MS Alerts - 2007-Q4-2
FYI...
Microsoft Security Advisory (944653)
Vulnerability in Macrovision SECDRV.SYS Driver on Windows Could Allow Elevation of Privilege
-
http://www.microsoft.com/technet/security/advisory/944653.mspx
November 5, 2007 - "Microsoft is working with Macrovision, investigating new public reports of a vulnerability in the Macrovision secdrv.sys driver on supported editions of Windows Server 2003 and Windows XP. This vulnerability does not affect Windows Vista. We are aware of limited attacks that try to use the reported vulnerability. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process..."
http://www.macrovision.com/promolanding/7352.htm
-
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5587
:fear:
FYI...
Follow-up on Macrovision Secdrv exploit
-
http://www.symantec.com/enterprise/...g/2007/11/followup_on_macrovision_secdrv.html
November 6, 2007 - "...Microsoft posted Microsoft Security Advisory (944653) about this issue. With the release of this advisory, I’d like to answer a few follow-up questions for blog readers:
Q: I don’t play games and I don’t use Macrovision software, so am I safe?
A: No. The vulnerable component affected by the bug is the Macrovision driver SECDRV.SYS, which is shipped by default with Windows systems. It is usually installed under the %System%\drivers folder.
Q: Is Windows Vista affected by this vulnerability?
A: Vista is not affected. Only SECDRV versions shipped with Windows XP and 2003 are. Instead, the version shipped with Vista is a completely different driver, reworked and not vulnerable to this attack. All users should keep in mind that, in a multi-layered defense perspective, it is possible that malware dropped on the system via some other exploit (e.g. browser vulnerability or the recent PDF exploit) could potentially take advantage of the SECDRV bug to take further control of the computer and bypass other layers of protection.
Q: Where is the patch?
A: Macrovision released a version of the driver today (almost identical to the one shipped with Vista) that fixes this problem. The update is available here:
http://www.macrovision.com/promolanding/7352.htm
It’s not clear at the moment if Microsoft will distribute this update with the next cycle of Windows Update."
-
http://www.microsoft.com/technet/security/advisory/944653.mspx
Revisions:
• November 05, 2007: Advisory published
• November 07, 2007: Advisory revised to include identified workarounds for this vulnerability and additional information on what secdrv.sys is.
:fear:
FYI...
-
http://www.microsoft.com/technet/security/bulletin/ms07-nov.mspx
November 13, 2007
"...The security bulletins for this month are as follows, in order of severity:
Critical (1)
Microsoft Security Bulletin MS07-061
Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460)
-
http://www.microsoft.com/technet/security/bulletin/MS07-061.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows...
Important (1)
Microsoft Security Bulletin MS07-062
Vulnerability in DNS Could Allow Spoofing (941672)
-
http://www.microsoft.com/technet/security/bulletin/MS07-062.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Spoofing...
Affected Software: Windows...
------------------------------------
ISC Analysis
-
http://isc.sans.org/diary.html?storyid=3642
Last Updated: 2007-11-13 18:47:44 UTC
FYI...
-
http://www.eweek.com/article2/0,1759,2218894,00.asp?kc=EWRSS03119TX1K0000594
November 18, 2007 - "An MSN Messenger Trojan is growing a botnet by hundreds of infected PCs per hour, adding VMs to the mix as well... The malware is being introduced by MSN Messenger files posing as pictures, mostly seeming to come from known acquaintances. The files are a new type of Trojan that has snared several thousand PCs for a bot network within hours of its launch earlier on Nov. 18 and is being used to discover virtual PCs as a means of increasing its growth vector. The eSafe CSRT (Content Security Response Team) at Aladdin — a security company — detected the new threat propagating around noon EST on Nov. 18. At 18:00 UTC (Coordinated Universal Time), eSafe had detected 1 operator and more than 500 on-command bots in the network. Less than three hours later, or by 2:30 EST, when eWEEK spoke with Roei Lichtman, eSafe director of product management, the number had soared to several thousand PCs and was growing by several hundred systems per hour. eSafe is monitoring the IRC channel used to control the botnet. The only inhabitants of the network besides the operator are in fact infected PCs. The Trojan is an IRC bot that's spreading through MSN Messenger by sending itself in a .zip file with two names. One of the names includes the word "pics" as a double extension executable — a name generally used by scanners and digital cameras: for example, DSC00432.jpg.exe. The Trojan is also contained in a .zip file with the name "images" as a .pif executable — for example, IMG34814.pif... Given the familiar social engineering aspect of the attack, individuals are being urged to not open files sent unexpectedly from either friends or strangers..."
-
http://www.us-cert.gov/current/#msn_messenger_trojan
November 19, 2007 - "...The Trojan arrives as a chat message that appears to contain an image file, which, when opened, downloads and installs an Internet Relay Chat bot. These messages may appear to come from a known contact..."
:fear:
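The two naming tricks described in the eWEEK and US-CERT reports above (an image-looking name with a trailing executable extension such as DSC00432.jpg.exe, and a camera-style .pif name such as IMG34814.pif) are easy to check for at a mail or IM gateway. The following is an added example, not code from either report or from any vendor: the extension tables, the camera-name pattern and the in-memory sample archive are all constructed for the demonstration.

```python
"""
Added example: flag filenames that present an executable as a picture.
Covers the two patterns in the eWEEK/US-CERT reports: an image extension
followed by an executable one (DSC00432.jpg.exe) and a .pif file named
like a camera photo (IMG34814.pif).  Extension sets, the camera-name regex
and the sample archive below are constructed assumptions for this example.
"""
import io
import re
import zipfile

# Constructed tables; a production filter would carry a fuller list.
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "pdf", "doc", "txt"}
# Typical camera/scanner stems: DSC00432, IMG34814, DSCN0012, PICT0001
CAMERA_NAME = re.compile(r"^(dsc|dscn|img|pict)[ _-]?\d{3,}$", re.IGNORECASE)


def classify(filename):
    """Return the reasons a filename looks like a disguised executable.
    An empty list means nothing matched."""
    parts = filename.strip().lower().split(".")
    if len(parts) < 2:
        return []
    stem, exts = parts[0], parts[1:]
    last = exts[-1]
    if last not in EXECUTABLE_EXTS:
        return []                      # not executable: out of scope here
    reasons = []
    if any(e in DECOY_EXTS for e in exts[:-1]):
        reasons.append("double extension: document/image extension before ." + last)
    if CAMERA_NAME.match(stem):
        reasons.append("camera-style name with executable extension ." + last)
    if last == "pif":
        reasons.append(".pif program shortcut sent as a file")
    return reasons


def suspicious_members(zip_bytes):
    """Scan the member names of a zip archive (given as bytes) and map each
    suspicious name to its reasons.  Only names are examined, not content."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reasons = classify(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip(names):
    """Construct an in-memory zip with empty members (demonstration only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: the two names from the report plus benign files.
    sample = build_sample_zip(["DSC00432.jpg.exe", "IMG34814.pif",
                               "holiday.jpg", "readme.txt"])
    for name, why in suspicious_members(sample).items():
        print(name, "->", "; ".join(why))
```

The check deliberately looks only at names, so it is cheap enough to run on every transfer; it flags the report's samples and leaves ordinary photos and text files alone, while a plain "setup.exe" is not flagged by this heuristic and must be handled by whatever executable policy the gateway already applies.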
FYI...
-
http://preview.tinyurl.com/2sezx7
November 21, 2007 (Computerworld) - "Windows XP, Microsoft Corp.'s most popular operating system, sports the same encryption flaws that Israeli researchers recently disclosed in Windows 2000, Microsoft officials confirmed late Tuesday... As recently as last Friday, Microsoft hedged in answering questions about whether XP and Vista could be attacked in the same way, saying only that later versions of Windows "contain various changes and enhancements to the random number generator." Yesterday, however, Microsoft responded to further questions and acknowledged that Windows XP is vulnerable to the complex attack that Pinkas, Gutterman and Dorrendorf laid out in their paper, which was published earlier this month. Windows Vista, Windows Server 2003 and the not-yet-released Windows Server 2008, however, apparently use a modified or different random number generator; Microsoft said they were immune to the attack strategy. In addition, Microsoft said Windows XP Service Pack 3 (SP3), a major update expected sometime in the first half of 2008, includes fixes that address the random number generator problem... Because the company has determined that the PRNG problem is not a security vulnerability, it is unlikely to provide a patch."
:fear:
FYI...
Microsoft Security Advisory (945713)
Vulnerability in Web Proxy Auto-Discovery (WPAD) Could Allow Information Disclosure
-
http://www.microsoft.com/technet/security/advisory/945713.mspx
December 3, 2007 - "Microsoft is investigating new public reports of a vulnerability in the way Windows resolves hostnames that do not include a fully-qualified domain name (FQDN). The technology that the vulnerability affects is Web Proxy Auto-Discovery (WPAD). Microsoft has not received any information to indicate that this vulnerability has been publicly used to attack customers, and Microsoft is not aware of any customer impact at this time. Microsoft is aggressively investigating the public reports. Customers whose domain name begins in a third-level or deeper domain, such as “contoso.co.us”, or for whom the following mitigating factors do not apply, are at risk from this vulnerability. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers...
Mitigating Factors:
• Customers who do not have a primary DNS suffix configured on their system are not affected by this vulnerability. In most cases, home users that are not members of a domain have no primary DNS suffix configured. Connection-specific DNS suffixes may be provided by some Internet Service Providers (ISPs), and these configurations are not affected by this vulnerability.
• Customers whose DNS domain name is registered as a second-level domain (SLD) below a top-level domain (TLD) are not affected by this vulnerability. Customers whose DNS suffixes reflect this registration would not be affected by this vulnerability. An example of a customer who is not affected is contoso.com or fabrikam.gov, where “contoso” and “fabrikam” are customer registered SLDs under their respective “.com” and “.gov” TLDs.
• Customers who have specified a proxy server via DHCP server settings or DNS are not affected by this vulnerability.
• Customers who have a trusted WPAD server in their organization are not affected by this vulnerability. (See the Workaround section for specific steps in creating a WPAD.DAT file on a WPAD server.)
• Customers who have manually specified a proxy server in Internet Explorer are not at risk from this vulnerability when using Internet Explorer.
• Customers who have disabled 'Automatically Detect Settings' in Internet Explorer are not at risk from this vulnerability when using Internet Explorer..."
-
http://secunia.com/advisories/27901/
"...WPAD feature resolves "wpad" hostnames up to the second-level domain, which is potentially untrusted. This can be exploited to conduct man-in-the-middle attacks against third-level or deeper domains..."
:fear:
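The mitigating factors above all come down to one question: when an unqualified name like "wpad" is devolved against the primary DNS suffix, does any of the resulting lookups land on a suffix the organisation does not own? The following is an added example, not code from Microsoft or Secunia, that models the devolution behaviour the advisory describes and flags such lookups; it also simulates why a WPAD entry in the organisation's own zone (mitigating factor four) stops the risky query from ever being sent. The devolution stop rule (two labels) and the small public-suffix table are assumptions of the example, as is the constructed DNS zone.

```python
"""
Added example: model DNS suffix devolution for the "wpad" name as described
in Microsoft Security Advisory 945713 and flag lookups that fall outside
the organisation's registered domain.  Assumptions (not from the advisory):
a devolving resolver stops once the suffix has two labels, and the short
PUBLIC_SUFFIXES table stands in for the real Public Suffix List.
"""

# Constructed, deliberately short table of registry-controlled suffixes.
PUBLIC_SUFFIXES = {
    "com", "net", "org", "gov", "edu", "us", "uk",
    "co.us", "co.uk", "ac.uk",
}


def devolve(hostname, primary_suffix):
    """Return (fqdn, suffix) pairs a devolving resolver would try, most
    specific first, stopping at a two-label suffix.  No primary suffix
    means no devolution at all (mitigating factor one)."""
    labels = [l for l in primary_suffix.lower().strip(".").split(".") if l]
    candidates = []
    while len(labels) >= 2:
        suffix = ".".join(labels)
        candidates.append((hostname.lower() + "." + suffix, suffix))
        labels = labels[1:]
    return candidates


def unsafe_lookups(hostname, primary_suffix, public_suffixes=PUBLIC_SUFFIXES):
    """Candidates whose suffix is a public suffix: a name the organisation
    does not control and that an outsider could register."""
    return [fqdn for fqdn, suffix in devolve(hostname, primary_suffix)
            if suffix in public_suffixes]


def wpad_exposed(primary_suffix, public_suffixes=PUBLIC_SUFFIXES):
    """True when automatic proxy discovery would query a name outside the
    organisation's own domain (the advisory's third-level-or-deeper case)."""
    return bool(unsafe_lookups("wpad", primary_suffix, public_suffixes))


def resolve_devolving(hostname, primary_suffix, zone):
    """Simulate a devolving resolver against `zone`, a constructed
    name -> address dict.  Returns (answered_name, address, names_queried);
    the resolver stops at the first name that exists."""
    queried = []
    for fqdn, _ in devolve(hostname, primary_suffix):
        queried.append(fqdn)
        if fqdn in zone:
            return fqdn, zone[fqdn], queried
    return None, None, queried


if __name__ == "__main__":
    for suffix in ["contoso.co.us", "corp.contoso.com", "fabrikam.gov", ""]:
        print(f"{suffix or '(none)':>20}: exposed={wpad_exposed(suffix)} "
              f"unsafe={unsafe_lookups('wpad', suffix)}")
    # With a trusted WPAD host in the organisation's own zone, devolution
    # never reaches the public suffix.
    zone = {"wpad.contoso.co.us": "10.0.0.5"}   # constructed
    print(resolve_devolving("wpad", "contoso.co.us", zone))
    print(resolve_devolving("wpad", "contoso.co.us", {}))
```

Run as-is it prints which of the example suffixes are exposed and shows that the empty zone leads to a query for wpad.co.us while the populated one answers at wpad.contoso.co.us and stops. Swapping the suffix table for a real Public Suffix List turns this into a usable audit of an organisation's configured DNS suffixes.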
FYI...
-
http://www.microsoft.com/technet/security/bulletin/ms07-dec.mspx
Published: December 11, 2007
Version: 1.0
"This bulletin summary lists security bulletins released for December 2007..."
Critical (3)
Microsoft Security Bulletin MS07-064
Vulnerabilities in DirectX Could Allow Remote Code Execution (941568)
-
http://www.microsoft.com/technet/security/bulletin/MS07-064.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows, DirectX, DirectShow...
Microsoft Security Bulletin MS07-068
Vulnerability in Windows Media File Format Could Allow Remote Code Execution (941569 and 944275)
-
http://www.microsoft.com/technet/security/bulletin/MS07-068.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows, Windows Media Format Runtime...
Microsoft Security Bulletin MS07-069
Cumulative Security Update for Internet Explorer (942615)
-
http://www.microsoft.com/technet/security/bulletin/MS07-069.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows, Internet Explorer...
Important (4)
Microsoft Security Bulletin MS07-063
Vulnerability in SMBv2 Could Allow Remote Code Execution (942624)
-
http://www.microsoft.com/technet/security/bulletin/MS07-063.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows...
Microsoft Security Bulletin MS07-065
Vulnerability in Message Queuing Could Allow Remote Code Execution (937894)
-
http://www.microsoft.com/technet/security/bulletin/MS07-065.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Windows...
Microsoft Security Bulletin MS07-066
Vulnerability in Windows Kernel Could Allow Elevation of Privilege (943078)
-
http://www.microsoft.com/technet/security/bulletin/MS07-066.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...
Affected Software: Windows...
Microsoft Security Bulletin MS07-067
Vulnerability in Macrovision Driver Could Allow Local Elevation of Privilege (944653)
-
http://www.microsoft.com/technet/security/bulletin/MS07-067.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Local Elevation of Privilege...
Affected Software: Windows..."
===================================
ISC Analysis
-
http://isc.sans.org/diary.html?storyid=3735
Last Updated: 2007-12-11 19:14:09 UTC
===================================
-
http://blog.washingtonpost.com/securityfix/2007/12/microsoft_plugs_11_windows_sec.html
December 11, 2007 - "...December's seven update bundles include fixes for four separate security holes in Internet Explorer 6 and IE7, vulnerabilities that are considered critical for Windows 2000, Windows XP and Windows Vista users. Microsoft rates a flaw "critical" if it can be exploited to break into vulnerable systems with little or no help from the user, save perhaps for browsing a Web site or by clicking on a malicious link in an e-mail or instant message. The IE patch is probably the most important update Redmond issued this month, as the vulnerabilities it corrects have the potential to affect the largest number of people. Microsoft said that criminals already exploited one of the IE flaws to remotely compromise IE users. Microsoft also issued critical updates to fix at least two different problems with the way Windows handles the processing and display of various video and audio files..."
:santa: