317 replies to this topic

[AplusWebMaster]

FYI...

Microsoft Security Advisory (973882)
Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution
- http://www.microsoft...ory/973882.mspx
• V4.0 (October 13, 2009): Advisory revised to add an entry in the Updates related to ATL section to communicate the release of Microsoft Security Bulletin MS09-060, "Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution."
- http://www.microsoft...n/ms09-060.mspx

Microsoft Security Advisory (975191)
Vulnerabilities in the FTP Service in Internet Information Services
- http://www.microsoft...ory/975191.mspx
• V3.0 (October 13, 2009): Advisory updated to reflect publication of security bulletin (MS09-053).
- http://www.microsoft...n/ms09-053.mspx

Microsoft Security Advisory (975497)
Vulnerabilities in SMB Could Allow Remote Code Execution
- http://www.microsoft...ory/975497.mspx
• V2.0 (October 13, 2009): Advisory updated to reflect publication of security bulletin (MS09-050).
- http://www.microsoft...n/ms09-050.mspx

[AplusWebMaster]

FYI...

Microsoft Security Advisory (973811)
Extended Protection for Authentication
- http://www.microsoft...ory/973811.mspx
Updated: October 14, 2009 - "... Microsoft Security Bulletin MS09-054 contains a defense-in-depth, non-security update that enables WinINET to opt in to Extended Protection for Authentication.
• V1.1 (October 14, 2009): Updated the FAQ with information about a non-security update included in MS09-054* relating to WinINET.
* http://www.microsoft...n/ms09-054.mspx

[AplusWebMaster]

FYI...

Microsoft Security Advisory (977544)
Vulnerability in SMB Could Allow Denial of Service
- http://www.microsoft...ory/977544.mspx
November 13, 2009 - "Microsoft is investigating new public reports of a possible denial of service vulnerability in the Server Message Block (SMB) protocol. This vulnerability cannot be used to take control of or install malicious software on a user’s system. However, Microsoft is aware that detailed exploit code has been published for the vulnerability. Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary... Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities..."

- http://isc.sans.org/...ml?storyid=7597
Last Updated: 2009-11-14 02:36:34 UTC - "... Assuming that you block TCP ports 139 and 445 the only impact would be an internal attacker could disable affected systems until restarted. In the grand scheme of things this would not be a critical issue unless all of a sudden your servers had to be rebooted on a regular basis, in that case you may have bigger problems because the fox would already be in the henhouse. The list of affected systems is: Windows 7 for 32-bit Systems, Windows 7 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems (includig Server Core), and Windows Server 2008 R2 for Itanium-based Systems..."

[AplusWebMaster]

FYI...

Microsoft Security Advisory (977981)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://www.microsoft...ory/977981.mspx
November 23, 2009 - "... Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 are affected. The vulnerability exists as an invalid pointer reference of Internet Explorer. It is possible under certain conditions for a CSS/Style object to be accessed after the object is deleted. In a specially-crafted attack, Internet Explorer attempting to access a freed object can lead to running attacker-supplied code. At this time, we are aware of no attacks attempting to use this vulnerability against Internet Explorer 6 Service Pack 1 and Internet Explorer 7. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers...
Mitigating Factors:
• Internet Explorer 8 is -not- affected.
• Protected Mode in Internet Explorer 7 in Windows Vista limits the impact of the vulnerability.
• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario..."
(Also see: Workarounds)

- http://forums.whatth...=...st&p=613636
Updated: November 25, 2009

Edited by AplusWebMaster, 26 November 2009 - 11:22 PM.

[AplusWebMaster]

FYI...

Microsoft Security Advisory (977981)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://www.microsoft...ory/977981.mspx
Updated: December 08, 2009 - "Microsoft has completed investigating public reports of this vulnerability. We have issued Microsoft Security Bulletin MS09-072* to address this issue..." * http://www.microsoft...n/ms09-072.mspx

Microsoft Security Advisory (974926)
Credential Relaying Attacks on Integrated Windows Authentication
- http://www.microsoft...ory/974926.mspx
December 08, 2009 - "This advisory addresses the potential for attacks that affect the handling of credentials using Integrated Windows Authentication (IWA), and the mechanisms Microsoft has made available for customers to help protect against these attacks..."

Microsoft Security Advisory (973811)
Extended Protection for Authentication
- http://www.microsoft...ory/973811.mspx
Updated: December 08, 2009 - "Microsoft is announcing the availability of a new feature, Extended Protection for Authentication, on the Windows platform..."

Microsoft Security Advisory (954157)
Security Enhancements for the Indeo Codec
- http://www.microsoft...ory/954157.mspx
December 08, 2009 - "... customers who do not have a use for the codec may choose to take an additional step and deregister the codec completely. Deregistering the codec would remove all attack vectors that leverage the Indeo codec. See Microsoft Knowledge Base Article 954157* for directions on how to deregister the codec..."
* http://support.microsoft.com/kb/954157

Edited by AplusWebMaster, 08 December 2009 - 02:49 PM.

[AplusWebMaster]

FYI...

New Reports of a Vulnerability in IIS
- http://blogs.technet...ity-in-iis.aspx
December 27, 2009 - "On Dec. 23 we were made aware of a new claim of a vulnerability in Internet Information Services (IIS). We are still investigating this issue and are not aware of any active attacks but wanted to let customers know that our initial assessment shows that the IIS web server must be in a non-default, unsafe configuration in order to be vulnerable. An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions which does not align with best practices or guidance Microsoft provides for secure server configuration. Customers using out of the box configurations and who follow security best practices are at reduced risk of being impacted by issues like this. Once we’re done investigating, we will take appropriate action to help protect customers...
IIS 6.0 Security Best Practices
http://technet.micro...762(WS.10).aspx
Securing Sites with Web Site Permissions
http://technet.micro...133(WS.10).aspx
IIS 6.0 Operations Guide
http://technet.micro...089(WS.10).aspx
Improving Web Application Security: Threats and Countermeasures
http://msdn.microsof...y/ms994921.aspx ..."

- http://isc.sans.org/...ml?storyid=7819
Last Updated: 2009-12-28 15:36:57 UTC (Version: 3) - "... they (MS) note that if the administrator had not altered the default configuration and followed best practices in the securing of the webserver, then this exploit wouldn't work. Unfortunately, we know that doesn't always wind up being the case..."

8 Basic Rules to Implement Secure File Uploads
- https://blogs.sans.o...e-file-uploads/
December 28, 2009

- http://secunia.com/advisories/37831/2/
Last Update: 2009-12-28
Critical: Less critical
Impact: Security Bypass, System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Information Services (IIS) 6
Solution: Restrict file uploads to trusted users only and remove "execute" permissions for upload directories...

- http://learn.iis.net...le-system-acls/
Updated on December 23, 2009

Edited by AplusWebMaster, 28 December 2009 - 10:58 AM.

[AplusWebMaster]

FYI...

IIS vuln - Metasploit added...
- http://www.symantec....e-vulnerability
December 29, 2009 - "... There are varying reports on the severity of this issue, but according to Microsoft only poorly configured Web servers are at risk from this issue: “An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions which does not align with best practices or guidance Microsoft provides for secure server configuration.”
Essentially your site is at risk if it:
1. Runs on IIS.
2. Allows files to be uploaded.
3. Has execute permissions for the directory where the uploaded files are stored.
On December 28, Metasploit added support into their framework to allow exploitation of this issue. This makes it trivial to compromise badly configured servers as outlined above. This development could see a rise in exploitation of this issue..."

[AplusWebMaster]

FYI...

Results of Investigation into Holiday IIS Claim
* http://blogs.technet...-iis-claim.aspx
December 29, 2009 - "... there is an inconsistency in IIS 6 only in how it handles semicolons in URLs. It’s this inconsistency that the claims have focused on, saying this enables an attacker to bypass content filtering software to upload and execute code on an IIS server. The key in this is the last point: for the scenario to work, the IIS server must already be configured to allow both “write” and “execute” privileges on the same directory. This is not the default configuration for IIS and is contrary to all of our published best practices. Quite simply, an IIS server configured in this manner is inherently vulnerable to attack. However, customers who are using IIS 6.0 in the default configuration or following our recommended best practices don’t need to worry about this issue. If, however, you are running IIS in a configuration that allows both “write” and “execute” privileges on the same directory like this scenario requires, you should review our best practices and make changes to better secure your system from the threats that configuration can enable. Once again, here’s a list of best practices resources:
· IIS 6.0 Security Best Practices
http://technet.micro...762(WS.10).aspx
· Securing Sites with Web Site Permissions
http://technet.micro...133(WS.10).aspx
· IIS 6.0 Operations Guide
http://technet.micro...089(WS.10).aspx
· Improving Web Application Security: Threats and Countermeasures
http://msdn.microsof...y/ms994921.aspx
The IIS folks are evaluating a change to bring the behavior of IIS 6.0 in line with the other versions. In the meantime, they’ve put more information up about this on their weblog*..."
* http://blogs.iis.net...ons-in-url.aspx
December 29, 2009

- http://secunia.com/advisories/37831/2/
Last Update: 2009-12-30

- http://securitytrack...ec/1023387.html
Updated: Dec 29 2009

- http://www.theregist...r_bug_rebuttal/
30 December 2009 - "... Microsoft's nothing-to-worry-about-please-move-along advisory, which helpfully provides links to best practice web server security guidelines, can be found here*."

- http://web.nvd.nist....d=CVE-2009-4444

- http://web.nvd.nist....d=CVE-2009-4445

Edited by AplusWebMaster, 04 January 2010 - 10:19 AM.

[AplusWebMaster]

FYI...

Microsoft Security Advisory (979267)
Vulnerabilities in Adobe Flash Player 6 Provided in Windows XP Could Allow Remote Code Execution
- http://www.microsoft...ory/979267.mspx
January 12, 2010 - "Microsoft is aware of reports of vulnerabilities in Adobe Flash Player 6 provided in Windows XP. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time but recommend that users install the latest version of Flash Player* provided by Adobe..."
* http://get.adobe.com/flashplayer/
December 8, 2009 - Flash Player v10.0.42.34

MS Windows Flash Player multiple vulnerabilities
- http://secunia.com/advisories/27105/2/
Release Date: 2010-01-12
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
OS: Microsoft Windows XP Home Edition, Microsoft Windows XP Professional
Solution: Uninstall the bundled version of Flash Player and optionally install the latest supported version of Flash Player from Adobe...
Original Advisory:
Secunia Research: http://secunia.com/s...search/2007-77/
Other References: How to remove the Flash Player ActiveX control:
http://kb2.adobe.com...7/tn_12727.html
How to uninstall the Adobe Flash Player plug-in and ActiveX control:
http://kb2.adobe.com...1/tn_14157.html

[AplusWebMaster]

FYI...

0-day vuln in IE 6, 7 and 8
- http://isc.sans.org/...ml?storyid=7993
Last Updated: 2010-01-14 22:19:56 UTC

MS IE arbitrary code execution
- http://secunia.com/advisories/38209/2/
Release Date: 2010-01-15
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6.x, Microsoft Internet Explorer 7.x, Microsoft Internet Explorer 8.x
Solution: Do not browse untrusted websites or follow untrusted links.
Provided and/or discovered by: Reported as a 0-day.
Original Advisory: Microsoft (KB979352):
http://www.microsoft...ory/979352.mspx
http://blogs.technet...ory-979352.aspx
Other References: US-CERT VU#492515:
http://www.kb.cert.org/vuls/id/492515

- http://web.nvd.nist....d=CVE-2010-0249
Last revised: 01/15/2010

Microsoft Security Advisory (979352)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://www.microsoft...ory/979352.mspx
January 14, 2010 - "Microsoft is investigating a report of a publicly exploited vulnerability in Internet Explorer. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue. Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 -are- affected. The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution. At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer. We will continue to monitor the threat environment and update this advisory if this situation changes..."

- http://blogs.technet...ory-979352.aspx
January 14, 2010 - "Based upon our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks... We released Security Advisory 979352 to provide customers with actionable guidance and tools to help with protections against exploit of this vulnerability..."

- http://support.micro...ixItForMeAlways
January 14, 2010 - "... We have also created an application compatibility database that will enable Data Execution Prevention (DEP) for all versions of Internet Explorer. You do -not- need this database if you are using Internet Explorer 8 on Windows XP Service Pack 3 (SP3) or on Windows Vista SP1 or later versions. This is because Internet Explorer 8 opts-in to DEP by default on these platforms. To enable or disable DEP automatically, click the Fix it button or link..."

- http://www.krebsonse...n-google-adobe/
January 14, 2010

Edited by AplusWebMaster, 17 January 2010 - 11:24 PM.

[AplusWebMaster]

FYI...

(IE 0-day) Exploit code available for CVE-2010-0249
- http://isc.sans.org/...ml?storyid=8002
Last Updated: 2010-01-15 21:35:51 UTC - "The details for CVE-2010-0249* aka Microsoft Security Advisory 979352 ( http://www.microsoft...ory/979352.mspx ) aka the Aurora exploit has been made public. It is a vulnerability in mshtml.dll that works as advertised on IE6 but if DEP is enabled on IE7 or IE8 the exploit does not execute code. I expect Microsoft will have a patch available for the standard February patch day. There will not likely be an out-of-band patch for this unless a 3rd party makes their own available."

* http://web.nvd.nist....d=CVE-2010-0249
Last revised: 01/15/2010

- http://www.symantec....eatconlearn.jsp
"The ThreatCon is currently at Level 2: Elevated...
Microsoft has released a security advisory and mitigation for a new unpatched vulnerability affecting Internet Explorer... On January 14, 2009, the Metasploit exploitation framework added an exploit for the bug that would allow an attacker to gain control of the system. Availability of this exploit will increase the chance of in-the-wild exploitation of this issue..."

- http://blogs.technet...nerability.aspx
January 15, 2010

Edited by AplusWebMaster, 17 January 2010 - 06:18 AM.

[AplusWebMaster]

FYI...

MS IE Advisory 979352 Update - January 18
- http://blogs.technet...january-18.aspx
January 18, 2010 - "... earlier today, we were made aware of reports that researchers have developed Proof-of-Concept (PoC) code that exploits this vulnerability on Internet Explorer 7 on Windows XP and Windows Vista. We are actively investigating, but cannot confirm, these claims. Today we also published a guidance page, including an online video, for home users who may be confused, or concerned, about this security vulnerability and want to know what they should do to protect themselves from the known attacks. This page is located here*..."
* http://www.microsoft...updates/ie.aspx
"Microsoft has determined that one of the technologies used in the recent criminal attacks against Google and other corporate networks was Internet Explorer 6. Customers using Internet Explorer 8 are not affected by currently known attacks. We recommend that anyone not already using Internet Explorer 8 upgrade immediately. Internet Explorer 8 offers many additional security protections..."
- http://www.microsoft.com/ie

[AplusWebMaster]

FYI...

IE - out-of-cycle patch coming...
- http://isc.sans.org/...ml?storyid=8017
Last Updated: 2010-01-19 20:10:13 UTC - "No, there still isn't a patch, but there will be one before the regular Microsoft patch day in February. The MSRC has posted a note on their blog* saying the timing will be announced tomorrow. In the meantime, we are hearing that the folks at VUPEN have found a way to bypass DEP as long as javascript is enabled (no, this doesn't appear to be the .NET ones from last year) which would make even IE8 vulnerable, we don't have the details at present, but if true this is a major development. This is a concern since Microsoft's advice is for those using IE6 and IE7 to move to IE8 where DEP is on by default. In any event, we continue to monitor the situation."
* http://blogs.technet...ut-of-band.aspx
January 19, 2010 - "We wanted to provide a quick update on the threat landscape and announce that we will release a security update out-of-band to help protect customers from this vulnerability... We take the decision to go out-of-band very seriously given the impact to customers, but we believe releasing an update out-of-band update is the right decision at this time. We will provide the specific timing of the release tomorrow..."

- http://securitylabs....Blogs/3534.aspx
01.19.2010 - "... Our ThreatSeeker network has identified two more malicious URLs that are used in live attacks, this time hxxp ://201002.[REMOVED]:2988/log/ie .html and hxxp ://m.[REMOVED].net:81/m/index .html. According to reports from our friends at Ahnlab, the second URL was spread through the Instant Messenger network Misslee Messenger, a popular IM client in South Korea... Due to the attention the new vulnerability has received, Microsoft has announced that they will release an out-of-band patch for Internet Explorer..."

- http://www.shadowser...lendar/20100119
2010-01-19

- http://www.microsoft...ry/archive.mspx
Updated: January 18, 2010

Edited by AplusWebMaster, 20 January 2010 - 04:43 AM.

[AplusWebMaster]

FYI...

MS10-002 tomorrow...
- http://blogs.technet...in-release.aspx
January 20, 2010 - "... we will be releasing MS10-002 tomorrow, January 21st, 2010. We are planning to release the update as close to 10:00 a.m. PST (UTC -8) as possible. This is a standard cumulative update, accelerated from our regularly scheduled February release, for Internet Explorer with an aggregate severity rating of Critical. It addresses the vulnerability related to recent attacks against Google and small subset of corporations, as well as several other vulnerabilities... Today we also updated Security Advisory 979352* to include technical details addressing additional customer questions..."
* http://www.microsoft...ory/979352.mspx
• V1.2 (January 20, 2010): Revised Executive Summary to reflect the changing nature of attacks attempting to exploit the vulnerability. Clarified information in the Mitigating Factors section for Data Execution Prevention (DEP) and Microsoft Outlook, Outlook Express, and Windows Mail. Clarified several Frequently Asked Questions to provide further details about the vulnerability and ways to limit the possibility of exploitation. Added "Enable or disable ActiveX controls in Office 2007" and "Do not open unexpected files" to the Workarounds section.

Edited by AplusWebMaster, 20 January 2010 - 02:25 PM.

[AplusWebMaster]

FYI...

Microsoft Security Advisory (979682)
Vulnerability in Windows Kernel Could Allow Elevation of Privilege
- http://www.microsoft...ory/979682.mspx
January 20, 2010 - "Microsoft is investigating new public reports of a vulnerability in the Windows kernel. We are not aware of attacks that try to use the reported vulnerability or of customer impact at this time. We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers..."
Revisions:
• V1.1 (January 22, 2010): Added links to Microsoft Knowledge Base Article 979682 in the Issue References table and Additional Suggestion Actions section. Added a link to Microsoft Knowledge Base Article 979682* to provide an automated Microsoft Fix it solution for the workaround, Disable the NTVDM subsystem.
* http://support.microsoft.com/kb/979682

- http://web.nvd.nist....d=CVE-2010-0232
Last revised: 01/22/2010
CVSS v2 Base Score: 6.6 (MEDIUM)

- http://blogs.technet...2-released.aspx
January 20, 2010

- http://secunia.com/advisories/38265/2/
Release Date: 2010-01-20
Impact: Privilege escalation
Where: Local system
Solution Status: Unpatched...
Original Advisory:
http://archives.neoh...10-01/0346.html

- http://www.sophos.co...-vulnerability/
January 21, 2010

Edited by AplusWebMaster, 24 January 2010 - 01:00 PM.