0-day in IE - MS advisory...
FYI...
Microsoft Security Advisory (2488013)
Vulnerability in -IE- Could Allow Remote Code Execution
- http://www.microsoft.com/technet/sec...y/2488013.mspx
• V1.1 (December 31, 2010): Revised Executive Summary to reflect investigation of targeted attacks.
December 22, 2010 - "Microsoft is investigating new, public reports of a vulnerability in all supported versions of Internet Explorer. The main impact of the vulnerability is remote code execution. This advisory contains workarounds and mitigations for this issue. The vulnerability exists due to the creation of uninitialized memory during a CSS function within Internet Explorer. It is possible under certain conditions for the memory to be leveraged by an attacker using a specially crafted Web page to gain remote code execution. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs. Currently, Microsoft is unaware of any active exploitation of this vulnerability..."
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-3971
Last revised: 12/23/2010
CVSS v2 Base Score: 9.3 (HIGH)
- http://blogs.technet.com/b/msrc/arch...y-2488013.aspx
22 Dec 2010
- http://secunia.com/advisories/42510
Last Update: 2010-12-23
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched...
- http://www.securitytracker.com/id?1024922
Dec 23 2010
:fear::fear:
Targeted attacks against MS Office vuln...
FYI...
Targeted attacks against MS Office vuln (CVE-2010-3333/MS10-087)
- http://blogs.technet.com/b/mmpc/arch...-ms10-087.aspx
29 Dec 2010 - "... A few days before Christmas, we received a new sample (sha1: cc47a73118c51b0d32fd88d48863afb1af7b2578) that reliably exploits this vulnerability and is able to execute malicious shellcode which downloads other malware. The vulnerability can be triggered by utilizing a specially crafted RTF file with a size parameter that is bigger than the expected one. The vulnerability is present in Microsoft Word. It attempts to copy RTF data to the stack memory without validating the size, which will lead to overwriting the stack... We recommend customers that have not yet installed the security update MS10-087* to do so at their earliest convenience..."
* http://www.microsoft.com/technet/sec.../MS10-087.mspx
Updated: December 15, 2010
Version: 2.0
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-3333
Last revised: 12/21/2010
CVSS v2 Base Score: 9.3 (HIGH)
:mad:
MS Security Advisory - Graphics Rendering Engine
FYI...
Microsoft Security Advisory (2490606)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
- http://www.microsoft.com/technet/sec...y/2490606.mspx
January 04, 2011 - "Microsoft is investigating new public reports of a vulnerability in the Windows Graphics Rendering Engine. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We are not aware of attacks that try to use the reported vulnerability or of customer impact at this time... Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs..."
[Impact of Workaround: Media files typically handled by the Graphics Rendering Engine will not be displayed properly...]
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-3970
Last revised: 12/23/2010
CVSS v2 Base Score: 10.0 (HIGH)
- http://secunia.com/advisories/42779/
Release Date: 2011-01-05
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Vendor Workaround
Solution: The vendor recommends restricting access to shimgvw.dll...
Original Advisory: Microsoft:
http://www.microsoft.com/technet/sec...y/2490606.mspx
Metasploit: http://www.metasploit.com/redmine/pr...ddibsection.rb
- http://www.securitytracker.com/id?1024932
Jan 4 2011
- http://blogs.technet.com/b/msrc/arch...y-2490606.aspx
4 Jan 2011 - "... Microsoft is actively working to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability... we are working to develop a security update to address this vulnerability. The circumstances around the issue do not currently meet the criteria for an out-of-band release; however, we are monitoring the threat landscape very closely and if the situation changes, we will post updates here on the MSRC blog..."
- http://isc.sans.edu/diary.html?storyid=10201
Last Updated: 2011-01-04 19:26:17 UTC- "... it is possible to modify the access control list on shimgvw.dll to prevent rendering of thumbnails (this would affect all thumbnails, not just malicious ones). See the Microsoft advisory for details... This particular vulnerability was disclosed in December 2010 by Moti and Xu Hao at the "Power of Community" conference. The conference presentation outlines in some detail how to create a file to exploit this vulnerability. The thumbnail itself is stored in the file as a bitmap. The vulnerability is exploited by setting the number of color indexes in the color table to a negative number (biClrUsed). The published slides do provide hints on how to exploit this vulnerability including bypassing SafeSEH* and DEP ..."
(Might help...) ... f/ Vista SP1, Win7, Server2008 and Server2008R2
* http://support.microsoft.com/kb/956607#fixit4me
November 24, 2009 Revision: 3.0 - "... it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option. We recommend that Windows users who are running any of the above operating systems enable this feature to improve the security profile of their systems...
• This wizard only applies to Vista SP1 and Server2008...
By default, SEHOP is enabled in Windows Server 2008 R2 and in Windows Server 2008.
By default, SEHOP is disabled in Windows 7 and in Windows Vista..."
:fear:
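The ISC diary quoted above attributes the thumbnail flaw to a negative colour-index count (biClrUsed) in the embedded bitmap. As an added example (not part of the original post, the advisory, or Microsoft's fix), this C check validates that field before a palette is sized or copied; the offsets follow the standard 40-byte BITMAPINFOHEADER layout, the function and enum names are hypothetical, and `make_header` only builds constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result codes for this added, hypothetical validator. */
enum dib_check { DIB_OK = 0, DIB_TRUNCATED, DIB_BAD_HEADER, DIB_BAD_DEPTH,
                 DIB_NEGATIVE_CLRUSED, DIB_CLRUSED_TOO_LARGE };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Validate the colour-table count of a little-endian BITMAPINFOHEADER
 * before any code uses it to size or copy the palette. */
enum dib_check check_dib_header(const uint8_t *buf, size_t len) {
    if (len < 40) return DIB_TRUNCATED;
    if (rd32(buf) != 40) return DIB_BAD_HEADER;       /* biSize */
    uint16_t bits = rd16(buf + 14);                   /* biBitCount */
    uint32_t clr_used = rd32(buf + 32);               /* biClrUsed */
    if (bits != 1 && bits != 4 && bits != 8 &&
        bits != 16 && bits != 24 && bits != 32)
        return DIB_BAD_DEPTH;
    /* High bit set: the value is negative once stored in a signed int. */
    if (clr_used & 0x80000000u) return DIB_NEGATIVE_CLRUSED;
    if (bits <= 8) {
        /* A palettised image can index at most 2^bits colours. */
        if (clr_used > (1u << bits)) return DIB_CLRUSED_TOO_LARGE;
        /* Zero means "full palette"; 4 bytes per entry must fit in the data. */
        size_t entries = clr_used ? clr_used : (size_t)1 << bits;
        if (entries * 4 > len - 40) return DIB_TRUNCATED;
    }
    return DIB_OK;
}

/* Constructed sample input: a zeroed header with only the checked fields set. */
void make_header(uint8_t *buf, uint16_t bits, uint32_t clr_used) {
    memset(buf, 0, 40);
    buf[0] = 40;                                      /* biSize */
    buf[14] = (uint8_t)bits; buf[15] = (uint8_t)(bits >> 8);
    for (int i = 0; i < 4; i++) buf[32 + i] = (uint8_t)(clr_used >> (8 * i));
}
```

Rejecting the header outright when the high bit is set is deliberate: the field is unsigned on disk, so the danger arises only when a parser reads it into a signed integer and uses it in size arithmetic.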
MS FixIt released for 0-day GRE vuln...
FYI...
Microsoft Security Advisory (2490606)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
- http://www.microsoft.com/technet/sec...y/2490606.mspx
• V1.1 (January 5, 2011): Added a link* to the automated Microsoft Fix it solution for the Modify the Access Control List (ACL) on shimgvw.dll workaround.
* http://support.microsoft.com/kb/2490606#FixItForMe
January 19, 2011 - Revision: 3.0
[Impact of Workaround: Media files typically handled by the Graphics Rendering Engine will not be displayed properly...]
___
Current unpatched Windows/IE vulns
- http://isc.sans.edu/diary.html?storyid=10216
Last Updated: 2011-01-05 20:49:56 UTC
:fear:
MS Security Bulletin Advance Notification - Jan 2011
FYI...
- http://www.microsoft.com/technet/sec.../MS11-jan.mspx
January 06, 2011 - "This is an advance notification of security bulletins that Microsoft is intending to release on January 11, 2011..." (Total of -2-)
Bulletin 2 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 1 - Important - Remote Code Execution - May require restart - Microsoft Windows
___
MS to fix Windows holes, but not ones in IE
- http://news.cnet.com/8301-27080_3-20027620-245.html
January 6, 2011
- http://www.theregister.co.uk/2011/01...day_pre_alert/
7 January 2011 - "... it is probable that the bulletins due on Tuesday will not be the only security fixes from Microsoft this month..."
:fear:
Current unpatched Windows/IE vulns...
FYI...
- http://isc.sans.edu/diary.html?storyid=10216
Last Updated: 2011-01-08 01:58:58 UTC ...(Version: 2)
"Update: Microsoft now created its own version of this table*..."
* http://blogs.technet.com/b/srd/archi...-the-msrc.aspx
7 Jan 2011 5:00 PM
:fear:
MS Security Bulletin Summary - January 2011
FYI...
- http://www.microsoft.com/technet/sec.../MS11-jan.mspx
January 11, 2011 - "This bulletin summary lists security bulletins released for January 2011... (Total of -2-)
Critical -1-
Microsoft Security Bulletin MS11-002 - Critical
Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution (2451910)
- http://www.microsoft.com/technet/sec.../MS11-002.mspx
Critical - Remote Code Execution- May require restart - Microsoft Windows
CVE-2011-0026, CVE-2011-0027
Important -1-
Microsoft Security Bulletin MS11-001 - Important
Vulnerability in Windows Backup Manager Could Allow Remote Code Execution (2478935)
- http://www.microsoft.com/technet/sec.../MS11-001.mspx
Important - Remote Code Execution - May require restart - Microsoft Windows
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-3145
Last revised: 08/30/2010
CVSS v2 Base Score: 9.3 (HIGH)
___
Deployment Priority
- http://blogs.technet.com/cfs-filesys..._2D00_1101.png
Severity and Exploitability Index
- http://blogs.technet.com/cfs-filesys..._2D00_1101.png
___
- http://www.us-cert.gov/cas/techalerts/TA11-011A.html
January 11, 2011
Impact: A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution: Apply updates ...
References: http://www.microsoft.com/technet/sec.../ms11-jan.mspx
___
- http://secunia.com/advisories/41122/
Release Date: 2010-08-26
Last Update: 2011-01-11
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Original Advisory: MS11-001 (KB2478935):
http://www.microsoft.com/technet/sec.../MS11-001.mspx
- http://secunia.com/advisories/42804/
Release Date: 2011-01-11
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Original Advisory: MS11-002 (KB2419632, KB2419635, KB2419640, KB2451910):
http://www.microsoft.com/technet/sec.../MS11-002.mspx
______
ISC Analysis
- http://isc.sans.edu/diary.html?storyid=10252
Last Updated: 2011-01-11 18:26:51 UTC - "... Exploit(s) available..."
___
MSRT
- http://support.microsoft.com/?kbid=890830
January 11, 2011 - Revision: 83.0
(Recent additions)
- http://www.microsoft.com/security/ma.../families.aspx
... added this release...
• Lethic
Download:
- http://www.microsoft.com/downloads/d...displaylang=en
File Name: windows-kb890830-v3.15.exe
To download the x64 version of MSRT, click here:
- http://www.microsoft.com/downloads/d...displaylang=en
File Name: windows-kb890830-x64-v3.15.exe
MS Security Advisories revised - 1.11.2011...
FYI...
Microsoft Security Advisory (2488013)
Vulnerability in -IE- Could Allow Remote Code Execution
- http://www.microsoft.com/technet/sec...y/2488013.mspx
• V1.3 (January 11, 2011): "Revised the workaround, Prevent the recursive loading of CSS style sheets in Internet Explorer, to add the impact for the workaround...
Impact of workaround: There are side effects to blocking the recursive loading of a cascading style sheet (CSS). Users may encounter some slight performance issues due to the increased checking that is required to block the loading of the CSS files...
Workaround: Microsoft Fix it: http://support.microsoft.com/kb/2488013#FixItForMe
January 12, 2011 - Revision: 3.0 - ... This Fixit solution adds a check to check whether a cascading style sheet is about to be loaded recursively. If this is the case, the Fixit solution cancels the loading of the cascading style sheet. This Fixit solution takes advantage of a feature that is typically used for application compatibility fixes. This feature can modify the instructions of a specific binary when it is loaded..."
Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- http://www.microsoft.com/technet/sec...y/2269637.mspx
• V4.0 (January 11, 2011): Added Microsoft Security Bulletin MS11-001*, Vulnerability in Windows Backup Manager Could Allow Remote Code Execution, to the Updates relating to Insecure Library Loading section.
* http://www.microsoft.com/technet/sec.../MS11-001.mspx
Microsoft Security Advisory (973811)
Extended Protection for Authentication
- http://www.microsoft.com/technet/sec...ry/973811.mspx
• V1.10 (January 11, 2011): Updated the FAQ with information about a new release enabling Microsoft Office Live Meeting Service Portal to opt in to Extended Protection for Authentication.