
Thread: MS Alerts - Q2-2007

  1. #1
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    MS Alerts - Q2-2007

    FYI...

    - http://www.microsoft.com/technet/sec...ry/935964.mspx
    • April 19, 2007: Advisory updated: To provide information on Windows Live OneCare malware detection capability and to clarify that the registry key workaround provides protection to all attempts to exploit this vulnerability. Advisory also updated to provide additional data regarding exploitability through port 139*.

    * "Block TCP and UDP port 445 and 139 as well as affected ports greater than 1024 by using IPsec on the affected systems"

    ---------
    Identified Malware:
    Siveras.A - http://www.microsoft.com/security/en...in32/Siveras.A
    Siveras.B - http://www.microsoft.com/security/en...in32/Siveras.B
    Siveras.C - http://www.microsoft.com/security/en...in32/Siveras.C
    Siveras.D - http://www.microsoft.com/security/en...in32/Siveras.D

    > http://atlas.arbor.net/service/tcp/139
    -------------------------------------------------

    - http://asert.arbornetworks.com/2007/...-dns-exploits/
    April 17, 2007 ~ "The latest turn in the Nirbot saga is that they’ve gone and incorporated the MS Windows DNS RPC interface exploit into their bot. We started seeing this in ATLAS starting Sunday evening GMT and it appears that this flood of MS DNS RPC exploits was seeded into an existing botnet. It appears that one of the public exploits was rolled into the bot over the weekend..."
    -------------------------------------------------

    New KB article to help deploy DNS remote RPC block workaround throughout enterprise
    - http://preview.tinyurl.com/2a65ba
    April 20, 2007 7:06 PM ~ "...You can find the KB at
    http://support.microsoft.com/kb/936263 ..."
    Last Review: April 21, 2007
    Revision: 1.0

    Last edited by AplusWebMaster; 2007-04-21 at 19:32. Reason: Added info re: MS KB936263...
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
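    An added audit script (not from this thread, the advisory, or KB936263) that checks a Windows DNS server against the two workarounds quoted above: the advisory's registry setting (the RpcProtocol value under the DNS service's Parameters key, as named in Microsoft advisory 935964) and the port guidance (139, 445 and ports above 1024). It assumes PowerShell 3 or later with the NetTCPIP module (Windows 8 / Server 2012 or newer) and an elevated session.

```powershell
# Added example: audit one DNS server for the advisory 935964 workarounds.
# Not code from the thread or from Microsoft; see the lead-in for assumptions.

function Test-DnsRpcExposure {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        RegistryWorkaround = $false
        ExposedListeners   = @()
    }

    # Workaround 1: RpcProtocol = 4 restricts the DNS management RPC interface
    # to local calls only, so remote clients cannot reach it at all.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $rpc = (Get-ItemProperty -Path $params -Name RpcProtocol -ErrorAction SilentlyContinue).RpcProtocol
    $result.RegistryWorkaround = ($rpc -eq 4)

    # Workaround 2: the advisory says to block 139/445 and affected ports above
    # 1024 with IPsec. 139/445 belong to the System process; the dynamic RPC
    # endpoints above 1024 are owned by dns.exe, so filter on its PID for those.
    $dnsPids = @(Get-Process -Name dns -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty Id)

    $result.ExposedListeners = @(
        Get-NetTCPConnection -State Listen |
            Where-Object {
                ($_.LocalAddress -notin '127.0.0.1', '::1') -and (
                    ($_.LocalPort -in 139, 445) -or
                    ($_.LocalPort -gt 1024 -and $dnsPids -contains $_.OwningProcess)
                )
            } |
            Select-Object LocalAddress, LocalPort, OwningProcess
    )

    [pscustomobject]$result
}

$audit = Test-DnsRpcExposure
if (-not $audit.RegistryWorkaround) {
    Write-Warning 'RpcProtocol is not 4: DNS RPC management is still reachable over the network.'
}
if ($audit.ExposedListeners.Count -gt 0) {
    Write-Warning 'Listeners remain on ports the advisory says to block with IPsec:'
    $audit.ExposedListeners | Format-Table -AutoSize
}
```

    A listener on a port above 1024 is only a concern here when it is owned by dns.exe and reachable from the network; a host that applies the IPsec filters will still show the listener, so verify the filter separately.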

  2. #2
    AplusWebMaster

    MS web site compromise and partner security

    FYI...

    - http://isc.sans.org/diary.html?storyid=2699
    Last Updated: 2007-04-29 12:04:19 UTC ~ "There’s been a lot of discussion over the last few hours regarding a Microsoft website that apparently got defaced. While the domain name has been taken offline, the defacement itself was rather obvious. Users browsing the page were shown a typical “0wn3d by” message with a picture taken of Bill Gates during what was probably his least pleasant visit to Belgium in 1998. The affected site displayed a remotely hosted image and the attacker’s nickname:

    <body onload="document.body.innerHTML='<p align=center><font size=7>Own3d by Cyber-Terrorist</font><img src=http://c2000.com/gifs!/billgates.jpg><p align=center><font size=7>--Cyb3rT--</font></p>';"></noscript>

    The affected site was a subpage of ieak .microsoft .com where users could select a distribution license for the Internet Explorer Administration Kit. The server isn’t, however, located on the Microsoft network, but at a hosting partner. In addition, the source of the page mentions another third party as being responsible for the site’s development... This may be a small time issue, web site defacements have in the recent past often involved malicious code distribution. Being unavailable and looking a bit silly is one thing to reflect on a brand. Being involved in the distribution of a banking fraud trojan quite another."

  3. #3
    AplusWebMaster

    MS Security Bulletin Advance Notification - May 2007

    FYI...

    - http://www.microsoft.com/technet/sec...n/advance.mspx
    May 3, 2007
    "...On Tuesday 8 May 2007 Microsoft is planning to release:

    Security Updates
    • -2- Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.
    • -3- Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.
    • -1- Microsoft Security Bulletin affecting Microsoft Exchange. The highest Maximum Severity rating for these is Critical. These updates will not require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.
    • -1- Microsoft Security Bulletin affecting CAPICOM and BizTalk. The highest Maximum Severity rating for these is Critical. These updates will not require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool.

    Microsoft Windows Malicious Software Removal Tool
    • Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.
    Note that this tool will NOT be distributed using Software Update Services (SUS).

    Non-security High Priority updates on MU, WU, WSUS and SUS
    • Microsoft will release -1- NON-SECURITY High-Priority Update for Windows on Windows Update (WU) and Software Update Services (SUS).
    • Microsoft will release -6- NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS)..."


  4. #4
    AplusWebMaster

    MS Security Bulletin Summary - May 2007

    FYI...

    - http://www.microsoft.com/technet/sec.../ms07-may.mspx
    Published: May 8, 2007
    Version: 1.0
    "...Critical (7)

    Microsoft Security Bulletin MS07-023
    Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233)
    - http://www.microsoft.com/technet/sec.../MS07-023.mspx
    Executive Summary: This update resolves vulnerabilities in Microsoft Excel that could allow remote code execution.
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution...

    Microsoft Security Bulletin MS07-024
    Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232)
    - http://www.microsoft.com/technet/sec.../MS07-024.mspx
    Executive Summary: This update resolves vulnerabilities in Microsoft Word that could allow remote code execution.
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution...

    Microsoft Security Bulletin MS07-025
    Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873)
    - http://www.microsoft.com/technet/sec.../MS07-025.mspx
    Executive Summary: This update resolves a vulnerability in Microsoft Office that could allow remote code execution.
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution...

    Microsoft Security Bulletin MS07-026
    Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (931832)
    - http://www.microsoft.com/technet/sec.../MS07-026.mspx
    Executive Summary: This update resolves vulnerabilities in Microsoft Exchange that could allow remote code execution.
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution...

    Microsoft Security Bulletin MS07-027
    Cumulative Security Update for Internet Explorer (931768)
    - http://www.microsoft.com/technet/sec.../MS07-027.mspx
    Executive Summary: This update resolves vulnerabilities in Internet Explorer that could allow remote code execution.
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution...

    Microsoft Security Bulletin MS07-028
    Vulnerability in CAPICOM Could Allow Remote Code Execution (931906)
    - http://www.microsoft.com/technet/sec.../MS07-028.mspx
    Executive Summary: This update resolves a vulnerability in the Cryptographic API Component Object Model (CAPICOM) that could allow remote code execution.
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution...

    Microsoft Security Bulletin MS07-029
    Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution (935966)
    - http://www.microsoft.com/technet/sec.../MS07-029.mspx
    Executive Summary: This update resolves a vulnerability in RPC on Windows DNS Server that could allow remote code execution.
    Maximum Severity Rating: Critical
    Impact of Vulnerability: Remote Code Execution...


    Revisions:
    • V1.0 (May 8, 2007)...


    ----------------------

    ISC Analysis
    - http://isc.sans.org/diary.html?storyid=2769
    Last Updated: 2007-05-08 18:08:06 UTC

    ----------------------

    - http://www.us-cert.gov/current/#micr...urity_bulletin
    May 8, 2007 ~ "...Updates to address vulnerabilities in Microsoft Windows, Internet Explorer, Windows DNS RPC Interface, Office, Exchange, CAPICOM, and BizTalk... US-CERT strongly encourages users to review the bulletins and follow best-practice security policies to determine what updates should be applied."

    Last edited by AplusWebMaster; 2007-05-09 at 17:06.

  5. #5
    AplusWebMaster

    "Malware Update with Windows Update"

    FYI...

    - http://preview.tinyurl.com/24vtqw
    May 10, 2007 (Computerworld) - "Hackers are using the file transfer component used by Windows Update to sneak malware past firewalls, Symantec researchers* said today. The Background Intelligent Transfer Service (BITS) is used by Microsoft Corp.'s operating systems to deliver patches via Windows Update. BITS, which debuted in Windows XP and is baked into Windows Server 2003 and Windows Vista, is an asynchronous file transfer service with automatic throttling -- so downloads don't impact other network chores. It automatically resumes if the connection is broken... Microsoft was unable to immediately respond to questions about unauthorized BITS use."

    * http://preview.tinyurl.com/2dfohl

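    An added defensive check (not from the Computerworld or Symantec pieces above): enumerate every user's BITS jobs and flag downloads whose source is not a Microsoft update host, which is the abuse pattern the article describes. It assumes the BitsTransfer module (Windows 7 / Server 2008 R2 or later) and an elevated session, which -AllUsers requires; the allow-list is constructed for illustration.

```powershell
# Added example: list BITS jobs that pull from hosts outside a constructed
# allow-list. Not code from the thread, Symantec or Microsoft.
Import-Module BitsTransfer

# Hosts a legitimate Windows Update / Microsoft Update job is expected to use.
# Constructed allow-list; add your WSUS or other internal update servers.
$trustedHosts = @(
    '*.windowsupdate.com',
    '*.update.microsoft.com',
    '*.download.microsoft.com'
)

function Get-SuspiciousBitsJob {
    param([string[]]$AllowedHosts = $trustedHosts)

    # -AllUsers also returns jobs created under other accounts, including
    # SYSTEM, which is where malware-created transfers usually live.
    foreach ($job in Get-BitsTransfer -AllUsers) {
        foreach ($file in $job.FileList) {
            $uri = [uri]$file.RemoteName
            $trusted = $false
            foreach ($pattern in $AllowedHosts) {
                if ($uri.Host -like $pattern) { $trusted = $true; break }
            }
            if (-not $trusted) {
                [pscustomobject]@{
                    JobId       = $job.JobId
                    Owner       = $job.OwnerAccount
                    DisplayName = $job.DisplayName
                    State       = $job.JobState
                    RemoteUrl   = $file.RemoteName
                    LocalFile   = $file.LocalName
                }
            }
        }
    }
}

Get-SuspiciousBitsJob | Format-Table -AutoSize
```

    A hit is not proof of malware (browsers and third-party updaters also use BITS), but a job owned by SYSTEM with an unfamiliar remote URL and a local file under a user or temp directory deserves a look before it completes.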

  6. #6
    AplusWebMaster

    Problems with updates (surprise, surprise...)

    FYI...

    - http://isc.sans.org/diary.html?storyid=2792
    Last Updated: 2007-05-10 22:43:00 UTC ...(Version: 2) ~ "Some readers reported 99% CPU eaten up by svchost.exe after they had applied the recent batch of MS updates. Cause and effect are not quite clear, but a common thread seems to be that MS recommends a look at KBID 927891* and some readers have also pointed us to the WSUS Blog** where the same issue is mentioned. According to another ISC reader, to resolve the issue it is necessary to -first- apply 927891*, and then to do the WU client upgrade***..."

    * http://support.microsoft.com/?kbid=927891

    ** http://blogs.technet.com/wsus/archiv...update-on.aspx

    *** http://download.windowsupdate.com/v7...gent30-x86.exe

    Last edited by AplusWebMaster; 2007-05-11 at 03:55.

  7. #7
    AplusWebMaster

    Still failing? ...join the growing large club:

    - http://preview.tinyurl.com/ywkd4m
    May 11, 2007 ~ "Windows XP systems are still locking up during patch update attempts -- even after users deployed the fix suggested by Microsoft. Symptoms of the long-running problem -- which the Windows Server Update Services (WSUS) team dubbed the "svchost/msi issue" -- include 100 percent CPU usage by svchost.exe and its multiple processes during Automatic Updates scanning, update downloads, and sometimes even if AU is simply enabled on a machine... Every month at patch time, Microsoft's support boards fill with complaints from users... "Disabling Automatic Updates resolves the issue. [What] did Microsoft just release?" A hotfix*, updated just Thursday, is available on the Microsoft support site... The fix can be downloaded* and installed manually on Windows XP and Windows Server 2003 systems. Users will also need to download and install the new stand-alone WSUS 3.0 client -- even those who don't rely on the enterprise-centric WSUS for updates -- to completely patch the problem... The new client and the WSUS update to version 3.0 will be available to WSUS on May 22. Like the hotfix, the client can also be downloaded manually and installed now. Instructions and a link to the download have been posted to the MSDN (Microsoft Developers Network) site**. Thursday and Friday, however, users poured out their frustration on the WSUS blog after installing the hotfix and updating the WSUS client. "I installed both WindowsXP-KB927891-v3-x86 and WindowsUpdateAgent30-x86 on Windows XP SP2 boxes configured to get updates from a WSUS 2.0 server. The problem still exists," said Summit Tuladhar in a comment to the blog. "Doesn't appear that the fixes address the issue I experience on multiple machines," said ltpolaris. "This is clearly a very serious worldwide issue," said Alan O'Riordan. "I will advise the disabling of the Automatic Updates until a clear resolution is found"..."

    * http://support.microsoft.com/?kbid=927891

    ** http://msdn2.microsoft.com/en-us/library/aa387285.aspx

    ---------------------------------------------------------
    FYI... (something else to try)

    > http://isc.sans.org/diary.html?storyid=2792
    Last Updated: 2007-05-11 13:03:24 UTC ~ "...David from the UK (thanks David) writes the following on the svchost.exe issue.
    "The problem is due to the Automatic Update Service which uses the Generic Host Service which runs a svchost.exe process. If you switch off the Automatic Update Service the problem with svchost.exe using 100% of the CPU cycles stops. Once you have done all of the updates you can switch the Automatic Updates Service back on."

    Last edited by AplusWebMaster; 2007-05-12 at 10:07.

  8. #8
    AplusWebMaster

    MS ANS changes - June 2007...

    FYI...

    - http://blogs.technet.com/msrc/archiv...n-updates.aspx
    May 16, 2007 ~ "...This month we are announcing changes to our Advanced Notification Service (ANS) as well as some changes we are planning to make to the format of our security bulletins in June.
    ANS changes:
    ...Customers have also told us that additional information would be even more helpful. Based on that, we are incorporating additional detail about the upcoming security updates. We plan to implement this change with June’s ANS release on Thursday, June 7... the ANS subset will contain the following for each bulletin and not be grouped by just the platform:
    · Maximum Severity Rating
    · Impact of Vulnerability
    · Detection information
    · Affected Software
    Once the security bulletins are released on the second Tuesday of the month, the bulletin summary page will be updated with complete details...
    Security Bulletin Design Changes:
    ...Goals:
    · Move all applicable decision making information to the top of the page
    · Create a table of affected products (instead of a list) with links to the download location of the updates
    · Change the section titles to be more representative of the content under them
    · Re-arrange content to areas that make them more intuitive to find
    · Reduce some of the repetitive content in the bulletin...

    Preview:
    http://www.microsoft.com/technet/sec...ew-layout.mspx ..."


  9. #9
    AplusWebMaster

    Vista/Office2007 users miss updates ..."Failure to deploy"...

    FYI...

    - http://preview.tinyurl.com/ypm4qk
    May 21, 2007 (Computerworld) - "Office 2007 users running Windows Vista may not have realized that their systems had not received several of this month's patches, Microsoft Corp. said last week when it acknowledged that its security update services had failed to deploy the fixes.
    "We have updated the detection logic for the May 8th security and non-security updates for Office 2007," said Mark Griesi, a program manager with the Microsoft Security Response Center (MSRC), in an entry on the team's blog*. "In some cases, the original detection logic may not have offered the updates or the updates may not have been installed successfully on systems running Windows Vista," Griesi added. Only Vista users with Office 2007 on their hard drives who rely on Microsoft Update or Windows Server Update Services (WSUS) for patches were affected, Microsoft said. (Windows Vista calls its baked-in update service "Windows Update," but it actually uses the Microsoft Update technology.) The updates that may not have been deployed two weeks ago included ones for Excel 2007 and Office 2007 in general. All were rated "important," the second-highest ranking in Microsoft's four-level threat system... Administrators running WSUS must reapprove the updates, and end users served by WSUS will also be prompted again to install the fixes if they weren't installed correctly when the bulletins were first released. Griesi urged users to run Windows Update or WSUS again to guarantee that Office 2007 is up to date..."

    MSRC Blog entry:
    * http://preview.tinyurl.com/2l3seu

    > http://support.microsoft.com/?kbid=934233

    > http://support.microsoft.com/kb/934873
