MS Security Advisory 2028859
FYI...
Microsoft Security Advisory (2028859)
Vulnerability in Canonical Display Driver Could Allow Remote Code Execution
- http://www.microsoft.com/technet/sec...y/2028859.mspx
May 18, 2010 - "Microsoft is investigating a new public report of a vulnerability in the Canonical Display Driver (cdd.dll). Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart. We are not aware of attacks that try to use the reported vulnerability or of customer impact at this time. We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers..."
- http://www.theregister.co.uk/2010/05..._security_bug/
18 May 2010 - "... users can prevent attacks by disabling the Windows Aero Theme. To turn it off, choose Start > Control Panel and click on Appearance and Personalization. Then click on Change the Theme. Then select one of the Basic and High Contrast Themes."
:fear:
MSRT Threat Report - May 2010
FYI...
- http://blogs.technet.com/mmpc/archiv...d-alureon.aspx
May 21, 2010 - "... In total, MSRT May cleaned malware infections from 1,961,243 machines and below are the top most prevalent threat families cleaned with MSRT in May.
Family - Machines Cleaned
Alureon - 356,959
Frethog - 321,600
Taterf - 261,553
Rimecud - 225,005 ..."
:fear:
MS Security Bulletin Advance Notification - June 2010
FYI...
- http://blogs.technet.com/b/msrc/arch...ification.aspx
3 Jun 2010 - "... This month’s release includes ten bulletins addressing 34 vulnerabilities.
• Six of the bulletins affect Windows; of those, two carry a Critical severity rating and four are rated Important.
• Two bulletins, both with a severity rating of Important, affect Microsoft Office.
• One bulletin, again with a severity rating of Important, affects both Windows and Office.
• One bulletin, with a severity rating of Critical, affects Internet Explorer...
We will also be acting on two Security Advisories this month.
• We are closing Security Advisory 983438 (Vulnerability in Microsoft SharePoint Could Allow Elevation of Privilege) with the June bulletins.
• We are also addressing Security Advisory 980088 (Vulnerability in Internet Explorer Could Allow Information Disclosure)..."
- http://www.microsoft.com/technet/sec.../ms10-jun.mspx
June 3, 2010 - "This is an advance notification of security bulletins that Microsoft is intending to release on June 8, 2010... (Total of -10-)
Critical -3-
Bulletin 2 - Critical
Remote Code Execution
May require restart
Microsoft Windows
Bulletin 3 - Critical
Remote Code Execution
May require restart
Microsoft Windows
Bulletin 4 - Critical
Remote Code Execution
Requires restart
Microsoft Windows, Internet Explorer
Important -7-
Bulletin 1 - Important
Elevation of Privilege
Requires restart
Microsoft Windows
Bulletin 5 - Important
Remote Code Execution
May require restart
Microsoft Office
Bulletin 6 - Important
Elevation of Privilege
May require restart
Microsoft Windows
Bulletin 7 - Important
Remote Code Execution
May require restart
Microsoft Office
Bulletin 8 - Important
Elevation of Privilege
May require restart
Microsoft Office, Microsoft Server Software
Bulletin 9 - Important
Remote Code Execution
May require restart
Microsoft Windows
Bulletin 10 - Important
Tampering
May require restart
Microsoft Windows
.
MS Security Bulletin Summary - June 2010
FYI...
- http://www.microsoft.com/technet/sec.../MS10-jun.mspx
June 08, 2010 - "This bulletin summary lists security bulletins released for June 2010... (Total of -10-)
Critical -3-
Microsoft Security Bulletin MS10-033 - Critical
Vulnerabilities in Media Decompression Could Allow Remote Code Execution (979902)
- http://www.microsoft.com/technet/sec.../MS10-033.mspx
Critical
Remote Code Execution
May require restart
Microsoft Windows
Microsoft Security Bulletin MS10-034 - Critical
Cumulative Security Update of ActiveX Kill Bits (980195)
- http://www.microsoft.com/technet/sec.../ms10-034.mspx
Critical
Remote Code Execution
May require restart
Microsoft Windows
Microsoft Security Bulletin MS10-035 - Critical
Cumulative Security Update for Internet Explorer (982381)
- http://www.microsoft.com/technet/sec.../ms10-035.mspx
Critical
Remote Code Execution
Requires restart
Microsoft Windows, Internet Explorer
Important -7-
Microsoft Security Bulletin MS10-032 - Important
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (979559)
- http://www.microsoft.com/technet/sec.../ms10-032.mspx
Important
Elevation of Privilege
Requires restart
Microsoft Windows
Microsoft Security Bulletin MS10-036 - Important
Vulnerability in COM Validation in Microsoft Office Could Allow Remote Code Execution (983235)
- http://www.microsoft.com/technet/sec.../ms10-036.mspx
Important
Remote Code Execution
May require restart
Microsoft Office
...For XP systems w/Office XP, also see:
- http://support.microsoft.com/kb/983235
June 8, 2010 - Revision: 3.0 - MS10-036 - "... We are providing a Microsoft Fix it solution for users on Windows XP systems that have Microsoft Office XP installed... The Fix it solution applies to Office XP on Windows XP-based systems, and the Fix it solution addresses issues in Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft Publisher, and Microsoft Visio..."
Microsoft Security Bulletin MS10-037 - Important
Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Elevation of Privilege (980218)
- http://www.microsoft.com/technet/sec.../ms10-037.mspx
Important
Elevation of Privilege
May require restart
Microsoft Windows
Microsoft Security Bulletin MS10-038 - Important
Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (2027452)
- http://www.microsoft.com/technet/sec.../ms10-038.mspx
Important
Remote Code Execution
May require restart
Microsoft Office
Microsoft Security Bulletin MS10-039 - Important
Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2028554)
- http://www.microsoft.com/technet/sec.../ms10-039.mspx
Important
Elevation of Privilege
May require restart
Microsoft Office, Microsoft Server Software
Microsoft Security Bulletin MS10-040 - Important
Vulnerability in Internet Information Services Could Allow Remote Code Execution (982666)
- http://www.microsoft.com/technet/sec.../MS10-040.mspx
Important
Remote Code Execution
May require restart
Microsoft Windows
Microsoft Security Bulletin MS10-041 - Important
Vulnerability in Microsoft .NET Framework Could Allow Tampering (981343)
- http://www.microsoft.com/technet/sec.../ms10-041.mspx
Important
Tampering
May require restart
Microsoft Windows, Microsoft .NET Framework
___
Severity and Exploitability Index
Deployment Priority
- http://blogs.technet.com/b/msrc/arch...n-release.aspx
___
MSRT
- http://support.microsoft.com/?kbid=890830
June 8, 2010 - Revision: 73.0
(Recent additions)
- http://www.microsoft.com/security/ma.../families.aspx
... added this release
FakeInit *
* http://go.microsoft.com/fwlink/?Link...Win32/FakeInit
Download:
- http://www.microsoft.com/downloads/d...displaylang=en
File Name: windows-kb890830-v3.8.exe
Version: 3.8
Date Published: 6/8/2010
To download the x64 version of MSRT, click here:
- http://www.microsoft.com/downloads/d...displaylang=en
File Name: windows-kb890830-x64-v3.8.exe
___
ISC Analysis
- http://isc.sans.edu/diary.html?storyid=8929
Last Updated: 2010-06-08 18:24:24 UTC
.
MS Security Advisory updates...
FYI...
MS Security Advisory (2219475)
Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution
- http://www.microsoft.com/technet/sec...y/2219475.mspx
June 10, 2010 - "Microsoft is investigating new public reports of a possible vulnerability in the Windows Help and Support Center function that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. Microsoft is aware that proof of concept exploit code has been published for the vulnerability. However, Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary..."
- http://www.microsoft.com/technet/sec...y/2219475.mspx
• V1.1 (June 11, 2010): Added a link to Microsoft Knowledge Base Article 2219475 to provide an automated Microsoft Fix it solution* for the workaround, Unregister the HCP Protocol. * http://support.microsoft.com/kb/2219475
• V1.2 (June 15, 2010): Revised Executive Summary to reflect awareness of limited, targeted active attacks that use published proof-of-concept exploit code.
- http://www.kb.cert.org/vuls/id/578319
Date Last Updated: 2010-06-10
- http://www.h-online.com/security/new...e-1019381.html
10 June 2010
Microsoft Security Advisory (983438)
Vulnerability in Microsoft SharePoint Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/sec...ry/983438.mspx
Updated: June 08, 2010 - "... We have issued MS10-039* to address this issue..."
* http://www.microsoft.com/technet/sec.../ms10-039.mspx
Microsoft Security Advisory (973811)
Extended Protection for Authentication
- http://www.microsoft.com/technet/sec...ry/973811.mspx
• V1.5 (June 8, 2010): Updated the FAQ with information about six non-security updates enabling .NET Framework to opt in to Extended Protection for Authentication.
See FAQ: "... updates released by Microsoft on June 8, 2010...", re: .NET Framework 2.0 ...
:fear::fear::fear:
CVE 2010-1885 exploit in the wild
FYI...
- http://www.sophos.com/blogs/sophoslabs/?p=10045
June 15, 2010 - "The recent Microsoft Windows Help and Support Center vulnerability (CVE 2010-1885) is being exploited in the wild... Today, we got the first pro-active detection (Sus/HcpExpl-A) on malware that is spreading via a compromised website. This malware downloads and executes an additional malicious component... on the victim’s computer, by exploiting this vulnerability. More details about CVE 2010-1885 can be found in our report here*."
* http://www.sophos.com/support/knowle...le/111188.html
- http://support.microsoft.com/kb/2219475
Last Review: July 13, 2010 - Revision: 3.0 - "... We have released security bulletin MS10-042* to address this issue..."
* http://www.microsoft.com/technet/sec.../MS10-042.mspx
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-1885
... Windows XP and Windows Server 2003 ...
Last revised: 07/20/2010
CVSS v2 Base Score: 9.3 (HIGH)
- http://atlas.arbor.net/briefs/index#-2114420025
Severity: High Severity
... active exploitation on the Internet. This affects Windows users, especially Windows XP and Server 2003. Mitigations and workarounds have been described by Microsoft.
Analysis: This is a major issue for all Windows users, and we encourage sites to update as soon as possible once a fix is released, or to apply the mitigations.
- http://securitytracker.com/alerts/2010/Jun/1024084.html
Jun 10 2010
- http://blog.trendmicro.com/microsoft...xploits-loose/
June 15, 2010
- http://www.avast.com/pr-legitimate-w...core-the-adult
28 June 2010 - "... HTML:Script-inf... infection is widespread and accounts for 20% of all infected UK pages. The infection takes advantage of a two week old Microsoft Windows vulnerability... CVE-2010-1885..."
- http://pandalabs.pandasecurity.com/h...d-in-the-wild/
06/28/10 - "... cyber criminals are quick to adapt new exploit methods and in this case it literally took one day before we started seeing examples being exploited in the wild..."
:fear::fear::fear:
CVE-2010-1885 attack status...
FYI...
- http://blogs.technet.com/b/mmpc/arch...2010-1885.aspx
30 Jun 2010 - "... attacks have picked up and are no longer limited to specific geographies or targets, and we would like to ensure that customers are aware of this broader distribution. If you have not yet considered the countermeasures listed in the Microsoft Security Advisory (2219475*), you should consider them. As of today, over 10,000 distinct computers have reported seeing this attack at least one time. The following list shows some of the payloads we've detected:
• Trojan:Win32/Swrort.A
• TrojanDownloader:Win32/Obitel.gen!A
• Spammer:Win32/Tedroo.AB
• Trojan:Win32/Oficla.M
• TrojanSpy:Win32/Neetro.A
• Virus:JS/Decdec.A ..."
* http://support.microsoft.com/kb/2219475
Last Review: July 13, 2010 - Revision: 3.0 - "... We have released security bulletin MS10-042* to address this issue..."
* http://www.microsoft.com/technet/sec.../MS10-042.mspx
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-1885
Last revised: 07/20/2010
CVSS v2 Base Score: 9.3 (HIGH)
- http://krebsonsecurity.com/2010/07/m...-windows-flaw/
July 5, 2010
- http://community.websense.com/blogs/...mpromised.aspx
5 Jul 2010 - "... Articlealley.com has been compromised and injected with obfuscated code. Article Alley is a free article directory that aims to help authors promote and syndicate their content. It allows authors and promoters to get their articles out on the Web with the potential of being read by millions of readers. This site was compromised from the root domain, and as a result all subsequent sub-pages were infected by the attack.... attack is targeting the Microsoft Help and Support Center 0-day vulnerability CVE-2010-1885..."
(Screenshots available at the Websense URL above.)
:fear::mad:
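The advisory post above points at two countermeasures for CVE-2010-1885: the "Unregister the HCP Protocol" workaround (automated by the KB2219475 Fix it) and, once released, the MS10-042 update. The following PowerShell script is an added example, not code from this thread, from Microsoft or from any of the quoted vendors; it reports for one host which of those two is in place. It assumes that the hcp:// handler is registered under HKEY_CLASSES_ROOT\HCP (the key the workaround removes), that MS10-042 shows up as hotfix KB2229593 (the article number the July bulletin summary lists for it), and that Windows XP and Server 2003, the two platforms named as affected, report as NT 5.1 and 5.2.

```powershell
# Added example (not from the thread, Microsoft or the quoted vendors): report whether a host
# is still exposed to CVE-2010-1885, has the HCP workaround applied, or has MS10-042 installed.
# Assumptions, labelled: hcp:// is registered under HKEY_CLASSES_ROOT\HCP; MS10-042 is recorded
# as KB2229593; XP = NT 5.1 and Server 2003 = NT 5.2 are the only affected platforms.

$HcpHandlerKey = 'Registry::HKEY_CLASSES_ROOT\HCP'   # assumed registration point of hcp://
$Ms10042Kb     = 'KB2229593'                          # KB number taken from the July summary

function Get-HcpExposureReport {
    $os      = Get-WmiObject -Class Win32_OperatingSystem
    $version = [Version]$os.Version
    # Only XP (5.1) and Server 2003 (5.2) ship the affected Help and Support Center.
    $affectedPlatform = ($version.Major -eq 5) -and ($version.Minor -ge 1)

    # Workaround check: the protocol handler key is gone once the Fix it has run.
    $handlerRegistered = Test-Path -Path $HcpHandlerKey

    # Patch check: MS10-042 appears in the installed-hotfix list under its KB number.
    $updateInstalled = [bool](Get-HotFix -ErrorAction SilentlyContinue |
                              Where-Object { $_.HotFixID -eq $Ms10042Kb })

    if (-not $affectedPlatform) {
        $status = 'not affected (platform does not ship the vulnerable component)'
    } elseif ($updateInstalled) {
        $status = 'patched (MS10-042 installed)'
    } elseif (-not $handlerRegistered) {
        $status = 'mitigated (HCP protocol unregistered); still install MS10-042'
    } else {
        $status = 'EXPOSED: apply the KB2219475 Fix it or install MS10-042'
    }

    New-Object -TypeName PSObject -Property @{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = $os.Version
        HcpHandlerPresent = $handlerRegistered
        Ms10042Installed  = $updateInstalled
        Status            = $status
    }
}

Get-HcpExposureReport | Format-List
```

Run it in an elevated PowerShell 2.0 session on the XP or Server 2003 host being checked; the Status field distinguishes a host that only has the workaround (and still needs the update) from one that is patched, which matters because the workaround disables Help and Support Center links rather than fixing the flaw.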
MS Security Bulletin Advance Notification - July 2010
FYI...
- http://www.microsoft.com/technet/sec.../MS10-jul.mspx
July 8, 2010 - "This is an advance notification of security bulletins that Microsoft is intending to release on July 13, 2010..." (Total of -4-)
(Critical -3-)
Bulletin 1 - Critical
Remote Code Execution
May require restart
Microsoft Windows
Bulletin 2 - Critical
Remote Code Execution
Requires restart
Microsoft Windows
Bulletin 3 - Critical
Remote Code Execution
May require restart
Microsoft Office
(Important -1-)
Bulletin 4 - Important
Remote Code Execution
May require restart
Microsoft Office
- http://blogs.technet.com/b/msrc/arch...ification.aspx
8 Jul 2010 - "... We will close out two Security Advisories this month.
• We are closing Security Advisory 2028859 (Vulnerability in Canonical Display Driver Could Allow Remote Code Execution) in the July bulletins.
• We are also closing Security Advisory 2219475 (Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution) with a comprehensive update that addresses the issue currently under attack...
Also, July marks the end of Microsoft support for the Windows 2000 and Windows XP SP2 platforms. Customers should actively seek out either a supported operating system or the latest service pack in order to keep receiving necessary security updates..."
.
MS Security Bulletin Summary - July 2010
FYI...
- http://www.microsoft.com/technet/sec.../MS10-jul.mspx
July 13, 2010 - "This bulletin summary lists security bulletins released for July 2010...
(Total of -4-)
(Critical -3-)
Microsoft Security Bulletin MS10-042 - Critical
Vulnerability in Help and Support Center Could Allow Remote Code Execution (2229593)
- http://www.microsoft.com/technet/sec.../MS10-042.mspx
Critical
Remote Code Execution
May require restart
Microsoft Windows
- http://blogs.technet.com/b/mmpc/arch...2010-1885.aspx
"... As of midnight on July 12 (GMT), over 25,000 distinct computers in over 100 countries/regions have reported this attack attempt at least one time..." (See chart).
Microsoft Security Bulletin MS10-043 - Critical
Vulnerability in Canonical Display Driver Could Allow Remote Code Execution (2032276)
- http://www.microsoft.com/technet/sec.../MS10-043.mspx
Critical
Remote Code Execution
Requires restart
Microsoft Windows
Microsoft Security Bulletin MS10-044 - Critical
Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Execution (982335)
- http://www.microsoft.com/technet/sec.../MS10-044.mspx
Critical
Remote Code Execution
May require restart
Microsoft Office
(Important -1-)
Microsoft Security Bulletin MS10-045 - Important
Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution (978212)
- http://www.microsoft.com/technet/sec.../MS10-045.mspx
Important
Remote Code Execution
May require restart
Microsoft Office
___
Severity and Exploitability index
- http://blogs.technet.com/cfs-filesys...se83773621.png
Deployment priority
- http://blogs.technet.com/cfs-filesys....dp3897663.png
___
MSRT
- http://support.microsoft.com/?kbid=890830
July 13, 2010 - Revision: 76.0
(Recent additions)
- http://www.microsoft.com/security/ma.../families.aspx
• Bubnix
added this release
* http://www.microsoft.com/security/po...Win32%2fBubnix
Download:
- http://www.microsoft.com/downloads/d...displaylang=en
File Name: windows-kb890830-v3.9.exe
Version: 3.9
Date Published: 7/13/2010
To download the x64 version of MSRT, click here:
- http://www.microsoft.com/downloads/d...displaylang=en
File Name: windows-kb890830-x64-v3.9.exe
___
ISC Analysis
- http://isc.sans.edu/diary.html?storyid=9166
Last Updated: 2010-07-13 17:30:42 UTC
"... no more patches for XPSP2 after today..."
Same for W2K systems.
W2K: http://support.microsoft.com/lifecycle/?p1=3071 - 7/13/2010
XPSP2: http://support.microsoft.com/lifecycle/?p1=6794 - 7/13/2010
XP : http://support.microsoft.com/lifecycle/?p1=3221 - 4/8/2014
- http://support.microsoft.com/lifecycle/
.