Old MS Alerts

MS Security Advisories updated - 2010.07.13 ...

FYI...

Microsoft Security Advisory (2219475)
Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2219475.mspx
Published: June 10, 2010 | Updated: July 13, 2010 - "... We have issued MS10-042* to address this issue..."
* http://www.microsoft.com/technet/security/Bulletin/MS10-042.mspx

Microsoft Security Advisory (2028859)
Vulnerability in Canonical Display Driver Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2028859.mspx
Published: May 18, 2010 | Updated: July 13, 2010 - "... We have issued MS10-043** to address this issue..."
** http://www.microsoft.com/technet/security/Bulletin/MS10-043.mspx

>> http://forums.spybot.info/showpost.php?p=377301&postcount=144

MS Security Advisory (2286198)

FYI...

Microsoft Security Advisory (2286198)
Vulnerability in Windows Shell Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2286198.mspx
July 16, 2010 - "Microsoft is investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell, a component of Microsoft Windows. This advisory contains information about which versions of Windows are vulnerable as well as workarounds and mitigations for this issue. The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled. We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers..."
• V1.1 (July 19, 2010)... "Microsoft is currently working to develop a security update for Windows to address this vulnerability..."

- http://blogs.technet.com/b/mmpc/archive/2010/07/16/the-stuxnet-sting.aspx
16 Jul 2010

- http://www.kb.cert.org/vuls/id/940193
Last Updated: 2010-07-19

- http://www.us-cert.gov/current/#microsoft_windows_lnk_vulnerability
updated July 19, 2010

0-Day exploit is public
- http://www.f-secure.com/weblog/archives/00001991.html
July 19, 2010

- http://securitytracker.com/alerts/2010/Jul/1024216.html
Updated: July 20 2010

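
The advisory above says the Shell parses a crafted shortcut's icon information and ends up running code; a defender looking at a removable drive wants to know which .lnk files have that shape without letting Explorer render them. The script below is an added example for this thread, not code from Microsoft or any vendor. It reads the .lnk header and LinkTargetIDList following the public MS-SHLLINK layout and flags a Control Panel folder item paired with a shell item carrying a .dll path, which is the pattern later described for CVE-2010-2568. The pairing rule, the function names and the 260-character path bound are this example's own assumptions, not a published signature, so treat a hit as a reason to quarantine and analyse, not as proof.

```powershell
# Added example, not from the advisory or any vendor: a read-only heuristic check of .lnk
# files for the shape of the CVE-2010-2568 exploit shortcut, a LinkTargetIDList that holds a
# Control Panel folder item and a shell item whose data is a path to a .dll. Header offsets
# follow the MS-SHLLINK layout; the pairing rule is this example's assumption, not a signature.

function Find-ByteSequence {
    param([byte[]]$Haystack, [byte[]]$Needle)
    for ($i = 0; $i -le $Haystack.Length - $Needle.Length; $i++) {
        $j = 0
        while ($j -lt $Needle.Length -and $Haystack[$i + $j] -eq $Needle[$j]) { $j++ }
        if ($j -eq $Needle.Length) { return $true }
    }
    return $false
}

function Test-SuspiciousLnk {
    param([Parameter(Mandatory = $true)][string]$Path)

    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $result = New-Object PSObject -Property @{
        Path = $Path; IsLnk = $false; HasIdList = $false
        ControlPanelItem = $false; DllPath = $null; Suspicious = $false
    }

    # ShellLinkHeader: HeaderSize 0x4C, then LinkCLSID 00021401-0000-0000-C000-000000000046
    $linkClsid = [byte[]](0x01,0x14,0x02,0,0,0,0,0,0xC0,0,0,0,0,0,0,0x46)
    if ($bytes.Length -lt 0x4E -or [BitConverter]::ToUInt32($bytes, 0) -ne 0x4C) { return $result }
    if (-not (Find-ByteSequence ([byte[]]$bytes[4..19]) $linkClsid)) { return $result }
    $result.IsLnk = $true

    # LinkFlags at 0x14; bit 0 = HasLinkTargetIDList, the structure the icon handler parses
    if (([BitConverter]::ToUInt32($bytes, 0x14) -band 1) -eq 0) { return $result }
    $result.HasIdList = $true

    # Control Panel folder CLSID {21EC2020-3AEA-1069-A2DD-08002B30309D} as laid out on disk
    $cplClsid = [byte[]](0x20,0x20,0xEC,0x21,0xEA,0x3A,0x69,0x10,0xA2,0xDD,0x08,0x00,0x2B,0x30,0x30,0x9D)

    # IDListSize (2 bytes) at 0x4C, then ItemIDs of [size:2][data], ended by a 0x0000 TerminalID
    $end = [Math]::Min($bytes.Length, 0x4E + [BitConverter]::ToUInt16($bytes, 0x4C))
    $pos = 0x4E
    while ($pos + 2 -le $end) {
        $itemSize = [BitConverter]::ToUInt16($bytes, $pos)
        if ($itemSize -eq 0) { break }                                # TerminalID
        if ($itemSize -lt 2 -or $pos + $itemSize -gt $end) { break }  # malformed list, stop walking
        if ($itemSize -gt 2) {
            $data = [byte[]]$bytes[($pos + 2)..($pos + $itemSize - 1)]
            if (Find-ByteSequence $data $cplClsid) { $result.ControlPanelItem = $true }
            # the exploit item carries the DLL location as a UTF-16 path (local drive or UNC)
            $text = [System.Text.Encoding]::Unicode.GetString($data)
            if ($text -match '(?i)(?:[a-z]:\\|\\\\)[^\x00]{1,260}?\.dll') { $result.DllPath = $Matches[0] }
        }
        $pos += $itemSize
    }
    $result.Suspicious = $result.ControlPanelItem -and ($result.DllPath -ne $null)
    return $result
}

# Usage: scan a removable drive from the console, without first browsing it in Explorer
# Get-ChildItem 'E:\' -Filter *.lnk -Recurse | ForEach-Object { Test-SuspiciousLnk $_.FullName } | Where-Object { $_.Suspicious }
```

Run it from a console window, not from an Explorer window showing the drive, because browsing the folder is exactly what the advisory says triggers the icon parsing. Shortcuts with a Control Panel item and no .dll path are normal (Control Panel applet shortcuts look like that), which is why both conditions are required before Suspicious is set.
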
"Fixit" released for MS shortcut vuln ...

FYI...

"Fixit" released for MS shortcut vuln...
Microsoft Security Advisory (2286198)
Vulnerability in Windows Shell Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2286198.mspx
• V1.2 (July 20, 2010): Clarified the vulnerability exploit description and updated the workarounds...
Disable the displaying of icons for shortcuts ...
Note: See Microsoft Knowledge Base Article 2286198* to use the automated Microsoft Fix it solution to enable or disable this workaround. This Fix it solution will require a restart upon completion in order to be effective. This Fix it solution deploys the workaround, and thus has the same user impact. We recommend that administrators review the KB article closely prior to deploying this Fix it solution.
NOTE: Applying the fixit will remove the graphical representation of icons on the Task bar and Start menu bar and replace them with white icons without the graphical representation of the icon...
Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk...
* http://support.microsoft.com/kb/2286198
Last Review: July 21, 2010 - Revision: 1.0
---
Disable the WebClient service ...
---
Block the download of .LNK and .PIF files from the internet ...
___

Embedded Shortcuts in Documents...
- http://www.f-secure.com/weblog/archives/00001994.html
July 21, 2010

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2568
Last revised: 07/22/2010
CVSS v2 Base Score: 9.3 (HIGH)

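
For anyone who wants to roll the two registry-side workarounds out (or back) across several machines rather than clicking through the Fix it on each one, here is an added example script for this thread; it is not from KB2286198 or the advisory. It does what the KB's manual steps describe: exports the lnkfile and piffile IconHandler keys as a backup, removes their (Default) value (the icon-handler CLSID), and disables and stops the WebClient service. Status mode also reports whether the MS10-046 update (KB2286198) is present, so the same script tells you when the workaround can be reverted. The backup directory name, the use of reg.exe for the export/import and the column names are this example's own choices.

```powershell
# Added example, not from KB2286198 or the advisory: apply, revert or report the
# "disable the displaying of icons for shortcuts" workaround and the "disable the WebClient
# service" workaround, and report whether MS10-046 (KB2286198) is installed. Run from an
# elevated PowerShell; the icon-handler change needs a restart, exactly like the Fix it.
# The backup directory and the reg.exe export/import for the backup are this example's choices.

param(
    [ValidateSet('Apply', 'Revert', 'Status')]
    [string]$Action = 'Status',
    [string]$BackupDir = "$env:SystemDrive\lnk-workaround-backup"
)

# Icon-handler keys under HKEY_CLASSES_ROOT; removing (Default) removes the handler CLSID
$iconHandlerKeys = @('lnkfile\shellex\IconHandler', 'piffile\shellex\IconHandler')
$startModeFile   = Join-Path $BackupDir 'webclient-startmode.txt'

function Get-BackupFile([string]$Sub) { Join-Path $BackupDir (($Sub -replace '\\', '_') + '.reg') }

function Get-WorkaroundStatus {
    $rows = foreach ($sub in $iconHandlerKeys) {
        $default = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$sub" -ErrorAction SilentlyContinue).'(default)'
        New-Object PSObject -Property @{ Item = $sub; Value = $default; Mitigated = [string]::IsNullOrEmpty($default) }
    }
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    $rows += New-Object PSObject -Property @{
        Item = 'WebClient service'; Value = "$($svc.StartMode)/$($svc.State)"; Mitigated = ($svc.StartMode -eq 'Disabled')
    }
    $fix = Get-HotFix -Id KB2286198 -ErrorAction SilentlyContinue
    $rows += New-Object PSObject -Property @{
        Item = 'MS10-046 (KB2286198)'
        Value = $(if ($fix) { "installed $($fix.InstalledOn)" } else { 'not installed' })
        Mitigated = [bool]$fix
    }
    $rows
}

function Invoke-Workaround {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($sub in $iconHandlerKeys) {                       # back everything up before touching anything
        & reg.exe export "HKEY_CLASSES_ROOT\$sub" (Get-BackupFile $sub) /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "backup of $sub failed; nothing changed" }
    }
    (Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'").StartMode | Set-Content $startModeFile
    foreach ($sub in $iconHandlerKeys) {
        Remove-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$sub" -Name '(default)' -ErrorAction SilentlyContinue
    }
    Set-Service -Name WebClient -StartupType Disabled
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
}

function Undo-Workaround {
    foreach ($sub in $iconHandlerKeys) {
        $file = Get-BackupFile $sub
        if (Test-Path $file) { & reg.exe import $file 2>&1 | Out-Null }
    }
    if (Test-Path $startModeFile) {
        # Win32_Service reports 'Auto'; Set-Service wants 'Automatic'
        Set-Service -Name WebClient -StartupType ((Get-Content $startModeFile) -replace '^Auto$', 'Automatic')
    }
}

switch ($Action) {
    'Apply'  { Invoke-Workaround; Write-Warning 'Restart required for the icon-handler change to take effect.' }
    'Revert' { Undo-Workaround;   Write-Warning 'Restart required for the icon-handler change to be undone.' }
}
Get-WorkaroundStatus | Format-Table Item, Value, Mitigated -AutoSize
```

Expect the same side effect the KB warns about: after the restart every shortcut on the taskbar and Start menu shows a blank white icon until you run the script with -Action Revert. Disabling WebClient also breaks WebDAV access from Explorer and Office, so check that before pushing it to users who rely on SharePoint document libraries mapped as drives.
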
Exploits in the wild for Windows shortcut vuln

FYI...

Exploits in the wild for Windows shortcut vuln
- http://blog.trendmicro.com/exploits-for-windows-shortcut-vulnerability-in-the-wild/
July 22, 2010 - "Exploits for the recently discovered Windows shortcut vulnerability are now fully out in the wild and affecting users. While earlier samples were seen in more narrowly targeted attacks, the new samples Trend Micro analysts found are now aimed at broader audiences and pose a threat to users at large. Indonesia and India have been particularly hard-hit by this attack, accounting for more than 75 percent of the total number of infections. In addition, a recent update to Microsoft’s advisory has added a new vector for this vulnerability. File formats that support embedded shortcuts (e.g., Microsoft Office documents) can now be used to spread exploits as well. This means that users who download and open such files could find themselves the latest victim of this vulnerability. It has also been reported that this attack could be used in drive-by attack scenarios, further increasing risks... Below is a summary of these possibilities:
1. USB drive infection...
2. Network shares...
3. Malicious website...
4. Documents...
"

(More detail at the URL above.)

- http://threatinfo.trendmicro.com/vi...a Windows Shortcut Vulnerability Exploit.html

- http://www.symantec.com/connect/de/blog-tags/w32stuxnet
July 22, 2010 - "... Within the past 72 hours we've seen close to 14,000 unique IP addresses infected with W32.Stuxnet attempt to contact the C&C server..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2568
Last revised: 07/23/2010
CVSS v2 Base Score: 9.3 (HIGH)

- http://www.f-secure.com/v-descs/trojan-dropper_w32_stuxnet.shtml
- http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99&tabid=2
- http://www.sophos.com/security/analyses/viruses-and-spyware/w32stuxnetb.html

MS .lnk 0-day attack vector - Siemens WinCC sites

FYI...

MS .lnk 0-day attack vector
- http://atlas.arbor.net/briefs/index#1754998770
Severity: Extreme Severity
Analysis: This is a serious risk, and a critical one for Siemens WinCC sites. We encourage all Windows sites to review the bulletin* for mitigation options in the absence of a patch..."
* http://www.microsoft.com/technet/security/advisory/2286198.mspx

NEW malware families using .LNK vulnerability
- http://blogs.technet.com/b/mmpc/arc...malware-families-using-lnk-vulnerability.aspx
23 Jul 2010

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2772
Last revised: 07/26/2010

- http://www.networkworld.com/news/2010/072310-virus-writers-are-picking-up.html
July 22, 2010 - "... Siemens issued a Security Update** for its customers on Thursday, but Microsoft has yet to patch the Windows bug that permits the worm to spread..."
** http://support.automation.siemens.c...lib.csinfo&lang=en&objid=43876783&caller=view

- http://www.symantec.com/connect/blog-tags/w32stuxnet
July 25, 2010

SophosLabs free tool - validates MS Shortcut

FYI...

Windows Shortcut Exploit protection tool
- http://www.sophos.com/products/free-tools/sophos-windows-shortcut-exploit-protection-tool.html
"... The Windows Shortcut Exploit is a zero-day vulnerability in all versions of Windows that allows a Windows shortcut link to run a malicious DLL file. Our free, easy-to-use tool blocks this exploit from running on your computer..."

- http://isc.sans.edu/diary.html?storyid=9268
Last Updated: 2010-07-26 17:03:58 UTC

- http://www.sophos.com/support/knowledgebase/article/111570.html
Last updated: 26 Jul 2010

- http://www.sophos.com/blogs/gc/g/2010/07/26/shortcut-exploit-free-tool/
Video: 1:57

- http://www.f-secure.com/weblog/archives/00001996.html
July 26, 2010 - "... several additional malware families are now attempting to exploit Microsoft's LNK vulnerability (2286198). But here's the good news: so far, the new exploit samples are detected by us, and by many other vendors*. Basically we're seeing new payloads using the same basic exploit method, which is being detected generically, and not new versions of the exploit..."
* http://www.virustotal.com/analisis/...2b1041304c558a1be74cb3b553dbb29965-1280146392
File dsafnegweje.lnk received on 2010.07.26 12:13:12 (UTC)
Result: 18/42 (42.86%)

- http://blog.trendmicro.com/zeuszbot-and-sality-jump-on-the-lnk-exploit-bandwagon/
July 27, 2010 - "... exploits targeting the Windows shortcut zero-day vulnerability have risen in number. It is also now being used to spread ZBOT variants via malicious attachments to spammed messages... with the subject Microsoft Windows Security Advisory..."

MS shortcut/vuln fix to be released 8.2.2010

FYI...

MS shortcut/vuln fix to be released 8.2.2010
- http://blogs.technet.com/b/msrc/arc...ress-microsoft-security-advisory-2286198.aspx
29 Jul 2010 - "... we're announcing plans to release a security update to address the vulnerability discussed in Security Advisory 2286198* on Monday, August 2, 2010 at or around 10 AM PDT..."
* http://www.microsoft.com/technet/security/advisory/2286198.mspx

- http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx
July 30, 2010

- http://blogs.technet.com/b/mmpc/arc...malicious-lnks-and-then-there-was-sality.aspx
30 Jul 2010 - "... Microsoft announced plans to release an out-of-band update... numbers show infection attempts upon systems -we- protect... threats are becoming more widespread...
Malicious links exploiting CVE-2010-2568
Exploit:Win32/CplLnk.A
Exploit:Win32/CplLnk.B
Stuxnet
TrojanDropper:Win32/Stuxnet.A
Trojan:WinNT/Stuxnet.A
Trojan:WinNT/Stuxnet.B (initially called VirTool:WinNT/Rootkitdrv.HK)
Trojan:Win32/Stuxnet.A
Worm:Win32/Stuxnet.A
Worm:Win32/Stuxnet.B
Sality
Virus:Win32/Sality.AU (initial detection provided by generic signature Virus:Win32/Sality.AT)
Vobfus
Worm:Win32/Vobfus.H
Worm:Win32/Vobfus.P
Chymine
Trojan:Win32/Chymine.A
TrojanSpy:Win32/Chymine.A
TrojanDownloader:Win32/Chymine.A ..."

MS10-046 released - 2010.08.02

FYI...

Microsoft Security Bulletin MS10-046 - Critical
Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)
- http://www.microsoft.com/technet/security/Bulletin/MS10-046.mspx
August 02, 2010
Remote Code Execution
Critical
... This vulnerability is currently being exploited...

- http://www.microsoft.com/technet/security/Bulletin/MS10-aug.mspx
August 02, 2010

ISC Analysis
- http://isc.sans.edu/diary.html?storyid=9313
Last Updated: 2010-08-02
PATCH NOW!

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2568
Last revised: 08/03/2010
CVSS v2 Base Score: 9.3 (HIGH)

- http://blogs.technet.com/b/msrc/archive/2010/08/02/ms10-046-released-out-of-band-today.aspx
2 Aug 2010 - "... today we released Security Bulletin MS10-046* out-of-band to address a vulnerability in Windows. This security update addresses a vulnerability in the handling of shortcuts that affects all currently supported versions of Windows XP, Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2... For customers using automatic updates, this update will automatically be applied once it is released. Customers not using automatic updates should download, test and deploy this update as quickly as possible..."

- http://www.sophos.com/security/topic/shortcut.html
August 2, 2010 - "... If you have the Sophos Windows Shortcut Exploit Protection Tool on your machine, uninstall it before deploying Microsoft's patch."

- http://atlas.arbor.net/briefs/index#1754998770
August 03, 2010
Severity: Extreme Severity
Analysis: This is a serious risk, and a critical one especially for Siemens WinCC sites. We encourage all Windows sites to review the bulletin for mitigation options and apply the update as soon as possible.

Stuxnet - Rootkit for SCADA Devices...
- http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices
August 6, 2010

MS Security Bulletin -Advance- Notification - August 2010

FYI...

MS Security Bulletin -Advance- Notification - August 2010
- http://www.microsoft.com/technet/security/Bulletin/MS10-aug.mspx
August 05, 2010 - "... advance notification of security bulletins that Microsoft is intending to release on August 10, 2010... (Total of -14-)

Critical -8-
Bulletin 1 / Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 2 / Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 3 / Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 4 / Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 5 / Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 6 / Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 7 / Critical - Remote Code Execution - May require restart - Microsoft Office
Bulletin 8 / Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft Silverlight

Important -6-
Bulletin 9 / Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 10 / Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 11 / Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 12 / Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 13 / Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 14 / Important - Elevation of Privilege - May require restart - Microsoft Windows ...

- http://www.computerworld.com/s/arti...ecord_setting_monster_Patch_Tuesday_next_week
August 5, 2010 - "Microsoft today said it will deliver a record 14 security updates next week to patch a record-tying 34 vulnerabilities in Windows, Internet Explorer (IE), Office and Silverlight..."
- http://blogs.technet.com/b/msrc/arc...10-bulletin-release-advance-notification.aspx

LNK vuln (MS10-046) now leveraged by botnet...

FYI...

LNK vuln (MS10-046) now leveraged by botnet...
- http://www.symantec.com/connect/blogs/sality-goes-lnk
August 9, 2010 - "... The discovery of the LNK vulnerability (BID 41732*), initially used by Stuxnet, gave malware authors a cheap, easy, and effective way to propagate their creations. The Sality gang didn’t waste much time and jumped on the bandwagon in the early days of August. However, it seems that it was only this weekend that they decided to leverage their botnet to potentially infect even more computers. The latest package downloaded by Sality (sequence ID 122) refers to a few URLs, including Sality-standard hack tools (mail relay, HTTP proxy), but also to a dropper for Sality itself... make sure your operating system is properly patched..."
* http://www.securityfocus.com/bid/41732/references

- http://forums.spybot.info/showpost.php?p=379430&postcount=153
"Critical ... This vulnerability is currently being exploited..."

MS Security Bulletin Summary - August 2010 V2.0

FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS10-aug.mspx
• V2.0 (August 10, 2010): Added the bulletins, MS10-047 to MS10-060.
... (Total of -14-)

Critical -8-

Microsoft Security Bulletin MS10-049 - Critical
Vulnerabilities in SChannel could allow Remote Code Execution (980436)
- http://www.microsoft.com/technet/security/Bulletin/MS10-049.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS10-051 - Critical
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403)
- http://www.microsoft.com/technet/security/Bulletin/MS10-051.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS10-052 - Critical
Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168)
- http://www.microsoft.com/technet/security/Bulletin/MS10-052.mspx
Critical - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS10-053 - Critical
Cumulative Security Update for Internet Explorer (2183461)
- http://www.microsoft.com/technet/security/Bulletin/MS10-053.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer

Microsoft Security Bulletin MS10-054 - Critical
Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214)
- http://www.microsoft.com/technet/security/Bulletin/MS10-054.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS10-055 - Critical
Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665)
- http://www.microsoft.com/technet/security/Bulletin/MS10-055.mspx
Critical - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS10-056 - Critical
Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638)
- http://www.microsoft.com/technet/security/Bulletin/MS10-056.mspx
Critical - Remote Code Execution - May require restart - Microsoft Office

Microsoft Security Bulletin MS10-060 - Critical
Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)
- http://www.microsoft.com/technet/security/Bulletin/MS10-060.mspx
Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft .NET Framework, Microsoft Silverlight

Important -6-

Microsoft Security Bulletin MS10-047 - Important
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852)
- http://www.microsoft.com/technet/security/Bulletin/MS10-047.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS10-048 - Important
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)
- http://www.microsoft.com/technet/security/Bulletin/MS10-048.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS10-050 - Important
Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997)
- http://www.microsoft.com/technet/security/Bulletin/MS10-050.mspx
Important - Elevation of Privilege - May require restart - Microsoft Windows

Microsoft Security Bulletin MS10-057 - Important
Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (2269707)
- http://www.microsoft.com/technet/security/Bulletin/MS10-057.mspx
Important - Elevation of Privilege - May require restart - Microsoft Office

Microsoft Security Bulletin MS10-058 - Important
Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886)
- http://www.microsoft.com/technet/security/Bulletin/MS10-058.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS10-059 - Important
Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799)
- http://www.microsoft.com/technet/security/Bulletin/MS10-059.mspx
Important - Elevation of Privilege - May require restart - Microsoft Windows
___

Severity and Exploitability index
- http://blogs.technet.com/cfs-filesy...-00-00-45-71/8816.August-2010-Severity-XI.png

Deployment priority
- http://blogs.technet.com/cfs-filesy...5-71/0601.August-2010-Overview-Deployment.png
___

ISC Analysis
- http://isc.sans.edu/diary.html?storyid=9361
Last Updated: 2010-08-16 15:15:31 UTC ...(Version: -5-)
___

MSRT
- http://support.microsoft.com/?kbid=890830
August 10, 2010 - Revision: 77.0
(Recent additions)
- http://www.microsoft.com/security/malwareremove/families.aspx
... added this release...
• Stuxnet
• CplLnk
• Vobfus.A
• Vobfus.B
• Vobfus.C
• Vobfus!dll
• Worm:Win32/Sality.AU
• Virus:Win32/Sality.AU
• Trojan:WinNT/Sality

Download:
- http://www.microsoft.com/downloads/...E0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
File Name: windows-kb890830-v3.10.exe
Version: 3.10
Date Published: 8/10/2010
To download the x64 version of MSRT, click here:
- http://www.microsoft.com/downloads/...DE-367F-495E-94E7-6349F4EFFC74&displaylang=en
File Name: windows-kb890830-x64-v3.10.exe
___

10th Aug, 2010
http://secunia.com/advisories/40871/ - MS10-047
http://secunia.com/advisories/40878/ - MS10-048
http://secunia.com/advisories/40879/ - MS10-049
http://secunia.com/advisories/40883/ - MS10-049
http://secunia.com/advisories/38931/ - MS10-050

http://secunia.com/advisories/40893/ - MS10-051
http://secunia.com/advisories/40934/ - MS10-052
http://secunia.com/advisories/40895/ - MS10-053
http://secunia.com/advisories/40935/ - MS10-054
http://secunia.com/advisories/40936/ - MS10-055

http://secunia.com/advisories/40937/ - MS10-056
http://secunia.com/advisories/40750/ - MS10-057
http://secunia.com/advisories/40904/ - MS10-058
http://secunia.com/advisories/40817/ - MS10-059
http://secunia.com/advisories/40872/ - MS10-060

MS Security Advisories - issued/updated 2010.08.10

FYI...

Microsoft Security Advisory (2264072)
Elevation of Privilege Using Windows Service Isolation Bypass
- http://www.microsoft.com/technet/security/advisory/2264072.mspx
August 10, 2010 - "Microsoft is aware of the potential for attacks that leverage the Windows Service Isolation feature to gain elevation of privilege... Although, in most situations, untrusted code is not running under the NetworkService identity, the following scenarios have been identified as possible exceptions:
• Systems running Internet Information Services (IIS) in a non-default configuration are at an increased risk, particularly if IIS is running on Windows Server 2003 and Windows Server 2008, because the default worker process identity on these systems is NetworkService.
• Systems running SQL Server where users are granted SQL Server administrative privileges are at an increased risk.
• Systems running Windows Telephony Application Programming Interfaces (TAPI) are at an increased risk...
For the TAPI scenario, Microsoft is providing a non-security update*...
(FAQ) The Windows Service Isolation feature is an optional configuration that some customers may choose to deploy. This feature is not appropriate for all customers..."
- http://support.microsoft.com/kb/2264072

* TAPI non-security update: http://support.microsoft.com/kb/982316

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1886
Last revised: 08/17/2010
CVSS v2 Base Score: 6.8 (MEDIUM)
___

Microsoft Security Advisory (977377)
Vulnerability in TLS/SSL Could Allow Spoofing
- http://www.microsoft.com/technet/security/advisory/977377.mspx
Published: February 09, 2010 | Updated: August 10, 2010 - "... We have issued MS10-049* to address this issue..."
* http://www.microsoft.com/technet/security/bulletin/MS10-049.mspx
___

Update on the publicly disclosed Win32k.sys EoP Vulnerability
- http://blogs.technet.com/b/msrc/arc...y-disclosed-win32k-sys-eop-vulnerability.aspx
10 Aug 2010 - "... investigating a publicly disclosed vulnerability in the Windows Kernel-mode drivers (win32k.sys) affecting all supported operating systems. We are not aware of attacks that try to use the reported vulnerability or of any customer impact at this time... we are now able to report that this is a local elevation of privilege vulnerability only. This type of issue allows attackers to gain system-level privileges after they have already obtained an account on the target system. For this issue to be exploited, an attacker must have valid log-on credentials on the target system and be able to log on locally, or must already have code running on the target system. The vulnerability cannot be exploited remotely, or by anonymous users. We will not be releasing a security advisory for this issue, but it will be included in a future security update...."

MS Security Advisory (2269637)

FYI...

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2269637.mspx
August 23, 2010 - "Microsoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities that affects how applications load external libraries. This issue is caused by specific insecure programming practices that allow so-called "binary planting" or "DLL preloading attacks". These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location. This issue is caused by applications passing an insufficiently qualified path when loading an external library. Microsoft has issued guidance to developers in the MSDN article, Dynamic-Link Library Security*, on how to correctly use the available application programming interfaces to prevent this class of vulnerability. Microsoft is also actively reaching out to third-party vendors through the Microsoft Vulnerability Research Program to inform them of the mitigations available in the operating system. Microsoft is also actively investigating which of its own applications may be affected. In addition to this guidance, Microsoft is releasing a tool** that allows system administrators to mitigate the risk of this new attack vector by altering the library loading behavior system-wide or for specific applications. This advisory describes the functionality of this tool and other actions that customers can take to help protect their systems.
Mitigating Factors:
• This issue only affects applications that do not load external libraries securely. Microsoft has previously published guidelines for developers in the MSDN article, Dynamic-Link Library Security*, that recommend alternate methods to load libraries that are safe against these attacks.
• For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.
• The file sharing protocol SMB is often disabled on the perimeter firewall. This limits the possible attack vectors for this vulnerability..."

* http://msdn.microsoft.com/en-us/library/ff919712(VS.85).aspx
8/19/2010

** http://support.microsoft.com/kb/2264107
Last Review: August 25, 2010 - Revision: 3.0

More... DLL Preloading remote attack vector
- http://blogs.technet.com/b/srd/arch...bout-dll-preloading-remote-attack-vector.aspx
23 Aug 2010

- http://isc.sans.edu/diary.html?storyid=9445
Last Updated: 2010-08-24 17:01:04 UTC ...(Version: 3) - "... UPDATE 2: We received some e-mails about active exploitation of this vulnerability in the wild... it appears that the attackers so far are exploiting uTorrent, Microsoft Office and Windows Mail... applications for which Proof of Concept exploits have been published... be very careful about files you open from network shares..."

- http://www.us-cert.gov/current/#microsoft_releases_security_advisory5
August 24, 2010 - "... publicly available exploit code for this vulnerability... workarounds may reduce the functionality of the affected systems. Workarounds include:
• disabling the loading of libraries from WebDAV and remote network shares
• disabling the WebClient service
• blocking TCP ports 139 and 445 at the firewall ...

- http://securitytracker.com/alerts/2010/Aug/1024355.html
Aug 24 2010
___

- http://blog.eset.com/wp-content/media_files/DLLvuln.png
August 26, 2010
___

Insecure Library Loading Vulnerability:
Release Date: 2010-08-25

Microsoft Windows Address Book...
- http://secunia.com/advisories/41050/
uTorrent...
- http://secunia.com/advisories/41051/
Adobe Photoshop...
- http://secunia.com/advisories/41060/
Microsoft Office PowerPoint...
- http://secunia.com/advisories/41063/
Wireshark...
- http://secunia.com/advisories/41064/
Opera...
- http://secunia.com/advisories/41083/
Mozilla Firefox...
- http://secunia.com/advisories/41095/
Windows Live Mail...
- http://secunia.com/advisories/41098/
Microsoft Office Groove...
- http://secunia.com/advisories/41104/
VLC Media Player...
- http://secunia.com/advisories/41107/
avast! Antivirus...
- http://secunia.com/advisories/41109/
Adobe Dreamweaver...
- http://secunia.com/advisories/41110/
TeamViewer...
- http://secunia.com/advisories/41112/

... Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched ...
___

- http://secunia.com/blog/120
24 August 2010 - "... the discovery of the remote vector just made this serious... The vulnerability is not in the Windows OS itself, but is caused by bad (insecure) programming practises in applications when loading libraries combined with how the library search order works in Windows. Ideally, when loading a library (or running an executable), a fully qualified path should be passed to the APIs used (e.g. LoadLibrary()). In case a programmer refrains from doing so and only supplies the library name, Windows searches for the file in a number of directories in a particular order. These directories may include the current working directory, which leads to the core of the problem related to the new, remote attack vector as Windows eventually searches for the file on e.g. a remote SMB or WebDAV share if that happens to be the current directory. This is the case if a user e.g. is tricked into opening a file located on a remote share. By placing a malicious library, which a vulnerable application searches for, on the share it is loaded into the application and code is executed with the privileges of the user running it. As the core problem is not in Windows, but rather caused by applications loading libraries insecurely (i.e. not supplying a fully qualified path or not initially calling SetDllDirectory() with a blank path), Secunia will not be issuing a general advisory for Windows. Instead, (likely, quite a lot of) advisories will be issued as affected applications are identified. Currently, we are seeing reports from various researchers having identified everywhere between 40 to 200 vulnerable applications, but the actual number may be a lot higher..."

- http://www.kb.cert.org/vuls/id/707943
Date Last Updated: 2010-08-25

DLL - Insecure Library Loading Vulnerability

FYI...

- http://www.computerworld.com/s/arti...ts_boom_hackers_post_attacks_for_40_plus_apps
August 25, 2010 - "... The flaws stem from the way many Windows applications call code libraries - dubbed "dynamic-link library," or "DLL" - that give hackers wiggle room they can exploit by tricking an application into loading a malicious file with the same name as a required DLL. If attackers can dupe users into visiting malicious Web sites or remote shares, or get them to plug in a USB drive - and in some cases con them into opening a file - they can hijack a PC and plant malware on it... As of 3 p.m. ET, more than 30 exploits had been posted on Wednesday alone..."

- http://www.kb.cert.org/vuls/id/707943
Date Last Updated: 2010-08-30

- http://secunia.com/advisories/search/?search=Insecure+Library+Loading+Vulnerability
> Updated Jan. 22, 2011 - (Count is now -170-)

Microsoft apps... DLL hijacking attack vuln
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3138
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3139
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3140
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3141
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3142
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3143
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3144
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3145
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3146
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3147
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3148
Last revised: 08/30-31/2010
CVSS v2 Base Score: 9.3 (HIGH)

:fear:
 
DLL "MS Fix it" disables load from WebDAV and remote network shares

FYI...

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2269637.mspx
"...Workarounds:
• Disable loading of libraries from WebDAV and remote network shares...
• Disable the WebClient service...
• Block TCP ports 139 and 445 at the firewall...
(See "Impact of workaround" for each one)..."
• V1.1 (August 31, 2010) Added a link to Microsoft Knowledge Base Article 2264107* to provide an automated Microsoft Fix it solution for the workaround, Disable loading of libraries from WebDAV and remote network shares.
* http://support.microsoft.com/kb/2264107
August 31, 2010 - Revision: 4.0

MS SRD - Update on the DLL-preloading remote attack vector
- http://blogs.technet.com/b/srd/arch...-the-dll-preloading-remote-attack-vector.aspx
31 Aug 2010 - "... Note: The Fix-it itself does not install the workaround tool. You’ll need to separately download and install the tool beforehand.
To instead completely block all DLL-preloading attack vectors, including the threat of malicious files on a USB thumb drive or files arriving via email as a ZIP attachment, set CWDIllegalInDllSearch to 0xFFFFFFFF. This will address any DLL preloading vulnerabilities that may exist in applications running on your system. However, it may have some unintended consequences for applications that require this behavior, so we do recommend thorough testing..."
- http://go.microsoft.com/?linkid=9742148

- http://techblog.avira.com/2010/09/0...lications-dll-search-path-vulnerabilities/en/
September 2, 2010 - "... the company released a Fix-it tool which can be executed after the patch has been applied. It lessens the restrictions introduced by the patch so that most applications do work again. Windows then still blocks loading DLLs from network shares or WebDAV, but if a malicious DLL is located within a local working directory, an attack may still succeed..."

Verified Secunia List:
- http://secunia.com/advisories/windows_insecure_library_loading/
(tables are automatically updated as Secunia issues new advisories)
Number of products affected...
Number of vendors affected...
Number of Secunia Advisories issued...

:fear:
 
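The CWDIllegalInDllSearch value that the SRD post above refers to is the system-wide switch installed by the KB 2264107 tool; the Fix it sets it to the "WebDAV and remote network shares" level, and the SRD post describes 0xFFFFFFFF for blocking current-working-directory loads everywhere. The script below is an added example, not Microsoft's Fix it and not code from the advisory or from Secunia: it reports the current system-wide value and, on request, sets it to either level, so an administrator can verify the mitigation against the search-order problem described in the Secunia post. The registry key, value name and value meanings are taken from KB 2264107; the function names, the Mode parameter and the output format are this example's own. The value is only honoured once the KB 2264107 update is installed, as the SRD post notes.

```powershell
<#
  Added example (not Microsoft's Fix it): report and optionally set the
  system-wide CWDIllegalInDllSearch value from KB 2264107.
  Changing it requires an elevated (Administrator) PowerShell session and
  takes effect for processes started afterwards.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Report      : only show the current setting (default)
    # BlockRemote : value 2, what the KB 2264107 Fix it applies
    # BlockAll    : value 0xFFFFFFFF, as described in the SRD post
    [ValidateSet('Report', 'BlockRemote', 'BlockAll')]
    [string]$Mode = 'Report'
)

# Registry location documented in KB 2264107.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ValueName = 'CWDIllegalInDllSearch'

function Describe-CwdDllPolicy([uint32]$Value) {
    # Meaning of each DWORD value per KB 2264107.
    switch ($Value) {
        0          { 'DLLs may be loaded from the current working directory, even a remote one (default)' }
        1          { 'Blocks CWD DLL loads when the CWD is a WebDAV folder' }
        2          { 'Blocks CWD DLL loads when the CWD is a WebDAV or remote network folder' }
        0xFFFFFFFF { 'Blocks CWD DLL loads from any location' }
        default    { 'Undocumented value' }
    }
}

function Get-CwdDllSearchPolicy {
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $raw = 0            # value absent: Windows behaves as if it were 0
        $present = $false
    } else {
        $raw = $item.$ValueName
        $present = $true
    }
    # The registry provider returns DWORDs as Int32, so 0xFFFFFFFF arrives
    # as -1; mask it back to an unsigned value before interpreting it.
    $value = [uint32]($raw -band 0xFFFFFFFF)
    [pscustomobject]@{
        Present = $present
        Value   = ('0x{0:X8}' -f $value)
        Meaning = Describe-CwdDllPolicy $value
    }
}

function Set-CwdDllSearchPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][uint32]$Value)
    $target = "$KeyPath\$ValueName"
    if ($PSCmdlet.ShouldProcess($target, ('set to 0x{0:X8}' -f $Value))) {
        # DWORDs above 0x7FFFFFFF must be handed to the provider as a signed Int32.
        $signed = [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $signed -Type DWord
    }
}

$before = Get-CwdDllSearchPolicy
Write-Output ('Current: present={0} value={1} ({2})' -f $before.Present, $before.Value, $before.Meaning)

switch ($Mode) {
    'BlockRemote' { Set-CwdDllSearchPolicy -Value 2 }
    'BlockAll'    { Set-CwdDllSearchPolicy -Value 0xFFFFFFFF }
}

if ($Mode -ne 'Report') {
    $after = Get-CwdDllSearchPolicy
    Write-Output ('Now:     value={0} ({1})' -f $after.Value, $after.Meaning)
}
```

Run it as `.\Check-CwdDllSearch.ps1` (hypothetical file name) from an elevated prompt to audit a machine, and with `-Mode BlockAll -WhatIf` to see what would change before committing to it; the -WhatIf preference flows from the script into Set-CwdDllSearchPolicy. Because 0xFFFFFFFF also blocks loads from a local working directory, test the applications that rely on that behaviour first, as the SRD post recommends, and fall back to BlockRemote (the Fix it level) where they break.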
Word 2007 updates...

FYI...

Microsoft Security Bulletin MS10-056 - Critical
Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638)
- http://www.microsoft.com/technet/security/bulletin/MS10-056.mspx?pubDate=2010-09-01
Updated: September 01, 2010
• V1.3 (September 1, 2010): Added note to the affected software table to inform customers using Word 2007 that in addition to security update package KB2251419, they also need to install the security update package KB2277947* to be protected from the vulnerabilities described in this bulletin.
* http://support.microsoft.com/?kbid=2277947

:fear:
 
MS Security Bulletin Advance Notification - September 2010

FYI...

MS Security Bulletin Advance Notification - September 2010
- http://www.microsoft.com/technet/security/Bulletin/MS10-sep.mspx
September 09, 2010 - "This is an advance notification of security bulletins that Microsoft is intending to release on September 14, 2010... (Total of -9-)

Critical -4-
Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 2 - Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 3 - Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft Office
Bulletin 4 - Critical - Remote Code Execution - May require restart - Microsoft Office

Important -5-
Bulletin 5 - Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 6 - Important - Remote Code Execution - Requires restart - Microsoft Windows
Bulletin 7 - Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 8 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
Bulletin 9 - Important - Elevation of Privilege - Requires restart - Microsoft Windows

.
 