Old MS Alerts

Win7 SP1 available

FYI...

Win7 SP1 available
- http://support.microsoft.com/kb/976932
Last Review: February 22, 2011 - Revision: 3.1

- http://windows.microsoft.com/installwindows7sp1
"... How to get SP1
The recommended (and easiest) way to get SP1 is to turn on automatic updating in Windows Update in Control Panel, and wait for Windows 7 to notify you that SP1 is ready to install. It takes about 30 minutes to install, and you'll need to restart your computer about halfway through the installation..."

What's included in Windows 7 SP1
- http://windows.microsoft.com/en-US/windows7/whats-included-in-windows-7-service-pack-1-sp1

- http://windows.microsoft.com/en-US/windows7/learn-how-to-install-windows-7-service-pack-1-sp1
"... Installation method - Estimated amount of free disk space required
Windows Update:
• x86-based (32-bit): 750 MB
• x64-based (64-bit): 1050 MB
Downloading SP1 from the Microsoft website:
• x86-based (32-bit): 4100 MB
• x64-based (64-bit): 7400 MB
Installing SP1 using an installation DVD:
• x86-based (32-bit): 4100 MB
• x64-based (64-bit): 7400 MB ..."

:blink:
 
MS Malware Protection Engine advisory...

FYI...

Microsoft Security Advisory (2491888)
Vulnerability in Microsoft Malware Protection Engine Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/2491888.mspx
February 23, 2011 - "... an update to the Microsoft Malware Protection Engine also addresses a security vulnerability reported to Microsoft. The update addresses a privately reported vulnerability that could allow elevation of privilege if the Microsoft Malware Protection Engine scans a system after an attacker with valid logon credentials has created a specially crafted registry key. An attacker who successfully exploited the vulnerability could gain the same user rights as the LocalSystem account. The vulnerability could not be exploited by anonymous users. Since the Microsoft Malware Protection Engine is a part of several Microsoft anti-malware products, the update to the Microsoft Malware Protection Engine is installed along with the updated malware definitions for the affected products. Administrators of enterprise installations should follow their established internal processes to ensure that the definition and engine updates are approved in their update management software, and that clients consume the updates accordingly. Typically, no action is required of enterprise administrators or end users to install this update, because the built-in mechanism for the automatic detection and deployment of this update will apply the update within the next 48 hours. The exact time frame depends on the software used, Internet connection, and infrastructure configuration..."
- http://support.microsoft.com/kb/2510781
February 23, 2011 - "... how to verify that the updates have been installed... This update requires Windows Live OneCare..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0037
Last revised: 02/28/2011 - CVSS v2 Base Score: 7.2 (HIGH) - "... before 1.1.6603.0, as used in Microsoft Malicious Software Removal Tool (MSRT), Windows Defender, Security Essentials, Forefront Client Security, Forefront Endpoint Protection 2010, and Windows Live OneCare..."
___

- http://secunia.com/advisories/43468/
Release Date: 2011-02-24
Solution Status: Partial Fix
...The vulnerability is reported in version 1.1.6502.0 and prior of Microsoft Malware Protection Engine.
Solution: Ensure that systems are running version 1.1.6603.0 or later of Microsoft Malware Protection Engine. Typically, malware definitions and updates for Microsoft Malware Protection Engine are applied automatically...

- http://www.h-online.com/security/ne...-scanner-causes-security-problem-1196731.html
24 February 2011 - "... such updates are usually installed within 48 hours, but that users can also initiate the process manually..."

:fear:
 
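As an added example (not part of the advisory, KB 2510781 or this post), a PowerShell check for the fix the advisory describes: it reads the Malware Protection Engine version from the registry and compares it with 1.1.6603.0 as a version rather than as a string. The two registry paths are assumptions for Security Essentials/Forefront Endpoint Protection and the built-in Windows Defender; add your product's path if it stores the engine version elsewhere.

```powershell
# Added example, not taken from Advisory 2491888 or KB 2510781: confirm the
# installed Microsoft Malware Protection Engine is at or above the fixed
# build the advisory names (1.1.6603.0). The registry paths below are
# assumptions for two of the affected products.

$FixedEngine = [version]'1.1.6603.0'

$EnginePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates',  # Security Essentials / Forefront Endpoint Protection (assumed)
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates'        # built-in Windows Defender (assumed)
)

function Test-MmpeEngineVersion {
    param(
        [string[]]$Paths   = $EnginePaths,
        [version] $Minimum = $FixedEngine
    )
    foreach ($Path in $Paths) {
        if (-not (Test-Path -Path $Path)) { continue }
        $Raw = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).EngineVersion
        if ([string]::IsNullOrEmpty($Raw)) { continue }

        # [version] compares each field numerically, so 1.1.10000.0 ranks
        # above 1.1.6603.0; a plain string comparison would get that wrong.
        $Installed = [version]$Raw
        New-Object -TypeName PSObject -Property @{
            RegistryPath = $Path
            Installed    = $Installed
            Required     = $Minimum
            Patched      = ($Installed -ge $Minimum)
        }
    }
}

$Results = @(Test-MmpeEngineVersion)
if ($Results.Count -eq 0) {
    Write-Warning 'No engine version found at the assumed registry paths.'
}
else {
    $Results | Select-Object RegistryPath, Installed, Required, Patched | Format-Table -AutoSize
    if ($Results | Where-Object { -not $_.Patched }) {
        Write-Warning 'Engine older than 1.1.6603.0: push a definition/engine update and re-run this check.'
    }
}
```

Run it in an elevated PowerShell on the client; a `Patched` column reading `False` means the engine update the advisory says arrives with the definitions has not been consumed yet.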
Win7 SP1 problems...

FYI...

Win7 / 2008 R2 SP1 problems...
- http://isc.sans.edu/diary.html?storyid=10453
Last Updated: 2011-02-24 13:45:34 UTC ...(Version: 1) - "... some of the problems we are hearing about with Windows 7 SP1 and Windows 2008 R2 SP1. Right now, there is no urgent reason to install this service pack and it should be tested first...
Specific examples. Consider them anecdotal but if you run any software mentioned here, or similar software, this list should give you a guide to test.
* Users with old versions of Microsoft Security Essentials may not be able to install SP1. Upgrade first.
* Samsung Galaxy S phone drivers may have problems with SP1
* some users reported very long install times (> 1hr. but not all that unusual for a service pack)
* Chrome 10 and 11 have issues according to some tweets
* Word 2003 VBA
* slower boot times with SP1 than without
* some reports of download issues due to overloaded servers
* Lenovo's Thinkvantage System Update may not work (update it before applying the SP)
* EVGA Precision Utility 2.0.2 (Graphics card stats program liked by gamers)
* MSI Afterburner
* some issues with Bitlocker are reported. But no confirmation at this point and it may also be due to entering the wrong password on reboot (you have to reboot a couple times in certain situations)

Link to a technet page with reports of install issues:
http://technet.microsoft.com/en-us/library/ff817622(WS.10).aspx
If all fails, here's a link with an uninstall procedure for SP1:
http://windows.microsoft.com/en-US/windows7/uninstall-sp1
To temporarily block installation of the service pack:
http://www.microsoft.com/downloads/...7a-5267-4bd6-87d0-e2a72099edb7&displaylang=en
...This tool can be used with:
• Windows 7 Service Pack 1 (valid through 2/22/2012)
• Windows Server 2008 R2 Service Pack 1 (valid through 2/22/2012) ..."

:fear::fear:
 
MS Autorun update v2.1 now "automatic" from Windows Update

FYI...

MS Autorun update v2.1 now "automatic" from Windows Update
- http://isc.sans.edu/diary.html?storyid=10468
Last Updated: 2011-03-02 06:27:56 UTC - "Microsoft has moved their Windows Autorun V2.1 [1] (967940) update patch from optional updates to automatic updates. This is the same patch that was released in last month’s patch Tuesday. When Windows update is next run, this patch will automatically be selected to apply to your machine. This is more likely to affect home users, as companies should be using group policies to control how USB autorun settings operate. Expect one or two calls... why their favorite autorun USB stick application has stopped working."

[1] http://www.microsoft.com/technet/security/advisory/967940.mspx

:sad:
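As an added example (not from the ISC diary, Advisory 967940 or this post), a PowerShell audit of the AutoRun policy the diary says companies should be managing through Group Policy. It decodes the NoDriveTypeAutoRun bitmask so you can see, per drive type, whether AutoRun is disabled; the drive-type bit assignments and the 0x91 default are standard Windows values, and the registry paths are the normal policy locations.

```powershell
# Added example, not from the ISC diary or Advisory 967940: decode the
# NoDriveTypeAutoRun policy value. A set bit disables AutoRun for that drive
# type; 0xFF disables it everywhere, and 0x91 (the Windows default when no
# policy is set) leaves removable and CD/DVD drives enabled. The machine
# policy (HKLM) takes precedence over the per-user policy (HKCU).

$DriveTypeBits = @(
    @{ Bit = 0x01; Type = 'Unknown' },
    @{ Bit = 0x02; Type = 'No root directory' },
    @{ Bit = 0x04; Type = 'Removable (USB stick, floppy)' },
    @{ Bit = 0x08; Type = 'Fixed disk' },
    @{ Bit = 0x10; Type = 'Network' },
    @{ Bit = 0x20; Type = 'CD-ROM / DVD' },
    @{ Bit = 0x40; Type = 'RAM disk' },
    @{ Bit = 0x80; Type = 'Unrecognised type' }
)

function Get-NoDriveTypeAutoRun {
    # Returns the effective policy value and where it was read from.
    foreach ($Hive in 'HKLM', 'HKCU') {
        $Path = "$($Hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        if (Test-Path -Path $Path) {
            $Value = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
            if ($null -ne $Value) {
                return New-Object -TypeName PSObject -Property @{ Source = $Path; Mask = [int]$Value }
            }
        }
    }
    New-Object -TypeName PSObject -Property @{ Source = 'default (no policy set)'; Mask = 0x91 }
}

function ConvertFrom-AutoRunMask {
    param([int]$Mask)
    foreach ($Entry in $DriveTypeBits) {
        New-Object -TypeName PSObject -Property @{
            DriveType       = $Entry.Type
            AutoRunDisabled = (($Mask -band $Entry.Bit) -ne 0)
        }
    }
}

$Policy = Get-NoDriveTypeAutoRun
"NoDriveTypeAutoRun = 0x{0:X2} (from {1})" -f $Policy.Mask, $Policy.Source
ConvertFrom-AutoRunMask -Mask $Policy.Mask | Select-Object DriveType, AutoRunDisabled | Format-Table -AutoSize

$StillEnabled = ConvertFrom-AutoRunMask -Mask $Policy.Mask | Where-Object { -not $_.AutoRunDisabled }
if ($StillEnabled) {
    $Names = ($StillEnabled | ForEach-Object { $_.DriveType }) -join ', '
    Write-Warning "AutoRun is still enabled for: $Names. Set NoDriveTypeAutoRun to 0xFF through Group Policy to disable it everywhere."
}
```

On a machine with no policy configured the script reports the 0x91 default, which is exactly the state the diary expects to generate help-desk calls once the update changes how autorun.inf on USB media is treated.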
 
MS Security Bulletin Advance Notification - March 2011

FYI...

MS Security Bulletin Advance Notification - March 2011
- http://www.microsoft.com/technet/security/Bulletin/MS11-mar.mspx
March 03, 2011 - "This is an advance notification of security bulletins that Microsoft is intending to release on March 8, 2011..."
(Total of -3-)

Bulletin 1
Critical - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 2
Important - Remote Code Execution - May require restart - Microsoft Windows
Bulletin 3
Important - Remote Code Execution - May require restart - Microsoft Office

 
MS Security Bulletin Summary - March 2011

FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS11-mar.mspx
March 08, 2011 - "This bulletin summary lists security bulletins released for March 2011... (Total of -3-)

Microsoft Security Bulletin MS11-015 - Critical
Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030)
- http://www.microsoft.com/technet/security/bulletin/ms11-015.mspx
Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-017 - Important
Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2508062)
- http://www.microsoft.com/technet/security/Bulletin/MS11-017.mspx
Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-016 - Important
Vulnerability in Microsoft Groove Could Allow Remote Code Execution (2494047)
- http://www.microsoft.com/technet/security/Bulletin/MS11-016.mspx
Remote Code Execution - May require restart - Microsoft Office
___

MS11-015: http://secunia.com/advisories/43626/
Highly critical - System access - From remote
MS11-016: http://secunia.com/advisories/41104/
Highly critical - System access - From remote
MS11-017: http://secunia.com/advisories/43628/
Highly critical - System access - From remote

MS11-015:
- http://www.securitytracker.com/id/1025169
- http://www.securitytracker.com/id/1025170
MS11-016:
- http://www.securitytracker.com/id/1025171
MS11-017:
- http://www.securitytracker.com/id/1025172
___

- http://blogs.technet.com/b/msrc/archive/2011/03/08/march-2011-security-bulletin-release.aspx
"8 Mar 2011
MS11-015. This bulletin resolves one Critical-level and one Important-level vulnerability affecting certain media files in all versions of Microsoft Windows. It has an Exploitability Index rating of 1 ...
MS11-016 is a DLL-preloading issue affecting Microsoft Groove 2007 Service Pack 2, which makes this an Office bulletin. Versions 2007 and 2010 of Groove are unaffected, as is Microsoft SharePoint Workspace 2010.
MS11-017 is also a DLL-preloading issue, in this instance in Microsoft Windows Remote Client Desktop. This security update is rated Important for Remote Desktop Connection 5.2 Client, Remote Desktop Connection 6.0 Client, Remote Desktop Connection 6.1 Client, and Remote Desktop Connection 7.0 Client..."

Deployment Priority
- http://blogs.technet.com/cfs-filesy...Files/00-00-00-45-71/0247.1103-deployment.png

Severity and Exploitability
- http://blogs.technet.com/cfs-filesy...00-00-00-45-71/5460.1103-severity_2D00_xi.png
___

MSRT
- http://support.microsoft.com/?kbid=890830
March 8, 2011 - Revision: 85.0
(Recent additions)
- http://www.microsoft.com/security/pc-security/malware-families.aspx
... added this release...
• Renocide

- http://blogs.technet.com/b/mmpc/archive/2011/03/09/msrt-march-11-featuring-win32-renocide.aspx
9 Mar 2011

Download:
- http://www.microsoft.com/downloads/...E0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
File Name: windows-kb890830-v3.17.exe

To download the x64 version of MSRT, click here:
- http://www.microsoft.com/downloads/...DE-367F-495E-94E7-6349F4EFFC74&displaylang=en
File Name: windows-kb890830-x64-v3.17.exe
___

ISC Analysis
- http://isc.sans.edu/diary.html?storyid=10510
Last Updated: 2011-03-08 18:17:20 UTC

MS Security Advisories updated

FYI...

Microsoft Security Advisory (2491888)
Vulnerability in Microsoft Malware Protection Engine Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/2491888.mspx
• V1.1 (March 8, 2011): Revised advisory FAQ to announce updated version of the MSRT...
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0037
Last revised: 02/28/2011
CVSS v2 Base Score: 7.2 (HIGH)
"... before 1.1.6603.0..."

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2269637.mspx
• V6.0 (March 8, 2011): Added the following Microsoft Security Bulletins to the Updates relating to Insecure Library Loading section: MS11-015, "Vulnerabilities in Windows Media Could Allow Remote Code Execution;" MS11-016, "Vulnerability in Microsoft Groove Could Allow Remote Code Execution;" and MS11-017, "Vulnerability in Remote Desktop Client Could Allow Remote Code Execution."

:fear:
 
Forefront update fails - KB2508823

FYI...

Forefront update fails - KB2508823
- http://isc.sans.edu/diary.html?storyid=10522
Last Updated: 2011-03-09 23:13:29 UTC - "Included in this Patch Tuesday is a Forefront update KB2508823[1] (Client Version: 1.5.1996.0). We have received a number of reports that the KB2508823 update fails during the install. Once the update fails, the existing Forefront client is also removed. This leaves the machine without any anti-malware protection. We recommend you hold off deploying the update until confirmation from Microsoft. Microsoft have posted a similar warning here:
- http://blogs.technet.com/b/clientsecurity/archive/2011/03/08/fcs-v1-march-2011-update.aspx
"Update 9 March 2011... you may want to hold off approving this update for the moment..."
___

- http://blogs.technet.com/b/clientsecurity/archive/2011/03/08/fcs-v1-march-2011-update.aspx
"Update 10 March 2011... We have received reports of an installation issue with our March update of Forefront Client Security when the option of “install updates and shutdown” is used. We wanted to be clear on the issue and exactly what steps we are taking to rectify it.
Symptom: A computer attempts to use the install updates and shutdown Windows feature to update to the latest version of FCSv1. After restart, the computer does not have the Antimalware agent installed, but will still have the Security State Assessment (SSA) and Microsoft Operation Manager components installed.
The problem: This issue only occurs on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. It does not occur on Windows XP, Windows Server 2003 or Windows 2000. This issue was not introduced in the March Update. It is caused by a previously undetected problem in the October 2010 update. Please review the steps below for what options you should take. For the bug to occur, the system must have either the policy setting changing the default shutdown behavior or the user clicks on “Apply updates at Shutdown”. If the update is deployed or manually installed in other ways, this bug does not occur..."
(MS recommended steps to take at the URL above.)

[1] http://support.microsoft.com/kb/2508823

:eek:
 
MS advisory - escalation ...

FYI...

MS advisory - updated (2501696)
Vulnerability in MHTML Could Allow Information Disclosure
* http://www.microsoft.com/technet/security/advisory/2501696.mspx
• V1.1 (March 11, 2011): Revised Executive Summary to reflect investigation of limited, targeted attacks.

- https://www.computerworld.com/s/art...ks_leverage_unpatched_IE_flaw_Microsoft_warns
March 12, 2011 - "An Internet Explorer flaw made public by a Google security researcher two months ago is now being used in online attacks. The flaw, which has not yet been patched, has been used in "limited, targeted attacks," Microsoft said Friday*... The attack is triggered when the victim is tricked into visiting a maliciously encoded Web page - what's known as a Web drive-by attack... Microsoft has released a Fixit tool** that users can download to repair the problem, but has not said when, or even if, it plans to push out a comprehensive security update to all users..."
** http://support.microsoft.com/kb/2501696#FixItForMe

- http://www.theregister.co.uk/2011/03/12/windows_bug_target_google_users/
12 March 2011

- http://www.pcmag.com/article2/0,2817,2381881,00.asp
PCmag.com - "... Firefox and Chrome are not affected in their default configuration, as they do not support MHTML without the installation of specific add-on modules..."

:fear::mad:
 
MSRT results...

FYI...

MSRT 2011.03 results...
- http://blogs.technet.com/b/mmpc/archive/2011/03/16/win32-renocide-the-aftermath.aspx
16 Mar 2011 - "On March 8th, we announced the release of our latest Malicious Software Removal Tool (MSRT), version that included detection and cleaning capabilities for a backdoor enabled worm we are calling Win32/Renocide... According to our telemetry, this new addition was among the top 5 detected threats (in the first week of release), both when it comes to infected machines and when classified based on number of detected files... The high tally of affected machines reflects Renocide's relative age; the botnet has been around since 2008 and has slowly but steadily increased its prevalence. Our first detection dates back to the first half of 2008... Sality leads in the threat count ranking due to the fact that it is a file infector..."
(Charts available at the URL above.)

:fear:
 
MS advisory - Browser fraud threat...

FYI...

Microsoft Security Advisory (2524375)
Fraudulent Digital Certificates Could Allow Spoofing
- http://www.microsoft.com/technet/security/advisory/2524375.mspx
March 23, 2011 - "Microsoft is aware of nine fraudulent digital certificates issued by Comodo, a certification authority present in the Trusted Root Certification Authorities Store on all supported versions of Microsoft Windows. Comodo advised Microsoft on March 16, 2011 that nine certificates had been signed on behalf of a third party without sufficiently validating its identity. These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against -all- Web browser users including users of Internet Explorer... Comodo has revoked these certificates, and they are listed in Comodo’s current Certificate Revocation List (CRL). In addition, browsers which have enabled the Online Certificate Status Protocol (OCSP) will interactively validate these certificates and block them from being used. An update is available for all supported versions of Windows to help address this issue. For more information about this update, see Microsoft Knowledge Base Article 2524375*..."
* http://support.microsoft.com/kb/2524375
March 23, 2011 - Revision: 1.0

- http://www.securitytracker.com/id/1025248
Mar 23 2011

- http://isc.sans.edu/diary.html?storyid=10603
Last Updated: 2011-03-23 18:11:20 UTC
___

- http://www.secureworks.com/research/threats/rsacompromise/
March 18, 2011

:fear:
 
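As an added example (not from Advisory 2524375, KB 2524375 or this post), a PowerShell check that the Windows update for the fraudulent Comodo-issued certificates has taken effect. The advisory says the update places the nine certificates in the Untrusted Certificates store, which PowerShell exposes as `Cert:\LocalMachine\Disallowed`. Matching on the issuer name is an assumption on my part; the advisory itself lists the exact subjects, so compare against that list rather than trusting the name match alone. The `CertificateRevocation` registry value read at the end is the Internet Explorer "check for server certificate revocation" setting and is also an assumption.

```powershell
# Added example, not from Advisory 2524375 or KB 2524375: confirm that the
# fraudulent Comodo-issued certificates are explicitly distrusted on this
# machine and that revocation checking (the other defence the advisory
# names) is switched on in Internet Explorer.

function Get-DistrustedCertificates {
    # Lists Untrusted-store entries whose issuer matches the pattern.
    # 'COMODO' is an assumed filter; verify against the subjects in the advisory.
    param([string]$IssuerPattern = 'COMODO')
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Where-Object { $_.Issuer -match $IssuerPattern } |
        Select-Object Subject, Issuer, SerialNumber, NotBefore, NotAfter, Thumbprint
}

$Found = @(Get-DistrustedCertificates)
if ($Found.Count -eq 0) {
    Write-Warning 'No COMODO-issued entries in the Untrusted store: KB 2524375 may not be installed yet.'
}
else {
    $Found | Format-Table -AutoSize
    "$($Found.Count) COMODO-issued certificate(s) are explicitly distrusted on this machine."
}

# Revocation checking via CRL/OCSP only helps if it is enabled. This reads the
# per-user Internet Explorer setting (registry location assumed); 1 means on.
$InetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Revocation = (Get-ItemProperty -Path $InetSettings -ErrorAction SilentlyContinue).CertificateRevocation
if ($Revocation -eq 1) {
    'Server certificate revocation checking is enabled for Internet Explorer.'
}
else {
    Write-Warning 'Server certificate revocation checking is not enabled for Internet Explorer; enable it under Internet Options > Advanced.'
}
```

The store check tells you the update landed; the revocation setting tells you whether a browser on this machine would also catch the certificates through Comodo's CRL/OCSP, which matters for any certificate that is revoked but not pushed out as an explicit distrust entry.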
March M$ ...

FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS11-mar.mspx
• V1.1 (March 16, 2011): Removed an erroneous reference to Windows XP Home Edition SP3 and Windows XP Tablet PC Edition SP3 as not affected in the notes for MS11-015 under Affected Software and Download Locations. This is an informational change only. There were no changes to the security update files or detection logic. For customers who are running these editions of Windows XP and who have not already applied this update, Microsoft recommends applying the update immediately. Customers who have already applied the update do not need to take any action.

Microsoft Security Bulletin MS11-015 - Critical
Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030)
- http://www.microsoft.com/technet/security/bulletin/ms11-015.mspx
Remote Code Execution - May require restart - Microsoft Windows

:sad:
 
MS Security Bulletin Advance Notification - April 2011

FYI...

- https://www.computerworld.com/s/art..._sets_mammoth_Patch_Tuesday_will_fix_64_flaws
April 7, 2011 - "... will patch a record 64 vulnerabilities in Windows, Office, Internet Explorer, Windows graphics framework, and other software next week..."

- http://www.microsoft.com/technet/security/bulletin/ms11-apr.mspx
April 07, 2011 - "This is an advance notification of security bulletins that Microsoft is intending to release on April 12, 2011... (Total of -17-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer

Bulletin 2 - Critical - Remote Code Execution - Requires restart - Microsoft Windows

Bulletin 3 - Critical - Remote Code Execution - Requires restart - Microsoft Windows

Bulletin 4 - Critical - Remote Code Execution - May require restart - Microsoft Windows

Bulletin 5 - Critical - Remote Code Execution - May require restart - Microsoft Windows

Bulletin 6 - Critical - Remote Code Execution - May require restart - Microsoft Windows, Microsoft Office

Bulletin 7 - Critical - Remote Code Execution - Requires restart - Microsoft Windows

Bulletin 8 - Critical - Remote Code Execution - May require restart - Microsoft Windows

Bulletin 9 - Critical - Remote Code Execution - Requires restart - Microsoft Windows
___

Bulletin 10 - Important - Remote Code Execution - May require restart - Microsoft Office

Bulletin 11 - Important - Remote Code Execution - May require restart - Microsoft Office, Microsoft Server Software

Bulletin 12 - Important - Remote Code Execution - May require restart - Microsoft Office

Bulletin 13 - Important - Remote Code Execution - May require restart - Microsoft Windows

Bulletin 14 - Important - Remote Code Execution - May require restart - Microsoft Developer Tools and Software

Bulletin 15 - Important - Information Disclosure - Requires restart - Microsoft Windows

Bulletin 16 - Important - Remote Code Execution - May require restart - Microsoft Windows

Bulletin 17 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
___

- http://blogs.technet.com/b/msrc/arc...vice-for-the-april-2011-bulletin-release.aspx

:sad:
 
MS Security Bulletin Summary - April 2011

FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS11-apr.mspx
April 12, 2011 - "This bulletin summary lists security bulletins released for April 2011...(Total of -17-)

Critical

Microsoft Security Bulletin MS11-018 - Critical
Cumulative Security Update for Internet Explorer (2497640)
- http://www.microsoft.com/technet/security/Bulletin/MS11-018.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer

Microsoft Security Bulletin MS11-019 - Critical
Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455)
- http://www.microsoft.com/technet/security/Bulletin/MS11-019.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-020 - Critical
Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)
- http://www.microsoft.com/technet/security/Bulletin/MS11-020.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-027 - Critical
Cumulative Security Update of ActiveX Kill Bits (2508272)
- http://www.microsoft.com/technet/security/Bulletin/MS11-027.mspx
Critical - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-028 - Critical
Vulnerability in .NET Framework Could Allow Remote Code Execution (2484015)
- http://www.microsoft.com/technet/security/Bulletin/MS11-028.mspx
Critical - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-029 - Critical
Vulnerability in GDI+ Could Allow Remote Code Execution (2489979)
- http://www.microsoft.com/technet/security/bulletin/MS11-029.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-030 - Critical
Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)
- http://www.microsoft.com/technet/security/bulletin/ms11-030.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-031 - Critical
Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (2514666)
- http://www.microsoft.com/technet/security/Bulletin/MS11-031.mspx
Critical - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-032 - Critical
Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2507618)
- http://www.microsoft.com/technet/security/Bulletin/MS11-032.mspx
Critical - Remote Code Execution - Requires restart - Microsoft Windows

Important

Microsoft Security Bulletin MS11-021 - Important
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2489279)
- http://www.microsoft.com/technet/security/bulletin/ms11-021.mspx
Important - Remote Code Execution - May require restart - Microsoft Office

Microsoft Security Bulletin MS10-022 - Important
Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (981169)
- http://www.microsoft.com/technet/security/Bulletin/MS10-022.mspx
Important - Remote Code Execution - May require restart - Microsoft Office, Microsoft Server Software

Microsoft Security Bulletin MS11-023 - Important
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489293)
- http://www.microsoft.com/technet/security/Bulletin/MS11-023.mspx
Important - Remote Code Execution - May require restart - Microsoft Office

Microsoft Security Bulletin MS11-024 - Important
Vulnerability in Windows Fax Cover Page Editor Could Allow Remote Code Execution (2527308)
- http://www.microsoft.com/technet/security/Bulletin/MS11-024.mspx
Important - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-025 - Important
Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212)
- http://www.microsoft.com/technet/security/Bulletin/MS11-025.mspx
Important - Remote Code Execution - May require restart - Microsoft Developer Tools and Software

Microsoft Security Bulletin MS11-026 - Important
Vulnerability in MHTML Could Allow Information Disclosure (2503658)
- http://www.microsoft.com/technet/security/bulletin/ms11-026.mspx
Important - Information Disclosure - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS11-033 - Important
Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2485663)
- http://www.microsoft.com/technet/security/Bulletin/MS11-033.mspx
Important - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS11-034 - Important
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2506223)
- http://www.microsoft.com/technet/security/bulletin/ms11-034.mspx
Important - Elevation of Privilege - Requires restart - Microsoft Windows
___

Deployment Priority
- http://blogs.technet.com/cfs-filesy...0-45-71/0245.Bulletin-Deployment-Priority.png

Severity and Exploitability index
- http://blogs.technet.com/cfs-filesy...71/8510.Severity-and-Exploitability-Index.png
___

ISC Analysis
- http://isc.sans.edu/diary.html?storyid=10693
Last Updated: 2011-04-13 00:13:23 UTC ...(Version: 3)
___

- http://www.securitytracker.com/id/1025327 - MS11-018
- http://www.securitytracker.com/id/1025328 - MS11-019
- http://www.securitytracker.com/id/1025329 - MS11-020
- http://www.securitytracker.com/id/1025337 - MS11-021
- http://www.securitytracker.com/id/1025340 - MS11-022

- http://www.securitytracker.com/id/1025343 - MS11-023
- http://www.securitytracker.com/id/1025347 - MS11-024
- http://www.securitytracker.com/id/1025346 - MS11-025
- http://www.securitytracker.com/id/1025330 - MS11-027
- http://www.securitytracker.com/id/1025331 - MS11-028

- http://www.securitytracker.com/id/1025335 - MS11-029
- http://www.securitytracker.com/id/1025332 - MS11-030
- http://www.securitytracker.com/id/1025333 - MS11-031
- http://www.securitytracker.com/id/1025334 - MS11-032
- http://www.securitytracker.com/id/1025344 - MS11-033
- http://www.securitytracker.com/id/1025345 - MS11-034
___

MSRT
- http://support.microsoft.com/?kbid=890830
April 12, 2011 - Revision: 86.0
(Recent additions)
- http://www.microsoft.com/security/pc-security/malware-families.aspx
... added this release...
• Afcore:
- http://blogs.technet.com/b/mmpc/archive/2011/04/13/msrt-april-11-win32-afcore.aspx
13 Apr 2011 - "... added the Win32/Afcore family of trojans to its detections. This malware is -aka- Coreflood* ..."
* http://forums.spybot.info/showpost.php?p=401072&postcount=13

Download:
- http://www.microsoft.com/downloads/...E0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
File Name: windows-kb890830-v3.18.exe - 12.2MB

To download the x64 version of MSRT, click here:
- http://www.microsoft.com/downloads/...DE-367F-495E-94E7-6349F4EFFC74&displaylang=en
File Name: windows-kb890830-x64-v3.18.exe - 12.6MB

MS Security Advisories - 4.12.2011 ...

FYI...

Microsoft Security Advisory (973811)
Extended Protection for Authentication
- http://www.microsoft.com/technet/security/advisory/973811.mspx
• V1.12 (April 12, 2011): Updated the FAQ with information about a non-security update enabling Microsoft Outlook to opt in to Extended Protection for Authentication.

Microsoft Security Advisory (2506014)
Update for the Windows Operating System Loader
- http://www.microsoft.com/technet/security/advisory/2506014.mspx
4/12/2011 - "Microsoft is announcing the availability of an update to winload.exe to address an issue in driver signing enforcement... this update addresses a method by which unsigned drivers could be loaded by winload.exe. This technique is often utilized by malware to stay resident on a system after the initial infection. The issue affects, and the update is available for, x64-based editions* of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2..."
* http://support.microsoft.com/kb/2506014

Microsoft Security Advisory (2501696)
Vulnerability in MHTML Could Allow Information Disclosure
- http://www.microsoft.com/technet/security/advisory/2501696.mspx
Published: January 28, 2011 | Updated: April 12, 2011 - "We have issued MS11-026* to address this issue..."
* http://www.microsoft.com/technet/security/bulletin/ms11-026.mspx

Microsoft Security Advisory (2501584)
Release of Microsoft Office File Validation for Microsoft Office
- http://www.microsoft.com/technet/security/advisory/2501584.mspx
Last Updated: 4/12/2011 - "Microsoft is announcing the availability of the Office File Validation feature for supported editions of Microsoft Office 2003 and Microsoft Office 2007. The feature, previously only available for supported editions of Microsoft Office 2010, is designed to make it easier for customers to protect themselves from Office files that may contain malformed data, such as unsolicited Office files received from unknown or known sources, by scanning and validating files before they are opened... known issues* that customers may experience when utilizing the Office File Validation feature..."
* http://support.microsoft.com/kb/2501584

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2269637.mspx
• V7.0 (April 12, 2011): Added the following Microsoft Security Bulletins to the Updates relating to Insecure Library Loading section: MS11-023, "Vulnerabilities in Microsoft Office Could Allow Remote Code Execution;" and MS11-025, "Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution."

 
TDL rootkit vuln/fix...

FYI...

TDL rootkit vuln/fix...
- http://sunbeltblog.blogspot.com/2011/04/tdl-rootkit-vulnerability-fix-in-patch.html
April 14, 2011 - "... It appears that at least part of this vulnerability has been patched. From the Technet blog:
- http://blogs.technet.com/b/srd/arch...g-the-risk-of-the-april-security-updates.aspx
12 Apr 2011 - "... The second advisory, KB 2506014*, hardens Windows against kernel-mode rootkits. This specifically breaks the hiding mechanism used by the current Alureon/TDL4 rootkit family..."
[MS11-034 - "30 of this month’s 64 vulnerabilities being addressed in this bulletin..."]
Update April 13: Corrected the MS11-028 bulletin severity and affected products. Also moved this bulletin up higher in priority due to this correction.
Update April 15: Corrected the MS11-032 bulletin exploitability due to a rating error. Also moved MS11-032 higher in priority order.
* http://www.microsoft.com/technet/security/advisory/2506014.mspx

> http://support.microsoft.com/kb/2506014
April 12, 2011 - Revision: 3.0
___

- http://blog.trendmicro.com/stalking-tdl4-all-access-pass-to-the-hard-drive/
April 15, 2011 - "... patch specifically breaks the hiding mechanism used by the current Alureon/TDL4 rootkit family. More information can be found in the security bulletin for MS11-034*..."

* http://www.microsoft.com/technet/security/bulletin/ms11-034.mspx
Acknowledgments...
• Tarjei Mandt of Norman for reporting the Vulnerability Type 1: Win32k Use After Free Vulnerability
CVE-2011-0662, CVE-2011-0665, CVE-2011-0666, CVE-2011-0667, CVE-2011-0670, CVE-2011-0671, CVE-2011-0672, CVE-2011-0674, CVE-2011-0675, CVE-2011-1234, CVE-2011-1235, CVE-2011-1236, CVE-2011-1237, CVE-2011-1238, CVE-2011-1239, CVE-2011-1240, CVE-2011-1241, CVE-2011-1242
[ALL] ...CVSS Severity: 7.2 (HIGH)
• Tarjei Mandt of Norman for reporting the Vulnerability Type 2: Win32k Null Pointer De-reference Vulnerability
CVE-2011-0673, CVE-2011-0676, CVE-2011-0677, CVE-2011-1225, CVE-2011-1226, CVE-2011-1227, CVE-2011-1228, CVE-2011-1229, CVE-2011-1230, CVE-2011-1231, CVE-2011-1232, CVE-2011-1233
[ALL] ...CVSS Severity: 7.2 (HIGH)

:blink:
 
MS11-020 - patch now

FYI...

MS11-020 - PATCH NOW
- http://isc.sans.edu/diary.html?storyid=10714
Last Updated: 2011-04-15 12:22:18 UTC - "Based on notifications received from Microsoft... The Remote Code Exploit is possible -without- authentication, so this presents a serious risk to internal networks. Think Downadup/Conficker, or think lateral movement if that will help motivate patching. Also note that this patch requires a reboot of your system..."
- http://isc.sans.edu/diary.html?storyid=10693
Last Updated: 2011-04-15 12:10:35 UTC ... (Version: -4-)

- http://www.microsoft.com/technet/security/Bulletin/MS11-020.mspx
April 12, 2011
- http://support.microsoft.com/kb/2508429
April 12, 2011

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0661
Last revised: 04/14/2011
CVSS v2 Base Score: 10.0 (HIGH)

:fear::fear:
 
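Both the TDL rootkit post above (KB 2506014) and the MS11-020 post (KB 2508429, which needs a reboot to take effect) come down to the same administrator question: is the hotfix actually on the box, and has the machine restarted since? The following PowerShell is an added example for checking that, not code from the forum thread or from Microsoft. It assumes Windows PowerShell 3.0 or later with local administrative rights; the function names are this example's own, and the KB numbers are the ones named in the posts above.

```powershell
# Added example (not from the thread or from Microsoft): report whether the
# hotfixes named in the posts above are installed and whether a restart is
# still pending, so an installed-but-not-rebooted MS11-020 is not mistaken
# for a patched system. Assumes Windows PowerShell 3.0+ and admin rights.

function Test-RequiredHotfix {
    param(
        # KB numbers from the posts above: KB2506014 (kernel rootkit hardening),
        # KB2508429 (MS11-020, SMB server). Function and parameter names are
        # this example's own.
        [string[]]$KbIds = @('KB2506014', 'KB2508429')
    )
    # Get-HotFix reports Windows updates only; Office updates (e.g. MS11-022)
    # are not listed here and must be checked through Programs and Features.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        [pscustomobject]@{
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

function Test-PendingReboot {
    # Registry locations Windows uses to flag that a restart is still needed.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pendingRename = Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    return (Test-Path $cbs) -or (Test-Path $wu) -or ($null -ne $pendingRename)
}

Test-RequiredHotfix | Format-Table -AutoSize
if (Test-PendingReboot) {
    Write-Warning 'Reboot pending: installed updates are not fully applied yet.'
}
```

Run it from an elevated prompt on each host; a KB that shows as installed while a reboot is pending should still be treated as unpatched until the restart completes, which is the point the ISC diary makes about MS11-020.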
MS11-022 - Known issues...

FYI...

MS11-022 - Known issues...
- http://support.microsoft.com/kb/2464588
Last Review: April 14, 2011
"... • Presentations that contain layouts with background images may cause an error when opened in PowerPoint 2003. A dialog will notify you that some contents (text, images or objects) have been corrupted; the specific content lost will be what is specified in the layout, not the actual slide content itself. Items that were removed will display a blank box or a box containing “cleansed”.
Workarounds for this issue:
Remove background images from layouts in presentations that have to be accessed and edited from PowerPoint 2003.
After the error message is displayed, save a copy of the presentation and perform edits on the copy.
Microsoft is researching this problem and will post more information in this article when the information becomes available..."

- http://support.microsoft.com/kb/2464588
Last Review: April 19, 2011 - Revision: 3.0
"... Removal information
To remove this security update, use the Add or Remove Programs item or use the Programs and Features item in Control Panel.
Note: When you remove this security update, you may be prompted to insert the disc that contains Microsoft Office PowerPoint 2003. Additionally, you may not have the option to uninstall this security update from the Add or Remove Programs item or the Programs and Features item in Control Panel. There are several possible causes for this issue.
For more information about the removal, click the following article number to view the article in the Microsoft Knowledge Base:
- http://support.microsoft.com/kb/903771
903771 Information about the ability to uninstall Office updates ..."

:fear:
 
PowerPoint 2003 hotfix package

FYI...

PowerPoint 2003 hotfix package
- http://support.microsoft.com/kb/2543241/en-us
Last Review: April 26, 2011 - Revision: 3.0 -
"Issues that this hotfix package fixes:
When you open presentations that contain layouts with background images in PowerPoint 2003, an error may occur. When the error occurs, you receive a message that states that some contents (text, images, or objects) have corrupted. You can determine what content has been lost by viewing the layout, but not by viewing the slide content. Items that were removed will display a blank box or a box that contains "cleansed"... this hotfix is intended to correct only the problems that are described in this article. Apply this hotfix -only- to systems that are experiencing the problems described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix...
Prerequisites: You -must- have Microsoft Office 2003 Service Pack 3 installed to apply this hotfix package...
This hotfix replaces security update 2464588, which is described in bulletin MS11-022*..."
* http://www.microsoft.com/technet/security/bulletin/MS11-022.mspx

:fear:
 
MS Security Bulletin Advance Notification - May 2011

FYI...

- http://www.microsoft.com/technet/security/Bulletin/MS11-may.mspx
May 5, 2011 - "This is an advance notification of security bulletins that Microsoft is intending to release on May 10, 2011... (Total of -2-)

Bulletin 1 - Critical - Remote Code Execution - May require restart - Microsoft Windows

Bulletin 2 - Important - Remote Code Execution - May require restart - Microsoft Office

.
 