Old MS Alerts

SMBv2 automated Fix-it...

FYI...

Microsoft Security Advisory (975497)
Vulnerabilities in SMB Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/975497.mspx
Updated: September 17, 2009 - "...Workarounds:
• Disable SMB v2... See Microsoft Knowledge Base Article 975497* to use the automated Microsoft Fix it solution to enable or disable this workaround...
* http://support.microsoft.com/kb/975497

• V1.1 (September 17, 2009): Clarified the FAQ, What is SMBv2? Added a link to Microsoft Knowledge Base Article 975497 to provide an automated Microsoft Fix it solution* for the workaround, Disable SMB v2...

- http://blogs.technet.com/srd/archive/2009/09/18/update-on-the-smb-vulnerability.aspx
September 18, 2009

:fear:
 
SMB v2 - Impact of workaround

FYI...

Microsoft Security Advisory (975497)
Vulnerabilities in SMB Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/975497.mspx
• V1.2 (September 23, 2009): Clarified the FAQ, What is Server Message Block Version 2 (SMBv2)? Also clarified the impact of the workaround, Disable SMB v2.
(See: "Workarounds... Impact of Workaround...")
"... Some of the applications or services that could be impacted are listed..."

:fear:
 
SMBv2 - Metasploit exploit module released

FYI...

Metasploit exploit module released
- http://www.symantec.com/security_response/threatconlearn.jsp
"... tracking a remotely exploitable vulnerability affecting the SMB kernel component ('srv2.sys'). Microsoft has reported that Windows Vista (SP1 and SP2) and Windows Server 2008 are affected. Reportedly, some beta builds of Windows 7 may also be affected.

On September 28, 2009, a remote code-execution exploit Metasploit module was released publicly. Attackers may be able to convert this module into other exploits and use it in the wild. We strongly advise users to block TCP port 445 immediately until patches are available. The researcher who discovered the flaw has stated that file sharing must be enabled for the issue to be exploited. Unless file sharing is explicitly required, users should disable it..."

:fear:
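The two mitigations the posts above keep coming back to (the "Disable SMB v2" workaround from Advisory 975497 and blocking TCP 445 at the host) can be audited and applied from an elevated PowerShell prompt. This is an added example, not Microsoft's Fix it and not code from the advisory or the post. It assumes the manual form of the workaround is the Smb2 REG_DWORD under LanmanServer\Parameters (0 = disabled), which is the value the KB 975497 Fix it toggles; confirm that against the advisory before relying on it. The Windows service name for "Server" is LanmanServer; the firewall rule uses the Vista/Server 2008 netsh advfirewall context.

```powershell
# Added example (not from Advisory 975497, the KB Fix it, or the forum post).
# Audits and applies the two SMB mitigations discussed above, then verifies.
# Assumption: the manual "Disable SMB v2" workaround is Smb2 = 0 (REG_DWORD)
# under LanmanServer\Parameters, which is what the KB 975497 Fix it sets.
# Run elevated on Vista / Server 2008; revert once MS09-050 is installed.

$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb2State {
    # Absent or non-zero value = SMB2 enabled (the OS default); 0 = disabled.
    $v = Get-ItemProperty -Path $paramKey -Name Smb2 -ErrorAction SilentlyContinue
    if ($null -eq $v -or $v.Smb2 -ne 0) { 'Enabled' } else { 'Disabled' }
}

function Disable-Smb2 {
    # Workaround: set Smb2 = 0 and restart the Server service so the new
    # setting takes effect. Clients then negotiate SMB1 with this host.
    Set-ItemProperty -Path $paramKey -Name Smb2 -Type DWord -Value 0
    Restart-Service -Name LanmanServer -Force   # -Force restarts dependents too
}

function Enable-Smb2 {
    # Revert: remove the override so the default (enabled) applies again.
    Remove-ItemProperty -Path $paramKey -Name Smb2 -ErrorAction SilentlyContinue
    Restart-Service -Name LanmanServer -Force
}

function Block-SmbInbound {
    # Host-firewall mitigation from the Symantec/ISC guidance above: drop
    # inbound TCP 139 and 445. Disabling SMB2 alone leaves 445 listening
    # (SMB1 is still served), so the firewall rule is what stops remote reach.
    netsh advfirewall firewall add rule name="Block SMB inbound (Adv 975497)" `
        dir=in action=block protocol=TCP localport=139,445
}

function Get-SmbListeners {
    # Informational: what is still bound to 139/445 after the change.
    netstat -ano -p TCP | Select-String ':(139|445)\s'
}

Write-Host "SMB2 before: $(Get-Smb2State)"
Disable-Smb2
Block-SmbInbound
Write-Host "SMB2 after:  $(Get-Smb2State)"
Get-SmbListeners
```

Check the Impact of Workaround list in the advisory before pushing Disable-Smb2 to servers: the V1.2 revision quoted in the next post exists precisely because some applications and services depend on SMB2.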
 
MS Bulletin Advance Notification - October 2009

FYI...

- http://www.theregister.co.uk/2009/10/09/patch_tues_oct_pre_alert/
9 October 2009 - "... biggest ever Patch Tuesday update... 13 bulletins collectively address 34 security flaws..."

- http://www.microsoft.com/technet/security/Bulletin/MS09-oct.mspx
October 8, 2009 - "This is an advance notification of security bulletins that Microsoft is intending to release on October 13, 2009... (Total of -13-)

Critical -8-

Bulletin 1
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Bulletin 2
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Bulletin 3
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Bulletin 5
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Internet Explorer

Bulletin 6
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Bulletin 11
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office

Bulletin 12
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows, Microsoft Silverlight

Bulletin 13
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows, Microsoft Office, Microsoft SQL Server, Microsoft Developer Tools, Microsoft Forefront

Important -5-

Bulletin 4
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Bulletin 7
Maximum Severity Rating: Important
Vulnerability Impact: Spoofing
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Bulletin 8
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Bulletin 9
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Bulletin 10
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: May require restart
Affected Software: Microsoft Windows
___

October 2009 Bulletin Release Advance Notification
- http://blogs.technet.com/msrc/archive/2009/10/08/october-2009-bulletin-release.aspx
October 08, 2009 - "... Among the updates this month, we are closing out two current security advisories:
Vulnerabilities in SMB Could Allow Remote Code Execution (975497)
http://www.microsoft.com/technet/security/advisory/975497.mspx
Vulnerabilities in the FTP Service in Internet Information Services (975191)
http://www.microsoft.com/technet/security/advisory/975191.mspx
Usually we do not go into this level of detail in the advance notification but we felt that it is important guidance so customers can plan accordingly and deploy these updates as soon as possible..."

.
 
MS Security Bulletin Summary - October 2009

FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-oct.mspx
October 13, 2009 - "This bulletin summary lists security bulletins released for October 2009...
(Total of -13-)

Critical -8-

Microsoft Security Bulletin MS09-050
Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)
- http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-051
Vulnerabilities in Windows Media Runtime Could Allow Remote Code Execution (975682)
- http://www.microsoft.com/technet/security/bulletin/ms09-051.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-052
Vulnerability in Windows Media Player Could Allow Remote Code Execution (974112)
- http://www.microsoft.com/technet/security/bulletin/ms09-052.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-054
Cumulative Security Update for Internet Explorer (974455)
- http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-055
Cumulative Security Update of ActiveX Kill Bits (973525)
- http://www.microsoft.com/technet/security/bulletin/ms09-055.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-060
Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution (973965)
- http://www.microsoft.com/technet/security/bulletin/ms09-060.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office

Microsoft Security Bulletin MS09-061
Vulnerabilities in the Microsoft .NET Common Language Runtime Could Allow Remote Code Execution (974378)
- http://www.microsoft.com/technet/security/bulletin/ms09-061.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows, Microsoft .NET Framework, Microsoft Silverlight

Microsoft Security Bulletin MS09-062
Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488)
- http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows, Internet Explorer, Microsoft .NET Framework, Microsoft Office, Microsoft SQL Server, Microsoft Developer Tools, Microsoft Forefront

Important -5-

Microsoft Security Bulletin MS09-053
Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254)
- http://www.microsoft.com/technet/security/bulletin/ms09-053.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-056
Vulnerabilities in Windows CryptoAPI Could Allow Spoofing (974571)
- http://www.microsoft.com/technet/security/bulletin/ms09-056.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Spoofing
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-057
Vulnerability in Indexing Service Could Allow Remote Code Execution (969059)
- http://www.microsoft.com/technet/security/bulletin/ms09-057.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-058
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (971486)
- http://www.microsoft.com/technet/security/bulletin/ms09-058.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-059
Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (975467)
- http://www.microsoft.com/technet/security/bulletin/ms09-059.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: Requires restart
Affected Software: Microsoft Windows
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=7345
Last Updated: 2009-10-13 21:08:21 UTC
___

Severity summary and exploitability index
- http://blogs.technet.com/photos/msrcteam/images/3286577/original.aspx
October 13, 2009

Deployment priority
- http://blogs.technet.com/photos/msrcteam/images/3286578/original.aspx
October 13, 2009
___

MSRT
- http://support.microsoft.com/?kbid=890830
October 13, 2009 - Revision: 65.0
(Recent additions)
Win32/FakeRean August 2009 (V 2.13) Moderate
Win32/Bredolab September 2009 (V 2.14) Moderate
Win32/Daurso September 2009 (V 2.14) Moderate
Win32/FakeScanti October 2009 (V 3.0) Moderate
- http://www.microsoft.com/security/malwareremove/families.aspx

//
 
MS Security Advisories updated

FYI...

Microsoft Security Advisory (973882)
Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/973882.mspx
• V4.0 (October 13, 2009): Advisory revised to add an entry in the Updates related to ATL section to communicate the release of Microsoft Security Bulletin MS09-060, "Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution."
- http://www.microsoft.com/technet/security/bulletin/ms09-060.mspx

Microsoft Security Advisory (975191)
Vulnerabilities in the FTP Service in Internet Information Services
- http://www.microsoft.com/technet/security/advisory/975191.mspx
• V3.0 (October 13, 2009): Advisory updated to reflect publication of security bulletin (MS09-053).
- http://www.microsoft.com/technet/security/bulletin/ms09-053.mspx

Microsoft Security Advisory (975497)
Vulnerabilities in SMB Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/975497.mspx
• V2.0 (October 13, 2009): Advisory updated to reflect publication of security bulletin (MS09-050).
- http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx

:fear:
 
Do NOT Apply MS09-056/KB974571 to LCS/OCS Servers

FYI...

Do NOT Apply MS09-056/KB974571 to LCS/OCS Servers
- http://blogs.technet.com/dodeitte/archive/2009/10/13/do-not-apply-kb974571-to-lcs-ocs-servers.aspx
October 13, 2009 11:04 PM - "Currently an issue is being observed after applying KB974571 (MS09-056: Vulnerabilities in CryptoAPI could allow spoofing) to LCS/OCS servers, that is causing them to believe that they are running an evaluation version of LCS/OCS and that it has expired..."
- http://support.microsoft.com/kb/974571/

:fear::fear:
 
Microsoft Security Advisory (973811) updated

FYI...

Microsoft Security Advisory (973811)
Extended Protection for Authentication
- http://www.microsoft.com/technet/security/advisory/973811.mspx
Updated: October 14, 2009 - "... Microsoft Security Bulletin MS09-054 contains a defense-in-depth, non-security update that enables WinINET to opt in to Extended Protection for Authentication.
• V1.1 (October 14, 2009): Updated the FAQ with information about a non-security update included in MS09-054* relating to WinINET.
* http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx

:spider:
 
MS Update released for MS09-054

FYI...

Update released for MS09-054
- http://blogs.technet.com/msrc/archive/2009/11/02/update-released-for-ms09-054.aspx
November 02, 2009 - "Today we released an update 976749 that addresses two issues with MS09-054 that a limited number of customers reported to us through our Customer Service and Support (CSS) group. These two issues can affect the proper display of web pages. For additional details, please refer to Microsoft Knowledge Base article 976749*. Security update MS09-054 was released as part of the October Security Bulletin Release cycle and protects against the vulnerabilities outlined in the bulletin. Also, we’re not currently aware of any attempts to attack the vulnerabilities. While the number of customers affected by these two issues is limited, after working both with affected customers and our CSS group, we feel the best thing for all customers is to proactively provide this update as widely as possible to help prevent other customers from encountering the issues outlined in the KB. Because of this, we plan to release this update through the same broad release channels as the original security update, MS09-054. Customers will see 976749 offered by default through Windows Update, Microsoft Update, and Automatic Updates. Customers who have applied MS09-054 should go ahead and apply 976749. Customers who have not yet applied MS09-054 should apply -both- MS09-054 and 976749..."
* http://support.microsoft.com/kb/976749
November 3, 2009 - Revision: 5.0 - "...Important: Do not install this update if you have not installed security update 974455. If you install this update without first installing security update 974455, Internet Explorer may not work correctly. If this occurs, uninstall this update, install security update 974455, and then reinstall this update..."

- http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx
• V2.0 (November 2, 2009): Revised to announce the availability of a hotfix to address application compatibility issues. Customers who have already applied this update may install the hotfix from Microsoft Knowledge Base Article 976749. Also corrected the log file names, spuninst folder names, and registry key values for Microsoft Windows 2000.

- http://secunia.com/advisories/36979/2/
Critical: Highly critical
2009-11-03: Updated "Solution" section as Microsoft issues an update to address certain problems introduced by the original patches. Added link in "Original Advisory" section.

:fear:
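Two of the posts above carry an install-order rule rather than a plain "patch now": KB 976749 must not go on without KB 974455 (MS09-054) already present, and KB 974571 (MS09-056) should stay off LCS/OCS servers. The following is an added example, not code from MSRC or the KB articles, that reads the installed-hotfix list with Get-HotFix (PowerShell 2.0, the same data as wmic qfe) and reports which of those rules a host is breaking. The OCS detection keys off the front-end service name RTCSRV, which is an assumption; substitute whatever role marker your deployment uses.

```powershell
# Added example (not from the MSRC post or the KB articles). Checks the
# install state of the updates discussed above and flags the ordering and
# compatibility rules those posts describe. KB numbers are the ones quoted.

function Get-KBState {
    param([string[]]$KB)
    # Get-HotFix returns one object per installed update; HotFixID is 'KBnnnnnn'.
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    $KB | ForEach-Object {
        New-Object PSObject -Property @{
            KB        = $_
            Installed = ($installed -contains $_)
        }
    }
}

function Test-MS09054Order {
    # Rule from KB 976749: do not install it before security update 974455.
    $s = @{}
    Get-KBState -KB 'KB974455','KB976749' | ForEach-Object { $s[$_.KB] = $_.Installed }
    if ($s['KB976749'] -and -not $s['KB974455']) {
        'KB976749 present without KB974455: uninstall 976749, install 974455, then reinstall 976749'
    } elseif (-not $s['KB974455']) {
        'Apply both MS09-054 (KB974455) and KB976749'
    } elseif (-not $s['KB976749']) {
        'MS09-054 installed; apply KB976749 as well'
    } else {
        'OK: KB974455 and KB976749 both installed'
    }
}

function Test-OcsCryptoApiPatch {
    # Rule from the LCS/OCS post: MS09-056 (KB974571) makes LCS/OCS think its
    # evaluation period has expired. Assumption: the OCS front-end service is RTCSRV.
    $ocs = Get-Service -Name 'RTCSRV' -ErrorAction SilentlyContinue
    $kb  = (Get-KBState -KB 'KB974571').Installed
    if ($ocs -and $kb) { 'WARNING: KB974571 installed on an LCS/OCS server' }
    elseif ($ocs)       { 'OCS role detected: hold KB974571 until Microsoft guidance changes' }
    else                { 'No OCS role detected: KB974571 is safe to deploy here' }
}

Get-KBState -KB 'KB974455','KB976749','KB974571' | Format-Table KB, Installed -AutoSize
Test-MS09054Order
Test-OcsCryptoApiPatch
```

Run it against a WSUS-managed fleet with Invoke-Command or a remoting wrapper and the output doubles as the deployment checklist for this bulletin cycle.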
 
MS Bulletin Advance Notification - November 2009

FYI...

- http://www.microsoft.com/technet/security/bulletin/ms09-nov.mspx
November 05, 2009 - "This is an advance notification of security bulletins that Microsoft is intending to release on November 10, 2009..."
(Total of -6-)

Critical -3-

Bulletin 1
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Bulletin 2
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Bulletin 3
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Important -3-

Bulletin 4
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Bulletin 5
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office

Bulletin 6
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office

//
 
MS Security Bulletin Summary - November 2009

FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-nov.mspx
November 10, 2009 - "This bulletin summary lists security bulletins released for November 2009..." (Total of -6-)

Critical -3-

Microsoft Security Bulletin MS09-063 - Critical
Vulnerability in Web Services on Devices API Could Allow Remote Code Execution (973565)
- http://www.microsoft.com/technet/security/bulletin/ms09-063.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-064 - Critical
Vulnerability in License Logging Server Could Allow Remote Code Execution (974783)
- http://www.microsoft.com/technet/security/bulletin/ms09-064.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-065 - Critical
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947)
- http://www.microsoft.com/technet/security/Bulletin/MS09-065.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Important -3-

Microsoft Security Bulletin MS09-066 - Important
Vulnerability in Active Directory Could Allow Denial of Service (973309)
- http://www.microsoft.com/technet/security/bulletin/ms09-066.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-067 - Important
Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (972652)
- http://www.microsoft.com/technet/security/bulletin/MS09-067.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office

Microsoft Security Bulletin MS09-068 - Important
Vulnerability in Microsoft Office Word Could Allow Remote Code Execution (976307)
- http://www.microsoft.com/technet/security/bulletin/MS09-068.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=7564
Last Updated: 2009-11-10 18:36:34 UTC
___

Severity summary and exploitability index
- http://blogs.technet.com/photos/msrcteam/images/3292868/original.aspx
November 10, 2009

Deployment priority
- http://blogs.technet.com/photos/msrcteam/images/3292871/original.aspx
November 10, 2009
___

MSRT
- http://support.microsoft.com/?kbid=890830
November 10, 2009 - Revision: 66.0
(Recent additions)
Win32/Bredolab - September 2009 (V 2.14) - Moderate
Win32/Daurso - September 2009 (V 2.14) - Moderate
Win32/FakeScanti - October 2009 (V 3.0) - Moderate
Win32/FakeVimes - November 2009 (V 3.1) - Moderate
Win32/PrivacyCenter - November 2009 (V 3.1) - Moderate

//
 
Microsoft Security Advisory (977544)

FYI...

Microsoft Security Advisory (977544)
Vulnerability in SMB Could Allow Denial of Service
- http://www.microsoft.com/technet/security/advisory/977544.mspx
November 13, 2009 - "Microsoft is investigating new public reports of a possible denial of service vulnerability in the Server Message Block (SMB) protocol. This vulnerability cannot be used to take control of or install malicious software on a user’s system. However, Microsoft is aware that detailed exploit code has been published for the vulnerability. Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary... Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities..."

- http://isc.sans.org/diary.html?storyid=7597
Last Updated: 2009-11-14 02:36:34 UTC - "... Assuming that you block TCP ports 139 and 445 the only impact would be an internal attacker could disable affected systems until restarted. In the grand scheme of things this would not be a critical issue unless all of a sudden your servers had to be rebooted on a regular basis, in that case you may have bigger problems because the fox would already be in the henhouse. The list of affected systems is: Windows 7 for 32-bit Systems, Windows 7 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems (including Server Core), and Windows Server 2008 R2 for Itanium-based Systems..."

:clown:
 
New 0-Day IE exploit published

FYI...

0-Day IE exploit published
- http://www.symantec.com/connect/blogs/zero-day-internet-explorer-exploit-published
November 21, 2009 - "A new exploit targeting Internet Explorer was published to the BugTraq mailing list yesterday. Symantec has conducted further tests and confirmed that it affects Internet Explorer versions 6 and 7 as well. The exploit currently exhibits signs of poor reliability, but we expect that a fully-functional reliable exploit will be available in the near future... To minimize the chances of being affected by this issue, Internet Explorer users should ensure their antivirus definitions are up to date, disable JavaScript and only visit Web sites they trust until fixes are available from Microsoft."

- http://secunia.com/advisories/37448/2/
Release Date: 2009-11-23
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6.x, Microsoft Internet Explorer 7.x ...
Solution: Disable support for active scripting for all but trusted websites...

:fear::fear:
 
Microsoft Security Advisory (977981) - IE

FYI...

Microsoft Security Advisory (977981)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/977981.mspx
November 23, 2009 - "... Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 are affected. The vulnerability exists as an invalid pointer reference of Internet Explorer. It is possible under certain conditions for a CSS/Style object to be accessed after the object is deleted. In a specially-crafted attack, Internet Explorer attempting to access a freed object can lead to running attacker-supplied code. At this time, we are aware of no attacks attempting to use this vulnerability against Internet Explorer 6 Service Pack 1 and Internet Explorer 7. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers...
Mitigating Factors:
• Internet Explorer 8 is -not- affected.
• Protected Mode in Internet Explorer 7 in Windows Vista limits the impact of the vulnerability.
• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario..."
(Also see: Workarounds)

- http://www.us-cert.gov/current/#microsoft_internet_explorer_vulnerability
November 23, 2009

- http://blogs.iss.net/archive/IE CSS 0day.html
November 23, 2009 - "... For IE users, it is worthwhile to upgrade to IE8 if you haven't already."

- http://forums.spybot.info/showpost.php?p=348968&postcount=140
Updated: November 25, 2009

:fear:
 
MS updates requiring reboot delivered

FYI...

MS updates requiring reboot delivered
- http://isc.sans.org/diary.html?storyid=7645
Last Updated: 2009-11-25 21:40:37 UTC - "... received updates from Microsoft in the last 24 hours (via Automatic Update or similar) that required a reboot. Microsoft has apparently updated several of their bulletins. Two of them are related to previous updates MSXML (v3.0 or v6.0), one with MSXML Core Services 4.0 SP2, one is additional daylight saving time updates, and the 4th is also daylight saving time-related and has to do with an error in the Date and Time control panel on Vista and Windows Server 2008. While it isn't unusual for Microsoft to make some minor updates to bulletins and patches (especially detection fixes) at times other than "Patch Tuesday" some of our readers (and some of us, handlers) were surprised by updates that required reboot.

References:
http://support.microsoft.com/kb/973685
http://support.microsoft.com/kb/973687
http://support.microsoft.com/kb/973688
http://support.microsoft.com/kb/976098
http://support.microsoft.com/kb/976470 ..."

:fear:
 
IE 0-day exploit released

FYI...

IE 0-day exploit released
- http://www.symantec.com/security_response/threatconlearn.jsp
Nov 26, 2009 - "An exploit has been released for the Metasploit framework that can be used to exploit the Microsoft Internet Explorer 'Style' Object Remote Code Execution Vulnerability. This exploit can leverage JavaScript heap-spray and .NET DLL memory-preparation techniques to achieve remote code execution. Customers who are prone to this issue are advised to disable JavaScript for untrusted websites. Also, setting Internet Explorer's security zone settings to high for the Internet zone will prevent the loading of .NET DLLs in Internet Explorer 7. For critical systems, consider upgrading to Internet Explorer 8, which is not vulnerable to this issue."

- http://www.pcworld.com/article/183190/attacks_appear_imminent_as_ie_exploit_is_improved.html
Nov 25, 2009

:fear::fear:
 
IE 0-day workaround - enable DEP for IE6 or IE7

FYI...

Microsoft Security Advisory (977981)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/977981.mspx
Updated: November 25, 2009
• V1.1 (November 25, 2009): Corrected the CVE reference, added a mitigating factor concerning Web-based attacks, and clarified the workaround involving DEP*.
* "... • Enable DEP for Internet Explorer 6 or Internet Explorer 7 via automated Microsoft Fix It. See Microsoft Knowledge Base Article 977981** to use the automated Microsoft Fix it solution to enable or disable this workaround...
Impact of workaround: Some browser extensions may not be compatible with DEP and may exit unexpectedly. If this occurs, you can disable the add-on, or revert the DEP setting using the Internet Control Panel. This is also accessible using the System Control panel..."
** http://support.microsoft.com/kb/977981

- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3672

- http://isc.sans.org/diary.html?storyid=7654
Last Updated: 2009-11-26 15:11:12 UTC - "... We strongly encourage all IE users to review the new information posted by MS, especially in light of workable exploits that are starting to surface on the web."
___

FIX: Microsoft Security Bulletin MS09-072 - Critical
Cumulative Security Update for Internet Explorer (976325)
- http://www.microsoft.com/technet/security/bulletin/MS09-072.mspx
Revisions:
• V1.0 (December 8, 2009): Bulletin published.
• V1.1 (December 9, 2009): Corrected a reference to Microsoft Knowledge Base Article 976749 in the section, Frequently Asked Questions (FAQ) Related to This Security Update. Also corrected, in the Security Update Deployment section, the registry key for verification of the update for Internet Explorer 7 for all supported x64-based editions of Windows XP.

:fear::fear:
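The interim advice quoted across the last few posts for CVE-2009-3672 (disable Active Scripting in the Internet zone, set the zone to High, keep scripting only for sites you trust) maps to a handful of per-user registry values, and being able to set and undo them in one go matters when the fix is an out-of-cycle bulletin you want to roll back to. This is an added example, not the KB 977981 Fix it and not code from any of the sources above. Zone 3 is the Internet zone; action value 1400 is Active Scripting (0 enable, 1 prompt, 3 disable); CurrentLevel 0x12000 is High, 0x11000 Medium (the IE6 default) and 0x11500 Medium-high (the IE7 default); a ZoneMap domain value of 2 places the site in Trusted sites. The DEP part of the workaround is deliberately left to the Fix it or to Internet Options > Advanced > "Enable memory protection", since it is not a plain zone setting. The domain intranet.example is a placeholder.

```powershell
# Added example (not Microsoft's Fix it, not from the advisory or the post).
# Applies and reverts the Internet-zone scripting workaround for the current
# user and trusts a named site so it keeps scripting. HKCU only; a machine-wide
# policy would use the HKLM hive plus Security_HKLM_only, which is not shown.

$zone3   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-InternetZoneState {
    $p = Get-ItemProperty -Path $zone3
    $script = switch ($p.'1400') { 0 {'Enable'} 1 {'Prompt'} 3 {'Disable'} default {"unknown($($p.'1400'))"} }
    New-Object PSObject -Property @{
        ActiveScripting = $script
        Level           = ('0x{0:X}' -f $p.CurrentLevel)
    }
}

function Set-InternetZoneWorkaround {
    # IE enforces the individual action values; CurrentLevel is what the
    # slider displays. Set both so the UI and the behaviour agree.
    Set-ItemProperty -Path $zone3 -Name '1400'         -Type DWord -Value 3
    Set-ItemProperty -Path $zone3 -Name 'CurrentLevel' -Type DWord -Value 0x12000
}

function Undo-InternetZoneWorkaround {
    param([int]$Level = 0x11500)   # 0x11500 = Medium-high (IE7), 0x11000 = Medium (IE6)
    Set-ItemProperty -Path $zone3 -Name '1400'         -Type DWord -Value 0
    Set-ItemProperty -Path $zone3 -Name 'CurrentLevel' -Type DWord -Value $Level
}

function Add-TrustedSite {
    # Puts scheme://Domain in the Trusted sites zone (value 2), which keeps
    # its own Active Scripting setting and is unaffected by the change above.
    param([string]$Domain, [string]$Scheme = 'https')
    $k = Join-Path $zoneMap $Domain
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    Set-ItemProperty -Path $k -Name $Scheme -Type DWord -Value 2
}

Write-Host 'Before:'; Get-InternetZoneState
Set-InternetZoneWorkaround
Add-TrustedSite -Domain 'intranet.example'   # placeholder domain
Write-Host 'After:';  Get-InternetZoneState
# Undo-InternetZoneWorkaround    # run once MS09-072 (KB976325) is installed
```

Changes take effect for new IE windows. Trusting only HTTPS origins (the default $Scheme) avoids re-enabling scripting for a plain-HTTP name that an on-path attacker could impersonate.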
 
Issues with November Security Updates...

FYI...

Reports of issues with November Security Updates
- http://blogs.technet.com/msrc/archi...of-issues-with-november-security-updates.aspx
December 01, 2009 - "We’ve received questions about public reports that customers might be experiencing system issues with the November Security Updates (which some are referring to as “Black Screen” issues). We’ve investigated these reports and found that our November Security Updates are not making changes to the system that these reports say are responsible for these issues. While these reports weren’t brought to us directly, from our research into them, it appears they’re saying that our security updates are making permission changes in the registry to the value for the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell key. We’ve conducted a comprehensive review of the November Security Updates, the Windows Malicious Software Removal Tool, and the non-security updates we released through Windows Update in November. That investigation has shown that none of these updates make any changes to the permissions in the registry. Thus, we don’t believe the updates are related to the “black screen” behavior described in these reports. We’ve also checked with our worldwide Customer Service and Support organization, and they’ve told us they’re not seeing “black screen” behavior as a broad customer issue. Because these reports were not brought to us directly, it’s impossible to know conclusively what might be causing a “black screen” in those limited instances where customers have seen it. However, we do know that “black screen” behavior is associated with some malware families such as Daonol*. This underscores the importance of our guidance to customers to contact our Customer Service and Support group any time they think they’re affected by malware or are experiencing issues with security updates.
This enables us to determine what might be happening and take steps to help customers by documenting new malware families in our MMPC malware encyclopedia or documenting known issues in our security bulletins and the supporting Knowledge Base articles..."
* http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Daonol malware
Search Term = Daonol malware / 500 entries found

- http://isc.sans.org/diary.html?storyid=7672
Last Updated: 2009-12-02 16:43:47 UTC

:blink:
 
Last edited:
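The MSRC post above comes down to two checks a defender can run for themselves on a box showing the "black screen" symptom: what the Winlogon Shell value currently holds, and whether anything other than administrators has been granted write access to the key. The script below is an added example, not code from the MSRC post or from Microsoft; it assumes a stock Windows install where the Shell value should be `explorer.exe`, and the list of low-privilege principals it flags is a constructed starting point, not an exhaustive one.

```powershell
# Added example (not from the MSRC post): verify the Winlogon\Shell value and the
# permissions on its key, the two things the "black screen" reports blamed on the updates.
# Assumption: on a default install the Shell value is "explorer.exe".

$KeyPath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Expected = 'explorer.exe'

function Test-WinlogonShell {
    param(
        [string]$Path          = $KeyPath,
        [string]$ExpectedShell = $Expected
    )

    $result = [ordered]@{ ShellValue = $null; ShellOk = $false; SuspiciousAces = @() }

    # 1. The Shell value itself: anything other than explorer.exe deserves a closer look.
    $shell = (Get-ItemProperty -Path $Path -Name Shell -ErrorAction SilentlyContinue).Shell
    $result.ShellValue = $shell
    $result.ShellOk    = ($null -ne $shell) -and ($shell.Trim() -ieq $ExpectedShell)

    # 2. The key's ACL: low-privilege principals should not hold write rights here.
    #    Any of these rights lets a caller change Shell or add sub-keys.
    $writeMask = [int][System.Security.AccessControl.RegistryRights]::SetValue +
                 [int][System.Security.AccessControl.RegistryRights]::CreateSubKey +
                 [int][System.Security.AccessControl.RegistryRights]::WriteKey

    # Constructed list of principals that normally only get read access to this key.
    $lowPriv = @('Everyone',
                 'BUILTIN\Users',
                 'NT AUTHORITY\Authenticated Users',
                 'NT AUTHORITY\INTERACTIVE')

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $rights = [int]$ace.RegistryRights
        if ($ace.AccessControlType -eq 'Allow' -and
            (($rights -band $writeMask) -ne 0) -and
            ($lowPriv -contains $ace.IdentityReference.Value)) {
            $result.SuspiciousAces += "$($ace.IdentityReference.Value) : $($ace.RegistryRights)"
        }
    }

    [pscustomobject]$result
}

$r = Test-WinlogonShell
$r | Format-List

if (-not $r.ShellOk) {
    Write-Warning "Shell value is '$($r.ShellValue)'; expected '$Expected'. Check the system for malware before blaming the updates."
}
if ($r.SuspiciousAces.Count -gt 0) {
    Write-Warning "Low-privilege principals have write access to $KeyPath :"
    $r.SuspiciousAces | ForEach-Object { Write-Warning "  $_" }
}
```

Run it from an elevated prompt so `Get-Acl` can read the key's security descriptor. A Shell value that is not `explorer.exe`, or a write-capable ACE for Users or Everyone, is worth investigating; it does not by itself prove which update or program made the change, which is exactly the point the MSRC post makes about reports that were never brought to them directly.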
MS Security Bulletin Advance Notification - December 2009

FYI...

MS Security Bulletin Advance Notification - December 2009
- http://www.microsoft.com/technet/security/bulletin/MS09-dec.mspx
December 03, 2009 - "This is an advance notification of security bulletins that Microsoft is intending to release on December 8, 2009... (Total of -6-)

Critical - 3

Bulletin 1
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Bulletin 3
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office

Bulletin 4
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Internet Explorer

Important - 3

Bulletin 5
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Bulletin 6
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Bulletin 2
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Microsoft Office
 
MS Security Bulletin Summary - December 2009

FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS09-dec.mspx
December 08, 2009 - "This bulletin summary lists security bulletins released for December 2009..." (Total of -6-)

Critical -3-

Microsoft Security Bulletin MS09-071 - Critical
Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318)
- http://www.microsoft.com/technet/security/bulletin/MS09-071.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-074 - Critical
Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183)
- http://www.microsoft.com/technet/security/bulletin/MS09-074.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office

Microsoft Security Bulletin MS09-072 - Critical
Cumulative Security Update for Internet Explorer (976325)
- http://www.microsoft.com/technet/security/bulletin/MS09-072.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows ...
Revisions:
• V1.0 (December 8, 2009): Bulletin published.
• V1.1 (December 9, 2009): Corrected a reference to Microsoft Knowledge Base Article 976749 in the section, Frequently Asked Questions (FAQ) Related to This Security Update. Also corrected, in the Security Update Deployment section, the registry key for verification of the update for Internet Explorer 7 for all supported x64-based editions of Windows XP.

Important -3-

Microsoft Security Bulletin MS09-069 - Important
Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (974392)
- http://www.microsoft.com/technet/security/bulletin/MS09-069.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-070 - Important
Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution (971726)
- http://www.microsoft.com/technet/security/bulletin/MS09-070.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS09-073 - Important
Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution (975539)
- http://www.microsoft.com/technet/security/bulletin/MS09-073.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Microsoft Office
___

Severity and Exploitability Index
- http://blogs.technet.com/photos/msrcteam/images/3299186/original.aspx
December 08, 2009

Deployment priority
- http://blogs.technet.com/photos/msrcteam/images/3299187/original.aspx
December 08, 2009
___

MSRT
- http://support.microsoft.com/?kbid=890830
December 8, 2009 - Revision: 67.0
(Recent additions)
Win32/FakeScanti - October 2009 (V 3.0) Moderate
Win32/FakeVimes - November 2009 (V 3.1) Moderate
Win32/PrivacyCenter - November 2009 (V 3.1) Moderate
Win32/Hamweq - December 2009 (V 3.2) Moderate
___

ISC Analysis
- http://isc.sans.org/diary.html?storyid=7711
Last Updated: 2009-12-10 19:42:30 UTC
___

Microsoft Office Project Memory Validation Vuln
- http://secunia.com/advisories/37588/2/
... Original Advisory: http://www.microsoft.com/technet/security/bulletin/MS09-074.mspx
___

Microsoft WordPad / Office Text Converters Memory Corruption Vuln
- http://secunia.com/advisories/37580/2/
... Original Advisory: http://www.microsoft.com/technet/security/bulletin/MS09-073.mspx
___

Internet Explorer multiple vulns
- http://secunia.com/advisories/37448/2/
... Original Advisory: http://www.microsoft.com/technet/security/Bulletin/MS09-072.mspx
___

Microsoft Windows Internet Authentication Service Vuln
- http://secunia.com/advisories/37579/2/
... Original Advisory: http://www.microsoft.com/technet/security/bulletin/MS09-071.mspx

Microsoft Windows MS-CHAP Authentication Bypass
- http://secunia.com/advisories/37543/2/
... Original Advisory: http://www.microsoft.com/technet/security/bulletin/MS09-071.mspx
___

Microsoft Windows Local Security Authority Subsystem DoS
- http://secunia.com/advisories/37524/2/
... Original Advisory: http://www.microsoft.com/technet/security/Bulletin/MS09-069.mspx
___
 
Last edited: