
Thread: MS Alerts - Q1-2007c

  1. #1
    Adviser Team AplusWebMaster
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    Default MS Alerts - Q1-2007c

    FYI...

    - http://www.microsoft.com/technet/sec.../ms07-apr.mspx
    April 3, 2007
    "...Summary...

    ...Critical (1)

    Microsoft Security Bulletin MS07-017
    Vulnerabilities in GDI Could Allow Remote Code Execution (925902)
    - http://www.microsoft.com/technet/sec.../ms07-017.mspx
    Executive Summary: This update resolves vulnerabilities in GDI that could allow remote code execution.
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution ...

    > http://update.microsoft.com/microsoftupdate

    ISC Analysis
    - http://isc.sans.org/diary.html?n&storyid=2562
    Last Updated: 2007-04-03 18:06:53 UTC

    Last edited by AplusWebMaster; 2007-04-03 at 22:14. Reason: Added ISC analysis post...
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

  2. #2 (AplusWebMaster)

    Question MS07-017 / MS07-008 conflict (?) fix...

    FYI...

    - http://isc.sans.org/diary.html?storyid=2565
    Last Updated: 2007-04-04 00:38:52 UTC ~ "We have received several emails today from people who are having problems with the patch. One that is confirmed by Microsoft is the Realtek problem. Microsoft has been working on this problem and has provided a patch* for the problem..."
    Other possible issues have been reported and are being investigated. Microsoft is asking anyone having problems after installing the patch to contact them at Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for the support relating to Microsoft Security Updates.
    http://support.microsoft.com/ ."

    * http://support.microsoft.com/kb/935448/
    Last Review: April 3, 2007
    Revision: 2.0
    "...This problem may occur after you install security update 925902 (MS07-017) and security update 928843 (MS07-008). The Hhctrl.ocx file that is included in security update 928843 and the User32.dll file that is included in security update 925902 have conflicting base addresses. This problem occurs if the program loads the Hhctrl.ocx file before it loads the User32.dll file..."


  3. #3 (AplusWebMaster)

    Post MS Security Bulletin Advance Notification - April 2007 - #2

    FYI...

    - http://www.microsoft.com/technet/sec...n/advance.mspx
    Updated: April 5, 2007
    "...On 10 April 2007 Microsoft is planning to release:

    Security Updates
    • -Four- Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates will require a restart.
    • -One- Microsoft Security Bulletin affecting Microsoft Content Management Server. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.

    Microsoft Windows Malicious Software Removal Tool
    • Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.
    Note that this tool will NOT be distributed using Software Update Services (SUS).

    Non-security High Priority updates on MU, WU, WSUS and SUS
    • Microsoft will release -2- NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).
    • Microsoft will release -4- NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

    Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released..."


  4. #4 (AplusWebMaster)

    Exclamation MS07-017 info updated...

    FYI...

    MS07-017: Vulnerability in GDI could allow remote code execution
    - http://support.microsoft.com/kb/925902
    Last Review: April 6, 2007
    Revision: 4.0 <<<
    "...Note: As of April 5, 2007, Microsoft is aware of the following third-party programs that are affected by this problem:
    • Realtek HD Audio Control Panel
    • ElsterFormular 2006/2007
    • TUGZip
    • CD-Tag
    If you receive a similar message when you use other programs, install the update that is mentioned in Microsoft Knowledge Base article 935448. If we confirm that other programs are affected by this problem, we will update Microsoft Knowledge Base article 935448* with more information..."
    * http://support.microsoft.com/kb/935448/
    Last Review: April 6, 2007
    Revision: 3.0...

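    The KB 935448 excerpt quoted in posts #2 and #4 describes two modules (Hhctrl.ocx and User32.dll) whose preferred load addresses collide, so whichever loads second cannot be mapped where it asked to be. The Python below is an added example, not code from this thread or from any Microsoft KB article: it reads ImageBase and SizeOfImage out of PE headers and reports every pair of modules whose preferred address ranges overlap, which is the check a defender would run across a set of DLLs before a patch rollout. The PE images it inspects are constructed in-memory stubs with made-up addresses and placeholder names (module_a.dll and so on), not the real Hhctrl.ocx or User32.dll.

```python
import struct
from itertools import combinations


def build_pe32(image_base: int, size_of_image: int) -> bytes:
    """Construct a minimal synthetic PE32 header (constructed test data, not a real module).

    Only the fields the checker reads are populated: e_lfanew, the PE signature,
    the file header, and ImageBase / SizeOfImage in the optional header.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew: PE header follows the DOS header
    # IMAGE_FILE_HEADER: Machine=i386, 0 sections, timestamp, symbol table ptr, symbol count,
    # SizeOfOptionalHeader=224 (PE32), Characteristics=executable image + DLL
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic: PE32
    struct.pack_into("<I", opt, 28, image_base)        # ImageBase (preferred load address)
    struct.pack_into("<I", opt, 56, size_of_image)     # SizeOfImage (bytes needed once mapped)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


def preferred_range(data: bytes) -> tuple:
    """Return (start, end) of the half-open address range a PE image asks the loader for."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 4 + 20                                  # skip signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                 # PE32: 32-bit ImageBase at offset 28
        base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                               # PE32+: 64-bit ImageBase at offset 24
        base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size = struct.unpack_from("<I", data, opt + 56)[0]  # SizeOfImage sits at 56 in both formats
    return base, base + size


def find_conflicts(modules: dict) -> list:
    """Return sorted (name_a, name_b) pairs whose preferred ranges overlap."""
    ranges = {name: preferred_range(img) for name, img in modules.items()}
    out = []
    for a, b in combinations(sorted(ranges), 2):
        (a0, a1), (b0, b1) = ranges[a], ranges[b]
        if a0 < b1 and b0 < a1:                        # half-open interval intersection
            out.append((a, b))
    return out


def demo() -> list:
    # Constructed modules with made-up addresses; the names are placeholders, not real files.
    modules = {
        "module_a.dll": build_pe32(0x10000000, 0x20000),   # 0x10000000 .. 0x10020000
        "module_b.ocx": build_pe32(0x10010000, 0x08000),   # starts inside module_a's range
        "module_c.dll": build_pe32(0x20000000, 0x01000),   # disjoint from both
    }
    return find_conflicts(modules)


if __name__ == "__main__":
    print(demo())   # [('module_a.dll', 'module_b.ocx')]
```

    To use it on real files, replace the constructed stubs with `open(path, "rb").read()` for each module of interest; the overlap test is the same. A reported overlap is only a problem when one of the two images cannot be relocated, which is the situation the KB article describes for User32.dll.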

  5. #5 (AplusWebMaster)

    Exclamation Microsoft Security Bulletin Summary for April 2007 - V2.0 (April 10, 2007)

    FYI...

    Microsoft Security Bulletin Summary for April 2007
    - http://www.microsoft.com/technet/sec.../ms07-apr.mspx
    Updated: April 10, 2007
    Version: 2.0
    "...Critical (5)

    Microsoft Security Bulletin MS07-017
    Vulnerabilities in GDI Could Allow Remote Code Execution (925902)
    - http://www.microsoft.com/technet/sec.../MS07-017.mspx
    Executive Summary: This update resolves vulnerabilities in GDI that could allow remote code execution.
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution...

    Microsoft Security Bulletin MS07-018
    Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution (925939)
    - http://www.microsoft.com/technet/sec.../MS07-018.mspx
    Executive Summary: This update resolves vulnerabilities in Microsoft Content Management Server that could allow remote code execution.
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution

    Microsoft Security Bulletin MS07-019
    Vulnerability in Universal Plug and Play Could Allow Remote Code Execution (931261)
    - http://www.microsoft.com/technet/sec.../MS07-019.mspx
    Executive Summary: This update resolves a vulnerability in Universal Plug and Play that could allow remote code execution.
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution

    Microsoft Security Bulletin MS07-020
    Vulnerability in Microsoft Agent Could Allow Remote Code Execution (932168)
    - http://www.microsoft.com/technet/sec.../MS07-020.mspx
    Executive Summary: This update resolves a vulnerability in Microsoft Agent that could allow remote code execution.
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution

    Microsoft Security Bulletin MS07-021
    Vulnerabilities in CSRSS Could Allow Remote Code Execution (930178)
    - http://www.microsoft.com/technet/sec.../MS07-021.mspx
    Executive Summary: This update resolves vulnerabilities in Windows Client/Server Run-time Subsystem (CSRSS) that could allow remote code execution.
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution...


    Important (1)...

    Microsoft Security Bulletin MS07-022
    Vulnerability in Windows Kernel Could Allow Elevation of Privilege (931784)
    - http://www.microsoft.com/technet/sec.../MS07-022.mspx
    Executive Summary: This update resolves a vulnerability in Windows Kernel that could allow elevation of privilege.
    Maximum Severity Rating: Important
    Impact of Vulnerability: Elevation of Privilege...

    Revisions:
    • V1.0 (April 3, 2007): Bulletin summary published for the release of MS07-017.
    • V2.0 (April 10, 2007): Bulletin summary revised for the release of MS07-018, MS07-019, MS07-020, MS07-021, and MS07-022."
    ----------------------

    ISC Analysis
    - http://isc.sans.org/diary.html?storyid=2598
    Last Updated: 2007-04-10 17:48:53 UTC

    Last edited by AplusWebMaster; 2007-04-10 at 21:05. Reason: Added link to ISC Analysis...

  6. #6 (AplusWebMaster)

    Exclamation New MS Office Zero-Days

    FYI...

    - http://www.avertlabs.com/research/blog/?p=253
    April 10, 2007 ~ "Some of these flaws may allow for remote code execution. McAfee Avert Labs is investigating all these zero-days. Today is Patch Tuesday for April. So, yes: this is yet another time that zero-day flaws have been published around a Patch Tuesday, possibly to maximize the public’s exposure to these flaws until the next month’s Patch Tuesday.
    Update, 2pm PST
    Further research by Avert Labs indicates that all but one of the Office zero-days reported yesterday result in denial of service. There is one heap-overflow flaw that might be exploited for code execution. We’ll keep you updated.
    Update, 5pm PST
    Avert Labs has been analyzing proof-of-concept code for a zero-day vulnerability in Microsoft Windows’s handling of HLP files. This is another heap-overflow flaw that might be exploited for code execution. Stay tuned."

    - http://news.com.com/2102-1002_3-6175...=st.util.print
    Apr 10 2007 ~ "... McAfee is still investigating the security vulnerabilities. They may not actually all be new, said Dave Marcus, security research and communications manager at (McAfee). "Sometimes what people claim to be zero-days may in fact be related to something that's already known," he said. Should the three Office bugs be new, the tally of zero-day vulnerabilities in the productivity suite waiting for a fix would jump to five. Microsoft did not deliver any patches for Office on Tuesday*..."

    * See: http://forums.spybot.info/showpost.p...9&postcount=30
    ----------------------------------------

    - http://www.theregister.com/2007/04/1...soft_zerodays/
    11th April 2007 ~ "...Microsoft says it is investigating the reports and isn't aware of any customers being targeted by the flaws. It also reiterated an advisory* deeming .HLP files as unsafe unless the user is assured they are not malicious..."

    Overview of unsafe file types in Microsoft products
    * http://support.microsoft.com/kb/925330/en-us

    - http://support.microsoft.com/kb/883260

    Last edited by AplusWebMaster; 2007-04-12 at 13:26. Reason: Added refs MS KB articles...

  7. #7 (AplusWebMaster)

    Question Svchost, Microsoft Updates, and 99% CPU Usage

    FYI...

    - http://isc.sans.org/diary.html?storyid=2624
    Last Updated: 2007-04-12 20:50:51 UTC ...(Version: 2)
    "We received a couple of emails today talking about the latest Microsoft Updates and the svchost service taking up 99% of CPU Utilization after applying them... One of the other handlers pointed me to this KB article* ...Take a look at that if you are affected..."

    * http://support.microsoft.com/kb/916089/
    Article ID: 916089
    Last Review: April 9, 2007
    Revision: -6.2-
    "...SYMPTOMS
    When you run Microsoft Windows Update to scan for updates or to apply updates to any applications that use Microsoft Windows Installer (MSI) 3.1 together with Windows Update, CPU utilization may reach 100 percent for prolonged periods... You may experience this problem when you try to scan for Microsoft Office updates. You may also experience this problem when you use the following update mechanisms:
    • The Microsoft Update Web site
    • Automatic Updates through the Internet or through Windows Server Update Services (WSUS)
    • Microsoft Systems Management Server Inventory Tool for Microsoft Updates (SMS ITMU)
    • Microsoft Baseline Security Analyzer (MBSA)
    • Any application that performs update scans by using the offline scan CAB file (Wsusscan.cab) that uses the Windows Update Agent (WUA)..."

    > http://support.microsoft.com/kb/927891/

    Windows Installer 3.1 v2 (3.1.4000.2435) is available
    > http://support.microsoft.com/kb/893803/
    Article ID: 893803
    Last Review: March 19, 2007
    Revision: -4.3-


  8. #8 (AplusWebMaster)

    Exclamation Microsoft Security Advisory (935964)

    FYI...

    Microsoft Security Advisory (935964)
    Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution.
    - http://www.microsoft.com/technet/sec...ry/935964.mspx
    April 12, 2007 ~ "Microsoft is investigating new public reports of a limited attack exploiting a vulnerability in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2..."

    > http://isc.sans.org/diary.html?storyid=2627
    Last Updated: 2007-04-13 04:42:08 UTC ...(Version: 2)
    "...Microsoft has a few suggested actions that can mitigate the risk with the caveat that some tools may break.
    1. Disable remote management over RPC for the DNS server via a registry key setting.
    2. Block unsolicited inbound traffic on ports 1024-5000 using IPsec or other firewall.
    3. Enable the advanced TCP/IP Filtering options on the appropriate interfaces of the server..."

    > http://www.us-cert.gov/current/#winrpc

    > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1748
    ---------------------------------------------

    - http://isc.sans.org/diary.html?storyid=2633
    Last Updated: 2007-04-13 21:06:53 UTC ~ "...We have knowledge of a successful attack that occurred on April 4, 2007. This appears to be an opportunistic attack (instead of a targeted attack). So it's likely that others have been compromised as well. If you have a vulnerable MS DNS server (Win2K SP4 or Win2003 SP1 or SP2) accessible to the Internet and don't have ports above 1024 blocked, then you may have already been targeted in an attack. At this point, there seems to be a very small number of known compromises...
    Update: If you have a large number of domain controllers and want to automate the disabling of RPC, check out this blog entry: http://preview.tinyurl.com/2ymwsv "
    ---------------------------------------------

    - http://isc.sans.org/diary.html?storyid=2633
    Last Updated: 2007-04-14 14:30:08 UTC ...(Version: 2)
    "Update 2: We have two confirmed sources that were attacked on April 4th and 5th. Both were universities in the US. The initial report was from the Information Security Office at Carnegie Mellon University. Nice catch guys! The attacking source IP was the same in both cases: 61.63.227.125
    Here are the attack details from the Carnegie Mellon folks. First, a TCP port scan to ports 1024-2048. Then a TCP connection to the right TCP port running the vulnerable RPC service. Shellcode binds to TCP port 1100. Attacker uploads a VBscript on this port and then runs it. VBscript downloads an executable DUP.EXE (MD5: a5ae220fec052a1f2cd22b4eb89a442e) from 203.66.151.92/images/. Executable is self-extracting and contains PWDUMP v5 and an associated DLL.
    Update 3: There is now a publicly available exploit for this vulnerability in Metasploit 3"
    -----------------------------------------------

    - http://isc.sans.org/diary.html?storyid=2637
    Last Updated: 2007-04-16 12:11:28 UTC ...(Version: 2)
    "...UPDATE:
    - Microsoft has now added that for users with valid authentication credentials, exploitation may be possible over port 445.
    - A public exploit now appears to be available that supports the port 445 vector and supports Windows 2003 Server SP2...
    - Microsoft added to their advisory that DNS server local administration and configuration may not work if the computer name is 15 characters or longer. They suggest using the FQDN (Fully Qualified Domain Name) of the host to ensure this works correctly."
    - http://www.microsoft.com/technet/sec...ry/935964.mspx
    Revisions:
    • April 15, 2007: Advisory “Suggested Actions” section updated to include additional information regarding TCP and UDP port 445 and the 15 character computer name known issue.

    > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1748

    > http://www.us-cert.gov/current/#rpcexpl

    Last edited by AplusWebMaster; 2007-04-16 at 22:04. Reason: Additional updates for 4.16.2007...

  9. #9 (AplusWebMaster)

    Exclamation ...Scanning for port 1025 DNS/RPC

    FYI...

    New Rinbot scanning for port 1025 DNS/RPC
    - http://isc.sans.org/diary.html?storyid=2643
    Last Updated: 2007-04-16 22:27:56 UTC ...(Version: 3)
    "We are currently tracking a new version of the Rinbot worm that in addition to its regular scans, is also scanning for port 1025/tcp. Once connected, it attempts to do a Windows 2000 DnsservQuery, attempting to exploit the recent Microsoft DNS RPC vulnerability. Detection of this virus is currently very poor, and we are working with the AV vendors to improve this:
    Vendor             Engine        Updated      Detection name
    AhnLab-V3          2007.4.14.0   04.16.2007   Win32/IRCBot.worm.199680.I
    AntiVir            7.3.1.52      04.16.2007   HEUR/Crypted
    AVG                7.5.0.447     04.16.2007   Win32/CryptExe
    DrWeb              4.33          04.16.2007   BackDoor.IRC.Sdbot.1299
    eSafe              7.0.15.0      04.16.2007   Suspicious Trojan/Worm
    Fortinet           2.85.0.0      04.16.2007   suspicious
    Kaspersky          4.0.2.24      04.16.2007   Backdoor.Win32.VanBot.bx
    Prevx1             V2            04.16.2007   Malware.Trojan.Backdoor.Gen
    Symantec           10            04.16.2007   W32.Rinbot.A
    Webwasher-Gateway  6.0.1         04.16.2007   Heuristic.Crypted

    McAfee also has a writeup on this worm here*..."

    * http://vil.nai.com/vil/content/v_142025.htm
    ---------------------------------------------------------

    Microsoft Security Advisory (935964)
    Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution.
    - http://www.microsoft.com/technet/sec...ry/935964.mspx
    Revisions:
    • April 12, 2007: Advisory published.
    • April 13, 2007: Advisory updated to include additional details about Windows Small Business Server. Mitigations also updated to include additional information regarding the affected network port range and firewall configuration. Additional details also provided for registry key mitigation values.
    • April 15, 2007: Advisory “Suggested Actions” section updated to include additional information regarding TCP and UDP port 445 and the 15 character computer name known issue.
    • April 16, 2007: Advisory updated: Ongoing monitoring indicates that we are seeing a new attack that is attempting to exploit this vulnerability.
    ---------------------------

    MSRC Blog entry re: MS DNS issue
    - http://preview.tinyurl.com/2beczj
    April 17, 2007 8:34 PM

    Last edited by AplusWebMaster; 2007-04-18 at 15:42.
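    Posts #8 and #9 describe two network patterns a defender can look for around the DNS RPC advisory: a single source sweeping the dynamic RPC port range (1024-2048 in the Carnegie Mellon write-up) on one server before connecting to the port the DNS RPC service is listening on, and the Rinbot variant probing 1025/tcp across many hosts. The Python below is an added example, not code from this thread or from ISC/SANS: it parses firewall-style connection records and flags both patterns from a perimeter or netflow log. The log format it parses is an assumption made for the example, and the sample lines it builds are constructed using RFC 5737 documentation addresses, not the IPs quoted in the posts.

```python
import re
from collections import defaultdict

# Assumed one-line-per-SYN log format, e.g.
#   2007-04-04T10:00:01 TCP 203.0.113.5:40001 -> 192.0.2.10:1025 SYN
LOG_RE = re.compile(
    r"^(?P<ts>\S+) TCP (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) SYN$"
)


def parse(lines):
    """Turn raw log lines into (timestamp, src, dst, dport) tuples; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["src"], m["dst"], int(m["dport"])))
    return events


def detect_scans(events, lo=1024, hi=2048, sweep_min=16, hosts_min=8, dns_rpc_port=1025):
    """Flag (a) one source touching many ports in [lo, hi] on one host (the pre-exploit sweep
    from post #8) and (b) one source hitting dns_rpc_port on many hosts (the Rinbot scan from
    post #9). Thresholds are tunable; the defaults are arbitrary starting points."""
    ports_by_pair = defaultdict(set)   # (src, dst) -> distinct dports seen in the RPC range
    hosts_by_src = defaultdict(set)    # src -> distinct hosts contacted on dns_rpc_port
    for _, src, dst, dport in events:
        if lo <= dport <= hi:
            ports_by_pair[(src, dst)].add(dport)
        if dport == dns_rpc_port:
            hosts_by_src[src].add(dst)

    findings = []
    for (src, dst), ports in sorted(ports_by_pair.items()):
        if len(ports) >= sweep_min:
            findings.append({"type": "rpc_port_sweep", "src": src, "dst": dst, "ports": len(ports)})
    for src, hosts in sorted(hosts_by_src.items()):
        if len(hosts) >= hosts_min:
            findings.append({"type": "port_1025_horizontal_scan", "src": src, "hosts": len(hosts)})
    return findings


def build_sample_log():
    """Constructed sample traffic: one vertical sweep, one horizontal scan, some benign noise."""
    lines = []
    # Constructed: 203.0.113.5 walks ports 1024..1063 on a single server.
    for i, port in enumerate(range(1024, 1064)):
        lines.append(f"2007-04-04T10:00:{i % 60:02d} TCP 203.0.113.5:{40000 + i} -> 192.0.2.10:{port} SYN")
    # Constructed: 198.51.100.77 touches 1025/tcp on twelve different hosts.
    for i in range(12):
        lines.append(f"2007-04-16T08:00:{i:02d} TCP 198.51.100.77:{50000 + i} -> 192.0.2.{20 + i}:1025 SYN")
    # Constructed benign traffic: an admin workstation reaching two servers once each.
    lines.append("2007-04-16T09:00:00 TCP 192.0.2.250:51000 -> 192.0.2.10:445 SYN")
    lines.append("2007-04-16T09:00:01 TCP 192.0.2.250:51001 -> 192.0.2.11:1025 SYN")
    lines.append("this line is not a connection record and is ignored")
    return lines


def run():
    return detect_scans(parse(build_sample_log()))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

    Both detections deliberately count distinct ports or distinct hosts rather than raw packet volume, so a noisy but legitimate client that retries one port many times is not flagged. The same two counters apply unchanged if the firewall log is replaced by netflow export, as long as the parser yields the same (src, dst, dport) tuples.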
