Update on Zbot - MSRT removals
FYI...
Update on Zbot / MSRT removals
- https://blogs.technet.com/b/mmpc/arc...zbot-spot.aspx
31 Oct 2011 - "... prior to the September 2011 release, MSRT consistently detected about -90%- of PWS:Win32/Zbot variants in the wild. For the month of September 2011, we detected and removed PWS:Win32/Zbot from around 185,000 distinct Windows computers, a stark increase to the months beforehand... For October so far, we've removed Zbot from over 88,000 computers and we expect that number to grow to around 100,000... These increased numbers are also likely a result of new functionality we've seen in Zbot recently. It seems that some variants now automatically spread via the Windows autorun functionality; something that is very common with other prolific malware families, so it's not very surprising we're seeing it now - but is surprising we hadn't seen it before now. Regarding autorun, Microsoft released a security update in February of 2011* that changed its default behavior - the result was an overall decline in threats utilizing autorun as a spreading mechanism. There is a Microsoft Knowledge Base article that discusses how to disable autorun in Windows, here** ..."
* http://support.microsoft.com/kb/971029
** http://support.microsoft.com/kb/967715
:fear::fear:
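Added example for the autorun note above (editor's code, not from the MMPC blog or from KB967715/KB971029): it applies the "disable Autorun on all drive types" policy value that KB967715 documents, verifies it, and lists removable drives that still carry an autorun.inf, which is what the autorun-spreading Zbot variants rely on. Assumptions: run from an elevated PowerShell prompt; HonorAutoRunSetting is the value KB967715 says update 967715 writes so that the policy is actually honored on XP/2003.

```powershell
# Added example, not Microsoft's code. Disables Autorun for every drive type
# (KB967715: NoDriveTypeAutoRun = 0xFF), verifies it, and reports autorun.inf
# files on removable drives. Assumes an elevated prompt.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-AllAutorun {
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    # 0xFF sets the bit for every drive type, so nothing autoruns.
    Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Test-AutorunDisabled {
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        NoDriveTypeAutoRun  = $props.NoDriveTypeAutoRun
        AllDrivesDisabled   = ($props.NoDriveTypeAutoRun -eq 0xFF)
        # Assumption per KB967715: 1 once update 967715 is installed.
        HonorAutoRunSetting = $props.HonorAutoRunSetting
    }
}

function Get-RemovableAutorunInf {
    # DriveType 2 = removable media. An autorun.inf there is worth a look
    # even with Autorun off, since that file is the spreading vehicle.
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2' |
        ForEach-Object {
            $inf = "$($_.DeviceID)\autorun.inf"
            if (Test-Path -LiteralPath $inf) {
                # -Force: the file is usually marked hidden+system.
                Get-Item -LiteralPath $inf -Force |
                    Select-Object FullName, Length, LastWriteTime, Attributes
            }
        }
}

Disable-AllAutorun
Test-AutorunDisabled | Format-List
Get-RemovableAutorunInf | Format-Table -AutoSize
```

Update 971029 only narrows Autorun to CD/DVD media; the 0xFF value above is the stricter "off everywhere" setting from KB967715, which is what you want on a machine that has already had Zbot removed.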
MSRT report 2011.11.01 ...
FYI...
MSRT: Poison and EyeStye*, by the numbers (*aka SpyEye)
- https://blogs.technet.com/b/mmpc/arc...e-numbers.aspx
1 Nov 2011 - "The latest MSRT release included coverage for two more malware families, one being Win32/EyeStye... the other being Win32/Poison... As of October 25, the MSRT has removed Win32/Poison from a little over 16,000 computers... we have disinfected EyeStye from more than half a million unique machines... (605,825 at the time of writing)...
Top 10 Families in MSRT:
- http://www.microsoft.com/security/po...BID047-003.png
... most of the computers found to be infected with EyeStye were located in western Europe, with the largest number of detections found in Germany:
Geographical distribution of EyeStye:
- http://www.microsoft.com/security/po...BID047-004.png ..."
- https://www.microsoft.com/download/e...ng=en&id=27871
PDF report Win32/Poison - 19 pgs.
:fear::fear:
MS11-081 updated for IE7 hotfix...
FYI...
Microsoft Security Bulletin MS11-081 - Critical
Cumulative Security Update for Internet Explorer (2586448)
- https://technet.microsoft.com/en-us/...letin/ms11-081
Updated: Wednesday, November 02, 2011 - Version: 1.2
• V1.2 (November 2, 2011): Announced the release of a hotfix to resolve a known issue affecting IE7 customers after the KB2586448 security update is installed. See the Update FAQ for details.
> http://support.microsoft.com/kb/2586448
November 2, 2011 - Revision: 2.0
Some drop-down lists and combo boxes do not appear in IE7 after you install security update 2586448
>> http://support.microsoft.com/kb/2628724
November 2, 2011 - Revision: 6.2
"... If you cannot upgrade to a newer version of Internet Explorer, a supported hotfix is now available from Microsoft for Internet Explorer 7. However, it is intended to correct -only- the problem that is described in this article. Apply it only to systems that are experiencing this specific problem..."
:fear::fear:
MS Security Bulletin Advance Notification - November 2011
FYI...
- https://technet.microsoft.com/en-us/...letin/ms11-nov
November 03, 2011 - "This is an advance notification of security bulletins that Microsoft is intending to release on November 8, 2011... (Total of -4-)
Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 2 - Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 3 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 4 - Moderate - Denial of Service - Requires restart - Microsoft Windows ..."
.
MS Advisory for vuln related to Duqu malware
FYI...
Microsoft Security Advisory (2639658)
Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege
- https://technet.microsoft.com/en-us/...visory/2639658
• V1.0 (November 3, 2011): Advisory published.
• V1.1 (November 3, 2011): Added localization notation to the Workarounds section.
• V1.2 (November 4, 2011): Revised the workaround, Deny access to T2EMBED.DLL, to improve support for non-English versions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Customers with non-English versions of Microsoft Windows should reevaluate the applicability of the revised workaround for their environment.
• V1.3 (November 8, 2011): Added link to MAPP Partners with Updated Protections in the Executive Summary.
November 03, 2011 - "Microsoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs...
Workarounds: Deny access to T2EMBED.DLL
Note: See Microsoft Knowledge Base Article 2639658* to use the automated Microsoft Fix it solution to enable or disable this workaround to deny access to t2embed.dll..."
- http://support.microsoft.com/kb/2639658#FixItForMe
November 3, 2011 - Revision: 1.0
Impact of Workaround. Applications that rely on embedded font technology will fail to display properly.
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-3402
Last revised: 11/07/2011
CVSS v2 Base Score: 9.3 (HIGH)
___
- https://www.computerworld.com/s/arti...osoft_confirms
November 4, 2011 - "... the Windows kernel vulnerability exploited by the Duqu Trojan is within the TrueType parsing engine, the same component it last patched just last month... So far during 2011, Microsoft has patched 56 different kernel vulnerabilities with updates issued in February, April, June, July, August and October. In April alone, the company fixed 30 bugs, then quashed 15 more in July..."
___
- https://secunia.com/advisories/46724/
Release Date: 2011-11-07
Criticality level: Extremely critical
Impact: System access
Where: From remote...
CVE Reference: http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-3402
... Reported as a 0-day.
Solution: Apply the Microsoft Fix it.*...
* http://support.microsoft.com/kb/2639658#FixItForMe
- http://www.securitytracker.com/id/1026271
Updated: Nov 4 2011
Impact: Execution of arbitrary code via network, User access via network
Vendor Confirmed: Yes
Version(s): XP SP3, 2003 SP2, Vista SP2, 2008 SP2, 7 SP1, 2008 R2 SP1; and prior service packs...
... A remote user can create a specially crafted document that, when loaded by the target user, will execute arbitrary code on the target system. The code will run with kernel level privileges. The vulnerability resides in the Win32k.sys kernel driver in the parsing of TrueType fonts...
NOTE: "... The vulnerability cannot be exploited automatically via email unless the user opens an attachment sent in an email message..."
Per: https://isc.sans.edu/diary.html?storyid=11950
U.S.CERT: Critical alert
- https://www.us-cert.gov/control_syst...11-291-01E.pdf
November 1, 2011
:fear::fear:
MS Security Bulletin Summary - November 2011
FYI...
- https://technet.microsoft.com/en-us/...letin/ms11-nov
November 08, 2011 - "This bulletin summary lists security bulletins released for November 2011...
(Total of -4-)
Microsoft Security Bulletin MS11-083 - Critical
Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
- https://technet.microsoft.com/en-us/...letin/ms11-083
Critical - Remote Code Execution - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS11-085 - Important
Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution
- https://technet.microsoft.com/en-us/...letin/ms11-085
Important - Remote Code Execution - May require restart - Microsoft Windows
Microsoft Security Bulletin MS11-086 - Important
Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837)
- https://technet.microsoft.com/en-us/...letin/ms11-086
Important - Elevation of Privilege - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS11-084 - Moderate
Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657)
- https://technet.microsoft.com/en-us/...letin/ms11-084
Moderate - Denial of Service - Requires restart - Microsoft Windows
___
Bulletin Deployment priority
- https://blogs.technet.com/cfs-filesy...nt-Graphic.png
Severity and exploitability index
- https://blogs.technet.com/cfs-filesy...ty-Graphic.png
___
- http://www.securitytracker.com/id/1026290 - MS11-083
- http://www.securitytracker.com/id/1026291 - MS11-084
- http://www.securitytracker.com/id/1026292 - MS11-085
- http://www.securitytracker.com/id/1026293 - MS11-085
- http://www.securitytracker.com/id/1026294 - MS11-086
Nov 8 2011
- https://secunia.com/advisories/46731/ - MS11-083
- https://secunia.com/advisories/46751/ - MS11-084
- https://secunia.com/advisories/46752/ - MS11-085
- https://secunia.com/advisories/46755/ - MS11-086
Nov 8 2011
___
Office updates...
- http://support.microsoft.com/kb/2639798
November 8, 2011 - "... -security- and nonsecurity updates. All the following are included in the November 8, 2011 update.
2553455 Description of the Office 2010 update
- http://support.microsoft.com/kb/2553455
2553310 Description of the Office 2010 update
- http://support.microsoft.com/kb/2553310
2553181 Description of the Office 2010 update
- http://support.microsoft.com/kb/2553181
2553290 Description of the OneNote 2010 update
- http://support.microsoft.com/kb/2553290
2553323 Description of the Outlook 2010 update
- http://support.microsoft.com/kb/2553323
982726 Description of the Outlook 2010 Junk Email Filter update
- http://support.microsoft.com/kb/982726
2596972 Description of the Outlook 2003 Junk Email Filter update...
- http://support.microsoft.com/kb/2596972
___
ISC Analysis
- https://isc.sans.edu/diary.html?storyid=11971
Last Updated: 2011-11-08 22:18:48 UTC - Version: 2
Re-released: Microsoft Security Bulletin MS11-037 - Important
Vulnerability in MHTML Could Allow Information Disclosure (2544893)
- https://technet.microsoft.com/en-us/...letin/ms11-037
Published: Tuesday, June 14, 2011 | Updated: Tuesday, November 08, 2011
Version: 2.0 - FAQs: "... The new offering of this update provides systems running Windows XP or Windows Server 2003 with the same cumulative protection that is provided by this update for all other affected operating systems..."
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-1894
Last revised: 09/07/2011
Overview: "The MHTML protocol handler in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly handle a MIME format in a request for embedded content in an HTML document, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted EMBED element in a web page that is visited in Internet Explorer, aka 'MHTML Mime-Formatted Request Vulnerability'..."
CVSS v2 Base Score: 4.3 (MEDIUM)
___
MSRT
- http://support.microsoft.com/?kbid=890830
November 8, 2011 - Revision: 95.0
(Recent additions)
- http://www.microsoft.com/security/pc...-families.aspx
... added this release...
• Carberp
• Cridex
• Dofoil
Download:
- http://www.microsoft.com/download/en...ylang=en&id=16
File Name: windows-kb890830-v4.2.exe - 14.0 MB
- https://www.microsoft.com/download/e...s.aspx?id=9905
x64 version of MSRT:
File Name: windows-kb890830-x64-v4.2.exe - 14.0 MB
- https://blogs.technet.com/themes/blo...erp&GroupKeys=
8 Nov 2011
.
MS Advisory updates - TrueType Font Parsing + Insecure Lib Load
FYI...
Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- https://technet.microsoft.com/en-us/...visory/2269637
• V12.0 (November 8, 2011): Added the following Microsoft Security Bulletin to the Updates relating to Insecure Library Loading section: MS11-085*, "Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution."
* https://technet.microsoft.com/en-us/...letin/ms11-085
Microsoft Security Advisory (2639658)
Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege
- https://technet.microsoft.com/en-us/...visory/2639658
• V1.4 (November 11, 2011): Revised impact statement for the workaround, Deny access to T2EMBED.DLL, to address applications that rely on T2EMBED.DLL for functionality.
"... vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability..."
> http://support.microsoft.com/kb/2639658#FixItForMe
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-3402
Last revised: 11/07/2011
CVSS v2 Base Score: 9.3 (HIGH)
- http://labs.m86security.com/2011/11/...ero-day-event/
November 8th, 2011
___
A simple test of the Duqu workaround...
- http://blogs.computerworld.com/19256...und_is_working
November 12, 2011
:fear: :spider:
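Added example for the "Deny access to T2EMBED.DLL" workaround quoted in the Duqu advisory post above and in this update post (editor's wrapper around takeown/icacls, not the Microsoft Fix it). Assumptions: run from an elevated 64-bit PowerShell prompt on Vista/2008/7/2008 R2 (on XP/2003 the advisory uses cacls instead); the SysWOW64 copy of the DLL on x64 is assumed to need the same deny ACE; the SID S-1-1-0 is used instead of the group name "Everyone" because that name is localized, which is the problem the V1.2 revision of the advisory addressed.

```powershell
# Added example, not Microsoft's Fix it. Applies, checks and removes a
# Deny-Everyone ACE on t2embed.dll (Advisory 2639658 workaround).
# Assumptions: elevated 64-bit prompt; SysWOW64 copy treated the same way.

$t2embedPaths = @("$env:windir\system32\t2embed.dll",
                  "$env:windir\syswow64\t2embed.dll") | Where-Object { Test-Path $_ }

function Test-T2EmbedDenied {
    foreach ($path in $t2embedPaths) {
        # Match the ACE by SID so the check works on non-English Windows.
        $denyAce = (Get-Acl -Path $path).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
        }
        New-Object PSObject -Property @{
            Path   = $path
            Denied = [bool]$denyAce
        }
    }
}

function Enable-T2EmbedDeny {
    foreach ($path in $t2embedPaths) {
        # TrustedInstaller owns the file; ownership is needed to edit the DACL.
        takeown.exe /f $path | Out-Null
        # *S-1-1-0 = Everyone; (F) = full control, as a Deny entry.
        icacls.exe $path /deny '*S-1-1-0:(F)' | Out-Null
    }
}

function Disable-T2EmbedDeny {
    foreach ($path in $t2embedPaths) {
        icacls.exe $path /remove:d '*S-1-1-0' | Out-Null
    }
}

Enable-T2EmbedDeny
Test-T2EmbedDenied | Format-Table -AutoSize
```

Keep the impact statement in mind: while the deny ACE is in place, applications that depend on embedded-font rendering through t2embed.dll will misbehave (V1.4 of the advisory widened that note), so run Disable-T2EmbedDeny once the actual security update is installed.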
MS Advisory - digital certificates
FYI...
Microsoft Security Advisory (2641690)
Fraudulent Digital Certificates Could Allow Spoofing
* http://technet.microsoft.com/security/advisory/2641690
November 10, 2011 - "... The majority of customers have automatic updating enabled and will not need to take any action because the KB2641690 update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually..."
- http://support.microsoft.com/kb/2641690
November 10, 2011 Rev 1.0 - "Microsoft has released a Microsoft security advisory about this issue for IT professionals. This update is released for all supported versions of Microsoft Windows. This update revokes the trust of the following DigiCert Sdn. Bhd intermediate certificates by putting them in the Microsoft Untrusted Certificate Store:
Digisign Server ID – (Enrich) issued by Entrust.net Certification Authority (2048)
Digisign Server ID (Enrich) issued by GTE CyberTrust Global Root
The security advisory* contains additional security-related information..."
- https://blogs.technet.com/themes/blo...ore&GroupKeys=
10 Nov 2011
___
- https://www.us-cert.gov/current/#fra...es_could_allow
November 10, 2011
:fear:
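Added example for the KB2641690 post above (editor's check, not part of the KB or advisory): it confirms that the two DigiCert Sdn. Bhd. intermediates the update distrusts are present in the machine's Untrusted Certificates store and that the update itself is listed as installed. Assumptions: the certificate Subject contains the string "Digisign Server ID"; Get-HotFix (Win32_QuickFixEngineering) lists the update on the system being checked, which is not guaranteed for every servicing path.

```powershell
# Added example, not Microsoft's code. Verifies the effect of update 2641690:
# the Digisign Server ID (Enrich) intermediates should sit in the Disallowed
# (Untrusted Certificates) store. Assumes the Subject contains that name.

function Get-DistrustedDigisignCerts {
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Where-Object { $_.Subject -like '*Digisign Server ID*' } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter
}

function Test-Kb2641690 {
    $certs  = @(Get-DistrustedDigisignCerts)
    # Assumption: the update shows up in QFE; absence here is not proof it is missing.
    $hotfix = Get-HotFix -Id KB2641690 -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        UpdateListed    = [bool]$hotfix
        DistrustedCerts = $certs.Count
        Expected        = 2      # one per issuer: Entrust.net (2048) and GTE CyberTrust
        Ok              = ($certs.Count -ge 2)
    }
}

Get-DistrustedDigisignCerts | Format-List
Test-Kb2641690 | Format-List
```

The Disallowed store is what matters here: a certificate placed there fails chain building regardless of whether its issuer (Entrust.net or GTE CyberTrust, per the KB) is still trusted, so the presence of the two entries is the real indicator, and the QFE listing is only a secondary hint.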
MS re-release - KB 2641690
FYI...
Microsoft Security Advisory (2641690)
Fraudulent Digital Certificates Could Allow Spoofing
- https://technet.microsoft.com/en-us/...visory/2641690
• V2.0 (November 16, 2011): Revised to announce the re-release of the KB2641690 update. See the Update FAQ in this advisory for more information. Also, added link to Microsoft Knowledge Base Article 2641690* under Known Issues in the Executive Summary.
* http://support.microsoft.com/kb/2641690
November 16, 2011 - Revision: 5.1
"... Before November 16, 2011, Microsoft Windows Server Update Services (WSUS) server customers experienced problems with the versions of update 2641690 for Windows XP x64 and for Windows Server 2003. On November 16, 2011, we re-released update 2641690 to address this issue for Windows XP x64 and for all editions of Windows Server 2003. Most systems have automatic updating enabled. If you do have automatic updating enabled, you do not have to take any action because update 2641690 will be installed automatically. All releases of Windows Vista, of Windows 7, of Windows Server 2008, and of Windows Server 2008 R2 are not affected by this issue..."
:fear::spider: