Old MS Alerts

Microsoft Security Advisory (950627)

FYI...

Microsoft Security Advisory (950627)
Vulnerability in Microsoft Jet Database Engine (Jet) Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/950627.mspx
March 21, 2008 - "Microsoft is investigating new public reports of very limited, targeted attacks using a vulnerability in the Microsoft Jet Database Engine that can be exploited through Microsoft Word.
Customers running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not vulnerable to the buffer overrun being attacked, as they include a version of the Microsoft Jet Database Engine that is not vulnerable to this issue.
Customers using Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007, and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1 are vulnerable to these attacks.
Microsoft is investigating the public reports and customer impact. We are also investigating whether the vulnerability can be exploited through additional applications. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers..."

- http://secunia.com/advisories/14896/
Last Update: 2008-03-24
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched...
...affects versions of msjet40.dll prior to 4.0.9505.0...

:fear:
 
MS08-014 Excel exploit released

FYI...

- http://www.symantec.com/avcenter/threatcon/learnabout.html
(03.22.2008) - "...On March 21, 2008 a public exploit was released for the Microsoft Excel Header Parsing Remote Code Execution Vulnerability (BID 27305). This vulnerability was originally published on January 15, 2008 as an unidentified issue due to reports of targeted exploitation occurring in the wild. It was later patched as part of MS08-014 on March 11, 2008, which addressed a number of different Excel issues.
Microsoft Excel Header Parsing Remote Code Execution Vulnerability
( http://www.securityfocus.com/bid/27305 )
MS08-014 ( http://www.microsoft.com/technet/security/Bulletin/MS08-014.mspx ) This is the first of the issues addressed by MS08-014 to have a public exploit available and therefore will likely see public exploitation in the future. The vulnerability specifically involves an uninitialized stack variable issue which was explained by Microsoft in a recent blog posting:
MS08-014: The Case of the Uninitialized Stack Variable Vulnerability
( http://preview.tinyurl.com/2lw6c6 ) [blogs.technet.com/swi]
At the time of writing we are not aware of any public exploitation incidents involving this exploit, however we are anticipating attacks to occur in the near future. Users are advised to apply the updates available in the MS08-014 bulletin immediately. Those unable to do so are advised to review the workarounds listed in the bulletin and avoid opening Excel documents where possible."

:fear:
 
MS Jet Database Engine vulnerability...

RE: http://www.microsoft.com/technet/security/advisory/950627.mspx

- http://isc.sans.org/diary.html?storyid=4192
Last Updated: 2008-03-25 00:41:39 UTC - "...A few minutes ago Microsoft has posted more details about this issue on the MSRC blog*. Summarizing:
- The Jet Database Engine vulnerability is well-known since March 2005. The main issue now is that it can be exploited through a new attack vector, Microsoft Word (specifically two DOC files), avoiding the mitigations enforced by Outlook and Exchange over this unsafe file type (MDB).
- Microsoft is currently working on the fixes, evaluating if an update may prevent Word from opening MDB files, and checking how to apply the fixed msjet40.dll currently available for Windows Server 2003 SP2, Windows Vista, and beta versions of Windows XP SP3 in other OS versions.
- In the meantime, apart from the general recommendation of not opening untrusted MS Word files, you can follow the two workarounds detailed on the initial advisory:
o Computer-based workaround: Restrict the Microsoft Jet Database Engine from running through the "cacls" command, used to modify the access control lists (ACLs) of files. Applications requiring the Jet Database Engine will not function.
o Infrastructure-based workaround: Block specific files at your mail gateway based on string signatures (if it provides file inspection capabilities). The associated strings plus implementation details for specific mail gateways are detailed on the advisory..."
* http://preview.tinyurl.com/2lvatz
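As an added example (it is not part of the advisory or of the ISC post above), the version check from the Secunia note and the "cacls" computer-based workaround can be scripted so the state of a host is visible before and after the change. It assumes the cacls syntax "/E /P everyone:N" to deny the Everyone group and "/E /R everyone" to revoke that entry again, the 4.0.9505.0 threshold quoted from Secunia, and a SysWOW64 copy of msjet40.dll on 64-bit installs (an assumption); on a non-English Windows the group name "everyone" is localized and must be adjusted.

```powershell
# Added example, not from the advisory: report msjet40.dll version and apply/revert the cacls workaround.
# Usage:  .\jet-workaround.ps1            (report only)
#         .\jet-workaround.ps1 -Apply     (deny Everyone on a vulnerable msjet40.dll)
#         .\jet-workaround.ps1 -Revert    (remove that deny entry again)
# Run from an administrative prompt.
param(
    [switch]$Apply,
    [switch]$Revert
)

# First non-vulnerable build, per the Secunia note quoted above.
$fixedVersion = New-Object System.Version '4.0.9505.0'

# Jet is a 32-bit component; on 64-bit Windows a copy lives under SysWOW64 (assumption).
$candidates = @(
    (Join-Path $env:windir 'system32\msjet40.dll'),
    (Join-Path $env:windir 'SysWOW64\msjet40.dll')
)

foreach ($dll in $candidates) {
    if (-not (Test-Path $dll)) { continue }

    # Build the version from the numeric parts rather than parsing the
    # FileVersion string, which carries trailing text on some binaries.
    $vi = (Get-Item $dll).VersionInfo
    $installed = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    $vulnerable = ($installed -lt $fixedVersion)

    if ($vulnerable) { $state = 'VULNERABLE (older than 4.0.9505.0)' } else { $state = 'not affected' }
    Write-Host ("{0}: {1} - {2}" -f $dll, $installed, $state)

    if ($Apply -and $vulnerable) {
        # "N" = no access for Everyone; /E edits the existing ACL instead of
        # replacing it. Anything that needs Jet (Access, Jet-backed ODBC
        # sources, ...) stops working until this is reverted.
        & cacls $dll /E /P everyone:N
    }
    elseif ($Revert) {
        # Revoke the Everyone entry added above; the original rights remain.
        & cacls $dll /E /R everyone
    }

    # Show the resulting ACL so the change (or its absence) can be verified.
    & cacls $dll
}
```

The deny entry blocks loading of the library for every account, which is why the advisory warns that applications requiring Jet stop functioning; the report-only mode is the one to run first across a fleet, and the revert is what gets run once a fixed msjet40.dll has been installed.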
 
MS Windows XP SP3

FYI...

- http://www.techarp.com/showarticle.aspx?artno=521&pgno=0
20-03-2008 - "...Due to the changes in language releases and Windows XP SP3 RTM's release, here's the updated schedule.

1. Chinese (Simplified), English, French, German, Japanese, Korean, and Spanish...
Second half of April 2008

2. Arabic, Chinese (Hong Kong), Chinese (Traditional), Czech, Danish, Dutch, Finnish, Greek, Hebrew, Hungarian, Italian, Norwegian, Polish, Portuguese (Brazilian), Portuguese (Portugal), Russian, Swedish, and Turkish...
Approximately 21 days after Wave 1 RTM

With the exception of Windows XP Media Center Edition and Windows XP Tablet Edition, Windows XP Service Pack 3 will be released in both standalone and integrated formats. It will be available in both CD and DVD formats, except for the Japanese language version which will only be in DVD format..."

:blink:
 
MS08-014 Excel exploit "in the wild"

FYI...

- http://www.symantec.com/avcenter/threatcon/learnabout.html
(2008.03.26) - "...This issue is now being exploited by a website in the wild. The attack vector that is used differs from what is typically observed for this type of vulnerability. Normally, an attacker will spam Excel files to potential victims so as to leverage the vulnerability. In this case, the exploit is hosted on a site, and the victim is silently redirected to the exploit in a similar strategy to how ActiveX client-side vulnerabilities are exploited. Specifically, the exploit XLS document is hosted in the domain 'lntop.info'. Victims are then redirected to this site through an IFRAME that is embedded in another site... Symantec AntiVirus detects the malicious XLS file as Trojan.Mdropper.AA. Customers are advised to:
- Ensure that antivirus software is up to date.
- Block access to the domain 'lntop.info'.
- Install the updates in the Microsoft Security Bulletin MS08-014."

> http://www.microsoft.com/technet/security/Bulletin/MS08-014.mspx

:fear::spider::fear:
 
MS08-016 exploit released

FYI...

- http://preview.tinyurl.com/2szypl
March 31, 2008 (Computerworld) - "...The exploit, which was posted yesterday to the Milw0rm.com Web site, takes advantage of one of two flaws fixed by Microsoft in its MS08-016* security update. Microsoft issued the update on March 11 as part of a four-bulletin batch... "The exploit that is currently available uses a PowerPoint file to leverage the vulnerability on Office XP SP3," said Symantec Corp. analyst Anthony Roe in an alert to customers of the company's DeepSight threat network. "The payload is designed to execute the 'calc.exe' calculator program on Windows. However, it will not be difficult to modify this exploit to add a malicious payload"..."
* http://www.microsoft.com/technet/security/bulletin/ms08-016.mspx?
Revisions:
• V1.0 (March 11, 2008): Bulletin published.
• V1.1 (March 12, 2008): Bulletin updated. FAQ added to clarify the reason why a non-vulnerable version of Office will be offered this update. Also removed MS07-015 as a replaced bulletin for Microsoft Office XP Service Pack 3.
• V1.2 (March 26, 2008): Bulletin updated. Added MS07-025 as a replaced bulletin for Microsoft Office 2003 Service Pack 2.

:fear:
 
MS Security Bulletin Advance Notification - April 2008

FYI...

- http://www.microsoft.com/technet/security/bulletin/ms08-apr.mspx
April 3, 2008 - "This is an advance notification of -eight- security bulletins that Microsoft is intending to release on April 8, 2008...

Critical (5)

Microsoft Security Bulletin 1
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Microsoft Security Bulletin 2
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin 3
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin 4
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows, Internet Explorer...

Microsoft Security Bulletin 5
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
...The update requires a restart.
Affected Software: Microsoft Windows, Internet Explorer...


Important (3)

Microsoft Security Bulletin 6
Maximum Severity Rating: Important
Impact of Vulnerability: Spoofing
...The update requires a restart.
Affected Software: Microsoft Windows...

Microsoft Security Bulletin 7
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege
...The update requires a restart.
Affected Software: Microsoft Windows...

Microsoft Security Bulletin 8
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution
...The update does -not- require a restart.
Affected Software: Microsoft Office...

---

Microsoft Windows Malicious Software Removal Tool
Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

Non-Security, High-Priority Updates on MU, WU, and WSUS
For information about non-security releases on Windows Update and Microsoft update, please see:

Description of Software Update Services and Windows Server Update Services changes in content for 2008. Includes all Windows content.
- http://support.microsoft.com/kb/894199/en-us

New, Revised, and Released Updates for Microsoft Products Other Than Microsoft Windows.
- http://technet.microsoft.com/en-us/wsus/bb466214.aspx ...
 
More "ActiveX" exploits in the wild

FYI...

- http://preview.tinyurl.com/5omupm
April 7, 2008 (Computerworld) - " Hackers are using a new multiple-attack package composed of seven ActiveX exploits, many of them never seen in the wild before, said a security company on Friday... The attack framework probes Windows PCs for vulnerable ActiveX controls from software vendors Microsoft, Citrix Systems and Macrovision, as well as hardware makers D-Link Corp., Hewlett-Packard, Gateway and Sony... said Symantec researcher Patrick Jungles, who wrote an analysis of the multistrike package for customers of the company's DeepSight threat service. According to Jungles, visitors to compromised Web sites are redirected by a rogue IFRAME to a malicious site serving the package. The attack pack tests the victim's PC for each ActiveX control, detects whether a vulnerable version of a control is installed, and then launches an attack when it finds one... The seven exploited in the package outlined by Jungles are a mix of old and brand-new flaws... Four of the seven ActiveX flaws - those in the D-Link, Gateway, Sony, and Macrovision products - have not been patched, said Jungles... Jungles' report recommended that users apply patches, when they're available, and set the "kill bit" on those ActiveX controls which have not yet been updated by their makers."

:fear::fear:
 
FYI...

- http://preview.tinyurl.com/3gnxtp
April 07, 2008 (MS Vista blog) - "... The Microsoft Update Blog* contains some important information about updates to the SP1 prerequisite distribution plan. Starting tomorrow, we are resuming the automatic update and installation of the Servicing Stack Update. In mid-April, we will begin distributing SP1 (in the first 5 languages) using the Automatic Update system. We have a lot of Windows users, so not everyone will get it on the same day. In fact, it will go to a small percentage of Windows Vista users each day..."
* http://preview.tinyurl.com/3fdyu2
April 07, 2008 6:12 PM by Microsoft Update Team Blog - "...you may have read that a few customers experienced an endless reboot cycle while installing one of the prerequisites: KB937287**, the Servicing Stack Update (SSU), which contains the Service Pack 1 installation program. As posted last month on the Windows Vista blog, we suspended automatic distribution of the SSU while we investigated the problem. Over the past few weeks, we’ve learned a lot more about the problem and have taken steps to address the issue. Today, we’d like to let you know that we are resuming automatic distribution of the SSU tomorrow and provide more clarity on what happened.
To clear up any concerns for those of you who have already installed the update: There is no problem with the files that make up the Servicing Stack Update (KB937287**); the problem some customers encountered was with the installation process for the update. That means if you already have the update installed, you do not need to uninstall it or install the rereleased version of the update.
- So what caused the problem? Well, the SSU has special code to check whether there are any pending reboots or other updates to install. If it sees either of these circumstances, it prevents the install from starting. During our investigation, we discovered that there were a few unknown and rare events during the middle of the installation of the update that could cause the update to think it needed a reboot to complete the installation. If this happened, the system entered a repeating reboot loop.
To address this problem for people who have not already installed the SSU, we are releasing a fix tomorrow which will install prior to the SP1 Servicing Stack Update. This pre-SSU update helps to ensure a smooth install of the SSU by working to prevent the system from rebooting during the SP1 SSU installation. We also made additional changes to the SSU installer code, so that it checks for and requires the pre-SSU (KB949939) before it will install. These two updates should now install seamlessly through Windows Update, in the proper order, so those of you with WU set to “install updates automatically” who haven’t already installed the SSU don’t have to take any further action..."
** http://support.microsoft.com/kb/937287

 
MS Security Bulletin Summary - April 2008

FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS08-apr.mspx
April 8, 2008 - "This bulletin summary lists security bulletins released for April 2008...

Critical (5)

Microsoft Security Bulletin MS08-018
Vulnerability in Microsoft Project Could Allow Remote Code Execution (950183)
- http://www.microsoft.com/technet/security/Bulletin/MS08-018.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

Microsoft Security Bulletin MS08-021
Vulnerabilities in GDI Could Allow Remote Code Execution (948590)
- http://www.microsoft.com/technet/security/Bulletin/MS08-021.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-022
Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338)
- http://www.microsoft.com/technet/security/Bulletin/MS08-022.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-023
Security Update of ActiveX Kill Bits (948881)
- http://www.microsoft.com/technet/security/Bulletin/MS08-023.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows, Internet Explorer...

Microsoft Security Bulletin MS08-024
Cumulative Security Update for Internet Explorer (947864)
- http://www.microsoft.com/technet/security/Bulletin/MS08-024.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Windows, Internet Explorer...


Important (3)

Microsoft Security Bulletin MS08-020
Vulnerability in DNS Client Could Allow Spoofing (945553)
- http://www.microsoft.com/technet/security/Bulletin/MS08-020.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Spoofing...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-025
Vulnerability in Windows Kernel Could Allow Elevation of Privilege (941693)
- http://www.microsoft.com/technet/security/Bulletin/MS08-025.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege...
Affected Software: Microsoft Windows...

Microsoft Security Bulletin MS08-019
Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (949032)
- http://www.microsoft.com/technet/security/Bulletin/MS08-019.mspx
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution...
Affected Software: Microsoft Office...

---------------------------------------

ISC Analysis
- http://isc.sans.org/diary.html?storyid=4264
Last Updated: 2008-04-08 17:42:25 UTC
 
MS08-021 in-the-wild exploit attempts

FYI...

- http://isc.sans.org/diary.html?storyid=4274
Last Updated: 2008-04-10 21:20:25 UTC - "It appears that Symantec has raised the Threatcon to Level 2 this afternoon...
- http://www.symantec.com/security_response/threatcon/index.jsp
'...The DeepSight honeynet has observed in-the-wild exploit attempts targeting a GDI vulnerability patched by Microsoft on April 8, 2008. The malicious image appears to target the Microsoft Windows GDI Stack Overflow Vulnerability (BID 28570). At least three different sites are hosting the images; two different malicious binaries are associated with the attacks. Analysis of the images has shown that although they appear to be malicious, they do not contain enough data in the associated image property to sufficiently trigger the vulnerability. We are still investigating as to why this may be the case. Users are advised to apply the MS08-021* patches immediately. These attack attempts highlight the severity of this issue -- it is only a matter of time before new images that successfully trigger the issue are observed in the wild... some of the associated malware that is delivered with the attack is not detected...'
* http://www.microsoft.com/technet/security/Bulletin/MS08-021.mspx
(Microsoft Security Bulletin MS08-021 – Critical
Vulnerabilities in GDI Could Allow Remote Code Execution (948590)
Published: April 8, 2008 ...)
...If you haven't already patched do so now and don't forget to remind your users not to open image files."
---------------------------------------------------

Exploiting Latest GDI Vulnerability Found in the Wild
- http://preview.tinyurl.com/4nkzn8
April 10, 2008 (Symantec Security Response Weblog) - "...It is possible that these exploits either have been leaked and are "in-work" copies, or that they are functional on some platform that we have not tested. However, the exploit (named "top.jpg") does contain functional payload, which downloads a secondary file (word.gif). Word.gif is really an executable that would be run following a successful infection. Its main function would be to use iexplore.exe to contact a few hosts in China, presumably to download additional malicious code..."

:fear::fear:
 
FYI...

April 2008 - Black Tuesday Overview
- http://isc.sans.org/diary.html?storyid=4264
Last Updated: 2008-04-11 13:59:44 UTC
"...
MS08-021 ...Symantec has reported non-working exploits in the wild...
- http://www.symantec.com/security_response/threatcon/index.jsp
"...Users are advised to apply the MS08-021 patches immediately. These attack attempts highlight the severity of this issue -- it is only a matter of time before new images that successfully trigger the issue are observed in the wild..."

MS08-023 ...PoC exploits were posted on the internet...
( 3rd party killbit for Yahoo! Music Jukebox activeX control )

:fear:
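The "kill bit" recommended in the ActiveX exploit-pack post above, and the MS08-023 / third-party kill bits mentioned in this overview, are the same mechanism: a DWORD named "Compatibility Flags" with bit 0x400 set under the control's CLSID in the ActiveX Compatibility registry key, which makes Internet Explorer refuse to instantiate that control. The script below is an added example, not code from Symantec, ISC or Microsoft; the CLSID it uses is a placeholder (assumption) to be replaced with the real CLSID of the affected control, and writing the Wow6432Node view on 64-bit Windows is also an assumption about what the operator wants.

```powershell
# Added example, not from the posts above: set and verify an ActiveX kill bit.
# Run from an administrative prompt. The CLSID is a placeholder; substitute the
# CLSID of the control being blocked (it is not given on this page).
$ClsidToKill = '{00000000-0000-0000-0000-000000000000}'

# Bit 0x400 in "Compatibility Flags" is the kill bit.
$KillBit = 0x400

function Get-KillBitKeys([string]$Clsid) {
    # 32-bit IE on 64-bit Windows reads the Wow6432Node view, so both are written (assumption).
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Test-KillBit([string]$Clsid) {
    # True only if every applicable registry view carries the kill bit.
    foreach ($key in Get-KillBitKeys $Clsid) {
        if (-not (Test-Path $key)) { return $false }
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (([int]$flags -band $KillBit) -ne $KillBit) { return $false }
    }
    return $true
}

function Set-KillBit([string]$Clsid) {
    foreach ($key in Get-KillBitKeys $Clsid) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the bit in so any other compatibility flags already present survive.
        $flags = [int]$flags -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
    }
}

Set-KillBit $ClsidToKill
if (Test-KillBit $ClsidToKill) {
    Write-Host "kill bit set for $ClsidToKill"
} else {
    Write-Warning "kill bit NOT set for $ClsidToKill"
}
```

The kill bit does not remove or patch the control; it only stops IE from loading that CLSID, which is why it is the stopgap for the four unpatched controls in the Symantec report. Vendors that ship a fixed control typically give it a new CLSID, so the old entry stays blocked after the update.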
 
FYI...

Elevated ATLAS Threat Index - GDI Exploits in the Wild
- http://asert.arbornetworks.com/2008/04/elevated-atlas-threat-index-gdi-exploits-in-the-wild/
April 11, 2008 - "The ATLAS Threat Index is used to track global security issues as a barometer, and we're raising the index (something we don't do very often). We are doing so because we see evidence that the GDI vulnerability - MS08-021 - is being exploited in the wild. We have not yet seen widespread attacks, but we anticipate that this attack vector will grow in popularity in the coming days, similar to the WMF and ANI attack vectors in the past couple of years..."

- http://www.us-cert.gov/current/#active_exploitation_of_gdi_vulnerabilities
April 11, 2008 - "US-CERT is following public reports indicating that attackers are attempting to exploit vulnerabilities in GDI. These vulnerabilities are due to buffer overflow conditions that exist in the processing of EMF and WMF image files. By convincing a user to open a specially crafted EMF or WMF file, a remote attacker may be able to execute arbitrary code. These vulnerabilities were addressed in Microsoft Security Bulletin MS08-021. Users who have not applied this patch are vulnerable..."

:fear:
 
FYI...

- http://isc.sans.org/diary.html?storyid=4264
Last Updated: 2008-04-16 01:23:53 UTC ...(Version: 5)

Overview of the April 2008 Microsoft patches and their status...

MS08-020 - DNS client - Update: well published problem

MS08-021 - GDI - Update: April 11th: Arbor networks reporting exploits in the wild

MS08-022 - Scripting engines - Update: PoC available in a for-pay program

MS08-023 - ActiveX - PoC exploits were posted on the internet

MS08-025 - Windows kernel - Proof of concept available in a for-pay program

:fear::spider::fear:
 
Vista SP1 notes...

FYI...

- http://www.theregister.co.uk/2008/04/16/vista_defender_sp1/
16 April 2008 - "Microsoft has admitted it is investigating reports that a recent Windows Vista security update causes havoc with some USB devices, but the software giant is yet to provide a fix for the cock-up. The Windows Defender update was released last week, but some unfortunate Vista customers have claimed that their USB mice and keyboards among other devices refuse to work after the update is installed on their computers... the automatic version of the (SP1) download remains missing in action. Redmond had chalked mid-April as the date when SP1 would start downloading onto computers across the world..."

:sad:
 
FYI...

Microsoft Security Advisory (951306)
Vulnerability in Windows Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/951306.mspx
April 17, 2008 - "Microsoft is investigating new public reports of a vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Service Pack 2 and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008. Customers who allow user-provided code to run in an authenticated context, such as within Internet Information Services (IIS) and SQL Server, should review this advisory. Hosting providers may be at increased risk from this elevation of privilege vulnerability. Currently, Microsoft is not aware of any attacks attempting to exploit the potential vulnerability. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers..."
 
FYI...

(Another tale of "Windows Genuine Annoyance" - an Office nag)
- http://preview.tinyurl.com/4wona3
April 19, 2008 (Computerworld) - "... By early Wednesday, administrators in the U.S., the U.K., New Zealand and elsewhere were posting messages on Microsoft support newsgroups, asking why their WSUS systems had received the Office nag. In some cases, administrators reported that the update had fingered large numbers of desktop PCs as running counterfeit copies of Office. "Update KB949810 arrived via WSUS yesterday, and now all my XP workstations running Word 2002 are telling me it needs activating," said a user... in the U.K. "The only problem is that the software is genuine and was activated three years ago"... "There is nothing more frustrating as a Microsoft shareholder to constantly see Microsoft shoot themselves in the foot by treating legal customers in this manner.*"..."
* http://forums.microsoft.com/Genuine/ShowPost.aspx?PostID=3188048&SiteID=25

:lip:
 
XPSP3 released to manufacturing

FYI...

- http://preview.tinyurl.com/3nkl3q
April 21, 2008 (Computerworld) - "Microsoft Corp. today finally slapped a "Done" sticker on Windows XP Service Pack 3 and pushed it out the door. The designation of SP3 as RTM, short for "release to manufacturing"..."
(Many "Q&A's" at the URL above.)

Overview of Windows XP SP3 - link to .pdf file here
- http://preview.tinyurl.com/35uwdq
428 K
Windows XP SP3 forum
- http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=2010&SiteID=17

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=207401041
April 21, 2008 - "...the third and final service pack for its Windows XP operating system and that the update will be available for public download on April 29... The service pack should offer a number of enhancements over the current version of the OS. It includes all updates issued since Windows XP Service Pack 2 was released in 2004, and some new elements. Among them: A feature called Network Access Protection that's borrowed from the newer Windows Vista operating system. NAP automatically validates a computer's health, ensuring that it's free of bugs and viruses before allowing it access to a network. Windows XP SP3 also includes improved "black hole" router detection -- a feature that automatically detects routers that are silently discarding packets. In XP SP3, the feature is turned on by default, according to Microsoft..."
 
Vista SP1 out on "Automatic Update"...

FYI...

- http://preview.tinyurl.com/5vu4aw
April 23, 2008 (Infoworld) -"...Vista Service Pack 1 will download automatically to PCs that have the automatic update feature of the OS turned on, the company said. Previously, Vista was available to customers via Windows Update, but people had to specifically download it. Not all customers will receive SP1 immediately via Automatic Update, however. The company is distributing it in phases to "ensure a seamless download experience," Microsoft said. A timeline for when all customers would receive Vista SP1 via Automatic Update was not immediately available..."

- http://support.microsoft.com/?kbid=948343
Last Review: April 23, 2008
Revision: 7.0...
 