Old MS Alerts

MS08-078 for IEv7 released

FYI...

Microsoft Security Advisory (961051)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/961051.mspx
December 17, 2008 - "Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS08-078* to address this issue. For more information about this issue, including download links for an available security update, please review MS08-078. The vulnerability addressed is the Pointer Reference Memory Corruption Vulnerability - CVE-2008-4844**..."

** http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4844

> http://support.microsoft.com/?kbid=960714
Last Review: December 18, 2008 - Revision: 2.0

Microsoft Security Bulletin MS08-078 - Internet Explorer
Security Update for Internet Explorer (960714)
* http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx
December 17, 2008
Severity Rating: Critical
Affected Software: Microsoft Windows, Internet Explorer...
Vulnerability Impact: Remote Code Execution...
(May require restart)

:fear:
 
SQL Server...

FYI...

Microsoft Security Advisory (961040)
Vulnerability in SQL Server Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/961040.mspx
December 22, 2008 - "Microsoft is investigating new public reports of a vulnerability that could allow remote code execution on systems with supported editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue. Microsoft is aware that exploit code has been published on the Internet for the vulnerability addressed by this advisory. Our investigation of this exploit code has verified that it does not affect systems that have had the workarounds* listed below applied. Currently, Microsoft is not aware of active attacks that use this exploit code or of customer impact at this time. In addition, due to the mitigating factors for default installations of MSDE 2000 and SQL Server 2005 Express, Microsoft is not currently aware of any third-party applications that use MSDE 2000 or SQL Server 2005 Express which would be vulnerable to remote attack. However, Microsoft is actively monitoring this situation to provide customer guidance as necessary...
* Workarounds...
Deny permissions on the sp_replwritetovarbin extended stored procedure..."

- http://support.microsoft.com/kb/961040
December 23, 2008

- http://isc.sans.org/diary.html?storyid=5545
Last Updated: 2008-12-23 14:13:19 UTC
___

- http://www.microsoft.com/technet/security/advisory/961040.mspx
Updated: February 10, 2009 - "...We have issued MS09-004* to address this issue... The vulnerability addressed is the SQL Server sp_replwritetovarbin Limited Memory Overwrite Vulnerability
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5416 ..."

* http://www.microsoft.com/technet/security/bulletin/ms09-004.mspx

:fear:
 
Collision attacks against MD5...

FYI...

Microsoft Security Advisory (961509)
Research proves feasibility of collision attacks against MD5
- http://www.microsoft.com/technet/security/advisory/961509.mspx
December 30, 2008 - "Microsoft is aware that research was published at a security conference proving a successful attack against X.509 digital certificates signed using the MD5 hashing algorithm. This attack method could allow an attacker to generate additional digital certificates with different content that have the same digital signature as an original certificate. The MD5 algorithm had previously shown a vulnerability, but a practical attack had not yet been demonstrated. This new disclosure does not increase risk to customers significantly, as the researchers have not published the cryptographic background to the attack, and the attack is not repeatable without this information. Microsoft is not aware of any active attacks using this issue and is actively working with certificate authorities to ensure they are aware of this new research and is encouraging them to migrate to the newer SHA-1 signing algorithm. While this issue is not a vulnerability in a Microsoft product, Microsoft is actively monitoring the situation and has worked with affected Certificate Authorities to keep customers informed and to provide customer guidance as necessary...
Mitigating Factors...
• Most public Certificate Authority roots no longer use MD5 to sign certificates, but have upgraded to the more secure SHA-1 algorithm. Customers should contact their issuing Certificate Authority for guidance.
• When visited, Web sites that use Extended Validation (EV) certificates show a green address bar in most modern browsers. These certificates are always signed using SHA-1 and as such are not affected by this newly reported research...
Suggested Actions...
• Do not sign digital certificates with MD5
Certificate Authorities should no longer sign newly generated certificates using the MD5 algorithm, as it is known to be prone to collision attacks. Several alternative and more secure technologies are available, including SHA-1, SHA-256, SHA-384 or SHA-512.
Impact of action: Older hardware-based solutions may require upgrading to support these newer technologies...

:fear:
 
MS08-067 exploit in the wild

FYI...

- http://isc.sans.org/diary.html?storyid=5596
Last Updated: 2008-12-31 14:26:41 UTC - "Symantec has identified W32.Downadup.B as a new worm that is spreading by taking advantage of the RPC vulnerability from MS08-067*. It does various things to install and hide itself on the infected computer. It removes any System Restore points that the user has set and disables the Windows Update Service. It looks for ADMIN$ shares on the local network and tries to brute force the share passwords with a built-in dictionary. At this point in time, the worm's purpose appears to be simply to spread and infect as many computers as possible. After January 1, 2009, it will try to reach out to a variety of web sites to pull down an updated copy of itself. You can find examples of the domain names in the Symantec W32.Downadup.B writeup**..."

Vulnerability in Server Service Could Allow Remote Code Execution (958644)
* http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx

** http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2

> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4250

- http://secunia.com/advisories/32326
Last Update: 2008-10-24
Critical: Highly critical...

MS08-067 out-of-band netapi32.dll security update
- http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx

- http://support.microsoft.com/?kbid=958644

- http://www.us-cert.gov/cas/techalerts/TA08-297A.html

:fear:
 
MS08-067 exploit spreads...

FYI...

- http://preview.tinyurl.com/7jxs8z
01-06-2009 (Symantec blogs) - "... the most commonly infected systems appear to be Windows XP SP1 and earlier. Over 500,000 of the infected computers that contacted our server were running these operating system versions. Close behind was Windows XP SP2 and later systems. Windows 2000 and Windows 2003 had smaller shares. We believe that the W32.Downadup.A propagation routine has been very aggressive. It will continue to infect computers in the near future and receive updates via the aforementioned mechanism. Symantec discovered a new variant of this worm on December 30, 2008, dubbed W32.Downadup.B. This updated version contains additional propagation routines and what appears to be an altered domain generation routine. It’s not currently known if this new version was seeded to W32.Downadup.A infections or has independently spread through its own propagation routines.
We strongly encourage all users to ensure that the patches available in MS08-067 have been applied and that antivirus products are fully up-to-date to ensure that this threat does not find its way onto computers."
(Charts available at the URL above.)

:fear::mad::fear:
 
MS08-067 worms...

FYI...

- http://www.f-secure.com/weblog/archives/00001574.html
January 6, 2009 - "Over the last (few) days, we've received reports of corporate networks getting infected with variants of MS08-067 worms. These are mostly Downadup/Conficker variants. The malware uses server-side polymorphism and ACL modification to make network disinfection particularly difficult. A sign of infection is that user accounts become locked out of an Active Directory domain as the worm attempts to crack account passwords using a built-in dictionary. When it fails, it leads to those accounts being locked. We have detailed information about the malware functionality in our Downadup.AL description*. We also have a separate tool available to assist in disinfecting. The tool is available from here**. We also recommend system administrators block access to web sites used by the worm..." (Long list available at the URL above.)

* http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml

** ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4250
Last revised: 11/21/2008
CVSS v2 Base Score: 10.0 (HIGH)

:fear::fear::mad:
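The F-Secure post above names one practical indicator of an infected network: a single machine trying a built-in password dictionary against many domain accounts, which shows up as a burst of lockouts all traced to the same caller computer. As an added example (not F-Secure's or Microsoft's code, and not part of the original post), the script below runs that detection over a few constructed lockout records. The record format is a made-up simplification; on a real domain controller the same two fields (locked-out account and the computer the attempts came from) would be read from the security log's account-lockout events.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lockout records for the example (not real Windows event output).
SAMPLE_EVENTS = """\
2009-01-06 08:00:01 LOCKOUT account=jsmith caller=WS-0421
2009-01-06 08:00:02 LOCKOUT account=mbrown caller=WS-0421
2009-01-06 08:00:02 LOCKOUT account=alee caller=WS-0421
2009-01-06 08:00:03 LOCKOUT account=pkumar caller=WS-0421
2009-01-06 08:00:04 LOCKOUT account=jsmith caller=WS-0421
2009-01-06 08:30:00 LOCKOUT account=rgreen caller=WS-0077
2009-01-06 09:15:10 LOCKOUT account=rgreen caller=WS-0077
"""

EVENT_RE = re.compile(
    r'^(?P<ts>\S+ \S+) LOCKOUT account=(?P<account>\S+) caller=(?P<caller>\S+)$'
)


def parse_events(text):
    """Turn the constructed records into (timestamp, account, caller) tuples."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        ts = datetime.strptime(m.group('ts'), '%Y-%m-%d %H:%M:%S')
        events.append((ts, m.group('account'), m.group('caller')))
    return events


def find_lockout_sources(events, min_accounts=3, window_seconds=60):
    """Flag caller machines that lock out many distinct accounts in a short window.

    A user mistyping a password locks out one account; a worm walking a
    dictionary locks out many accounts from one source in seconds.  Returns a
    dict of caller -> largest number of distinct accounts locked out within
    any single window.
    """
    by_caller = defaultdict(list)
    for ts, account, caller in events:
        by_caller[caller].append((ts, account))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for caller, items in by_caller.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it fits within window_seconds.
            while items[end][0] - items[start][0] > window:
                start += 1
            accounts = {acct for _, acct in items[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[caller] = max(len(accounts), flagged.get(caller, 0))
    return flagged


if __name__ == '__main__':
    for caller, n in find_lockout_sources(parse_events(SAMPLE_EVENTS)).items():
        print(f'{caller}: locked out {n} distinct accounts within 60s')
```

With the constructed input, WS-0421 is reported (four distinct accounts locked out in three seconds) while WS-0077, which only ever locks out the same account twice, 45 minutes apart, is not. The thresholds are assumptions for the example; tune them to the domain's lockout policy.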
 
MS Bulletin Advance Notification - January 2009

FYI...

- http://www.microsoft.com/technet/security/bulletin/ms09-jan.mspx
January 8, 2009 - "This is an advance notification of (a) security bulletin that Microsoft is intending to release on January 13, 2009... (1)

Windows Bulletin
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software:
Microsoft Windows 2000 SP4, XPSP2, XPSP3, Server 2003 - Critical
Vista SP1, Server 2008 - Moderate

 
MS08-067 - variants of W32.Downadup.B - new ways to propagate

More...

New variants of W32.Downadup.B find new ways to propagate
- http://preview.tinyurl.com/ay432s
01-09-2009 Symantec Security Response Blog - "Symantec has observed an increase in infections relating to W32.Downadup over the holiday period and is urging organizations to apply the patch for Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067) as soon as possible. A new variant of this threat, called W32.Downadup.B, appeared on December 30th and can not only propagate by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, but can also spread through corporate networks by infecting USB sticks and accessing weak passwords... W32.Downadup.B creates an autorun.inf file on all mapped drives so that the threat automatically executes when the drive is accessed. The threat then monitors for drives that are connected to the compromised computer in order to create an autorun.inf file as soon as the drive becomes accessible. The worm also monitors DNS requests to domains containing certain strings and blocks access to those domains so that it will appear that the network request timed out. This means infected users may not be able to update their security software from those websites. This can be problematic as worm authors generally dish out new variants constantly... Click here** to obtain more information about how to prevent a threat from spreading using the "AutoRun" feature... more detail on the evolution and infection statistics of this threat, check out the earlier Security Response blog posting*..."
W32.Downadup Infection Statistics
* http://preview.tinyurl.com/7jxs8z
01-06-2009 - "...graph shows the statistics, over a 72-hour period, of unique IP addresses versus unique IP address and user-agent pairs..."

** http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008032111570648

:fear::fear::fear:
 
MS08-067 - Preemptive Downadup Domain Blocklist...

FYI...

Preemptive Downadup Domain Blocklist, Jan. 13-16
- http://www.f-secure.com/weblog/archives/00001578.html
January 12, 2009 - "Downadup variants use algorithmically determined URLs to report back to the bad guys. Reverse engineering the worm's code provides us with the method to predict which domains may be used in the future. Today's preemptive blocklist* includes an additional 1,000 URLs that WILL BE used by the Downadup from the 13th to the 16th. Network administrators can use this list as a preventive measure."
* http://www.f-secure.com/weblog/archives/downadup_domain_blocklist_13_16.txt

- http://isc.sans.org/diary.html?storyid=5671
Last Updated: 2009-01-12 22:43:54 UTC

- http://www.fortiguardcenter.com/reports/MS08-067-Conficker.html
(MS08-067 exploit activity from October 2008 to January 2009...) graphic

:fear::fear:
 
MS Security Bulletin Summary - January 2009

FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-jan.mspx
January 13, 2009 - "This bulletin summary lists security bulletin.. released for January 2009... (-1-)

Microsoft Security Bulletin MS09-001
Vulnerabilities in SMB Could Allow Remote Code Execution (958687)
- http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software:
Microsoft Windows 2000 SP4, XPSP2, XPSP3, Server 2003 - Critical
Vista SP1, Server 2008 - Moderate
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=5677
Last Updated: 2009-01-13 18:15:14 UTC
___

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4114
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4834
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4835
___

MS09-001: Prioritizing the deployment of the SMB bulletin
- http://preview.tinyurl.com/8elasn
(MS Security Vulnerability Research & Defense blog) - "...In terms of prioritizing the deployment of this update, we recommend updating SMB servers and Domain Controllers immediately since a system DoS would have a high impact. Other configurations should be assessed based on the role of the machine. For example, non-critical workstations could be considered lower priority assuming a system DoS is an acceptable risk. Systems with SMB blocked at the host firewall could also be updated more slowly..."
___

MSRT - Jan.2009 additions...
- http://support.microsoft.com/?kbid=890830
Malicious software family | Tool version | Current severity rating
Win32/Banload | January 2009 (V 2.6) | Moderate
Win32/Conficker* | January 2009 (V 2.6) | High ...
* http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker
(aka - Downadup)

Download:
- http://preview.tinyurl.com/6bb67
File Name: windows-kb890830-v2.6.exe
Version: 2.6
Date Published: 1/13/2009
___

- http://www.f-secure.com/weblog/archives/00001579.html
January 13, 2009 11:21 GMT - "... final count is: 2,395,963 infections worldwide. This figure is conservative; the real number is certainly higher."
- http://www.f-secure.com/weblog/archives/00001580.html
January 14, 2009 - "...worldwide Downadup infection count... Today's total infection count is an estimated 3,521,230 infections worldwide. That's over one million new infections since yesterday (and we still consider this to be a conservative estimate)."

:fear:
 
30% missing MS08-067...

FYI...

- http://preview.tinyurl.com/9fc4ze
January 15, 2009 (Computerworld) - "The worm that has infected several million Windows PCs is causing havoc because nearly a third of all systems remain unpatched 80 days after Microsoft Corp. rolled out an emergency fix, a security expert said today. Based on scans of several hundred thousand customer-owned Windows PCs, Qualys Inc.* concluded that about 30% of the machines have not yet been patched with the "out of cycle" fix Microsoft provided Oct. 23 as security update MS08-067..."
* http://www.qualys.com/research/alerts/view.php/2008-10-23

- http://preview.tinyurl.com/8tr9fg
January 15, 2009 (Avert Labs) - "...While investigating we found that this worm has an exploit for the recent MS08-067 vulnerability and uses the exploitation method derived from the metasploit ms08_067_netapi module to spread itself..."

NOTES:
1. It appears that this could, in part, be due to an MS Update site problem of a sort. MS08-067 was NOT offered on an XPSP2 system during the monthly update for Nov'08, nor during both of the Dec'08 runs (including the check/update for the IE 0-day fix). MS08-067 appears to have been installed during an XPSP3 update from the MS Update site just before year-end. YMMV.
2. A second XPSP2 machine - checked ReportingEvents.log located in %windir%\SoftwareDistribution ... found MS08-067 (KB958644) installed 10.23.2008, but dates shown in >Control Panel >Add/Remove programs show KB958644 install date occurred when XPSP3 was installed at year-end. WTF.

:fear: :sad: :spider:
 
MS08-067 - 8M infections...

FYI...

- http://www.f-secure.com/weblog/archives/00001584.html
January 16, 2009 - "The number of Downadup infections are skyrocketing based on our calculations. From an estimated 2.4 million infected machines to over 8.9 million during the last four days. That's just amazing. We've received a number of queries on just how exactly we're producing our estimates. There's been interest from Internet operators, CERTs, and fellow antivirus researchers. There's also been several posts to our blog comments, doubting our numbers... So let us explain how we are generating the numbers. There are several different variants of Downadup out there. The algorithm to create the domain names vary a bit between the variants. We've been tracking the variant we believe to be most common. It creates 250 possible domains each day. We've registered some selected domains out of this pool and are monitoring the connections being made to them... We first tried to count unique User-Agent headers per IP address, but the results weren't very good as in a standardized corporate network, most machines have identical User-Agents. So, with a little digging we discovered that in the /search/q=NUMBER query, the number is not random. It's basically a global variable in the code, getting incremented (thread-safely through InterlockedIncrement) every time the malware has successfully exploited a machine via MS08-067*. The incrementation is done in the httpd thread of the malware, after it has exploited a machine successfully. So this number tells us how many other computers this machine has exploited since it was last restarted... We wrote a program that parses the logs, extracting the highest "q" value for the IP/User-Agent pairs. These are then added together to get our figures. As you can see now, they are very conservative. And they are showing more than 8 million infected machines right now. The situation with Downadup is not getting better. It's getting worse."
(Complete detail shown at the F-secure URL above.)

* http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx

:fear: :sad: :fear:
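The F-Secure post above describes how their infection estimate is produced: for every IP address / User-Agent pair seen on the sinkhole domains, take the highest q value from the worm's /search/q=NUMBER request (the worm's own count of machines it exploited since its last restart) and add those maxima together. As an added example (not F-Secure's parsing program and not part of the original post), the script below carries that method out over a few constructed web-server log lines in the common combined-log shape; the log lines, addresses and User-Agent strings are made up for the example, and the script also reports the number of distinct reporting pairs, which the post does not describe as part of F-Secure's figure.

```python
import re

# Constructed sinkhole log lines for the example (combined-log layout; not F-Secure's data).
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jan/2009:10:00:01 +0000] "GET /search?q=3 HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.5 - - [13/Jan/2009:10:05:07 +0000] "GET /search?q=7 HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.5 - - [13/Jan/2009:10:09:40 +0000] "GET /search/q=2 HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
192.0.2.9 - - [13/Jan/2009:11:00:00 +0000] "GET /search?q=0 HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
192.0.2.9 - - [13/Jan/2009:11:00:00 +0000] "GET /index.html HTTP/1.1" 200 12 "-" "Mozilla/5.0 (X11; Linux)"
"""

# One combined-log line: client IP, ident, user, [time], "METHOD path proto", status, size, "referer", "user-agent".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# The q counter, accepted either as a query parameter (?q=N) or as a path segment (/q=N).
Q_RE = re.compile(r'(?:^|[?&/])q=(\d+)(?:$|[&/])')


def max_q_per_pair(lines):
    """Map each (IP, User-Agent) pair to the highest q value it reported.

    The worm increments q once per machine it exploits via MS08-067 and the
    counter resets on restart, so the maximum per pair is a lower bound on
    what that host has done since it last booted.
    """
    best = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a well-formed log line
        q = Q_RE.search(m.group('path'))
        if not q:
            continue  # ordinary request, not the worm's check-in
        key = (m.group('ip'), m.group('ua'))
        value = int(q.group(1))
        if value > best.get(key, -1):
            best[key] = value
    return best


def estimate(log_text):
    """Apply the post's arithmetic: add the per-pair maxima together."""
    best = max_q_per_pair(log_text.splitlines())
    return {
        'reporting_pairs': len(best),          # distinct infected hosts that checked in
        'exploited_total': sum(best.values()), # sum of highest q per pair (conservative)
    }


if __name__ == '__main__':
    print(estimate(SAMPLE_LOG))
```

On the constructed input the three reporting pairs contribute 7, 2 and 0, giving an exploited total of 9; the host that reported q=0 adds nothing to that sum even though it is itself infected, which is one reason the post calls the figure conservative.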
 
MS08-067 and disabling autorun...

FYI...

- http://blog.trendmicro.com/the-mess-that-is-worm_downad/
Jan. 20, 2009 - "The North American region has the most number of infected PCs, with users from the United States being hit the most. Japan, China, and Taiwan are also major DOWNAD-affected countries. In Europe, Italy and Spain had the most infections however other countries have also been affected. Users observe the following symptoms when they are infected with WORM_DOWNAD.AD:
• Blocked access to antivirus-related sites
• Disabled services such as Windows Automatic Update Service
• High traffic on affected system’s port 445
• Hidden files even after changes in Folder Options
• Inability to log in using Windows credentials because they are locked out
A .DLL file with random file names and autorun.inf also appear in all mapped drives, and in Internet Explorer and Movie Maker folders under the Program Files directory. The worm locks its dropped copy to prevent users from reading, writing, and deleting the malicious file. It also makes several registry changes to allow simultaneous network connections. By re-infecting machines, this worm manages to keep its malicious activities going on... Patching systems and programs as soon as fixes are made available and disabling autorun* are two of the most important actions required to reduce the risk of infection, infection propagation or reinfection with variant updates..."
(Global map of infections available at the URL above.)

NoDriveTypeAutoRun
* http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93502.mspx?mfr=true

:fear:
 
Waledac - new tactics & new domains...

FYI...

Inauguration Themed Waledac - New Tactics & New Domains
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090119
January 19, 2009 - "...the Inauguration of Barack Obama and the Waledac trojan has been in full swing attempting to take advantage of the event. Since late last week the trojan has been blasting its way across the Internet with e-mails attempting to bring unwitting users to a page that looks a lot like the official Barack Obama website. The page is updated each day to appear to have a new blog entry... As always do NOT visit these domains as they are malicious and hosting exploit code... Click here* for a full listing of Waledac domains that we are aware of - this link will be updated as we get them. Your best bet is to block these domains or otherwise avoid them..."
* http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt

:fear:
 
Disabling Autorun on XP, W2K, and W2K3...

FYI...

MS patch needs to be installed manually to disable -Autorun- on W2K, XP, and W2K3.
- http://preview.tinyurl.com/ck79cs
January 22, 2009 (Computerworld) - "...US-CERT said that most Windows users would have to manually go to Microsoft's Web site to grab the KB953252* update. "Note that this fix has been released via [Windows] Update to Windows Vista and Server 2008 systems as part of the MS08-038 Security Bulletin," said the security organization, talking about a July 2008 patch. "Windows 2000, XP and Server 2003 users must install the update manually." Microsoft has -not- issued the KB953252 update to Windows 2000, XP or Server 2003 systems via Windows Update or the corporate-oriented Windows Server Update Services (WSUS). US-CERT confirmed that the KB953252 update -does- fix the bug it had pointed out the day before**. "Our testing has shown that installing this update -and- setting the NoDriveTypeAutoRun registry value to 0xFF -will- disable Autorun," said US-CERT..."

* http://support.microsoft.com/kb/953252

** http://www.us-cert.gov/cas/techalerts/TA09-020A.html
Last revised: January 21, 2009: Added reference and details for Microsoft KB953252

- http://www.secureworks.com/research/threats/downadup-removal/
"...F-Secure also has a removal tool available, however the f-secure.com domain is in the blocked list of domain names (per infection)... Using an IP address instead of the hostname will bypass the worm's blocking routines, so that tool could be downloaded by infected systems at this URL: ftp://193.110.109.53/anti-virus/tools/beta/f-downadup.zip ..."

:fear: :rolleyes:
 
Windows - Autorun and NoDriveTypeAutoRun registry values...

FYI...

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0243
Last revised:01/22/2009
CVSS v2 Base Score:7.2 (HIGH)
Overview: Microsoft Windows does not properly enforce the Autorun and NoDriveTypeAutoRun registry values, which allows physically proximate attackers to execute arbitrary code...

- http://www.us-cert.gov/cas/techalerts/TA09-020A.html
Last revised: January 21, 2009

- http://isc.sans.org/diary.html?storyid=5695
Last Updated: 2009-01-15 08:38:46 UTC

:fear:
 
MS08-037 – revised...

FYI...

Microsoft Security Bulletin MS08-037 – Important
Vulnerabilities in DNS Could Allow Spoofing (953230)
- http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
Published: July 8, 2008
...Why was this security bulletin revised on January 13, 2009?
Microsoft revised this bulletin to communicate that the update offered by this bulletin may -not- have been correctly offered to all systems running Windows XP SP3. The detection and deployment issue has been fixed, and customers with Windows XP Service Pack 3 systems who have not already applied the update from this bulletin will now be correctly offered the update...
• V2.3 (January 13, 2009): Added a new entry to the Frequently Asked Questions (FAQ) Related to This Security Update section to communicate the fix to a detection and deployment issue with Windows XP Service Pack 3. There were no changes to the binaries or packages for this update. Customers who have successfully updated their systems do not need to reinstall this update.

Ed. note: 'Makes one wonder if the same was true for MS08-067...

:sad:
 
MS Bulletin Advance Notification - February 2009

FYI...

- http://www.microsoft.com/technet/security/bulletin/ms09-feb.mspx
February 5, 2009 - "This is an advance notification of security bulletins that Microsoft is intending to release on February 10, 2009...
(Total of -4-)

Internet Explorer
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Internet Explorer

Microsoft Exchange Server
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Does not require restart

Microsoft SQL Server
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart

Microsoft Office - Visio
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart

:spider:
 