 4 - Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 5 - Important - Elevation of Privilege - May require restart - Microsoft Windows
Bulletin 6 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 7 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 8 - Important - Denial of Service - Requires restart - Microsoft Windows
Bulletin 9 - Important - Denial of Service - Requires restart - Microsoft Windows
Bulletin 10 - Important - Information Disclosure - May require restart - Microsoft .NET Framework, Microsoft Developer Tools
Bulletin 11 - Important - Information Disclosure - May require restart - Microsoft Developer Tools
Bulletin 12 - Moderate - Information Disclosure - May require restart - Microsoft .NET Framework
Bulletin 13 - Moderate - Denial of Service - Requires restart - Microsoft Windows ..."

.

AplusWebMaster
2011-08-09, 21:49
FYI...

- https://www.microsoft.com/technet/security/Bulletin/MS11-aug.mspx
August 09, 2011 - "This bulletin summary lists security bulletins released for August 2011... (Total of -13-)

Critical - 2

Microsoft Security Bulletin MS11-057 - Critical
Cumulative Security Update for Internet Explorer (2559049)
- https://www.microsoft.com/technet/security/bulletin/MS11-057.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer

Microsoft Security Bulletin MS11-058 - Critical
Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485)
- https://www.microsoft.com/technet/security/bulletin/ms11-058.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Important - 9

Microsoft Security Bulletin MS11-059 - Important
Vulnerability in Data Access Components Could Allow Remote Code Execution (2560656)
- https://www.microsoft.com/technet/security/bulletin/ms11-059.mspx
Important - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-060 - Important
Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (2560978)
- https://www.microsoft.com/technet/security/bulletin/ms11-060.mspx
Important - Remote Code Execution - May require restart - Microsoft Office

Microsoft Security Bulletin MS11-061 - Important
Vulnerability in Remote Desktop Web Access Could Allow Elevation of Privilege (2546250)
- https://www.microsoft.com/technet/security/bulletin/ms11-061.mspx
Important - Elevation of Privilege - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-062 - Important
Vulnerability in Remote Access Service NDISTAPI Driver Could Allow Elevation of Privilege (2566454)
- https://www.microsoft.com/technet/security/bulletin/ms11-062.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-063 - Important
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2567680)
- https://www.microsoft.com/technet/security/bulletin/ms11-063.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-064 - Important
Vulnerabilities in TCP/IP Stack Could Allow Denial of Service (2563894)
- https://www.microsoft.com/technet/security/bulletin/ms11-064.mspx
Important - Denial of Service - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-065 - Important
Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (2570222)
- https://www.microsoft.com/technet/security/bulletin/ms11-065.mspx
Important - Denial of Service - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-066 - Important
Vulnerability in Microsoft Chart Control Could Allow Information Disclosure (2567943)
- https://www.microsoft.com/technet/security/bulletin/ms11-066.mspx
Important - Information Disclosure - May require restart - Microsoft .NET Framework, Microsoft Developer Tools

Microsoft Security Bulletin MS11-067 - Important
Vulnerability in Microsoft Report Viewer Could Allow Information Disclosure (2578230)
- https://www.microsoft.com/technet/security/bulletin/ms11-067.mspx
Important - Information Disclosure - May require restart - Microsoft Developer Tools

Moderate - 2

Microsoft Security Bulletin MS11-068 - Moderate
Vulnerability in Windows Kernel Could Allow Denial of Service (2556532)
- https://www.microsoft.com/technet/security/bulletin/ms11-068.mspx
Moderate - Denial of Service - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-069 - Moderate
Vulnerability in .NET Framework Could Allow Information Disclosure (2567951)
- https://www.microsoft.com/technet/security/bulletin/ms11-069.mspx
Moderate - Information Disclosure - May require restart - Microsoft .NET Framework
___

Severity and Exploitability Index
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/2860.aug11_2D00_xi.png

Deployment Priority
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/6567.aug11_2D00_deploy.png
___

ISC Analysis
- https://isc.sans.edu/diary.html?storyid=11341
Last Updated: 2011-08-09 19:35:25 UTC
___

MSRT
- http://support.microsoft.com/?kbid=890830
August 9, 2011 - Revision: 90.0 - "... The Malicious Software Removal Tool runs in quiet mode. If it detects malicious software on your computer, the next time that you log on to your computer as a computer administrator, a balloon will appear in the notification area to make you aware of the detection..."

(Recent additions)
- http://www.microsoft.com/security/pc-security/malware-families.aspx
... added this release...
• FakeSysdef
• Hiloti

Download:
- http://www.microsoft.com/security/pc-security/malware-removal.aspx
File Name: windows-kb890830-v3.22.exe
- https://www.microsoft.com/download/en/details.aspx?id=9905
x64 version of MSRT:
File Name: windows-kb890830-x64-v3.22.exe

MSRT August '11 ...
- https://blogs.technet.com/b/mmpc/archive/2011/08/10/msrt-august-11-fakesysdef.aspx
10 Aug 2011

.

AplusWebMaster
2011-08-10, 15:32
FYI...

Microsoft Security Advisory (2562937)
Update Rollup for ActiveX Kill Bits
- https://www.microsoft.com/technet/security/advisory/2562937.mspx
August 09, 2011 - "Microsoft is releasing a new set of ActiveX kill bits with this advisory. This update sets the kill bits for the following third-party software:
• CheckPoint SSL VPN On-Demand applications...
• ActBar... IBM...
• EBI R Web Toolkit... Honeywell..."

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- https://www.microsoft.com/technet/security/advisory/2269637.mspx
August 09, 2011 - "... Update released on August 9, 2011
• MS11-059*, "Vulnerability in Data Access Components Could Allow Remote Code Execution," provides support for a vulnerable component of Microsoft Windows that is affected by the Insecure Library Loading class of vulnerabilities described in this advisory..."
* https://www.microsoft.com/technet/security/bulletin/ms11-059.mspx

.

AplusWebMaster
2011-08-11, 15:10
FYI...

MS11-043 re-released... Critical
Vulnerability in SMB Client Could Allow Remote Code Execution (2536276)
- https://www.microsoft.com/technet/security/bulletin/MS11-043.mspx
Published: June 14, 2011 | Updated: August 09, 2011
• "V2.0 (August 9, 2011): Bulletin rereleased to reoffer the update on all supported operating systems to address a stability issue. Customers who have already successfully updated their systems should reinstall this update."

- http://support.microsoft.com/kb/2536276
Last Review: August 9, 2011 - Revision: 3.0

:fear::confused:

AplusWebMaster
2011-08-30, 14:00
FYI...

Microsoft Security Advisory (2607712)
Fraudulent Digital Certificates Could Allow Spoofing
- https://www.microsoft.com/technet/security/advisory/2607712.mspx
August 29, 2011 V2.0 - "Microsoft is aware of at least one fraudulent digital certificate issued by DigiNotar, a certification authority present in the Trusted Root Certification Authorities Store, on all supported releases of Microsoft Windows. Although this is not a vulnerability in a Microsoft product, Microsoft is taking action to protect customers. Microsoft has been able to confirm that one digital certificate affects all subdomains of google.com and may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer. Microsoft is continuing to investigate how many more certificates have been fraudulently issued. As a precautionary measure, Microsoft has removed the DigiNotar root certificate from the Microsoft Certificate Trust List. All supported editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 use the Microsoft Certificate Trust List to validate the trust of a certification authority. Users of these operating systems will be presented with an invalid certificate error when they browse to a Web site or try to install programs signed by the DigiNotar root certificate. In those cases users should follow the instructions in the message. Microsoft will release a future update to address this issue for all supported editions of Windows XP and Windows Server 2003. Microsoft is continuing to investigate this issue and may release future updates to help protect customers..."

- https://blogs.technet.com/b/msrc/archive/2011/08/29/microsoft-releases-security-advisory-2607712.aspx

- https://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/
"... We have received reports of these certificates being used in the wild... we are releasing new versions of Firefox for desktop (3.6.21, 6.0.1, 7, 8, and 9) and mobile (6.0.1, 7, 8, and 9), Thunderbird (3.1.13, and 6.0.1) and SeaMonkey (2.3.2) shortly..."
___

- http://h-online.com/-1333088
30 August 2011

:fear:

AplusWebMaster
2011-09-06, 22:43
FYI...

- http://news.yahoo.com/second-firm-warns-concern-dutch-hack-215940770.html
Sep. 6, 2011 AMSTERDAM (AP) — "A company that sells certificates guaranteeing the security of websites, GlobalSign, says it is temporarily halting the issuance of new certificates over concerns it may have been targeted by hackers. GlobalSign, the Belgian-based subsidiary of Japan's GMO Internet Inc., is one of the oldest and largest such companies globally. It said in a statement Tuesday it does not know whether it has actually been hacked, but is taking threats by an anonymous hacker seriously in the wake of an attack on a smaller Dutch firm, DigiNotar, that came to light last week. The DigiNotar attack is believed to have allowed the Iranian government to spy on thousands of Iranian citizens' communications with Google email during the month of August."
> http://www.globalsign.com/company/press/090611-security-response.html
___

Microsoft Security Advisory (2607712)... updated
Fraudulent Digital Certificates Could Allow Spoofing
- https://www.microsoft.com/technet/security/advisory/2607712.mspx
Updated: September 06, 2011 - "Microsoft is aware of active attacks using at least one fraudulent digital certificate issued by DigiNotar... For supported releases of Microsoft Windows, typically no action is required of customers to install this update, because the majority of customers have automatic updating enabled and this update will be downloaded and installed automatically...
Suggested Actions... Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. For more information on how to manually apply the update, see Microsoft Knowledge Base Article 2607712*..."

Fraudulent digital certificates could allow spoofing
* http://www.microsoft.com/technet/security/advisory/2607712.mspx
September 6, 2011

- https://blogs.technet.com/b/msrc/archive/2011/09/06/microsoft-updates-security-advisory-2607712.aspx
6 Sep 2011

:fear:

AplusWebMaster
2011-09-09, 01:09
FYI...

MS Security Bulletin Advance Notification - September 2011
- https://technet.microsoft.com/en-us/security/bulletin/ms11-sep
September 08, 2011 - "This is an advance notification of security bulletins that Microsoft is intending to release on September 13, 2011..." (Total of -5-)

Bulletin 1 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 2 - Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 3 - Important - Remote Code Execution - May require restart - Microsoft Office, Microsoft Server Software
Bulletin 4 - Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 5 - Important - Elevation of Privilege - May require restart - Microsoft Office, Microsoft Server Software
___

- https://www.computerworld.com/s/article/9219857/Microsoft_plans_15_patches_for_Windows_Office_next_week
September 8, 2011 - "... patch 15 vulnerabilities in Windows, Excel, SharePoint Server and Groove..."

.

AplusWebMaster
2011-09-13, 20:24
FYI...

MS Security Bulletin Summary - September 2011
- https://technet.microsoft.com/en-us/security/bulletin/ms11-sep
September 13, 2011 - "This bulletin summary lists security bulletins released for September 2011..." (Total of -5-)

Microsoft Security Bulletin MS11-070 - Important
Vulnerability in WINS Could Allow Elevation of Privilege (2571621)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-070
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-071 - Important
Vulnerability in Windows Components Could Allow Remote Code Execution (2570947)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-071
Important - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-072 - Important
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2587505)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-072
Important - Remote Code Execution - May require restart - Microsoft Office, Microsoft Server Software

Microsoft Security Bulletin MS11-073 - Important
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2587634)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-073
Important - Remote Code Execution - May require restart - Microsoft Office

Microsoft Security Bulletin MS11-074 - Important
Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2451858)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-074
Important - Elevation of Privilege - May require restart - Microsoft Office, Microsoft Server Software
___

Microsoft Security Advisory (2607712)... updated
Fraudulent Digital Certificates Could Allow Spoofing
- https://technet.microsoft.com/en-us/security/advisory/2607712
Updated: Tuesday, September 13, 2011 - Version: 4.0
• V4.0 (September 13, 2011): Revised to announce the release of the 2616676 update that addresses the issue described in this advisory.
> http://support.microsoft.com/kb/2616676
September 13, 2011
___

Deployment Priority
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/4382.0911_2D00_deployment.png

Severity and Exploitability Index
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/6786.1109_2D00_severity_2D00_xi.png

> https://blogs.technet.com/b/msrc/archive/2011/09/13/more-on-diginotar-certificates-and-september-bulletins.aspx
___

ISC Analysis
- https://isc.sans.edu/diary.html?storyid=11551
Last Updated: 2011-09-13 20:02:31 UTC
___

- http://www.securitytracker.com/id/1026037 - MS11-070
- http://www.securitytracker.com/id/1026041 - MS11-071
- http://www.securitytracker.com/id/1026038 - MS11-072
- http://www.securitytracker.com/id/1026039 - MS11-073
- http://www.securitytracker.com/id/1026040 - MS11-074
Sep 13 2011

.

AplusWebMaster
2011-09-15, 19:35
FYI...

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- https://technet.microsoft.com/en-us/security/advisory/2269637
• V10.0 (September 13, 2011): Added the following Microsoft Security Bulletins to the Updates relating to Insecure Library Loading section: MS11-071, "Vulnerability in Windows Components Could Allow Remote Code Execution;" and MS11-073, "Vulnerabilities in Microsoft Office Could Allow Remote Code Execution."
- https://technet.microsoft.com/en-us/security/bulletin/ms11-071
- https://technet.microsoft.com/en-us/security/bulletin/ms11-073

Microsoft Security Advisory (2607712)
Fraudulent Digital Certificates Could Allow Spoofing
- https://technet.microsoft.com/en-us/security/advisory/2607712
• V4.0 (September 13, 2011): Revised to announce the release of the KB2616676 update that addresses the issue described in this advisory.
• V4.1 (September 13, 2011): Revised to announce the availability of the KB2616676 update for the Windows Developer Preview release. See the Update FAQ in this advisory for more information.
• V5.0 (September 19, 2011): Revised to announce the re-release of the KB2616676 update. See the Update FAQ in this advisory for more information.
- http://support.microsoft.com/kb/2616676
September 19, 2011 - Revision: 4.0

- https://blogs.technet.com/b/msrc/archive/2011/09/19/cumulative-non-security-update-protects-from-fraudulent-certificates.aspx
19 Sep 2011
___

- https://www.computerworld.com/s/article/9220121/Microsoft_fixes_SSL_kill_switch_blooper
September 19, 2011 - "... the update (MS) shipped to Windows XP and Server 2003 users last Tuesday was flawed..."

:fear:

AplusWebMaster
2011-09-27, 04:27
FYI...

Microsoft Security Advisory (2588513)
Vulnerability in SSL/TLS Could Allow Information Disclosure
- https://technet.microsoft.com/en-us/security/advisory/2588513
September 26, 2011 - "Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0 and TLS 1.0, affecting the Windows operating system. This vulnerability affects the protocol itself and is not specific to the Windows operating system. This is an information disclosure vulnerability that allows the decryption of encrypted SSL/TLS traffic. This vulnerability primarily impacts HTTPS traffic, since the browser is the primary attack vector, and all web traffic served via HTTPS or mixed content HTTP/HTTPS is affected. We are not aware of a way to exploit this vulnerability in other protocols or components and we are not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers. We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
Mitigating Factors:
The attack must make several hundred HTTPS requests before the attack could be successful.
TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected..."
(More detail at the URL above.)

- http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx
26 Sep 2011
___

- http://www.secureworks.com/research/blog/general/transitive-trust-and-ssl-cert/
Sep 9, 2011
___

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389
Last revised: 10/03/2011
CVSS v2 Base Score: 4.3 (MEDIUM)

- https://www.kb.cert.org/vuls/id/864643
Date Last Updated: 2011-09-29

:spider:

AplusWebMaster
2011-10-06, 20:16
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms11-oct
October 06, 2011 - "This is an advance notification of security bulletins that Microsoft is intending to release on October 11, 2011..."
(Total of -8-)

Bulletin 1 - Critical - Remote Code Execution - May require restart - Microsoft .NET Framework, Microsoft Silverlight
Bulletin 2 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 3 - Important - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 4 - Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 5 - Important - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 6 - Important - Remote Code Execution - May require restart - Microsoft Forefront Unified Access Gateway
Bulletin 7 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 8 - Important - Denial of Service - May require restart - Microsoft Host Integration Server ...

- https://blogs.technet.com/b/msrc/archive/2011/10/06/advanced-notification-for-the-october-2011-bulletin-release.aspx
6 Oct 2011 - "... eight security bulletins, two Critical and six Important, to address 23 vulnerabilities across Internet Explorer, .NET Framework & Silverlight, Microsoft Windows, Microsoft Forefront UAG, and Microsoft Host Integration Server..."

.

AplusWebMaster
2011-10-11, 15:30
FYI...

MS SIRv11 available
- https://blogs.technet.com/b/mmpc/archive/2011/10/11/new-microsoft-security-intelligence-report-volume-11-now-available.aspx
11 Oct 2011
> http://www.microsoft.com/security/sir/default.aspx

Malware detected by MSRT H1-2011
> http://www.microsoft.com/security/portal/blog-images/SIR11/SIR11_chart.png
___

- http://h-online.com/-1360430
13 October 2011

:fear:

AplusWebMaster
2011-10-11, 19:32
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms11-oct
October 11, 2011 - "This bulletin summary lists security bulletins released for October 2011..." (Total of -8-)

Critical -2-

Microsoft Security Bulletin MS11-078 - Critical
Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2604930)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-078
Critical - Remote Code Execution - May require restart - Microsoft .NET Framework, Microsoft Silverlight

Microsoft Security Bulletin MS11-081 - Critical
Cumulative Security Update for Internet Explorer (2586448)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-081
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer

Important -6-

Microsoft Security Bulletin MS11-075 - Important
Vulnerability in Microsoft Active Accessibility Could Allow Remote Code Execution (2623699)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-075
Important - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-076 - Important
Vulnerability in Windows Media Center Could Allow Remote Code Execution (2604926)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-076
Important - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-077 - Important
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2567053)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-077
Important - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-079 - Important
Vulnerabilities in Microsoft Forefront Unified Access Gateway Could Cause Remote Code Execution (2544641)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-079
Important - Remote Code Execution - May require restart - Microsoft Forefront Unified Access Gateway

Microsoft Security Bulletin MS11-080 - Important
Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-080
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-082 - Important
Vulnerabilities in Host Integration Server Could Allow Denial of Service (2607670)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-082
Important - Denial of Service - May require restart - Microsoft Host Integration Server
___

Deployment Priority
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/1638.October-2011-Deployment.jpg

Severity and Exploitability Index
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/5126.October-2011-_2D00_-Severity.png
___

ISC Analysis
- https://isc.sans.edu/diary.html?storyid=11779
Last Updated: 2011-10-11 18:17:17 UTC... (Version: 2)
___

- https://secunia.com/advisories/46403/ - MS11-075
- https://secunia.com/advisories/46404/ - MS11-076
- https://secunia.com/advisories/46405/ - MS11-077
- https://secunia.com/advisories/46406/ - MS11-078
- https://secunia.com/advisories/46402/ - MS11-079
- https://secunia.com/advisories/46401/ - MS11-080
- https://secunia.com/advisories/46400/ - MS11-081 - IE
Updated 2011-10-17 - CVE Reference(s): CVE-2011-1993, CVE-2011-1995, CVE-2011-1996, CVE-2011-1997, CVE-2011-1998, CVE-2011-1999, CVE-2011-2000, CVE-2011-2001
CVSS v2 Base Score: 9.3 (HIGH)
- https://secunia.com/advisories/46399/ - MS11-082
___

MSRT
- http://support.microsoft.com/?kbid=890830
October 11, 2011 - Revision: 94.0
(Recent additions)
- http://www.microsoft.com/security/pc-security/malware-families.aspx
... added this release...
• EyeStye (aka 'SpyEye')
• Poison

Download:
- http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16
File Name: windows-kb890830-v4.1.exe
- https://www.microsoft.com/download/en/details.aspx?id=9905
x64 version of MSRT:
File Name: windows-kb890830-x64-v4.1.exe

.

AplusWebMaster
2011-10-12, 16:19
FYI...

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- https://technet.microsoft.com/en-us/security/advisory/2269637
Updated: Tuesday, October 11, 2011
• V11.0: Added the following Microsoft Security Bulletins to the Updates relating to Insecure Library Loading section: MS11-075, "Vulnerability in Microsoft Active Accessibility Could Allow Remote Code Execution;" and MS11-076, "Vulnerability in Windows Media Center Could Allow Remote Code Execution."

:fear:

AplusWebMaster
2011-10-27, 02:44
FYI... NOW available thru MS Updates:

MS Updates - October 2011 revisited ...

A Compatibility View list update is available for Windows IE8
- http://support.microsoft.com/kb/2598845
October 26, 2011 - Revision: 2.1 - "An update is available for the Internet Explorer 8 Compatibility View list. This update is dated October 25, 2011. This Compatibility View list update makes websites that are designed for older browsers look better in Internet Explorer 8..."

A Jump List that contains more than 999 items is not displayed in Windows 7 or in Windows Server 2008 R2
- http://support.microsoft.com/kb/2607576
October 25, 2011 - Revision: 1.0

The values of the 32-bit versions of two registry entries are incorrect in 64-bit versions of Windows 7 or of Windows Server 2008 R2
- http://support.microsoft.com/kb/2603229
October 25, 2011 - Revision: 1.0

MS08-069: Security update for XML Core Services 4.0
- http://support.microsoft.com/kb/954430
October 3, 2011 - Revision: 6.0

Microsoft XML Core Services 4.0 SP2
- http://support.microsoft.com/kb/973688
January 19, 2011 - Revision: 4.0

.

AplusWebMaster
2011-11-01, 13:08
FYI...

Update on Zbot / MSRT removals
- https://blogs.technet.com/b/mmpc/archive/2011/10/31/update-on-the-zbot-spot.aspx
31 Oct 2011 - "... prior to the September 2011 release, MSRT consistently detected about -90%- of PWS:Win32/Zbot variants in the wild. For the month of September 2011, we detected and removed PWS:Win32/Zbot from around 185,000 distinct Windows computers, a stark increase to the months beforehand... For October so far, we've removed Zbot from over 88,000 computers and we expect that number to grow to around 100,000... These increased numbers are also likely a result of new functionality we've seen in Zbot recently. It seems that some variants now automatically spread via the Windows autorun functionality; something that is very common with other prolific malware families, so it's not very surprising we're seeing it now - but is surprising we hadn't seen it before now. Regarding autorun, Microsoft released a security update in February of 2011* that changed its default behavior - the result was an overall decline in threats utilizing autorun as a spreading mechanism. There is a Microsoft Knowledge Base article that discusses how to disable autorun in Windows, here** ..."

* http://support.microsoft.com/kb/971029

** http://support.microsoft.com/kb/967715

:fear::fear:

AplusWebMaster
2011-11-03, 13:51
FYI...

MSRT: Poison and EyeStye*, by the numbers (*aka SpyEye)
- https://blogs.technet.com/b/mmpc/archive/2011/11/01/poison-and-eyestye-by-the-numbers.aspx
1 Nov 2011 - "The latest MSRT release included coverage for two more malware families, one being Win32/EyeStye... the other being Win32/Poison... As of October 25, the MSRT has removed Win32/Poison from a little over 16,000 computers... we have disinfected EyeStye from more than half a million unique machines... (605,825 at the time of writing)...
Top 10 Families in MSRT:
- http://www.microsoft.com/security/portal/blog-images/BID047-003.png
... most of the computers found to be infected with EyeStye were located in western Europe, with the largest number of detections found in Germany:
Geographical distribution of EyeStye:
- http://www.microsoft.com/security/portal/blog-images/BID047-004.png ..."

- https://www.microsoft.com/download/en/details.aspx?displaylang=en&id=27871
PDF report Win32/Poison - 19 pgs.

:fear::fear:

AplusWebMaster
2011-11-03, 19:20
FYI...

Microsoft Security Bulletin MS11-081 - Critical
Cumulative Security Update for Internet Explorer (2586448)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-081
Updated: Wednesday, November 02, 2011 - Version: 1.2
• V1.2 (November 2, 2011): Announced the release of a hotfix to resolve a known issue affecting IE7 customers after the KB2586448 security update is installed. See the Update FAQ for details.

> http://support.microsoft.com/kb/2586448
November 2, 2011 - Revision: 2.0

Some drop-down lists and combo boxes do not appear in IE7 after you install security update 2586448
>> http://support.microsoft.com/kb/2628724
November 2, 2011 - Revision: 6.2
"... If you cannot upgrade to a newer version of Internet Explorer, a supported hotfix is now available from Microsoft for Internet Explorer 7. However, it is intended to correct -only- the problem that is described in this article. Apply it only to systems that are experiencing this specific problem..."

:fear::fear:

AplusWebMaster
2011-11-03, 23:03
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms11-nov
November 03, 2011 - "This is an advance notification of security bulletins that Microsoft is intending to release on November 8, 2011... (Total of -4-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 2 - Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 3 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 4 - Moderate - Denial of Service - Requires restart - Microsoft Windows ..."

.

AplusWebMaster
2011-11-04, 02:26
FYI...

Microsoft Security Advisory (2639658)
Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege
- https://technet.microsoft.com/en-us/security/advisory/2639658
• V1.0 (November 3, 2011): Advisory published.
• V1.1 (November 3, 2011): Added localization notation to the Workarounds section.
• V1.2 (November 4, 2011): Revised the workaround, Deny access to T2EMBED.DLL, to improve support for non-English versions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Customers with non-English versions of Microsoft Windows should reevaluate the applicability of the revised workaround for their environment.
• V1.3 (November 8, 2011): Added link to MAPP Partners with Updated Protections in the Executive Summary.

November 03, 2011 - "Microsoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs...
Workarounds: Deny access to T2EMBED.DLL
Note: See Microsoft Knowledge Base Article 2639658* to use the automated Microsoft Fix it solution to enable or disable this workaround to deny access to t2embed.dll..."
- http://support.microsoft.com/kb/2639658#FixItForMe
November 3, 2011 - Revision: 1.0
Impact of Workaround. Applications that rely on embedded font technology will fail to display properly.

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3402
Last revised: 11/07/2011
CVSS v2 Base Score: 9.3 (HIGH)
___

- https://www.computerworld.com/s/article/9221498/Duqu_exploits_same_Windows_font_engine_patched_last_month_Microsoft_confirms
November 4, 2011 - "... the Windows kernel vulnerability exploited by the Duqu Trojan is within the TrueType parsing engine, the same component it last patched just last month... So far during 2011, Microsoft has patched 56 different kernel vulnerabilities with updates issued in February, April, June, July, August and October. In April alone, the company fixed 30 bugs, then quashed 15 more in July..."
___

- https://secunia.com/advisories/46724/
Release Date: 2011-11-07
Criticality level: Extremely critical
Impact: System access
Where: From remote...
CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3402
... Reported as a 0-day.
Solution: Apply the Microsoft Fix it.*...
* http://support.microsoft.com/kb/2639658#FixItForMe

- http://www.securitytracker.com/id/1026271
Updated: Nov 4 2011
Impact: Execution of arbitrary code via network, User access via network
Vendor Confirmed: Yes
Version(s): XP SP3, 2003 SP2, Vista SP2, 2008 SP2, 7 SP1, 2008 R2 SP1; and prior service packs...
... A remote user can create a specially crafted document that, when loaded by the target user, will execute arbitrary code on the target system. The code will run with kernel level privileges. The vulnerability resides in the Win32k.sys kernel driver in the parsing of TrueType fonts...

NOTE: "... The vulnerability cannot be exploited automatically via email unless the user opens an attachment sent in an email message..."
Per: https://isc.sans.edu/diary.html?storyid=11950

US-CERT: Critical alert
- https://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-291-01E.pdf
November 1, 2011

:fear::fear:

AplusWebMaster
2011-11-08, 22:10
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms11-nov
November 08, 2011 - "This bulletin summary lists security bulletins released for November 2011...
(Total of -4-)

Microsoft Security Bulletin MS11-083 - Critical
Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-083
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-085 - Important
Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution
- https://technet.microsoft.com/en-us/security/bulletin/ms11-085
Important - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-086 - Important
Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-086
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-084 - Moderate
Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-084
Moderate - Denial of Service - Requires restart - Microsoft Windows
___

Bulletin Deployment priority
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/3301.November-2011-Deployment-Graphic.png

Severity and exploitability index
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/6136.November-2011-Severity-Graphic.png
___

- http://www.securitytracker.com/id/1026290 - MS11-083
- http://www.securitytracker.com/id/1026291 - MS11-084
- http://www.securitytracker.com/id/1026292 - MS11-085
- http://www.securitytracker.com/id/1026293 - MS11-085
- http://www.securitytracker.com/id/1026294 - MS11-086
Nov 8 2011
- https://secunia.com/advisories/46731/ - MS11-083
- https://secunia.com/advisories/46751/ - MS11-084
- https://secunia.com/advisories/46752/ - MS11-085
- https://secunia.com/advisories/46755/ - MS11-086
Nov 8 2011
___

Office updates...
- http://support.microsoft.com/kb/2639798
November 8, 2011 - "... -security- and nonsecurity updates. All the following are included in the November 8, 2011 update.
2553455 Description of the Office 2010 update
- http://support.microsoft.com/kb/2553455
2553310 Description of the Office 2010 update
- http://support.microsoft.com/kb/2553310
2553181 Description of the Office 2010 update
- http://support.microsoft.com/kb/2553181
2553290 Description of the OneNote 2010 update
- http://support.microsoft.com/kb/2553290
2553323 Description of the Outlook 2010 update
- http://support.microsoft.com/kb/2553323
982726 Description of the Outlook 2010 Junk Email Filter update
- http://support.microsoft.com/kb/982726
2596972 Description of the Outlook 2003 Junk Email Filter update...
- http://support.microsoft.com/kb/2596972
___

ISC Analysis
- https://isc.sans.edu/diary.html?storyid=11971
Last Updated: 2011-11-08 22:18:48 UTC - Version: 2

Re-released: Microsoft Security Bulletin MS11-037 - Important
Vulnerability in MHTML Could Allow Information Disclosure (2544893)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-037
Published: Tuesday, June 14, 2011 | Updated: Tuesday, November 08, 2011
Version: 2.0 - FAQs: "... The new offering of this update provides systems running Windows XP or Windows Server 2003 with the same cumulative protection that is provided by this update for all other affected operating systems..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1894
Last revised: 09/07/2011
Overview: "The MHTML protocol handler in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly handle a MIME format in a request for embedded content in an HTML document, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted EMBED element in a web page that is visited in Internet Explorer, aka 'MHTML Mime-Formatted Request Vulnerability'..."
CVSS v2 Base Score: 4.3 (MEDIUM)
___

MSRT
- http://support.microsoft.com/?kbid=890830
November 8, 2011 - Revision: 95.0
(Recent additions)
- http://www.microsoft.com/security/pc-security/malware-families.aspx
... added this release...
• Carberp
• Cridex
• Dofoil

Download:
- http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16
File Name: windows-kb890830-v4.2.exe - 14.0 MB
- https://www.microsoft.com/download/en/details.aspx?id=9905
x64 version of MSRT:
File Name: windows-kb890830-x64-v4.2.exe - 14.0 MB

- https://blogs.technet.com/themes/blogs/generic/post.aspx?WeblogApp=mmpc&y=2011&m=11&d=08&WeblogPostName=msrt-november-11-carberp&GroupKeys=
8 Nov 2011

.

AplusWebMaster
2011-11-10, 01:56
FYI...

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- https://technet.microsoft.com/en-us/security/advisory/2269637
• V12.0 (November 8, 2011): Added the following Microsoft Security Bulletin to the Updates relating to Insecure Library Loading section: MS11-085*, "Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution."
* https://technet.microsoft.com/en-us/security/bulletin/ms11-085

Microsoft Security Advisory (2639658)
Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege
- https://technet.microsoft.com/en-us/security/advisory/2639658
• V1.4 (November 11, 2011): Revised impact statement for the workaround, Deny access to T2EMBED.DLL, to address applications that rely on T2EMBED.DLL for functionality.
"... vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability..."
> http://support.microsoft.com/kb/2639658#FixItForMe

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3402
Last revised: 11/07/2011
CVSS v2 Base Score: 9.3 (HIGH)

- http://labs.m86security.com/2011/11/truetype-but-not-truly-safe-the-new-zero-day-event/
November 8th, 2011
___

A simple test of the Duqu workaround...
- http://blogs.computerworld.com/19256/a_simple_test_insures_the_duqu_workaround_is_working
November 12, 2011

:fear: :spider:

AplusWebMaster
2011-11-11, 00:10
FYI...

Microsoft Security Advisory (2641690)
Fraudulent Digital Certificates Could Allow Spoofing
* http://technet.microsoft.com/security/advisory/2641690
November 10, 2011 - "... The majority of customers have automatic updating enabled and will not need to take any action because the KB2641690 update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually..."

- http://support.microsoft.com/kb/2641690
November 10, 2011 Rev 1.0 - "Microsoft has released a Microsoft security advisory about this issue for IT professionals. This update is released for all supported versions of Microsoft Windows. This update revokes the trust of the following DigiCert Sdn. Bhd intermediate certificates by putting them in the Microsoft Untrusted Certificate Store:
Digisign Server ID – (Enrich) issued by Entrust.net Certification Authority (2048)
Digisign Server ID (Enrich) issued by GTE CyberTrust Global Root
The security advisory* contains additional security-related information..."

- https://blogs.technet.com/themes/blogs/generic/post.aspx?WeblogApp=msrc&y=2011&m=11&d=10&WeblogPostName=microsoft-releases-security-advisory-2641690-updates-untrusted-certificate-store&GroupKeys=
10 Nov 2011
___

- https://www.us-cert.gov/current/#fraudulent_digital_certificates_could_allow
November 10, 2011

:fear:

AplusWebMaster
2011-11-17, 21:31
FYI...

Microsoft Security Advisory (2641690)
Fraudulent Digital Certificates Could Allow Spoofing
- https://technet.microsoft.com/en-us/security/advisory/2641690
• V2.0 (November 16, 2011): Revised to announce the re-release of the KB2641690 update. See the Update FAQ in this advisory for more information. Also, added link to Microsoft Knowledge Base Article 2641690* under Known Issues in the Executive Summary.
* http://support.microsoft.com/kb/2641690
November 16, 2011 - Revision: 5.1
"... Before November 16, 2011, Microsoft Windows Server Update Services (WSUS) server customers experienced problems with the versions of update 2641690 for Windows XP x64 and for Windows Server 2003. On November 16, 2011, we re-released update 2641690 to address this issue for Windows XP x64 and for all editions of Windows Server 2003. Most systems have automatic updating enabled. If you do have automatic updating enabled, you do not have to take any action because update 2641690 will be installed automatically. All releases of Windows Vista, of Windows 7, of Windows Server 2008, and of Windows Server 2008 R2 are not affected by this issue..."

:fear::spider:

AplusWebMaster
2011-11-23, 14:52
FYI...

MSRT November: Dofoil
- https://blogs.technet.com/themes/blogs/generic/post.aspx?WeblogApp=mmpc&y=2011&m=11&d=22&WeblogPostName=msrt-november-dofoil&GroupKeys=
22 Nov 2011 - "... one of the three families added to the November release of the Microsoft Malicious Software Removal Tool is Win32/Dofoil. TrojanDownloader:Win32/Dofoil is a configurable downloader. Dofoil will attempt to receive control instructions from a remote server. The response contains encrypted configuration data containing download URLs and execution options... often seen as an attachment as part of a spam campaign, the MMPC has observed Win32/Dofoil distributed and installed via other mechanisms such as by exploit. In the wild Win32/Dofoil variants are employed to download rogue security software such as Trojan:Win32/FakeSysdef and spam capable malware such as Trojan:Win32/Danmec.L. Among observed spam campaigns, here is a small selection of spam lures employed during the last two months:
'IRS
From: pay.damages @irs.gov
Subject: IRS Notification ...'
'iTunes
From: account.sn.5890 @itunes.apple.com
Subject: Your iTunes Gift Certificate ...'
'Xerox
Subject: Fwd: Scan from a Xerox W. Pro #16389356 ...'
... reported variants of Win32/Dofoil on 13,488 unique machines this month. Forty-seven percent of these machines were running Windows XP, whilst approximately twenty-nine percent were running Windows 7. Looking at the geographic distribution* of the machines which reported a Win32/Dofoil detection...
* http://www.microsoft.com/security/portal/blog-images/BID54-GRAPH.png
... most prevalent in the United States, the MMPC observed those attempting to distribute Win32/Dofoil employing the use of localized lures targeting recipients in Germany, France, Italy and Australia..."

:fear::mad:

AplusWebMaster
2011-11-25, 15:02
FYI... http://windowssecrets.com/category/patch-watch/

... Regularly updated problem-patch chart
>> http://windowssecrets.com/category/patch-watch/
2011-11-23 - "... table provides the status of problem Windows patches reported in previous Patch Watch columns. Patches listed... as safe to install will be removed from the next updated table...
[ i.e.] Microsoft Security Bulletin MS11-069 - Moderate
Vulnerability in .NET Framework Could Allow Information Disclosure (2567951)
* https://technet.microsoft.com/en-us/security/bulletin/ms11-069
'Published: Tuesday, August 09, 2011 | Updated: Wednesday, October 26, 2011 ...
Revisions:
• V1.0 (August 9, 2011): Bulletin published.
• V1.1 (August 23, 2011): Added an update FAQ to announce a detection change for KB2539636 that corrects an installation issue. This is a detection change only. There were no changes to the security update files. Customers who have already successfully updated their systems do not need to take any action.
• V1.2 (October 26, 2011): Corrected Server Core installation applicability for .NET Framework 4 on Windows Server 2008 R2 for x64-based Systems...'

Status recommendations: Skip* — patch not needed; Hold — do not install until its problems are resolved; Wait — hold off temporarily while the patch is tested; Optional — not critical, use if wanted; Install — OK to apply..."

:secret:

AplusWebMaster
2011-12-01, 20:40
FYI... Duqu TrueType 0-day exploit - notes ..

No Microsoft patch is available (yet)
> http://windowssecrets.com/newsletter/building-your-own-xp-service-pack-4/#inthe3
2011-12-01 - "... The workaround** denies access to t2embed.dll, causing the Duqu exploit to fail. But the Duqu Fix it also has an odd characteristic: it prompts Windows XP users to download two older Microsoft patches, MS10-001 (KB 972270) and MS10-076 (KB 982132) — patches most XP users have presumably already installed..."
** http://support.microsoft.com/kb/2639658#FixItForMe

Free Duqu detector from CrySyS
> http://windowssecrets.com/newsletter/building-your-own-xp-service-pack-4/#inthe2
2011-12-01 - "... To see whether your system is vulnerable to Duqu, you can obtain a free Duqu detector from CrySyS*..."
* http://www.crysys.hu/duqudetector.html

:fear:

AplusWebMaster
2011-12-08, 22:56
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms11-dec
December 08, 2011 - "This is an advance notification of security bulletins that Microsoft is intending to release on December 13, 2011...
(Total of -14-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 2 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 3 - Critical - Remote Code Execution - May require restart - Microsoft Windows

Bulletin 4 - Important - Information Disclosure - Requires restart - Microsoft Windows
Bulletin 5 - Important - Information Disclosure - May require restart - Microsoft Office
Bulletin 6 - Important - Information Disclosure - May require restart - Microsoft Office
Bulletin 7 - Important - Information Disclosure - May require restart - Microsoft Windows
Bulletin 8 - Important - Information Disclosure - May require restart - Microsoft Office
Bulletin 9 - Important - Information Disclosure - Requires restart - Microsoft Windows
Bulletin 10 - Important - Information Disclosure - May require restart - Microsoft Office

Bulletin 11 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 12 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 13 - Important - Elevation of Privilege - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 14 - Important - Elevation of Privilege - May require restart - Microsoft Office
___

- https://www.computerworld.com/s/article/9222530/Update_Microsoft_plans_20_patches_next_week_will_fix_Duqu_and_BEAST_bugs
December 8, 2011 - "... Among the patches will be ones that plug the hole used by the Duqu intelligence-gathering Trojan, and fix the SSL (secure socket layer) 3.0 and TLS (transport layer security) 1.0 bug popularized three months ago by the BEAST, for "Browser Exploit Against SSL/TLS," hacking tool..."

TrueType: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3402
Last revised: 11/07/2011
CVSS v2 Base Score: 9.3 (HIGH)
SSL/TLS: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389
Last revised: 11/24/2011
CVSS v2 Base Score: 4.3 (MEDIUM)
___

- https://isc.sans.edu/diary.html?storyid=12169
Last Updated: 2011-12-08 21:43:23 UTC - "... gifts we will be presented with next week..."

.

AplusWebMaster
2011-12-13, 20:17
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms11-dec
December 13, 2011 - "This bulletin summary lists security bulletins released for December 2011...
(Total of -13-)

Critical - 3

Microsoft Security Bulletin MS11-087 - Critical
Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-087
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-090 - Critical
Cumulative Security Update of ActiveX Kill Bits (2618451)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-090
Critical - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-092 - Critical
Vulnerability in Windows Media Could Allow Remote Code Execution (2648048)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-092
Critical - Remote Code Execution - May require restart - Microsoft Office

Important - 10

Microsoft Security Bulletin MS11-088 - Important
Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2652016)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-088
Important - Elevation of Privilege - May require restart - Microsoft Office

Microsoft Security Bulletin MS11-089 - Important
Vulnerability in Microsoft Office Could Allow Remote Code Execution (2590602)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-089
Important - Remote Code Execution - May require restart - Microsoft Office

Microsoft Security Bulletin MS11-091 - Important
Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2607702)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-091
Important - Remote Code Execution - May require restart - Microsoft Office

Microsoft Security Bulletin MS11-093 - Important
Vulnerability in OLE Could Allow Remote Code Execution (2624667)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-093
Important - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-094 - Important
Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-094
Important - Remote Code Execution - May require restart - Microsoft Office

Microsoft Security Bulletin MS11-095 - Important
Vulnerability in Active Directory Could Allow Remote Code Execution (2640045)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-095
Important - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-096 - Important
Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2640241)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-096
Important - Remote Code Execution - May require restart - Microsoft Office

Microsoft Security Bulletin MS11-097 - Important
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege
- https://technet.microsoft.com/en-us/security/bulletin/ms11-097
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-098 - Important
Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-098
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-099 - Important
Cumulative Security Update for Internet Explorer (2618444)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-099
Important - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
___

Deployment Priority
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/7343.2011_2D00_12-dep.png

Severity and Exploitability Index
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/7343.2011_2D00_12-dep.png

- https://blogs.technet.com/b/msrc/archive/2011/12/13/the-december-bulletins-are-released.aspx?Redirected=true
"... Why 13 bulletins and not 14, as we stated in the ANS announcement on Thursday? After that announcement, we discovered an apps-compatibility issue between one bulletin-candidate and a major third-party vendor... The issue addressed in that bulletin, which we have been monitoring and against which we have seen no active attacks in the wild, was discussed in Security Advisory 2588513*."
* https://technet.microsoft.com/en-us/security/advisory/2588513

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389
Last revised: 12/13/2011
CVSS v2 Base Score: 4.3 (MEDIUM)

- https://www.computerworld.com/s/article/9222639/Microsoft_scratches_BEAST_patch_at_last_minute_but_fixes_Duqu_bug
December 13, 2011 - "... scrubbed security update was to fix the SSL (secure socket layer) 3.0 and TLS (transport layer security) 1.0 bug demonstrated in September 2011 by researchers who crafted a hacking tool dubbed BEAST... SAP... was the third-party vendor who reported compatibility problems..."
___

ISC Analysis
- https://isc.sans.edu/diary.html?storyid=12193
Last Updated: 2011-12-14 02:29:09 UTC
___

Security Advisory updates:

Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege
- https://technet.microsoft.com/en-us/security/advisory/2639658
V2.0 (December 13, 2011): Advisory updated to reflect publication of security bulletin. MS11-087.

Insecure Library Loading Could Allow Remote Code Execution
- https://technet.microsoft.com/en-us/security/advisory/2269637
V13.0 (December 13, 2011): Added the following Microsoft Security Bulletins to the Updates relating to Insecure Library Loading section: MS11-099, "Cumulative Security Update for Internet Explorer;" and MS11-094, "Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution."
___

Insecure library loading - verified Secunia List
- https://secunia.com/community/advisories/windows_insecure_library_loading/
Number of products affected: 293
Number of vendors affected: 113
Number of Secunia Advisories issued: 215
Solution Status ...
___

- https://secunia.com/advisories/46724/ - MS11-087
- https://secunia.com/advisories/47062/ - MS11-088
- https://secunia.com/advisories/47098/ - MS11-089
- https://secunia.com/advisories/47099/ - MS11-090
- https://secunia.com/advisories/47117/ - MS11-092
- https://secunia.com/advisories/47207/ - MS11-093
- https://secunia.com/advisories/47208/ - MS11-094
- https://secunia.com/advisories/47213/ - MS11-094
- https://secunia.com/advisories/47202/ - MS11-095
- https://secunia.com/advisories/47203/ - MS11-096
- https://secunia.com/advisories/47210/ - MS11-097
- https://secunia.com/advisories/47204/ - MS11-098
- https://secunia.com/advisories/47212/ - MS11-099
___

MSRT
- http://support.microsoft.com/?kbid=890830
December 13, 2011 - Revision: 96.0
(Recent additions)
- http://www.microsoft.com/security/pc-security/malware-families.aspx
... added this release...
• Helompy

Download:
- http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16
File Name: windows-kb890830-v4.3.exe - 14.5 MB
- https://www.microsoft.com/download/en/details.aspx?id=9905
x64 version of MSRT:
File Name: windows-kb890830-x64-v4.3.exe - 14.8 MB

- https://blogs.technet.com/b/mmpc/archive/2011/12/13/msrt-december-win32-helompy.aspx?Redirected=true
13 Dec 2011
___

Dec. 2011 Security Bulletin Q&A:
- https://blogs.technet.com/b/msrc/archive/2011/12/15/december-2011-security-bulletin-webcast-q-amp-a.aspx?Redirected=true
Dec. 14, 2011

.

AplusWebMaster
2011-12-16, 19:59
FYI... Win7 SP1 goes "missing"...

'You do not have the option of downloading Windows 7 SP1 when you use Windows Update to check for updates'
- http://support.microsoft.com/kb/2498452
Last Review: April 24, 2012 - Revision: 11.0
"... To resolve this issue, follow the steps in the methods below..."
(See the site)

:sad:

AplusWebMaster
2011-12-28, 21:28
FYI...

- https://www.us-cert.gov/current/#multiple_vendors_vulnerable_to_hash
Dec. 29, 2011

- http://h-online.com/-1401863
Dec. 29, 2011
___

Microsoft Security Advisory (2659883)
Vulnerability in ASP.NET Could Allow Denial of Service
- https://technet.microsoft.com/en-us/security/advisory/2659883
December 28, 2011 - "Microsoft is aware of detailed information that has been published describing a new method to exploit hash tables. Attacks targeting this type of vulnerability are generically known as hash collision attacks. Attacks such as these are not specific to Microsoft technologies and affect other web service software providers. This vulnerability affects all versions of Microsoft .NET Framework and could allow for an unauthenticated denial of service attack on servers that serve ASP.NET pages. Sites that only serve static content or disallow dynamic content types listed in the mitigation factors below are not vulnerable.
The vulnerability exists due to the way that ASP.NET processes values in an ASP.NET form post causing a hash collision. It is possible for an attacker to send a small number of specially crafted posts to an ASP.NET server, causing performance to degrade significantly enough to cause a denial of service condition. Microsoft is aware of detailed information available publicly that could be used to exploit this vulnerability but is not aware of any active attacks.
Details of a workaround to help protect sites against this vulnerability are provided in this article. Individual implementations for sites using ASP.NET will vary and Microsoft strongly suggests customers evaluate the impact of the workaround for applicability to their implementations...
Workarounds - Configuration-based workaround
The following workaround configures the limit of the maximum request size that ASP.NET will accept from a client. Decreasing the maximum request size will decrease the susceptibility of the ASP.NET server to a denial of service attack..."
- http://support.microsoft.com/kb/2659883
December 28, 2011 - Revision: 2.0

- http://www.kb.cert.org/vuls/id/903934
2011-12-28

- https://isc.sans.edu/diary.html?storyid=12286
Last Updated: 2011-12-28 23:02:14 UTC ...(Version: 2)
___

- https://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx?Redirected=true
27 Dec 2011 10:29 PM - "...if your website does need to accept user uploads, this workaround is likely to block legitimate requests. In that case, you should not use this workaround and instead wait for the comprehensive security update*..."
* Advanced Notification for out-of-band release to address Security Advisory 2659883
- https://blogs.technet.com/b/msrc/archive/2011/12/28/advanced-notification-for-out-of-band-release-to-address-security-advisory-2659883.aspx?Redirected=true
28 Dec 2011 7:51 PM - "... The release is scheduled for December 29... The bulletin has a severity rating of Critical..."
___

- http://www.securitytracker.com/id/1026469
CVE Reference: CVE-2011-3414
Date: Dec 28 2011
Impact: Denial of service via network...

- http://www.ocert.org/advisories/ocert-2011-003.html
2011-12-28

- https://secunia.com/advisories/47323/ | https://secunia.com/advisories/47404/
- https://secunia.com/advisories/47405/ | https://secunia.com/advisories/47406/
- https://secunia.com/advisories/47407/ | https://secunia.com/advisories/47408/
- https://secunia.com/advisories/47411/ | https://secunia.com/advisories/47413/
- https://secunia.com/advisories/47414/ | https://secunia.com/advisories/47415/
Release Date: 2011-12-29

:fear::fear:

AplusWebMaster
2011-12-29, 19:15
FYI...

Microsoft Security Bulletin MS11-100 - Critical
Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)
- https://technet.microsoft.com/en-us/security/bulletin/ms11-100.mspx
December 29, 2011 - "This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site... This security update is rated Critical for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework 3.5.1, and Microsoft .NET Framework 4 on -all- supported editions of Microsoft Windows...
Collisions in HashTable May Cause DoS Vulnerability
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3414 - 7.8 (HIGH)
Insecure Redirect in .NET Form Authentication Vulnerability
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3415 - 6.8
ASP.Net Forms Authentication Bypass Vulnerability
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3416 - 8.5 (HIGH)
ASP.NET Forms Authentication Ticket Caching Vulnerability
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3417 - 9.3 (HIGH)
12/30/2011
Affected Software: Windows XP (all editions), Windows Server 2003 (all editions), Windows Vista (all editions), Windows Server 2008 (all editions), Windows 7 (all editions), Windows Server 2008 R2 (all editions) ..."
• V1.1 (December 30, 2011): Added entry to the Update FAQ to address security-rated changes to functionality contained in this update and added mitigation for CVE-2011-3414.
___

MSRC: https://blogs.technet.com/b/msrc/archive/2011/12/29/microsoft-releases-ms11-100-for-security-advisory-2659883.aspx?Redirected=true
29 Dec 2011 - "... Consumers are -not- vulnerable unless they are running a Web server from their computer..."

MS SRD: https://blogs.technet.com/b/srd/archive/2011/12/29/asp-net-security-update-is-live.aspx?Redirected=true
29 Dec 2011
___

- https://secunia.com/advisories/47323/
Last Update: 2012-01-02
Criticality level: Moderately critical
Impact: Security Bypass, Spoofing, DoS
Where: From remote...
Original Advisory: MS11-100 (KB2638420, KB2656351, KB2656352, KB2656353, KB2656355, KB2656356, KB2656358, KB2656362, KB2657424):
http://technet.microsoft.com/en-us/security/bulletin/MS11-100

- http://www.securitytracker.com/id/1026479
Updated: Dec 30 2011

:fear::spider:

AplusWebMaster
2012-01-05, 20:57
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms12-jan
January 05, 2012 - "This is an advance notification of security bulletins that Microsoft is intending to release on January 10, 2012...
(Total of -7-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 2 - Important - Security Feature Bypass - Requires restart - Microsoft Windows
Bulletin 3 - Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 4 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 5 - Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 6 - Important - Information Disclosure - Requires restart - Microsoft Windows
Bulletin 7 - Important - Information Disclosure - May require restart - Microsoft Developer Tools and Software

.

AplusWebMaster
2012-01-10, 20:31
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms12-jan
January 10, 2012 - "This bulletin summary lists security bulletins released for January 2012...
(Total of -7-)

Microsoft Security Bulletin MS12-004 - Critical
Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-004
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS12-001 - Important
Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2644615)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-001
Important - Security Feature Bypass - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS12-002 - Important
Vulnerability in Windows Object Packager Could Allow Remote Code Execution (2603381)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-002
Important - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS12-003 - Important
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-003
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS12-005 - Important
Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2584146)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-005
Important - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS12-006 - Important
Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-006
Important - Information Disclosure - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS12-007 - Important
Vulnerability in AntiXSS Library Could Allow Information Disclosure (2607664)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-007
Important - Information Disclosure - May require restart - Microsoft Developer Tools and Software
___

ISC Analysis
- https://isc.sans.edu/diary.html?storyid=12361
Last Updated: 2012-01-10 18:38:36 UTC
___

Deployment Priority
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/4527.20120110_5F00_Deployment_5F00_Priority.PNG

Severity and Exploitability Index
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/4048.20120110_5F00_Severity_5F00_and_5F00_XI.PNG

- https://blogs.technet.com/b/msrc/archive/2012/01/10/january-2012-security-bulletins-released.aspx?Redirected=true
___

- https://secunia.com/advisories/47356/ - MS12-001
- https://secunia.com/advisories/45189/ - MS12-002
- https://secunia.com/advisories/47479/ - MS12-003
- https://secunia.com/advisories/47485/ - MS12-004
- https://secunia.com/advisories/47480/ - MS12-005
- https://secunia.com/advisories/46168/ - MS12-006
- https://secunia.com/advisories/47483/ - MS12-007
- https://secunia.com/advisories/47516/ - MS12-007

- http://www.securitytracker.com/id/1026498 - MS12-006
___

MSRT
- http://support.microsoft.com/?kbid=890830
January 10, 2012 - Revision: 97.1
(Recent additions)
- http://www.microsoft.com/security/pc-security/malware-families.aspx
... added this release...
• Sefnit*

Download:
- http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16
File Name: windows-kb890830-v4.4.exe - 13.8 MB
- https://www.microsoft.com/download/en/details.aspx?id=9905
x64 version of MSRT:
File Name: windows-kb890830-x64-v4.4.exe - 14.2 MB

* https://blogs.technet.com/b/mmpc/archive/2012/01/10/january-12-msrt-win32-sefnit.aspx?Redirected=true
10 Jan 2012 - "... Sefnit... often installed by different exploit kits including such as "Blackhole" (detected as Blacole), or distributed on file sharing networks with enticing "keygen" or "crack" styled file names..."

.

AplusWebMaster
2012-01-10, 23:41
FYI...

Microsoft Security Advisory (2588513)
Vulnerability in SSL/TLS Could Allow Information Disclosure
- https://technet.microsoft.com/en-us/security/advisory/2588513
Published: Monday, September 26, 2011 | Updated: Tuesday, January 10, 2012 - "We have issued MS12-006* to address this issue..."
* https://technet.microsoft.com/en-us/security/bulletin/ms12-006

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389

* http://forums.spybot.info/showpost.php?p=419439&postcount=33

:fear:

AplusWebMaster
2012-01-20, 01:53
FYI...

Microsoft Security Advisory (2641690)
Fraudulent Digital Certificates Could Allow Spoofing
- https://technet.microsoft.com/en-us/security/advisory/2641690
• V3.0 (January 19, 2012): Revised to announce the release of an update for Windows Mobile 6.x, Windows Phone 7, and Windows Phone 7.5 devices.

:fear:

AplusWebMaster
2012-02-10, 00:42
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms12-feb
February 09, 2012 - "This is an advance notification of security bulletins that Microsoft is intending to release on February 14, 2012...
(Total of -9-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 2 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 3 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 4 - Critical - Remote Code Execution - May require restart - Microsoft .NET Framework, Microsoft Silverlight
Bulletin 5 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 6 - Important - Elevation of Privilege - May require restart - Microsoft Office, Microsoft Server Software
Bulletin 7 - Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 8 - Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 9 - Important - Remote Code Execution - May require restart - Microsoft Office
___

- http://h-online.com/-1432804
10 Feb 2012 - "... a total of 21 vulnerabilities in products including Windows, Office and Internet Explorer, as well as in the .NET Framework and Silverlight..."

.

AplusWebMaster
2012-02-14, 19:47
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms12-feb
February 14, 2012 - "This bulletin summary lists security bulletins released for February 2012...
(Total of -9-)

Critical -4-

Microsoft Security Bulletin MS12-008 - Critical
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2660465)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-008
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS12-010 - Critical
Cumulative Security Update for Internet Explorer (2647516)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-010
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer

Microsoft Security Bulletin MS12-013 - Critical
Vulnerability in C Run-Time Library Could Allow Remote Code Execution (2654428)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-013
Critical - Remote Code Execution - Requires restart - Microsoft Windows
- https://blogs.technet.com/b/srd/archive/2012/02/14/ms12-013-more-information-about-the-msvcrt-dll-issue.aspx?Redirected=true

Microsoft Security Bulletin MS12-016 - Critical
Vulnerabilities in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2651026)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-016
Critical - Remote Code Execution - May require restart - Microsoft .NET Framework, Microsoft Silverlight
___

Reliability Update 2 for the .NET Framework 4
- http://support.microsoft.com/kb/2600217
Last Review: Feb 18, 2012 - Revision: 3.0 - Reliability Update 2 for the Microsoft .NET Framework 4 is available to fix some stability, reliability, and performance issues.
___

Important -5-

Microsoft Security Bulletin MS12-009 - Important
Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege (2645640)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-009
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS12-011 - Important
Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2663841)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-011
Important - Elevation of Privilege - May require restart - Microsoft Office, Microsoft Server Software

Microsoft Security Bulletin MS12-012 - Important
Vulnerability in Color Control Panel Could Allow Remote Code Execution (2643719)
- https://technet.microsoft.com/en-us/security/bulletin/MS12-012
Important - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS12-014 - Important
Vulnerability in Indeo Codec Could Allow Remote Code Execution (2661637)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-014
Important - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS12-015 - Important
Vulnerabilities in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2663510)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-015
Important - Remote Code Execution - May require restart - Microsoft Office
___

Bulletin Deployment Priority
- https://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/6646.February-2012-Deployment.png

Severity and Exploitability Index
- https://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/1134.February-2012-XI.png

- https://blogs.technet.com/b/msrc/archive/2012/02/14/msrc-looks-back-at-ten-years-and-the-february-2012-bulletins.aspx?Redirected=true
___

ISC Analysis
- https://isc.sans.edu/diary.html?storyid=12586
Last Updated: 2012-02-14 20:41:30 UTC
___

- https://secunia.com/advisories/47237/ - MS12-008
- https://secunia.com/advisories/47911/ - MS12-009
- https://secunia.com/advisories/48028/ - MS12-010
- https://secunia.com/advisories/48031/ - MS12-010
- https://secunia.com/advisories/48029/ - MS12-011
- https://secunia.com/advisories/41874/ - MS12-012
- https://secunia.com/advisories/47949/ - MS12-013
- https://secunia.com/advisories/41114/ - MS12-014
- https://secunia.com/advisories/47946/ - MS12-015
- https://secunia.com/advisories/48030/ - MS12-016
___

MSRT
- http://support.microsoft.com/?kbid=890830
February 14, 2012 - Revision: 99.0
(Recent additions)
- http://www.microsoft.com/security/pc-security/malware-families.aspx
... added this release...
• Fareit
• Pramro

Download:
- http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16
File Name: windows-kb890830-v4.5.exe - 14.2 MB
- https://www.microsoft.com/download/en/details.aspx?id=9905
x64 version of MSRT:
File Name: windows-kb890830-x64-v4.5.exe - 14.7 MB
___

MS Exchange 2010 SP2 - Update Rollup 1
- https://blogs.technet.com/b/exchange/archive/2012/02/13/released-update-rollup-1-for-exchange-2010-service-pack-2.aspx?Redirected=true
13 Feb 2012 - "Earlier today the Exchange CXP team released Update Rollup 1 for Exchange Server 2010 SP2 to the Download Center*.
* http://www.microsoft.com/download/en/details.aspx?id=28809
This update contains a number of customer-reported and internally found issues since the release of RU1. See KB 2645995**: 'Description of Update Rollup 1 for Exchange Server 2010 Service Pack 2' for more details.
** http://support.microsoft.com/kb/2645995

.

AplusWebMaster
2012-03-09, 01:18
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms12-mar
March 08, 2012 - "This is an advance notification of security bulletins that Microsoft is intending to release on March 13, 2012.
(Total of -6-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 2 - Important - Denial of Service - Requires restart - Microsoft Windows
Bulletin 3 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 4 - Important - Elevation of Privilege - May require restart - Microsoft Visual Studio
Bulletin 5 - Important - Remote Code Execution - May require restart - Microsoft Expression Design
Bulletin 6 - Moderate - Denial of Service - May require restart - Microsoft Windows

.

AplusWebMaster
2012-03-13, 19:17
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms12-mar
March 13, 2012 - "This bulletin summary lists security bulletins released for March 2012...
(Total of -6-)

Critical -1-

Microsoft Security Bulletin MS12-020 - Critical
Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-020
Critical - Remote Code Execution - Requires restart - Microsoft Windows
> http://support.microsoft.com/kb/2671387
See: "Known issues and additional information about this security update..."

Important -4-

Microsoft Security Bulletin MS12-017 - Important
Vulnerability in DNS Server Could Allow Denial of Service (2647170)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-017
Important - Denial of Service - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS12-018 - Important
Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2641653)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-018
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS12-021 - Important
Vulnerability in Visual Studio Could Allow Elevation of Privilege (2651019)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-021
Important - Elevation of Privilege - May require restart - Microsoft Visual Studio

Microsoft Security Bulletin MS12-022 - Important
Vulnerability in Expression Design Could Allow Remote Code Execution (2651018)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-022
Important - Remote Code Execution - May require restart - Microsoft Expression Design
> http://support.microsoft.com/kb/2651018
See: "Known issues with this security update..."

Moderate -1-

Microsoft Security Bulletin MS12-019 - Moderate
Vulnerability in DirectWrite Could Allow Denial of Service (2665364)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-019
Moderate - Denial of Service - May require restart - Microsoft Windows
___

Bulletin Deployment Priority
- https://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/5734.March-2012-Deployment-2.png

Severity and Exploitability Index
- https://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-45-71/4705.March-2012-Server_2D00_XI-1.png

- https://blogs.technet.com/b/msrc/archive/2012/03/13/strength-flexibility-and-the-march-2012-security-bulletins.aspx?Redirected=true
___

ISC Analysis
- https://isc.sans.edu/diary.html?storyid=12775
Last Updated: 2012-03-13 17:29:20 UTC
___

MSRT
- http://support.microsoft.com/?kbid=890830
March 13, 2012 - Revision: 100.0
(Recent additions)
- http://www.microsoft.com/security/pc-security/malware-families.aspx
... added this release...
• Dorkbot
• Hioles
• Yeltminky
• Pluzoks.A

- https://blogs.technet.com/b/mmpc/archive/2012/03/13/msrt-march-2012-breaking-bad.aspx?Redirected=true
13 Mar 2012

Download:
- http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16
File Name: windows-kb890830-v4.6.exe - 14.8 MB
- https://www.microsoft.com/download/en/details.aspx?id=9905
x64 version of MSRT:
File Name: windows-kb890830-x64-v4.6.exe - 15.4 MB

.

AplusWebMaster
2012-03-13, 23:08
FYI...

Microsoft Security Advisory (2647518)
Update Rollup for ActiveX Kill Bits
- https://technet.microsoft.com/en-us/security/advisory/2647518
March 13, 2012

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- https://technet.microsoft.com/en-us/security/advisory/2269637
• V15.0 (March 13, 2012): Added the following Microsoft Security Bulletin to the Updates relating to Insecure Library Loading section: MS12-022*, "Vulnerability in Expression Design Could Allow Remote Code Execution."
* https://technet.microsoft.com/en-us/security/bulletin/ms12-022

.

AplusWebMaster
2012-03-14, 14:20
FYI... RE: MS12-020 - Critical...

- https://blogs.technet.com/b/srd/archive/2012/03/13/cve-2012-0002-a-closer-look-at-ms12-020-s-critical-issue.aspx?Redirected=true
13 Mar 2012 - "... we anticipate that an exploit for code execution will be developed in the next 30 days... Remote Desktop Protocol is disabled by default, so a majority of workstations are unaffected by this issue. However, we highly encourage you to apply the update right away on any systems where you have enabled Remote Desktop... Enabling NLA* will prevent older clients (including Windows XP and Windows Server 2003) from connecting, by default..."
* See the URL above for MS Fixit's...
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0002
Last revised: 03/14/2012 - "... Note that on Windows XP and Windows Server 2003, Remote Assistance can enable RDP..."
CVSS v2 Base Score: 9.3 (HIGH)

- http://www.symantec.com/security_response/threatconlearn.jsp
"... The Microsoft Remote Desktop Protocol (RDP) patch is especially critical. Although RDP is not enabled by default, when it is enabled many RDP servers are placed directly on the Internet. If RDP is being used, ensure it is patched as soon as possible. RDP should -not- be placed directly on the Internet. RDP should be remotely accessible only by trusted clients by way of a VPN or similar solution..."

- http://h-online.com/-1471581
14 March 2012 - "... some customers "need time to evaluate and test all bulletins before applying them", Microsoft has also provided a workaround and a no-reboot "Fix it" tool that enables Network-Level Authentication (NLA) to mitigate the problem..."

:fear::fear:

AplusWebMaster
2012-03-16, 16:38
FYI...

MS12-020 - MS RDP ...
- https://isc.sans.edu/diary.html?storyid=12805
Last Updated: 2012-03-16 15:26:16 UTC - "... proof-of-concept is out..."

- https://isc.sans.edu/diary.html?storyid=12808
Last Updated: 2012-03-17 00:18:07 UTC

- http://atlas.arbor.net/briefs/index#-700023003
Severity: Extreme Severity
March 16, 2012 01:36

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0002
Last revised: 03/15/2012
CVSS v2 Base Score: 9.3 (HIGH)

> https://technet.microsoft.com/en-us/security/bulletin/ms12-020

:fear::fear:

AplusWebMaster
2012-03-20, 06:52
FYI...

RDP exploit watch: 5M RDP endpoints found on the Web
- http://atlas.arbor.net/briefs/index#-1324643596
Elevated Severity
March 19, 2012 22:10
"Research suggests that approximately five million remote desktop endpoints exist on the Internet.
Analysis: Every Internet connected organization should carefully assess the need for Remote Desktop and evaluate exposure to include patch status and strength of credentials. While convenient for users, remote access tools increase the attack surface and additional layers of security such as requiring VPN access, robust network ACL's, requiring stronger authentication and extensive host hardening should be considered. Additionally, it is important to institute proper monitoring to detect attacks and unauthorized access."
Source: https://www.zdnet.com/blog/security/rdp-exploit-watch-5-million-rdp-endpoints-found-on-internet/10937
"... Dan Kaminsky has identified approximately five million internet-accessible RDP endpoints that are potentially sitting ducks for a network worm exploiting the MS12-020 vulnerability..."

- http://dankaminsky.com/2012/03/18/rdp/
March 18, 2012
___

- http://www.kb.cert.org/vuls/id/624051
Last Updated: 2012-03-19

:fear::fear:

AplusWebMaster
2012-03-22, 13:42
FYI...

Exploit for MS12-020 RDP bug moves to Metasploit
- http://atlas.arbor.net/briefs/index#1373529066
Elevated Severity
March 21, 2012
"A Denial of Service exploit for the Microsoft Remote Desktop security hole is now included in the Metasploit Framework, a popular penetration testing toolkit. This DoS exploit was already in the wild.
Analysis: Hopefully the increased press on this issue has encouraged robust patching and system hardening which will reduce the impact of this issue when a remote code execution exploit does become public. istherdpexploitoutyet.com (http://istherdpexploitoutyet.com) is a website tracking the progress on this issue and offering links to research information. Be aware that this site does not offer any guarantees, and dangerous fake exploits for this bug have already appeared that will cause harm to those attempting to run them. Organizations that are exploited by this Denial of Service condition will see a "blue screen of death" involving RDPWD.SYS, as seen in the blog: http://community.websense.com/blogs/securitylabs/archive/2012/03/20/ms12-020-working-poc-in-the-wild.aspx
Source: http://threatpost.com/en_us/blogs/exploit-ms12-020-rdp-bug-moves-metasploit-032012 "

:fear::fear:

AplusWebMaster
2012-03-28, 13:27
FYI...

Tool Exploiting MS12-020 Vulnerabilities ...
- http://atlas.arbor.net/briefs/
Severity: Elevated Severity
Published: Wednesday, March 28, 2012 19:20
An easy-to-use denial of service tool for the Microsoft Remote Desktop Protocol vulnerability has been released.
Analysis: While a metasploit module has been available for some time, a new, easy-to-use point and click tool lowers the bar. Organizations that have yet to patch should do so...
Source: http://www.f-secure.com/weblog/archives/00002338.html

MS12-020 exploit in-the-wild ...
- https://www.f-secure.com/weblog/archives/00002338.html
March 27, 2012 - "Since the public release of Microsoft's MS12-020 bulletin, there have been plenty of attempts to exploit vulnerabilities in the Remote Desktop Protocol (RDP). Last week, we received a related sample, which turned out to be a tool called "RDPKill by: Mark DePalma" that was designed to kill targeted RDP service. The tool was written with Visual Basic 6.0, and has a simple user interface. We tested it on machines running on Windows XP 32-bit and Windows 7 64-bit... Both the Windows XP 32-bit and the Windows 7 64-bit computers were affected by the Denial of Service (DoS) attack. The service crashed and triggered a "Blue Screen of Death" (BSoD) condition*...
* https://www.f-secure.com/weblog/archives/rdpkill_bsod.png
We detect this tool as Hack-Tool:W32/RDPKill.A. (SHA-1: 1d131a5f17d86c712988a2d146dc73367f5e5917). Besides RDPKill.A, other similar tools and Metasploit module can also be found online. Due to their availability, an unpatched RDP server would be an easy target of DoS attack by attackers who might be experimenting with these tools. For those who still haven't patched their system, especially those running RDP service on their machines, we strongly advise that you do so as soon as possible..."

:fear::fear:

AplusWebMaster
2012-04-06, 14:44
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms12-apr
April 05, 2012 - "This is an advance notification of security bulletins that Microsoft is intending to release on April 10, 2012... (Total of -6-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 2 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 3 - Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework
Bulletin 4 - Critical - Remote Code Execution - May require restart - Microsoft Office, Microsoft SQL Server, Microsoft Server Software, Microsoft Developer Tools
Bulletin 5 - Important - Information Disclosure - May require restart - Microsoft Forefront Unified Access Gateway
Bulletin 6 - Important - Remote Code Execution - May require restart - Microsoft Office
___

- https://blogs.technet.com/b/msrc/archive/2012/04/05/advance-notification-service-for-april-2012-security-bulletin-release.aspx?Redirected=true
5 Apr 2012 - "... 6 bulletins addressing 11 vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, Forefront UAG, and .NET Framework..."

.

AplusWebMaster
2012-04-10, 20:39
FYI...

- http://technet.microsoft.com/en-us/security/bulletin/ms12-apr
April 10, 2012 - "This bulletin summary lists security bulletins released for April 2012...
(Total of -6-)

Critical -4-

Microsoft Security Bulletin MS12-023 - Critical
Cumulative Security Update for Internet Explorer (2675157)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-023
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer

Microsoft Security Bulletin MS12-024 - Critical
Vulnerability in Windows Could Allow Remote Code Execution (2653956)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-024
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS12-025 - Critical
Vulnerability in .NET Framework Could Allow Remote Code Execution (2671605)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-025
Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework

Microsoft Security Bulletin MS12-027 - Critical
Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-027
Critical - Remote Code Execution - May require restart - Microsoft Office, Microsoft SQL Server, Microsoft Server Software, Microsoft Developer Tools

Important -2-

Microsoft Security Bulletin MS12-026 - Important
Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Information Disclosure (2663860)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-026
Important - Information Disclosure - May require restart - Microsoft Forefront Unified Access Gateway

Microsoft Security Bulletin MS12-028 - Important
Vulnerability in Microsoft Office Could Allow Remote Code Execution (2639185)
- http://technet.microsoft.com/en-us/security/bulletin/ms12-028
Important - Remote Code Execution - May require restart - Microsoft Office
___

- https://blogs.technet.com/b/msrc/archive/2012/04/10/windows-xp-and-office-2003-countdown-to-end-of-support-and-the-april-2012-bulletins.aspx?Redirected=true
10 Apr 2012 - "... These bulletins will increase protection by addressing 11 CVEs. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on these Critical updates:
• MS12-027 (Windows Common Controls)...
• MS12-023 (Internet Explorer)..."

Bulletin Deployment Priority
- https://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/7220.April-2012-Overview-Slides_5F00_Dep_5F00_Prio.png

Severity and Exploitability Index
- https://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/8715.April-2012-Overview-Slides_5F00_Sev_5F00_XI.png
___

ISC Analysis
- https://isc.sans.edu/diary.html?storyid=12949
Last Updated: 2012-04-10 18:08:35 UTC
___

- https://secunia.com/advisories/48724/ - MS12-023
- https://secunia.com/advisories/48581/ - MS12-024
- https://secunia.com/advisories/48785/ - MS12-025
- https://secunia.com/advisories/48787/ - MS12-026
- https://secunia.com/advisories/48786/ - MS12-027
- https://secunia.com/advisories/48723/ - MS12-028

- http://www.securitytracker.com/id/1026901 - MS12-023
- http://www.securitytracker.com/id/1026906 - MS12-024
- http://www.securitytracker.com/id/1026907 - MS12-025
- http://www.securitytracker.com/id/1026909 - MS12-026
- http://www.securitytracker.com/id/1026899 - MS12-027
- http://www.securitytracker.com/id/1026900 - MS12-027
- http://www.securitytracker.com/id/1026902 - MS12-027
- http://www.securitytracker.com/id/1026903 - MS12-027
- http://www.securitytracker.com/id/1026904 - MS12-027
- http://www.securitytracker.com/id/1026905 - MS12-027
- http://www.securitytracker.com/id/1026910 - MS12-028
- http://www.securitytracker.com/id/1026911 - MS12-028
___

MSRT
- http://support.microsoft.com/?kbid=890830
April 10, 2012 - Revision: 101.0
(Recent additions)
- http://www.microsoft.com/security/pc-security/malware-families.aspx
... added this release...
• Bocinex
• Claretore
• Gamarue

- https://blogs.technet.com/b/mmpc/archive/2012/04/10/msrt-april-2012-win32-claretore.aspx?Redirected=true
10 Apr 2012

Download:
- http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16
File Name: Windows-KB890830-V4.7.exe - 14.9 MB
- https://www.microsoft.com/download/en/details.aspx?id=9905
x64 version of MSRT:
File Name: Windows-KB890830-x64-V4.7.exe - 15.5 MB

.

AplusWebMaster
2012-04-15, 11:17
FYI...

MS12-025 .Net update affects printing ...
- https://isc.sans.edu/diary.html?storyid=12994
Last Updated: 2012-04-15 00:28:11 UTC - "... the most recent Microsoft .Net framework update may have affected printing from some applications. TurboTax* has released an update to address this issue in their software and Microsoft has updated the MS12-025 KB article** to indicate they are aware of the problem..."
* http://turbotax.intuit.com/support/iq/Print-and-Save/Resolved--Unable-to-Print-TurboTax-Return-After-Installing-the-Latest-Windows-Update/SLN61229.html

** http://support.microsoft.com/kb/2671605
Last Review: April 14, 2012 - Revision: 2.0
"... Known issues with this security update: • We are currently aware of an issue with printing from a Windows Forms application. After the installation of these security updates, certain Windows Forms applications may not print, or may not honor specified printer settings when they do print. There is no impact on systems that do not use printing functionality from a .NET Framework Windows Forms application. The investigation into this issue is ongoing.
Workaround: To print from an affected Windows Forms application, print the content to a file on your computer instead of directly printing to a printer device. For example, print to a PDF, XPS, or any other supported format file. You can then open the file that you created and print directly from there..."

.NET Framework Parameter Validation Vulnerability
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0163 - 9.3 (HIGH)

- https://technet.microsoft.com/en-us/security/bulletin/ms12-025
V1.1 (April 13, 2012): Added a link to Microsoft Knowledge Base Article 2671605** under Known Issues in the Executive Summary.

:confused:

AplusWebMaster
2012-04-20, 13:50
FYI...

Fix for an error in custom Office solutions that occurs after you install MS12-027
- http://support.microsoft.com/kb/2703186/en-us
Last Review: April 19, 2012 - Revision: 2.0 - "After you install the update solution in Office applications that use controls from Mscomctl.ocx, you may receive one or more of the following error messages:
> Object library invalid or contains references to object definitions that could not be found
> Element not found
> Cannot insert object ...
To enable or disable this fixit solution*, click the Fix it button or link under the Enable heading. Click Run in the File Download dialog box, and then follow the steps in the Fix it wizard...
* http://go.microsoft.com/?linkid=9806938
APPLIES TO:
Microsoft Office Excel 2003
Microsoft Office PowerPoint 2003
Microsoft Office Word 2003
Microsoft Office Excel 2007
Microsoft Office PowerPoint 2007
Microsoft Office Word 2007
Microsoft Excel 2010
Microsoft PowerPoint 2010
Microsoft Word 2010 ..."
___

- https://isc.sans.edu/diary.html?storyid=13063
Apr 26, 2012 - "Packetstorm Security and Metasploit have Exploit code for MS12-027"

- http://www.symantec.com/security_response/threatconlearn.jsp
Apr 20, 2012 - "... MS12-027... Microsoft reports that this vulnerability is being exploited in the wild in specially crafted Office documents in limited, targeted attacks. Customers are advised to install all applicable updates as soon as possible..."

:fear:

AplusWebMaster
2012-04-26, 14:02
FYI...

MS SIRv12: Conficker
- http://www.theinquirer.net/inquirer/news/2170432/conficker-worm-troubling-microsoft
Apr 26 2012 - "... Microsoft has warned that the Conficker virus is still residing on millions of Windows machines. In its latest Security Intelligence Report, volume 12 (PDF*), the firm said that the worm had raised its head 220 million times in the last two and a half years. It said that it is one of the biggest threats to businesses and continues to be a problem because people insist on using crappy passwords..."

SIRv12: Conficker
- https://blogs.technet.com/b/mmpc/archive/2012/04/25/the-tenacity-of-conficker.aspx?Redirected=true
25 Apr 2012 - "... The nature of how later Conficker variants spread is the key to understanding what makes the worm so much more of an issue for businesses than for consumer users. Initially the worm spread through the Internet solely by exploiting a software vulnerability in the Windows Server service that had been addressed months earlier in Microsoft Security Bulletin MS08-067. About one month later, Conficker was updated to spread using the Autorun feature and weak passwords or stolen login tokens. The use of weak passwords and stolen login tokens was the change that gave it a foothold in the business sector environment...."
> http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Microsoft Security Intelligence Report volume 12
* http://go.microsoft.com/?linkid=9807245
PDF

:fear::fear:

AplusWebMaster
2012-04-27, 12:44
FYI...

Microsoft Security Bulletin MS12-027 - Critical
Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-027
• V2.0 (April 26, 2012): Added SP1 versions of SQL Server 2008 R2 to the Affected Software and added an entry to the update FAQ to explain which SQL Server 2000 update to use based on version ranges. These are informational changes only. There were no changes to the security update files or detection logic. For a complete list of changes, see the entry to the section, Frequently Asked Questions (FAQ) Related to This Security Update.

MS12-027
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158 - 9.3 (HIGH)
Last revised: 04/12/2012

CVE-2012-0158 Exploit in the Wild
- https://blogs.mcafee.com/mcafee-labs/cve-2012-0158-exploit-in-the-wild
April 23, 2012 - "... many specially crafted files exploiting CVE-2012-0158, a vulnerability in MSCOMCTL.OCX in Microsoft Office and some other Microsoft products. This exploit can be implemented in a variety of file formats, including RTF, Word, and Excel files. We have already found crafted RTF and Word files in the wild. In the malicious RTF, a vulnerable OLE file is embedded with \object and \objocx tags... always exercise caution when opening unsolicited emails..."

:fear::fear:

AplusWebMaster
2012-05-03, 23:58
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms12-may
May 03, 2012 - "This is an advance notification of security bulletins that Microsoft is intending to release on May 8, 2012... (Total of -7-)

Bulletin 1 - Critical - Remote Code Execution - May require restart - Microsoft Office
Bulletin 2 - Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework, Microsoft Silverlight, Microsoft Office
Bulletin 3 - Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework
Bulletin 4 - Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 5 - Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 6 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 7 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
___

- https://www.computerworld.com/s/article/9226846/Microsoft_plans_big_May_patch_slate_for_next_week
May 03, 2012 - "... to patch 23 bugs in Windows, Office and its Silverlight and .Net development platforms..."

- http://h-online.com/-1568457
4 May 2012

.

AplusWebMaster
2012-05-08, 21:02
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms12-may
May 08, 2012 - "This bulletin summary lists security bulletins released for May 2012...
(Total of -7-)

Critical -3-

Microsoft Security Bulletin MS12-029 - Critical
Vulnerability in Microsoft Word Could Allow Remote Code Execution (2680352)
- https://technet.microsoft.com/en-us/security/bulletin/MS12-029
Critical - Remote Code Execution - May require restart - Microsoft Office

Microsoft Security Bulletin MS12-034 - Critical
Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-034
Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework, Microsoft Silverlight, Microsoft Office

Microsoft Security Bulletin MS12-035 - Critical
Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2693777)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-035
Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework

Important -4-

Microsoft Security Bulletin MS12-030 - Important
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2663830)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-030
Important - Remote Code Execution - May require restart - Microsoft Office

Microsoft Security Bulletin MS12-031 - Important
Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2597981)
- https://technet.microsoft.com/en-us/security/bulletin/MS12-031
Important - Remote Code Execution - May require restart - Microsoft Office

Microsoft Security Bulletin MS12-032 - Important
Vulnerability in TCP/IP Could Allow Elevation of Privilege (2688338)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-032
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS12-033 - Important
Vulnerability in Windows Partition Manager Could Allow Elevation of Privilege (2690533)
- https://technet.microsoft.com/en-us/security/bulletin/ms12-033
Important - Elevation of Privilege - Requires restart - Microsoft Windows
___

- https://blogs.technet.com/b/msrc/archive/2012/05/08/bulletin-management-process-and-the-may-2012-bulletins.aspx?Redirected=true

Bulletin Deployment Priority
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/2112.20120508_5F00_Deployment_5F00_Priority_5F00_Slide.PNG

Severity and Exploitability Index
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/2671.20120508_5F00_Exploitability_5F00_Index_5F00_Slide.PNG
___

ISC Analysis
- https://isc.sans.edu/diary.html?storyid=13159
Last Updated: 2012-05-08 18:06:14 UTC

- http://blogs.iss.net/archive/2012_05_MSFT_Super_T.html
• MS12-034: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight...
-Ten- vulnerabilities are addressed in this update, three of which are listed as publicly disclosed. The updates touch many parts of the operating system...
• MS12-035: Vulnerabilities in .NET Framework Could Allow Remote Code Execution
Two more vulnerabilities in .NET are addressed... These are separate vulnerabilities, but each involve problems in code responsible for serializing/deserializing data from/into an object. Exploitation via specially crafted .NET code can result in arbitrary code execution...
• MS12-029: Vulnerability in Microsoft Word Could Allow Remote Code Execution
A single vulnerability in Microsoft Office's RTF parser is addressed... This vulnerability can be exploited for remote code execution... The RTF parser is shared among Office components so vulnerabilities in the parser can be exploited via an email in Outlook rendered as RTF as well as document attachments.
___

- https://secunia.com/advisories/49111/ - MS12-029
- https://secunia.com/advisories/49112/ - MS12-030
- https://secunia.com/advisories/49113/ - MS12-031
- https://secunia.com/advisories/49114/ - MS12-032
- https://secunia.com/advisories/49115/ - MS12-033
- https://secunia.com/advisories/49119/ - MS12-034
- https://secunia.com/advisories/49120/ - MS12-034
- https://secunia.com/advisories/49121/ - MS12-034
- https://secunia.com/advisories/49122/ - MS12-034
- https://secunia.com/advisories/49117/ - MS12-035

- http://www.securitytracker.com/id/1027035 - MS12-029
- http://www.securitytracker.com/id/1027041 - MS12-030
- http://www.securitytracker.com/id/1027042 - MS12-031
- http://www.securitytracker.com/id/1027044 - MS12-032
- http://www.securitytracker.com/id/1027043 - MS12-033
- http://www.securitytracker.com/id/1027038 - MS12-034
- http://www.securitytracker.com/id/1027039 - MS12-034
- http://www.securitytracker.com/id/1027040 - MS12-034
- http://www.securitytracker.com/id/1027048 - MS12-034
- http://www.securitytracker.com/id/1027035 - MS12-035
___

MSRT
- http://support.microsoft.com/?kbid=890830
May 8, 2012 - Revision: 102.0
(Recent additions)
- http://www.microsoft.com/security/pc-security/malware-families.aspx
... added this release...
• Dishigy
• Unruy

Download:
- http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16
File Name: Windows-KB890830-V4.8.exe - 15.4 MB
- https://www.microsoft.com/download/en/details.aspx?id=9905
x64 version of MSRT:
File Name: Windows-KB890830-x64-V4.8.exe - 16.0 MB

.

AplusWebMaster
2012-05-09, 03:20
FYI...

Microsoft Security Advisory (2695962)
Update Rollup for ActiveX Kill Bits
- https://technet.microsoft.com/en-us/security/advisory/2695962
May 08, 2012
> http://support.microsoft.com/kb/2695962

:fear:

AplusWebMaster
2012-05-11, 22:58
FYI...

MS12-034 buggy...

- http://support.microsoft.com/kb/2686509
Article ID: 2686509 - Last Review: May 16, 2012 - Revision: 3.0

Maurice N - MS MVP 2002-2010 - AumHa moderator & VSOP - DTS-L - malwarebytes.org forum moderator
- http://answers.microsoft.com/en-us/windows/forum/windows_xp-windows_update/failed-to-download-kb2676562/a44d3cf4-ffb4-4d78-9aa4-793d01b483db
May 9, 2012 - "... Open Internet Explorer (only!) to
- http://support.microsoft.com/kb/923737 [ignore any DOES NOT APPLY warnings as well as the APPLIES TO section] & run the Fix It.
Note=> For optimal results, check the Delete personal settings option.
1a. Open Internet Explorer (only!) to
- http://support.microsoft.com/kb/910336 [ignore the title & Symptoms].
1b. Dismiss/close the "automated troubleshooter" pop-up! - then...
1c. Ignoring any "Not recommended" or similar warnings, run Fix It 50202 in DEFAULT mode (if on a later run you still have the same failure, then repeat the above steps & then select the Aggressive mode).
2. Reboot & then run a manual check for updates at Windows Update, etc., etc...
When you reach Windows Update, do a Custom scan for updates. Take (accept) the ones marked Critical or Important.
Decline any that are marked as "optional".
Have infinite patience while it scans and does its work.
When it prompts you to Restart Windows, please do that. Allow it to restart.
Visit Windows Update via Start >> All Programs >> Windows Update
or Internet Explorer >> Tools >> Windows Update "

-or-

MS12-034: KB2686509 - Failure - due to remapping of a key
- https://social.technet.microsoft.com/wiki/contents/articles/10829.kb2686509-failure-due-to-remapping-of-a-key.aspx

-or-

Problem with MS12-034 / KB 2676562 patch
- http://www.askwoody.com/2012/problem-with-ms12-034-kb-2676562-patch/
May 9, 2012

:rolleyes: :confused:

AplusWebMaster
2012-05-23, 14:03
FYI...

Windows XP in update loop
- http://h-online.com/-1582649
23 May 2012 - "Users of Windows XP are reporting more problems with recent automatic updates. Three security updates for .NET Framework 2.0 and 3.5 are at the centre of the problem, labelled as patches KB2518664, KB2572073 and KB2633880 in Windows XP's automatic update feature.
On affected systems, the installation of these patches proceeds without error but after a short time, the update service says it would like to install them again and will keep reinstalling the patches if allowed. Microsoft's general advice in this situation is to reset Windows Update components*, though it has yet to offer any specific advice. It is interesting to note that the three patches in question were -not- released on Microsoft's official patch day."
* http://support.microsoft.com/kb/910339
Last Review: May 18, 2012 - Revision: 14.1

MS11-044: http://support.microsoft.com/kb/2518864
Last Review: May 15, 2012 - Revision: 3.1
MS11-078: http://support.microsoft.com/kb/2572073
Last Review: October 11, 2011 - Revision: 1.1
MS12-016: http://support.microsoft.com/kb/2633880
Last Review: February 14, 2012 - Revision: 1.0
___

- http://msmvps.com/blogs/bradley/archive/2012/05/21/hang-loose-until-someone-in-redmond-wakes-up-and-fixes-microsoft-update.aspx
"... Now fixed, and the Microsoft security bulletin alert indicates that some of these updates got a detection change..."

- https://technet.microsoft.com/en-us/security/bulletin/ms12-035
• V2.1 (May 22, 2012): Added entry to the update FAQ to announce a detection change for KB2604092 for Microsoft .NET Framework 2.0 Service Pack 2 and KB2604110 for Microsoft .NET Framework 3.0 Service Pack 2 to correct an installation issue...

:sad:

AplusWebMaster
2012-06-07, 19:25
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms12-jun
June 07, 2012 - "This is an advance notification of security bulletins that Microsoft is intending to release on June 12, 2012...
(Total of -7-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 2 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 3 - Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework
Bulletin 4 - Important - Remote Code Execution - May require restart - Microsoft Office, Microsoft Visual Basic for Applications
Bulletin 5 - Important - Elevation of Privilege - May require restart - Microsoft Dynamics AX
Bulletin 6 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 7 - Important - Elevation of Privilege - Requires restart - Microsoft Windows

- https://blogs.technet.com/b/msrc/archive/2012/06/07/advance-notification-service-for-june-2012-security-bulletin-release.aspx?Redirected=true
7 Jun 2012 - "... This month’s release includes 7 bulletins addressing 25 vulnerabilities..."

.

AplusWebMaster
2012-07-05, 22:08
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms12-jul
July 05, 2012 - "This is an advance notification of security bulletins that Microsoft is intending to release on July 10, 2012...
(Total of -9-)

Bulletin 1 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 2 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 3 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 4 - Important - Remote Code Execution - May require restart - Microsoft Office, Microsoft Developer Tools
Bulletin 5 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 6 - Important - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 7 - Important - Information Disclosure - Requires restart - Microsoft Windows
Bulletin 8 - Important - Elevation of Privilege - May require restart - Microsoft Office, Microsoft Server Software
Bulletin 9 - Important - Elevation of Privilege - Does not require restart - Microsoft Office

- https://blogs.technet.com/b/msrc/archive/2012/07/05/advance-notification-service-for-july-2012-security-bulletin-release.aspx?Redirected=true
5 Jul 2012 - "... includes nine bulletins addressing 16 vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, and Visual Basic for Applications..."

.

AplusWebMaster
2012-08-09, 21:40
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms12-aug
August 09, 2012 - "This is an advance notification of security bulletins that Microsoft is intending to release on August 14, 2012...
(Total of -9-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 2 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 3 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 4 - Critical - Remote Code Execution - May require restart - Microsoft Office, Microsoft SQL Server, Microsoft Server Software, Microsoft Developer Tools
Bulletin 5 - Critical - Remote Code Execution - Does not require restart - Microsoft Exchange

Bulletin 6 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 7 - Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 8 - Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 9 - Important - Remote Code Execution - May require restart - Microsoft Office
___

- https://blogs.technet.com/b/msrc/archive/2012/08/09/advance-notification-service-for-august-2012-security-bulletin-release.aspx?Redirected=true
9 Aug 2012 - "... The five Critical security bulletins are addressing ten vulnerabilities in Microsoft Windows, Internet Explorer, Exchange, SQL Server, Server Software, and Developer Tools. The bulletin for Exchange will address the issue first described in Security Advisory 2737111*. The four bulletins that have been rated as Important will address vulnerabilities in Windows and Microsoft Office..."
* http://technet.microsoft.com/en-us/security/advisory/2737111

.

AplusWebMaster
2012-08-11, 17:03
FYI...

Critical non-security update to be released :confused:
- https://blogs.technet.com/b/gladiatormsft/archive/2012/08/10/important-notice-about-a-forthcoming-certificate-update.aspx?Redirected=true
9 Aug 2012 - "... Next week a security fix will be widely distributed which will prevent use of certificates which use weak (less than 1024 bit) RSA keys. Microsoft will issue a critical non-security update (KB 2661254) for Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. The update will block the use of cryptographic keys that are less than 1024 bits. You could potentially run into issues as it may cause outages for those who have services that leverage IIS or any other application or service (client side or server side) if those services rely on those weak certificates..."

:oops:

AplusWebMaster
2012-10-04, 20:37
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms12-oct
October 04, 2012 - "This is an advance notification of security bulletins that Microsoft is intending to release on October 9, 2012...
(Total of -7-)

Bulletin 1 - Critical - Remote Code Execution - May require restart - Microsoft Office, Microsoft Server Software
Bulletin 2 - Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 3 - Important - Elevation of Privilege - May require restart - Microsoft Office, Microsoft Server Software, Microsoft Lync
Bulletin 4 - Important - Remote Code Execution - May require restart - Microsoft Office, Microsoft Server Software
Bulletin 5 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 6 - Important - Denial of Service - Requires restart - Microsoft Windows
Bulletin 7 - Important - Elevation of Privilege - May require restart - Microsoft SQL Server
___

- https://blogs.technet.com/b/msrc/archive/2012/10/04/advance-notification-service-for-october-2012-security-bulletin-release.aspx?Redirected=true
4 Oct 2012 - "... advance notification of the release of seven bulletins, one Critical and six Important, which address 20 vulnerabilities for October 2012. The Critical bulletin addresses vulnerabilities in Microsoft Word. The six Important-rated bulletins will address issues in Windows, Microsoft Office, and SQL Server. This release will also address the issue in FAST Search Server first described in Security Advisory 2737111*... we’ll provide the update we described in Security Advisory 2661254** through Windows Update next Tuesday. We previously made this release available through the download center for manual deployment and testing. Releasing KB2661254 to Automatic Updates and requiring that RSA key lengths be a minimum of 1024 bits will be our final step in this effort to help customers strengthen their certificates..."

* https://technet.microsoft.com/en-us/security/advisory/2737111
Updated: Aug 14, 2012 - Version: 2.0

** https://technet.microsoft.com/en-us/security/advisory/2661254
Updated: Sep 11, 2012 - Version: 1.2

.

AplusWebMaster
2012-11-09, 04:40
FYI...

- http://technet.microsoft.com/en-us/security/bulletin/ms12-nov
November 08, 2012 - "This is an advance notification of security bulletins that Microsoft is intending to release on November 13, 2012...
(Total of -6-)

Bulletin 1 - Critical - Remote Code Execution - Restart required - Microsoft Windows, Internet Explorer
Bulletin 2 - Critical - Remote Code Execution - Restart required - Microsoft Windows
Bulletin 4 - Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework
Bulletin 5 - Critical - Remote Code Execution - Restart required - Microsoft Windows
Bulletin 6 - Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 3 - Moderate - Information Disclosure - May require restart - Microsoft Windows

- https://blogs.technet.com/b/msrc/archive/2012/11/08/advance-notification-service-for-november-2012-security-bulletin-release.aspx?Redirected=true
8 Nov 2012 - "... advance notification for six bulletins to help protect customers against 19 CVEs. The four Critical-rated updates will address 13 vulnerabilities in Microsoft Windows, Internet Explorer and the .NET Framework. One bulletin rated Important will address four vulnerabilities in Microsoft Office and finally, one Moderate update will address two issues in Microsoft Windows..."

.

AplusWebMaster
2012-12-06, 21:40
FYI...

- http://technet.microsoft.com/en-us/security/bulletin/ms12-dec
Dec 06, 2012 - "This is an advance notification of security bulletins that Microsoft is intending to release on December 11, 2012...
(Total of -7-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 2 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 3 - Critical - Remote Code Execution - May require restart - Microsoft Office, Microsoft Server Software
Bulletin 4 - Critical - Remote Code Execution - May require restart - Microsoft Server Software
Bulletin 5 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 6 - Important - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 7 - Important - Security Feature Bypass - Requires restart - Microsoft Windows
___

- https://blogs.technet.com/b/msrc/archive/2012/12/06/advance-notification-service-for-december-2012-security-bulletin-release.aspx?Redirected=true
6 Dec 2012 - "... five Critical and two Important, which address 11 vulnerabilities. The Critical bulletins address vulnerabilities in Microsoft Windows, Word, Windows Server and Internet Explorer. The two Important-rated bulletins will address issues in Microsoft Windows..."

.

AplusWebMaster
2013-01-03, 19:46
FYI...

MS Security Bulletin Advance Notification - Jan 2013
- http://technet.microsoft.com/en-us/security/bulletin/ms13-jan
Jan 03, 2013 - "This is an advance notification of security bulletins that Microsoft is intending to release on January 8, 2013...
(Total of -7-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 2 - Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft Office, Microsoft Developer Tools, Microsoft Server Software
Bulletin 3 - Important - Elevation of Privilege - Does not require restart - Microsoft Server Software
Bulletin 4 - Important - Elevation of Privilege - May require restart - Microsoft Windows, Microsoft .NET Framework
Bulletin 5 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 6 - Important - Security Feature Bypass - Requires restart - Microsoft Windows
Bulletin 7 - Important - Denial of Service - May require restart - Microsoft Windows, Microsoft .NET Framework

.

AplusWebMaster
2013-02-08, 13:30
FYI...

- http://technet.microsoft.com/en-us/security/bulletin/ms13-feb
Feb 07, 2013 - "This is an advance notification of security bulletins that Microsoft is intending to release on February 12, 2013...
(Total of -12-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 2 - Critical - Remote Code Execution - May require restart - Microsoft Windows, Internet Explorer
Bulletin 3 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 4 - Critical - Remote Code Execution - May require restart - Microsoft Server Software
Bulletin 12 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 5 - Important - Remote Code Execution - May require restart - Microsoft Office, Microsoft Server Software
Bulletin 6 - Important - Denial of Service - Requires restart - Microsoft Windows
Bulletin 7 - Important - Elevation of Privilege - May require restart - Microsoft Windows, Microsoft .NET Framework
Bulletin 8 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 9 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 10 - Important - Denial of Service - Requires restart - Microsoft Windows
Bulletin 11 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
___

- http://blogs.technet.com/b/msrc/archive/2013/02/07/advance-notification-service-for-the-february-2013-security-bulletin-release.aspx?Redirected=true
7 Feb 2013 - "... This release brings five Critical and seven Important-class bulletins, which address -57- unique vulnerabilities. The Critical-rated bulletins address issues in Microsoft Windows, Internet Explorer and Exchange Software. The Important-rated bulletins address issues in Microsoft Windows, Office, .NET Framework, and Microsoft Server Software..."

:fear::fear:

AplusWebMaster
2013-03-08, 14:12
FYI...

- http://technet.microsoft.com/en-us/security/bulletin/ms13-mar
March 07, 2013 - "This is an advance notification of security bulletins that Microsoft is intending to release on March 12, 2013..."
(Total of -7-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 2 - Critical - Remote Code Execution - Does not require restart - Microsoft Silverlight
Bulletin 3 - Critical - Remote Code Execution - May require restart - Microsoft Office
Bulletin 4 - Critical - Elevation of Privilege - May require restart - Microsoft Office, Microsoft Server Software
Bulletin 5 - Important - Information Disclosure - May require restart - Microsoft Office
Bulletin 6 - Important - Information Disclosure - Does not require restart - Microsoft Office
Bulletin 7 - Important - Elevation of Privilege - Requires restart - Microsoft Windows

.

AplusWebMaster
2013-05-09, 21:08
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms13-may
May 09, 2013 - "This is an advance notification of security bulletins that Microsoft is intending to release on May 14, 2013...
(Total of -10-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 2 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 3 - Important - Denial of Service - Requires restart - Microsoft Windows
Bulletin 4 - Important - Spoofing - May require restart - Microsoft Windows, .NET Framework
Bulletin 5 - Important - Remote Code Execution - May require restart - Microsoft Lync
Bulletin 6 - Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 7 - Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 8 - Important - Information Disclosure - May require restart - Microsoft Office
Bulletin 9 - Important - Information Disclosure - May require restart - Microsoft Windows Essentials
Bulletin 10 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
___

- https://blogs.technet.com/b/msrc/archive/2013/05/08/advance-notification-service-for-the-may-2013-security-bulletin-release.aspx?Redirected=true
9 May 2013 - "... 10 bulletins for release on Tuesday, May 14, 2013. This release brings two Critical and eight Important-class bulletins, which address -34- unique vulnerabilities..."

.

AplusWebMaster
2013-06-06, 19:38
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms13-jun
June 06, 2013 - "This is an advance notification of security bulletins that Microsoft is intending to release on June 11, 2013...
(Total of -5-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 2 - Important - Information Disclosure - Requires restart - Microsoft Windows
Bulletin 3 - Important - Denial of Service - Requires restart - Microsoft Windows
Bulletin 4 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 5 - Important - Remote Code Execution - May require restart - Microsoft Office

.

AplusWebMaster
2013-07-05, 13:33
FYI...

- http://technet.microsoft.com/en-us/security/bulletin/ms13-jul
July 04, 2013 - "This is an advance notification of security bulletins that Microsoft is intending to release on July 9, 2013...
(Total of -7-)

Bulletin 1 - Critical - Remote Code Execution - May require restart - Microsoft .NET Framework, Microsoft Silverlight
Bulletin 2 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 3 - Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft Office, Microsoft Visual Studio, Microsoft Lync
Bulletin 4 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 5 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 6 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 7 - Important - Elevation of Privilege - Does not require restart - Microsoft Security Software

.

AplusWebMaster
2013-08-11, 14:41
FYI...

- http://technet.microsoft.com/en-us/security/bulletin/ms13-aug
August 08, 2013 - "This is an advance notification of security bulletins that Microsoft is intending to release on August 13, 2013...
(Total of -8-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 2 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 3 - Critical - Remote Code Execution - May require restart - Microsoft Server Software
Bulletin 4 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 5 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 6 - Important - Denial of Service - Requires restart - Microsoft Windows
Bulletin 7 - Important - Denial of Service - Requires restart - Microsoft Windows
Bulletin 8 - Important - Information Disclosure - May require restart - Microsoft Windows

.

AplusWebMaster
2013-09-06, 05:44
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms13-sep
September 05, 2013 - "This is an advance notification of security bulletins that Microsoft is intending to release on September 10, 2013...
(Total of -14-)

Bulletin 1 - Critical - Remote Code Execution - May require restart - Microsoft Office, Microsoft Server Software
Bulletin 2 - Critical - Remote Code Execution - May require restart - Microsoft Office
Bulletin 3 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 4 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 5 - Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 6 - Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 7 - Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 8 - Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 9 - Important - Elevation of Privilege - May require restart - Microsoft Office
Bulletin 10 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 11 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 12 - Important - Information Disclosure - May require restart - Microsoft Office
Bulletin 13 - Important - Denial of Service - May require restart - Microsoft Windows, Microsoft .NET Framework
Bulletin 14 - Important - Denial of Service - May require restart - Microsoft Windows
___

Prenotification Security Advisory for Adobe Reader and Acrobat
- http://www.adobe.com/support/security/bulletins/apsb13-22.html
September 5, 2013 - "Adobe is planning to release security updates on Tuesday, September 10, 2013 for Adobe Reader and Acrobat XI (11.0.03) and earlier versions for Windows and Macintosh..."

:fear::fear:

AplusWebMaster
2013-10-03, 19:15
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms13-oct
October 03, 2013 - "This is an advance notification of security bulletins that Microsoft is intending to release on October 8, 2013...
(Total of -8-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 2 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 3 - Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework
Bulletin 4 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 5 - Important - Remote Code Execution - May require restart - Microsoft Office, Microsoft Server Software
Bulletin 6 - Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 7 - Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 8 - Important - Information Disclosure - Does not require restart - Microsoft Silverlight
___

- http://www.adobe.com/support/security/bulletins/apsb13-25.html
October 2, 2013 - "Adobe is planning to release security updates on Tuesday, October 8, 2013 for Adobe Reader and Acrobat XI (11.0.04) for Windows..."

.

AplusWebMaster
2013-11-07, 21:41
FYI...

- http://technet.microsoft.com/en-us/security/bulletin/ms13-nov
Nov 07, 2013 - "This is an advance notification of security bulletins that Microsoft is intending to release on November 12, 2013...
(Total of -8-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 2 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 3 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 4 - Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 5 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 6 - Important - Information Disclosure - Requires restart - Microsoft Windows
Bulletin 7 - Important - Information Disclosure - May require restart - Microsoft Office
Bulletin 8 - Important - Denial of Service - Requires restart - Microsoft Windows

.

AplusWebMaster
2013-12-05, 20:49
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms13-dec
Dec 05, 2013 - "This is an advance notification of security bulletins that Microsoft is intending to release on December 10, 2013...
(Total of -11-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Microsoft Office, Microsoft Lync
Bulletin 2 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 3 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 4 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 5 - Critical - Remote Code Execution - Does not require restart - Microsoft Exchange
Bulletin 6 - Important - Remote Code Execution - May require restart - Microsoft Office, Microsoft Server Software
Bulletin 7 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 8 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 9 - Important - Elevation of Privilege - Does not require restart - Microsoft Developer Tools
Bulletin 10 - Important - Information Disclosure - May require restart - Microsoft Office
Bulletin 11 - Important - Security Feature Bypass - May require restart - Microsoft Office

- http://blogs.technet.com/b/msrc/archive/2013/12/05/advance-notification-service-for-december-2013-security-bulletin-release.aspx?Redirected=true
5 Dec 2013 - "... This release won’t include an update for the issue described in Security Advisory 2914486*. We’re still working to develop a security update and we’ll release it when ready..."
* http://technet.microsoft.com/en-us/security/advisory/2914486
Nov 27, 2013
"... vulnerability in a kernel component of Windows XP and Windows Server 2003..."
___

- http://forums.spybot.info/showthread.php?862-Microsoft-Alerts&p=447649&viewfull=1#post447649
.

AplusWebMaster
2014-01-09, 19:17
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms14-jan
January 09, 2014 - "This is an advance notification of security bulletins that Microsoft is intending to release on January 14, 2014...
(Total of -4-)

Bulletin 1 - Important - Remote Code Execution - May require restart - Microsoft Office, Microsoft Server Software
Bulletin 2 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 3 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 4 - Important - Denial of Service - May require restart - Microsoft Dynamics AX
___

- https://atlas.arbor.net/briefs/index#-1246654670
Elevated Severity
09 Jan 2014 20:12:34 +0000
Microsoft will release security patches for Office, Windows and the Dynamics AX ERP platform on Jan 14, 2014. Additionally, a patch for CVE-2013-5065, a privilege escalation in the Windows Kernel that was involved in targeted attack campaigns, will be patched.
Source: http://blogs.technet.com/b/msrc/archive/2014/01/09/advance-notification-service-for-the-january-2014-security-bulletin-release.aspx

.

AplusWebMaster
2014-02-07, 03:37
FYI...

- http://technet.microsoft.com/en-us/security/bulletin/ms14-feb
Feb 6, 2014 - "This is an advance notification of security bulletins that Microsoft is intending to release on February 11, 2014...
(Total of -5-)

Bulletin 1 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 2 - Critical - Remote Code Execution - May require restart - Microsoft Security Software
Bulletin 3 - Important - Elevation of Privilege - May require restart - Microsoft Windows, Microsoft .NET Framework
Bulletin 4 - Important - Information Disclosure - May require restart - Microsoft Windows
Bulletin 5 - Important - Denial of Service - Requires restart - Microsoft Windows

- https://blogs.technet.com/b/msrc/archive/2014/02/06/advance-notification-service-for-february-2014-security-bulletin-release.aspx?Redirected=true
Feb 6, 2014

.

AplusWebMaster
2014-02-11, 05:47
FYI...

Update: MS Advance Notification Service for Feb - 2014
- https://blogs.technet.com/b/msrc/archive/2014/02/10/advance-notification-service-for-february-2014-security-bulletin-release.aspx
Update Feb 10, 2014 - "We are adding two updates to the February release. There will be Critical-rated updates for Internet Explorer and VBScript in addition to the previously announced updates scheduled for release on February 11, 2014. These updates have completed testing and will be included in tomorrow’s release. This brings the total for Tuesday’s release to -seven- bulletins, four Critical. Please review the ANS summary page* for updated information to help customers prepare for security bulletin testing and deployment."

* http://technet.microsoft.com/en-us/security/bulletin/ms14-feb
Updated: Feb 10, 2014 - "This is a -revised- advance notification of security bulletins that Microsoft is intending to release on February 11, 2014...
(Total of -7-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 2 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 3 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 4 - Critical - Remote Code Execution - May require restart - Microsoft Security Software
Bulletin 5 - Important - Elevation of Privilege - May require restart - Microsoft Windows, Microsoft .NET Framework
Bulletin 6 - Important - Information Disclosure - May require restart - Microsoft Windows
Bulletin 7 - Important - Denial of Service - Requires restart - Microsoft Windows

.

AplusWebMaster
2014-03-06, 19:15
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms14-mar
March 06, 2014 - "This is an advance notification of security bulletins that Microsoft is intending to release on March 11, 2014...
(Total of -5-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 2 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 3 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 4 - Important - Security Feature Bypass - Requires restart - Microsoft Windows
Bulletin 5 - Important - Security Feature Bypass - Does not require restart - Microsoft Silverlight


.

AplusWebMaster
2014-04-03, 19:12
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms14-apr
April 03, 2014 - "This is an advance notification of security bulletins that Microsoft is intending to release on April 8, 2014...
(Total of -4-)

Bulletin 1 - Critical - Remote Code Execution - May require restart - Microsoft Office, Microsoft Office Services, Microsoft Office Web Apps
Bulletin 2 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 3 - Important - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 4 - Important - Remote Code Execution - May require restart - Microsoft Office
___

- http://blogs.technet.com/b/msrc/archive/2014/04/03/advance-notification-service-for-the-april-2014-security-bulletin-release.aspx
3 Apr 2014 - "... These updates address issues in Microsoft Windows, Office and Internet Explorer. The update provided through MS14-017 fully addresses the Microsoft Word issue first described in Security Advisory 2953095*. This advisory also included a Fix it to disable opening rich-text format (RTF) files within Microsoft Word. Once the security update is applied, you should -disable- the Fix it to ensure RTF files will again render normally..."
* https://support.microsoft.com/kb/2953095#FixItForMe
Disable this fix it - Microsoft Fix it 51011

.

AplusWebMaster
2014-05-09, 09:14
FYI...

- https://technet.microsoft.com/library/security/ms14-may
May 8, 2014 Version: 2.0 - "This is an advance notification of security bulletins that Microsoft is intending to release on May 13, 2014. This notification replaces the out-of-band bulletin summary that was released on May 1, 2014, and does not include the out-of-band bulletin (MS14-021), which was released on May 1, 2014...
(Total of -8-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 2 - Critical - Remote Code Execution - May require restart - Microsoft Server Software, Productivity Software
Bulletin 3 - Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 4 - Important - Elevation of Privilege - May require restart - Microsoft Windows
Bulletin 5 - Important - Elevation of Privilege - May require restart - Microsoft Windows, Microsoft .NET Framework
Bulletin 6 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 7 - Important - Denial of Service - May require restart - Microsoft Windows
Bulletin 8 - Important - Security Feature Bypass - May require restart - Microsoft Office

___

- https://helpx.adobe.com/security/products/reader/apsb14-15.html
May 8, 2014 - "Summary: Adobe is planning to release security updates on Tuesday, May 13, 2014 for Adobe Reader and Acrobat XI (11.0.06) and earlier versions for Windows and Macintosh..."

.

AplusWebMaster
2014-07-04, 14:20
FYI...

- https://technet.microsoft.com/library/security/ms14-jul
July 3, 2014 - "This is an advance notification of security bulletins that Microsoft is intending to release on July 8, 2014...
(Total of -6-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 2 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 3 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 4 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 5 - Important - Elevation of Privilege - May require restart - Microsoft Windows
Bulletin 6 - Moderate - Denial of Service - Does not require restart - Microsoft Server Software

.

AplusWebMaster
2014-08-07, 19:38
FYI...

- https://technet.microsoft.com/library/security/ms14-aug
Aug 7, 2014 - "This is an advance notification of security bulletins that Microsoft is intending to release on August 12, 2014...
(Total of -9-)

Executive Summaries:

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 2 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 3 - Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 4 - Important - Elevation of Privilege - May require restart - Microsoft SQL Server
Bulletin 5 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 6 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 7 - Important - Elevation of Privilege - May require restart - Microsoft Server Software
Bulletin 8 - Important - Security Feature Bypass - May require restart - Microsoft Windows, Microsoft .NET Framework
Bulletin 9 - Important - Security Feature Bypass - Requires restart - Microsoft Windows

.

AplusWebMaster
2014-09-05, 02:55
FYI...

- https://technet.microsoft.com/library/security/ms14-sep
Sep 4, 2014 - "This is an advance notification of security bulletins that Microsoft is intending to release on September 9, 2014...
(Total of -4-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 2 - Important - Denial of Service - May require restart - Microsoft Windows, Microsoft .NET Framework
Bulletin 3 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 4 - Important - Denial of Service - Does not require restart - Microsoft Lync Server
___

Prenotification Security Advisory for Adobe Reader and Acrobat
- https://helpx.adobe.com/security/products/reader/apsb14-20.html
Sep 5, 2014
Sep 8, 2014: Updated the expected release date from September 9, 2014 to the week of September 15, 2014. The release was delayed to address issues identified during regression testing.

... 'likely Flash too.

.

AplusWebMaster
2014-10-10, 02:54
FYI...

- https://technet.microsoft.com/library/security/ms14-oct
Oct 9, 2014 - "This is an advance notification of security bulletins that Microsoft is intending to release on October 14, 2014...
(Total of -9-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 2 - Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework
Bulletin 3 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 4 - Moderate - Elevation of Privilege - May require restart - Microsoft Windows, Microsoft Office
Bulletin 5 - Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 6 - Important - Remote Code Execution - May require restart - Microsoft Office, Microsoft Office Services, Microsoft Office Web Apps
Bulletin 7 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 8 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 9 - Important - Security Feature Bypass - May require restart - Microsoft Developer Tools


.