Old MS Alerts

[AplusWebMaster]

FYI...

- http://www.theregister.co.uk/2009/05...ersity_server/
20 May 2009 - "Hackers have wasted no time targeting a gaping hole in Microsoft's Internet Information Services webserver, according to administrators at Ball State University, who say servers that used the program were breached on Monday... On Monday, Microsoft confirmed what it called an "elevation of privilege vulnerability" in versions 5 and 6 of IIS when it runs an extension known as WebDAV. Microsoft said at the time it was unaware of any in-the-wild exploits of the vulnerability. The assessment was at odds with this warning*..."
* http://www.us-cert.gov/current/index...n_services_iis
updated May 19, 2009 - "... US-CERT is also aware of publicly available exploit code and active exploitation of this vulnerability... note that disabling WebDAV may affect the functionality of other applications such as SharePoint..."

- http://www.theregister.co.uk/2009/05...tate_retracts/
21 May 2009 - "Network administrators at Ball State University have retracted their claims that a campus website was brought down by a zero-day vulnerability in Microsoft's Internet Information Services webserver... corrects an advisory campus officials issued Tuesday that claimed the breach was the result of someone targeting a vulnerability in versions 5 and 6 of IIS that allows attackers to list, access, and in some cases upload files in a password-protected folders of vulnerable machines. The vulnerability exists when IIS uses the WebDAV protocol. The advisory was featured prominently on the university's website. "Initially, both Microsoft and Ball State suspected the intruder used the WebDAV vulnerability that was made public by Microsoft on May 15," Proudfoot said..."

Corrected CVE:
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1676
Last revised: 05/20/2009
CVSS v2 Base Score: 7.6 (HIGH)

// http://forums.spybot.info/showpost.p...7&postcount=98

[AplusWebMaster]

FYI...

- http://www.theinquirer.net/inquirer/...ice-pack-light
26 May 2009 - "... Microsoft has finally released the next official first aid kit for Windows Vista - SP2. If you've been running the BETA of Service Pack 2 that was released last year, then you'll need to uninstall that before installing the official service pack. Plus, you'll also need to have Service Pack 1 installed first. Although the Service Pack hasn't made it to Windows Update yet, you can now grab the official downloads from Microsoft's Download Center. The installer includes Service Pack 2 for both Windows Vista and Windows Server 2008, resulting in a 348.3MB file for 32-bit version - and a 577.4MB file for 64-bit version. Despite the massive file size, however, there's not much to get excited about. The update mainly includes all of the bits and bobs that have been released since Service Pack 1, although this doesn't include Internet Explorer 8..."

- http://technet.microsoft.com/en-us/w.../dd262148.aspx
May 26, 2009

[AplusWebMaster]

FYI...

Microsoft Security Advisory (971778)
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution
- http://www.microsoft.com/technet/sec...ry/971778.mspx
May 28, 2009 - "Microsoft is investigating new public reports of a new vulnerability in Microsoft DirectX. The vulnerability could allow remote code execution if user opened a specially crafted QuickTime media file. Microsoft is aware of limited, active attacks that use this exploit code. While our investigation is ongoing, our investigation so far has shown that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable; all versions of Windows Vista and Windows Server 2008 are not vulnerable... Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers..."

- http://www.theregister.co.uk/2009/05...vulnerability/
28 May 2009 22:37 GMT - "... Microsoft has offered several work-arounds until a patch is available. The most straight-forward of them involves visiting this link* and clicking on the "Fix it" icon. (We got an error when using Firefox, but it worked fine with Internet Explorer)..."
* http://support.microsoft.com/kb/971778

> http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1537

- http://secunia.com/advisories/35268/2/
Release Date: 2009-05-29
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched...
Solution: Disable the parsing of QuickTime content in quartz.dll. Please see the vendor's advisory for more information. Do not browse untrusted websites or follow untrusted links. Do not open untrusted media files...

[AplusWebMaster]

FYI...

Problems confirmed with Vista SP2
- http://windowssecrets.com/comp/090604#known0
2009-06-04

[AplusWebMaster]

FYI...

- http://www.microsoft.com/technet/sec.../MS09-jun.mspx
June 4, 2009 - "This is an advance notification of security bulletins that Microsoft is intending to release on June 9, 2009...
(Total of -10-)

Critical -6-

Windows 1
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Windows 2
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

IE
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Internet Explorer...

Word
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...

Excel
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...

Office
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...

Important -3-

Windows 3
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Windows 4
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Windows 5
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Moderate -1-

Windows 6
Maximum Severity Rating: Moderate
Vulnerability Impact: Information Disclosure
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

- http://blogs.technet.com/msrc/archiv...ification.aspx
June 04, 2009

.

[AplusWebMaster]

FYI...

- http://www.microsoft.com/technet/sec.../MS09-jun.mspx
June 9, 2009 - "This bulletin summary lists security bulletins released for June 2009... The following table summarizes the security bulletins for this month in order of severity... (Total of -10-)

Critical -6-

Microsoft Security Bulletin MS09-018
Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055)
- http://www.microsoft.com/technet/sec.../MS09-018.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution, Denial of Service
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-022
Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution (961501)
- http://www.microsoft.com/technet/sec.../MS09-022.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-019
Cumulative Security Update for Internet Explorer (969897)
- http://www.microsoft.com/technet/sec.../MS09-019.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Internet Explorer ...
- http://atlas.arbor.net/briefs/
"...major update to IE 6, 7 and 8 for all platforms. This could affect thousands of users and, as we have seen, be used in drive by attacks for years to come. Source: MS09-019 ..."

Microsoft Security Bulletin MS09-027
Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (969514)
- http://www.microsoft.com/technet/sec.../MS09-027.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...

Microsoft Security Bulletin MS09-021
Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (969462)
- http://www.microsoft.com/technet/sec.../MS09-021.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...

Microsoft Security Bulletin MS09-024
Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution (957632)
- http://www.microsoft.com/technet/sec.../MS09-024.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office...

Important -3-

Microsoft Security Bulletin MS09-026
Vulnerability in RPC Could Allow Elevation of Privilege (970238)
- http://www.microsoft.com/technet/sec.../MS09-026.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-025
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537)
- http://www.microsoft.com/technet/sec.../MS09-025.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS09-020
Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)
- http://www.microsoft.com/technet/sec.../MS09-020.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...

Moderate -1-

Microsoft Security Bulletin MS09-023
Vulnerability in Windows Search Could Allow Information Disclosure (963093)
- http://www.microsoft.com/technet/sec.../MS09-023.mspx
Maximum Severity Rating: Moderate
Vulnerability Impact: Information Disclosure
Restart Requirement: Requires restart
Affected Software: Microsoft Windows...
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=6538
Last Updated: 2009-06-10 13:01:38 UTC ...(Version: 2)
___

- http://www.reuters.com/article/techn...090609?sp=true
Jun 9, 2009 - "Microsoft Corp issued software to fix 31 security flaws in its programs, a single-day record for the company whose products are targeted by hackers because they sit on the vast majority of computers..."
___

MSRT
- http://www.microsoft.com/security/ma...e/default.mspx
Version: 2.11
Knowledge Base (KB) Articles: http://support.microsoft.com/?kbid=890830
Date Published: 6/9/2009 ...
Recent adds:
Win32/Waledac - April 2009 (V 2.9) Moderate
Win32/Winwebsec - May 2009 (V 2.10) Moderate
Win32/InternetAntivirus - June 2009 (V 2.11) Moderate

[AplusWebMaster]

FYI...

Microsoft Security Advisory (971888)
Update for DNS Devolution
- http://www.microsoft.com/technet/sec...ry/971888.mspx
Published or Last Updated: 6/9/2009

Microsoft Security Advisory (971492)
Vulnerability in Internet Information Services Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/sec...ry/971492.mspx
Published: May 18, 2009 | Updated: June 9, 2009 - "... We have issued MS09-020 to address this issue..." - http://www.microsoft.com/technet/sec.../MS09-020.mspx

Microsoft Security Advisory (969898)
Update Rollup for ActiveX Kill Bits
- http://www.microsoft.com/technet/sec...ry/969898.mspx
June 9, 2009 - "Microsoft is releasing a new set of ActiveX kill bits with this advisory.
The update includes a kill bit from a previously published Microsoft Cumulative Update:
• Microsoft Visual Basic 6.0 Service Pack 6 Cumulative Update (KB957924)
- http://www.microsoft.com/downloads/d...displaylang=en
The update also includes kill bits for the following third-party software:
• Derivco. This security update sets a kill bit for an ActiveX control developed by Derivco. Derivco has released a security update that addresses a vulnerability in the affected component. For more information and download locations, see the security release from Derivco. This kill bit is being set at the request of the owner of the ActiveX controls...
• eBay Advanced Image Upload Component. This security update sets a kill bit for an ActiveX control developed by eBay. eBay has released a security update that addresses a vulnerability in the affected component. For more information and download locations, see the security release from eBay. This kill bit is being set at the request of the owner of the ActiveX controls...
• HP Virtual Room v7.0. This security update sets a kill bit for an ActiveX control developed by Research In Motion (RIM). RIM has released a security update that addresses a vulnerability in the affected component. For more information and download locations, see the security release from HP. This kill bit is being set at the request of the owner of the ActiveX controls..."

Microsoft Security Advisory (945713)
Vulnerability in Web Proxy Auto-Discovery (WPAD) Could Allow Information Disclosure
- http://www.microsoft.com/technet/sec...ry/945713.mspx
Published: December 3, 2007 | Updated: June 9, 2009 - "... We have issued MS09-008 to address the WPAD issue and have released configuration guidance and updates for DNS devolution in Microsoft Security Advisory 971888. The vulnerabilities addressed are DNS Server Vulnerability in WPAD Registration Vulnerability CVE-2009-0093 and WPAD WINS Server Registration Vulnerability CVE-2009-0094..."
- http://www.microsoft.com/technet/sec.../MS09-008.mspx
- http://www.microsoft.com/technet/sec...ry/971888.mspx
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0093
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0094

[AplusWebMaster]

FYI...

DirectShow Exploit In the Wild, Part II
- http://preview.tinyurl.com/lhmtkd
06-19-2009 Symantec Security Response Blog - "... With no patch for this vulnerability available as of yet, the fact that we are seeing this exploit used more commonly in the wild is worrying... To trigger this vulnerability, attackers are currently enticing users to visit a malicious page. Attackers have become quite adept at doing this by embedding iframe tags in legitimate pages, among other techniques. This is the most likely attack vector. We have seen iframe tags pointing to this exploit inside phishing pages already and we do expect to see iframe tags added to more pages. The vulnerability exists in the code within Microsoft DirectX and can be triggered by a specially crafted QuickTime media file. The attackers Web page will try to play the malicious QuickTime file, not using the QuickTime player, but using Windows Media Player instead. This will trigger the vulnerability and allow the attacker to execute code on the visitor’s computer. The vulnerable code exists in quartz.dll and is a null-byte overwrite. It allows the attacker to overwrite just one byte of memory with a null byte... (end-user) work-around*."
* http://support.microsoft.com/kb/971778#FixItForMeAlways
June 3, 2009 (Get the Enable Workaround "FixIt" here. MUST be run in Admin mode.)

- http://www.microsoft.com/technet/sec...ry/971778.mspx

> http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1537
Last revised: 06/09/2009
CVSS v2 Base Score: 9.3 (HIGH)
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service...

[AplusWebMaster]

FYI...

0-day in MS DirectShow (msvidctl.dll) used in drive-by attacks
- http://isc.sans.org/diary.html?storyid=6733
Last Updated: 2009-07-06 08:56:55 UTC - "A 0-day exploit within the msVidCtl component of Microsoft DirectShow is actively being exploited through drive-by attacks using thousands of newly compromised web sites, according to CSIS. The code has been published in the public domain via a number of Chinese web sites. Please keep a watchful eye on your AV and IDS/IPS vendors updates to ensure coverage as early as possible on this exploit as it is likely to be widely deployed with the code being available. A valid work around for the attack vector is available which set's the kill bit on the vulnerable DLL.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400 ..."

- http://securitylabs.websense.com/con...erts/3432.aspx
07.06.2009 - "Websense... is currently tracking -legitimate- sites that have been compromised to lead to a zero-day exploit targeting an Internet Explorer vulnerability. The compromised sites lead to a handful of payload sites hosting the exploit code which targets msvidctl.dll - an ActiveX control for streaming video. The new zero-day exploit has been added to other exploits on Chinese payload sites. We have been monitoring these sites, which have been systematically injected throughout the last year..."

- http://secunia.com/advisories/35683/2/
Release Date: 2009-07-06
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
OS: Microsoft Windows XP Home Edition, Microsoft Windows XP Professional ...
... The vulnerability is caused due to a boundary error in the ActiveX control for streaming video (msvidctl.dll) and can be exploited to cause a stack-based buffer overflow via specially crafted image content.
Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious website.
NOTE: The vulnerability is currently being actively exploited...
Solution: Set the kill-bit for the affected ActiveX control...

- http://www.f-secure.com/weblog/archives/00001716.html
July 6, 2009 - "... The exploit targets Microsoft Internet Explorer… so one work around is kind of obvious. Use some other browser besides Internet Explorer until this vulnerability is patched..."

>>> http://support.microsoft.com/kb/972890#FixItForMe
July 6, 2009 (Get the Enable Workaround "FixIt" here. MUST be run in Admin mode.)

[AplusWebMaster]

FYI...

Microsoft Security Advisory (972890)
Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution
- http://www.microsoft.com/technet/sec...ry/972890.mspx
July 06, 2009 - "Microsoft is investigating a privately reported vulnerability in Microsoft Video ActiveX Control. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention. We are aware of attacks attempting to exploit the vulnerability.
Our investigation has shown that there are no by-design uses for this ActiveX Control in Internet Explorer which includes all of the Class Identifiers within the msvidctl.dll that hosts this ActiveX Control. For Windows XP and Windows Server 2003 customers, Microsoft is recommending removing support for this ActiveX Control within Internet Explorer using all the Class Identifiers listed in the Workaround section. Though unaffected by this vulnerability, Microsoft is recommending that Windows Vista and Windows Server 2008 customers remove support for this ActiveX Control within Internet Explorer using the same Class Identifiers as a defense-in-depth measure. Customers may prevent the Microsoft Video ActiveX Control from running in Internet Explorer, either manually using the instructions in the Workaround section or automatically using the solution found in Microsoft Knowledge Base Article 972890*..."
* http://support.microsoft.com/kb/972890#FixItForMe
July 6, 2009 (Get the Enable Workaround "FixIt" here. MUST be run in Admin mode.)

- http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-0015
Last revised: 07/09/2009
CVSS v2 Base Score: 9.3 (HIGH)
Impact Type: Provides administrator access, Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service ...

- http://securitylabs.websense.com/con...logs/3434.aspx
07.09.2009