LNK vuln (MS10-046) now leveraged by botnet...
FYI...
- http://www.symantec.com/connect/blogs/sality-goes-lnk
August 9, 2010 - "... The discovery of the LNK vulnerability (BID 41732*), initially used by Stuxnet, gave malware authors a cheap, easy, and effective way to propagate their creations. The Sality gang didn’t waste much time and jumped on the bandwagon in the early days of August. However, it seems that it was only this weekend that they decided to leverage their botnet to potentially infect even more computers. The latest package downloaded by Sality (sequence ID 122) refers to a few URLs, including Sality-standard hack tools (mail relay, HTTP proxy), but also to a dropper for Sality itself... make sure your operating system is properly patched..."
* http://www.securityfocus.com/bid/41732/references
- http://forums.spybot.info/showpost.p...&postcount=153
"Critical ... This vulnerability is currently being exploited..."
MS Security Bulletin Summary - August 2010 V2.0
FYI...
- http://www.microsoft.com/technet/sec.../MS10-aug.mspx
• V2.0 (August 10, 2010): Added the bulletins, MS10-047 to MS10-060.
... (Total of -14-)
Critical -8-
Microsoft Security Bulletin MS10-049 - Critical
Vulnerabilities in SChannel could allow Remote Code Execution (980436)
- http://www.microsoft.com/technet/sec.../MS10-049.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS10-051 - Critical
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403)
- http://www.microsoft.com/technet/sec.../MS10-051.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS10-052 - Critical
Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168)
- http://www.microsoft.com/technet/sec.../MS10-052.mspx
Critical - Remote Code Execution - May require restart - Microsoft Windows
Microsoft Security Bulletin MS10-053 - Critical
Cumulative Security Update for Internet Explorer (2183461)
- http://www.microsoft.com/technet/sec.../MS10-053.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Microsoft Security Bulletin MS10-054 - Critical
Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214)
- http://www.microsoft.com/technet/sec.../MS10-054.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS10-055 - Critical
Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665)
- http://www.microsoft.com/technet/sec.../MS10-055.mspx
Critical - Remote Code Execution - May require restart - Microsoft Windows
Microsoft Security Bulletin MS10-056 - Critical
Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638)
- http://www.microsoft.com/technet/sec.../MS10-056.mspx
Critical - Remote Code Execution - May require restart - Microsoft Office
Microsoft Security Bulletin MS10-060 - Critical
Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)
- http://www.microsoft.com/technet/sec.../MS10-060.mspx
Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework, Microsoft Silverlight
Important -6-
Microsoft Security Bulletin MS10-047 - Important
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852)
- http://www.microsoft.com/technet/sec.../MS10-047.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS10-048 - Important
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)
- http://www.microsoft.com/technet/sec.../MS10-048.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS10-050 - Important
Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997)
- http://www.microsoft.com/technet/sec.../MS10-050.mspx
Important - Remote Code Execution - May require restart - Microsoft Windows
Microsoft Security Bulletin MS10-057 - Important
Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (2269707)
- http://www.microsoft.com/technet/sec.../MS10-057.mspx
Important - Remote Code Execution - May require restart - Microsoft Office
Microsoft Security Bulletin MS10-058 - Important
Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886)
- http://www.microsoft.com/technet/sec.../MS10-058.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS10-059 - Important
Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799)
- http://www.microsoft.com/technet/sec.../MS10-059.mspx
Important - Elevation of Privilege - May require restart - Microsoft Windows
___
Severity and Exploitability index
- http://blogs.technet.com/cfs-filesys...everity-XI.png
Deployment priority
- http://blogs.technet.com/cfs-filesys...Deployment.png
___
ISC Analysis
- http://isc.sans.edu/diary.html?storyid=9361
Last Updated: 2010-08-16 15:15:31 UTC ...(Version: -5-)
___
MSRT
- http://support.microsoft.com/?kbid=890830
August 10, 2010 - Revision: 77.0
(Recent additions)
- http://www.microsoft.com/security/ma.../families.aspx
... added this release...
• Stuxnet
• CplLnk
• Vobfus.A
• Vobfus.B
• Vobfus.C
• Vobfus!dll
• Worm:Win32/Sality.AU
• Virus:Win32/Sality.AU
• Trojan:WinNT/Sality
Download:
- http://www.microsoft.com/downloads/d...displaylang=en
File Name: windows-kb890830-v3.10.exe
Version: 3.10
Date Published: 8/10/2010
To download the x64 version of MSRT, click here:
- http://www.microsoft.com/downloads/d...displaylang=en
File Name: windows-kb890830-x64-v3.10.exe
___
10th Aug, 2010
http://secunia.com/advisories/40871/ - MS10-047
http://secunia.com/advisories/40878/ - MS10-048
http://secunia.com/advisories/40879/ - MS10-049
http://secunia.com/advisories/40883/ - MS10-049
http://secunia.com/advisories/38931/ - MS10-050
http://secunia.com/advisories/40893/ - MS10-051
http://secunia.com/advisories/40934/ - MS10-052
http://secunia.com/advisories/40895/ - MS10-053
http://secunia.com/advisories/40935/ - MS10-054
http://secunia.com/advisories/40936/ - MS10-055
http://secunia.com/advisories/40937/ - MS10-056
http://secunia.com/advisories/40750/ - MS10-057
http://secunia.com/advisories/40904/ - MS10-058
http://secunia.com/advisories/40817/ - MS10-059
http://secunia.com/advisories/40872/ - MS10-060
MS Security Advisories - issued/updated 2010.08.10
FYI...
Microsoft Security Advisory (2264072)
Elevation of Privilege Using Windows Service Isolation Bypass
- http://www.microsoft.com/technet/sec...y/2264072.mspx
August 10, 2010 - "Microsoft is aware of the potential for attacks that leverage the Windows Service Isolation feature to gain elevation of privilege... Although, in most situations, untrusted code is not running under the NetworkService identity, the following scenarios have been identified as possible exceptions:
• Systems running Internet Information Services (IIS) in a non-default configuration are at an increased risk, particularly if IIS is running on Windows Server 2003 and Windows Server 2008, because the default worker process identity on these systems is NetworkService.
• Systems running SQL Server where users are granted SQL Server administrative privileges are at an increased risk.
• Systems running Windows Telephony Application Programming Interfaces (TAPI) are at an increased risk...
For the TAPI scenario, Microsoft is providing a non-security update*...
(FAQ) The Windows Service Isolation feature is an optional configuration that some customers may choose to deploy. This feature is not appropriate for all customers..."
- http://support.microsoft.com/kb/2264072
* TAPI non-security update: http://support.microsoft.com/kb/982316
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-1886
Last revised: 08/17/2010
CVSS v2 Base Score: 6.8 (MEDIUM)
___
Microsoft Security Advisory (977377)
Vulnerability in TLS/SSL Could Allow Spoofing
- http://www.microsoft.com/technet/sec...ry/977377.mspx
Published: February 09, 2010 | Updated: August 10, 2010 - "... We have issued MS10-049* to address this issue..."
* http://www.microsoft.com/technet/sec.../MS10-049.mspx
___
Update on the publicly disclosed Win32k.sys EoP Vulnerability
- http://blogs.technet.com/b/msrc/arch...erability.aspx
10 Aug 2010 - "... investigating a publicly disclosed vulnerability in the Windows Kernel-mode drivers (win32k.sys) affecting all supported operating systems. We are not aware of attacks that try to use the reported vulnerability or of any customer impact at this time... we are now able to report that this is a local elevation of privilege vulnerability only. This type of issue allows attackers to gain system-level privileges after they have already obtained an account on the target system. For this issue to be exploited, an attacker must have valid log-on credentials on the target system and be able to log on locally, or must already have code running on the target system. The vulnerability cannot be exploited remotely, or by anonymous users. We will not be releasing a security advisory for this issue, but it will be included in a future security update...."
MSRT August - One Week Later...
FYI...
- http://blogs.technet.com/b/mmpc/arch...rt-august.aspx
19 Aug 2010 - "... Within the first week of release, MSRT cleaned 12,283,167 files in 2,005,960 infected machines..."
Graphic
- http://www.microsoft.com/security/po...s/msrt-aug.png
19 Aug 2010
MS Security Advisory (2269637)
FYI...
Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- http://www.microsoft.com/technet/sec...y/2269637.mspx
August 23, 2010 - "Microsoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities that affects how applications load external libraries. This issue is caused by specific insecure programming practices that allow so-called "binary planting" or "DLL preloading attacks". These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location. This issue is caused by applications passing an insufficiently qualified path when loading an external library. Microsoft has issued guidance to developers in the MSDN article, Dynamic-Link Library Security*, on how to correctly use the available application programming interfaces to prevent this class of vulnerability. Microsoft is also actively reaching out to third-party vendors through the Microsoft Vulnerability Research Program to inform them of the mitigations available in the operating system. Microsoft is also actively investigating which of its own applications may be affected. In addition to this guidance, Microsoft is releasing a tool** that allows system administrators to mitigate the risk of this new attack vector by altering the library loading behavior system-wide or for specific applications. This advisory describes the functionality of this tool and other actions that customers can take to help protect their systems.
Mitigating Factors:
• This issue only affects applications that do not load external libraries securely. Microsoft has previously published guidelines for developers in the MSDN article, Dynamic-Link Library Security*, that recommend alternate methods to load libraries that are safe against these attacks.
• For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.
• The file sharing protocol SMB is often disabled on the perimeter firewall. This limits the possible attack vectors for this vulnerability..."
* http://msdn.microsoft.com/en-us/libr...12(VS.85).aspx
8/19/2010
** http://support.microsoft.com/kb/2264107
Last Review: August 25, 2010 - Revision: 3.0
More... DLL Preloading remote attack vector
- http://blogs.technet.com/b/srd/archi...ck-vector.aspx
23 Aug 2010
- http://isc.sans.edu/diary.html?storyid=9445
Last Updated: 2010-08-24 17:01:04 UTC ...(Version: 3) - "... UPDATE 2: We received some e-mails about active exploitation of this vulnerability in the wild... it appears that the attackers so far are exploiting uTorrent, Microsoft Office and Windows Mail... applications for which Proof of Concept exploits have been published... be very careful about files you open from network shares..."
- http://www.us-cert.gov/current/#micr...rity_advisory5
August 24, 2010 - "... publicly available exploit code for this vulnerability... workarounds may reduce the functionality of the affected systems. Workarounds include:
• disabling the loading of libraries from WebDAV and remote network shares
• disabling the WebClient service
• blocking TCP ports 139 and 445 at the firewall ...
- http://securitytracker.com/alerts/2010/Aug/1024355.html
Aug 24 2010
___
- http://blog.eset.com/wp-content/media_files/DLLvuln.png
August 26, 2010
___
Insecure Library Loading Vulnerability:
Release Date: 2010-08-25
Microsoft Windows Address Book...
- http://secunia.com/advisories/41050/
uTorrent...
- http://secunia.com/advisories/41051/
Adobe Photoshop...
- http://secunia.com/advisories/41060/
Microsoft Office PowerPoint...
- http://secunia.com/advisories/41063/
Wireshark...
- http://secunia.com/advisories/41064/
Opera...
- http://secunia.com/advisories/41083/
Mozilla Firefox...
- http://secunia.com/advisories/41095/
Windows Live Mail...
- http://secunia.com/advisories/41098/
Microsoft Office Groove...
- http://secunia.com/advisories/41104/
VLC Media Player...
- http://secunia.com/advisories/41107/
avast! Antivirus...
- http://secunia.com/advisories/41109/
Adobe Dreamweaver...
- http://secunia.com/advisories/41110/
TeamViewer...
- http://secunia.com/advisories/41112/
... Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched ...
___
- http://secunia.com/blog/120
24 August 2010 - "... the discovery of the remote vector just made this serious... The vulnerability is not in the Windows OS itself, but is caused by bad (insecure) programming practises in applications when loading libraries combined with how the library search order works in Windows. Ideally, when loading a library (or running an executable), a fully qualified path should be passed to the APIs used (e.g. LoadLibrary()). In case a programmer refrains from doing so and only supplies the library name, Windows searches for the file in a number of directories in a particular order. These directories may include the current working directory, which leads to the core of the problem related to the new, remote attack vector as Windows eventually searches for the file on e.g. a remote SMB or WebDAV share if that happens to be the current directory. This is the case if a user e.g. is tricked into opening a file located on a remote share. By placing a malicious library, which a vulnerable application searches for, on the share it is loaded into the application and code is executed with the privileges of the user running it. As the core problem is not in Windows, but rather caused by applications loading libraries insecurely (i.e. not supplying a fully qualified path or not initially calling SetDllDirectory() with a blank path), Secunia will not be issuing a general advisory for Windows. Instead, (likely, quite a lot of) advisories will be issued as affected applications are identified. Currently, we are seeing reports from various researchers having identified everywhere between 40 to 200 vulnerable applications, but the actual number may be a lot higher..."
- http://www.kb.cert.org/vuls/id/707943
Date Last Updated: 2010-08-25
ESET graphic: DLL loading vulnerability
FYI...
- http://blog.eset.com/wp-content/media_files/DLLvuln.png
August 26, 2010
(One picture worth a thousand words.)
DLL - Insecure Library Loading Vulnerability
FYI...
- http://www.computerworld.com/s/artic...r_40_plus_apps
August 25, 2010 - "... The flaws stem from the way many Windows applications call code libraries - dubbed "dynamic-link library," or "DLL" - that give hackers wiggle room they can exploit by tricking an application into loading a malicious file with the same name as a required DLL. If attackers can dupe users into visiting malicious Web sites or remote shares, or get them to plug in a USB drive - and in some cases con them into opening a file - they can hijack a PC and plant malware on it... As of 3 p.m. ET, more than 30 exploits had been posted on Wednesday alone..."
- http://www.kb.cert.org/vuls/id/707943
Date Last Updated: 2010-08-30
- http://secunia.com/advisories/search...+Vulnerability
> Updated Jan. 22, 2011 - (Count is now -170-)
Microsoft apps... DLL hijacking attack vuln
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-3138
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-3139
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-3140
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-3141
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-3142
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-3143
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-3144
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-3145
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-3146
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-3147
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-3148
Last revised: 08/30-31/2010
CVSS v2 Base Score: 9.3 (HIGH)
DLL "MS Fix it" disables load from WebDAV and remote network shares
FYI...
Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- http://www.microsoft.com/technet/sec...y/2269637.mspx
"...Workarounds:
• Disable loading of libraries from WebDAV and remote network shares...
• Disable the WebClient service...
• Block TCP ports 139 and 445 at the firewall...
(See "Impact of workaround" for each one)..."
• V1.1 (August 31, 2010) Added a link to Microsoft Knowledge Base Article 2264107* to provide an automated Microsoft Fix it solution for the workaround, Disable loading of libraries from WebDAV and remote network shares.
* http://support.microsoft.com/kb/2264107
August 31, 2010 - Revision: 4.0
MS SRD - Update on the DLL-preloading remote attack vector
- http://blogs.technet.com/b/srd/archi...ck-vector.aspx
31 Aug 2010 - "... Note: The Fix-it itself does not install the workaround tool. You’ll need to separately download and install the tool beforehand.
To instead completely block all DLL-preloading attack vectors, including the threat of malicious files on a USB thumb drive or files arriving via email as a ZIP attachment, set CWDIllegalInDllSearch to 0xFFFFFFFF. This will address any DLL preloading vulnerabilities that may exist in applications running on your system. However, it may have some unintended consequences for applications that require this behavior, so we do recommend thorough testing..."
- http://go.microsoft.com/?linkid=9742148
- http://techblog.avira.com/2010/09/02...rabilities/en/
September 2, 2010 - "... the company released a Fix-it tool which can be executed after the patch has been applied. It lessens the restrictions introduced by the patch so that most applications do work again. Windows then still blocks loading DLLs from network shares or WebDAV, but if a malicious DLL is located within a local working directory, an attack may still succeed..."
Verified Secunia List:
- http://secunia.com/advisories/window...brary_loading/
(tables are automatically updated as Secunia issues new advisories)
Number of products affected...
Number of vendors affected...
Number of Secunia Advisories issued...
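Added example (not code from Microsoft, Secunia or any vendor quoted above): a small model of the Windows DLL search order that Secunia's blog post describes and of the CWDIllegalInDllSearch values from the KB 2264107 workaround tool discussed in this post. It never calls LoadLibrary(); it reproduces the documented probe order on a constructed file system so you can see which file an unqualified LoadLibrary("name.dll") would pick when the current directory is an SMB share, a WebDAV share or a USB stick, and how each registry value changes that. All paths, share names and DLL names (helper.dll, codec.dll, \\attacker\docs, E:\stick) are constructed for the example; the WebDAV test is a simplification, since Windows really decides by which redirector serves the path.

```python
"""Model of the Windows DLL search order and the CWDIllegalInDllSearch
mitigation (KB 2264107).  Constructed example: it does not call LoadLibrary();
it walks the documented search order over a toy file system so the effect of
an unqualified library name and of each registry value is visible."""
from typing import Iterable, List, Optional, Set

# System-wide value documented in KB 2264107.  A per-application value of the
# same name goes under
#   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<app.exe>
CWD_REG_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
CWD_REG_VALUE = "CWDIllegalInDllSearch"

CWD_ALLOW_ALL = 0x0            # not set / 0: CWD stays in the search order
CWD_BLOCK_WEBDAV = 0x1         # block CWD when it is a WebDAV folder
CWD_BLOCK_REMOTE = 0x2         # block CWD when it is any remote (UNC/WebDAV) folder
CWD_BLOCK_ALWAYS = 0xFFFFFFFF  # remove CWD from the search order entirely


def is_unc(path: str) -> bool:
    return path.startswith("\\\\")


def is_webdav(path: str) -> bool:
    """Simplification: a UNC path whose host carries a port (\\host@80\...) or
    that goes through DavWWWRoot is treated as WebDAV, any other UNC as SMB."""
    if not is_unc(path):
        return False
    host = path[2:].split("\\", 1)[0]
    return "@" in host or "davwwwroot" in path.lower()


def cwd_is_searched(cwd: str, setting: int) -> bool:
    """Apply the CWDIllegalInDllSearch policy to the current working directory."""
    if setting == CWD_BLOCK_ALWAYS:
        return False
    if setting == CWD_BLOCK_REMOTE:
        return not is_unc(cwd)
    if setting == CWD_BLOCK_WEBDAV:
        return not is_webdav(cwd)
    return True


def search_order(app_dir: str, system_dir: str, windows_dir: str, cwd: str,
                 path_dirs: Iterable[str], setting: int = CWD_ALLOW_ALL,
                 safe_search: bool = True) -> List[str]:
    """Directories probed, in order, for an unqualified DLL name.

    safe_search=True models SafeDllSearchMode (default since XP SP2): CWD is
    probed after the system directories.  With it off, CWD comes right after
    the application directory.  The 16-bit system directory is omitted.
    """
    cwd_slot = [cwd] if cwd_is_searched(cwd, setting) else []
    if safe_search:
        order = [app_dir, system_dir, windows_dir] + cwd_slot
    else:
        order = [app_dir] + cwd_slot + [system_dir, windows_dir]
    return order + list(path_dirs)


def resolve(dll: str, fs: Set[str], **where) -> Optional[str]:
    """Full path LoadLibrary(dll) would pick on the toy file system `fs`
    (a set of lower-cased full paths), or None if the name exists nowhere."""
    for d in search_order(**where):
        candidate = (d.rstrip("\\") + "\\" + dll).lower()
        if candidate in fs:
            return candidate
    return None


# Constructed scenario: a viewer asks for an unqualified "helper.dll" that
# ships with neither the application nor Windows, and for "codec.dll" that
# does live in System32.  The user opened report.doc from an attacker's
# share, so the process's current directory is that share.
APP, SYS, WIN = r"C:\Program Files\Viewer", r"C:\Windows\System32", r"C:\Windows"
SMB_SHARE, DAV_SHARE, USB = r"\\attacker\docs", r"\\attacker@80\docs", r"E:\stick"
FS = {p.lower() for p in (
    APP + r"\viewer.exe", SYS + r"\codec.dll",
    SMB_SHARE + r"\report.doc", SMB_SHARE + r"\helper.dll", SMB_SHARE + r"\codec.dll",
    DAV_SHARE + r"\helper.dll", USB + r"\helper.dll",
)}


def load(dll: str, cwd: str = SMB_SHARE, setting: int = CWD_ALLOW_ALL,
         safe_search: bool = True) -> Optional[str]:
    """What the viewer would load for `dll` under the given CWD and policy."""
    return resolve(dll, FS, app_dir=APP, system_dir=SYS, windows_dir=WIN,
                   cwd=cwd, path_dirs=[], setting=setting, safe_search=safe_search)


if __name__ == "__main__":
    for label, setting in (("default", CWD_ALLOW_ALL), ("1 (WebDAV)", CWD_BLOCK_WEBDAV),
                           ("2 (remote)", CWD_BLOCK_REMOTE), ("0xFFFFFFFF", CWD_BLOCK_ALWAYS)):
        print(f"{label:>11}: SMB={load('helper.dll', SMB_SHARE, setting)}  "
              f"WebDAV={load('helper.dll', DAV_SHARE, setting)}  "
              f"USB={load('helper.dll', USB, setting)}")
    print("codec.dll, SafeDllSearchMode on :", load("codec.dll"))
    print("codec.dll, SafeDllSearchMode off:", load("codec.dll", safe_search=False))
```

Two things the model makes concrete: value 1 still lets the SMB-share case through and value 2 still lets the USB-stick case through, which is why the SRD post above recommends 0xFFFFFFFF to close every CWD vector; and a planted copy of a DLL that really exists in System32 only wins when SafeDllSearchMode is off, whereas a name the system does not have at all is picked up from the share under the default search order regardless.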
MS Security Bulletin Advance Notification - September 2010
FYI...
- http://www.microsoft.com/technet/sec.../MS10-sep.mspx
September 09, 2010 - "This is an advance notification of security bulletins that Microsoft is intending to release on September 14, 2010... (Total of -9-)
Critical -4-
Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 2 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 3 - Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft Office
Bulletin 4 - Critical - Remote Code Execution - May require restart - Microsoft Office
Important -5-
Bulletin 5 - Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 6 - Important - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 7 - Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 8 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 9 - Important - Elevation of Privilege - Requires restart - Microsoft Windows