MS Security Advisories


  • This topic is locked
317 replies to this topic

#196 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 31 August 2010 - 03:45 PM

FYI...

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- http://www.microsoft...ry/2269637.mspx
"...Workarounds:
• Disable loading of libraries from WebDAV and remote network shares...
• Disable the WebClient service...
• Block TCP ports 139 and 445 at the firewall...
(See "Impact of workaround" for each one)..."
• V1.1 (August 31, 2010) Added a link to Microsoft Knowledge Base Article 2264107* to provide an automated Microsoft Fix it solution for the workaround, Disable loading of libraries from WebDAV and remote network shares.
* http://support.micro....com/kb/2264107
August 31, 2010 - Revision: 4.0

MS SRD - Update on the DLL-preloading remote attack vector
- http://blogs.technet...ack-vector.aspx
31 Aug 2010 - "... Note: The Fix-it itself does not install the workaround tool. You’ll need to separately download and install the tool beforehand.
To instead completely block all DLL-preloading attack vectors, including the threat of malicious files on a USB thumb drive or files arriving via email as a ZIP attachment, set CWDIllegalInDllSearch to 0xFFFFFFFF. This will address any DLL preloading vulnerabilities that may exist in applications running on your system. However, it may have some unintended consequences for applications that require this behavior, so we do recommend thorough testing..."
- http://go.microsoft....?linkid=9742148

- http://techblog.avir...erabilities/en/
September 2, 2010 - "... the company released a Fix-it tool which can be executed after the patch has been applied. It lessens the restrictions introduced by the patch so that most applications do work again. Windows then still blocks loading DLLs from network shares or WebDAV, but if a malicious DLL is located within a local working directory, an attack may still succeed..."

Verified Secunia List:
- http://secunia.com/a...ibrary_loading/
(tables are automatically updated as Secunia issues new advisories)
Number of products affected...
Number of vendors affected...
Number of Secunia Advisories issued...

:ph34r:

Edited by AplusWebMaster, 18 October 2010 - 02:55 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#197 AplusWebMaster


Posted 15 September 2010 - 03:41 AM

FYI...

Microsoft Security Advisory (2401593)
Vulnerability in Outlook Web Access Could Allow Elevation of Privilege
- http://www.microsoft...ry/2401593.mspx
September 14, 2010 - "Microsoft has completed the investigation of a publicly disclosed vulnerability in Outlook Web Access (OWA) that may affect Microsoft Exchange customers. An attacker who successfully exploited this vulnerability could hijack an authenticated OWA session. The attacker could then perform actions on behalf of the authenticated user without the user's knowledge, within the security context of the active OWA session. This vulnerability affects supported editions of Microsoft Exchange Server 2003 and Microsoft Exchange Server 2007 (except Microsoft Exchange Server 2007 Service Pack 3). Microsoft Exchange Server 2000, Microsoft Exchange Server 2007 Service Pack 3, and Microsoft Exchange Server 2010 are -not- affected by the vulnerability. For more information, see the section, Affected and Non-Affected Software. Microsoft recommends that customers running affected editions of Microsoft Exchange Server upgrade to a non-affected version of Microsoft Exchange Server to address the vulnerability. Customers who are unable to upgrade at this time can refer to the Workarounds section for options that can help limit how an attacker can exploit the vulnerability. At this time, we are unaware of any attacks attempting to exploit this vulnerability."
- http://web.nvd.nist....d=CVE-2010-3213
- http://secunia.com/advisories/41421/
"... Solution: The vulnerability is fixed in Microsoft Exchange Server 2007 SP3..."

Microsoft Security Advisory (973811)
Extended Protection for Authentication
- http://www.microsoft...ory/973811.mspx
• V1.7 (October 12, 2010): Updated the FAQ with information about a non-security update enabling Windows Server Message Block (SMB) to opt in to Extended Protection for Authentication.

:ph34r:

Edited by AplusWebMaster, 18 October 2010 - 02:21 PM.



#198 AplusWebMaster


Posted 25 September 2010 - 02:24 AM

FYI...

Microsoft Security Advisory (2416728)
Vulnerability in ASP.NET Could Allow Information Disclosure
- http://www.microsoft...ry/2416728.mspx
Updated: September 28, 2010 - "... We have issued MS10-070* to address this issue..."
* http://www.microsoft...n/MS10-070.mspx
___

- http://web.nvd.nist....d=CVE-2010-3332
Last revised: 09/22/2010
CVSS v2 Base Score: 5.0 (MEDIUM)

- http://blogs.technet...und-update.aspx
24 Sep 2010 3:27 PM

- http://blogs.msdn.co...sharepoint.aspx
** Updated 9/24/2010 4:30PM ** – Updated with additional defensive workaround published by the ASP.NET team valid for ALL affected versions of SharePoint...
** Updated 9/22/2010 10:40AM ** – Updated verification step for SharePoint Server 2007 and Windows SharePoint Services 3.0 and added an exception in the workaround for Windows SharePoint Services 2.0 running under ASP.NET 1.1.
** Updated 9/21/2010 11:05PM ** – Updated with workaround for SharePoint Server 2007 and Windows SharePoint Services 3.0 and updated SharePoint 2010 workaround.
** Updated 9/21/2010 3:06PM ** – Included details for previous releases and workaround for WSS 2.0.

- http://weblogs.asp.n...nerability.aspx
September 24, 2010 4:13 PM

- http://securitytrack...ep/1024459.html
Updated: Sep 28 2010

:ph34r: :ph34r:

Edited by AplusWebMaster, 29 September 2010 - 07:28 AM.



#199 AplusWebMaster


Posted 28 September 2010 - 05:20 AM

FYI...

MS10-070 released
- http://forums.whatth...=...st&p=685545
___

Out of Band Release to Address Microsoft Security Advisory 2416728
- http://blogs.technet...ry-2416728.aspx
27 Sep 2010 - "... we will release an out-of-band security update to address the vulnerability discussed in Security Advisory 2416728*..."
* http://www.microsoft...ry/2416728.mspx

- http://www.microsoft...n/ms10-sep.mspx
September 27, 2010 - "This is an advance notification of one out-of-band security bulletin that Microsoft is intending to release on September 28, 2010...
(rated Important)..."

:ph34r:

Edited by AplusWebMaster, 28 September 2010 - 12:40 PM.



#200 AplusWebMaster


Posted 03 November 2010 - 01:56 PM

FYI...

Microsoft Security Advisory (2458511)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://www.microsoft...ry/2458511.mspx
• V1.1 (November 3, 2010): Added the opening of HTML mail in the Restricted sites zone as a mitigating factor, the automated Microsoft Fix it solution to the CSS workaround, and a finder acknowledgment. Removed reading e-mail in plain text as a workaround. Also clarified content in the EMET, DEP, and CSS workarounds.
"Microsoft is investigating new, public reports of a vulnerability in all supported versions of Internet Explorer. The main impact of the vulnerability is remote code execution. This advisory contains workarounds and mitigations for this issue. The vulnerability exists due to an invalid flag reference within Internet Explorer. It is possible under certain conditions for the invalid flag reference to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.
At this time, we are aware of targeted attacks attempting to use this vulnerability... Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update..."
(Workarounds listed at the URL above.)

- http://support.micro....com/kb/2458511
Last Review: November 4, 2010 - Revision: 3.0 - "...Two fixit solutions are available:
• Fix it solution for the user-defined CSS
- http://support.micro...511#FixItForMe1
• Fixit solution for Data Execution Prevention in Internet Explorer 7
- http://support.micro...ixItForMeAlways

• Enhanced Mitigation Experience Toolkit
- http://support.micro...com/kb/2458544/
November 2, 2010 - Revision: 1.0

CVE-2010-3962

IE 0-Day used in Targeted Attacks
- http://www.symantec....argeted-attacks
Nov. 3, 2010

- http://www.securityt....com/id?1024676
Updated: Nov 4 2010 - "... This vulnerability is being actively exploited..."
- http://secunia.com/advisories/42091/
Last Update: 2010-11-04
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Vendor Workaround ...
NOTE: The vulnerability is currently being actively exploited...

- http://blogs.technet...nerability.aspx

- http://isc.sans.edu/...ml?storyid=9874
Last Updated: 2010-11-07 14:30:10 UTC ...(Version: 6) - "... would likely be leveraged in a drive-by-exploit scenario..."

:ph34r:

Edited by AplusWebMaster, 16 November 2010 - 04:14 PM.



#201 AplusWebMaster


Posted 08 November 2010 - 07:39 AM

FYI...

IE 0-day fix due out Dec. 14, 2010
- http://blogs.technet...nd-warrior.aspx
9 Dec 2010 - "... the bulletin addressing this issue is planned to be released on Tuesday, Dec. 14 ..."
- http://www.microsoft...10-3962-geo.jpg
CVE-2010-3942 0-day - Attacks thru 12.8.2010 - MMPC charts
- http://www.microsoft...010-3962-OS.jpg
___

IE 0-day in exploit kit...
- http://thompson.blog...xploit-kit.html
November 07, 2010 - "... CVE-2010-3962* is in the Wild, but over the last couple of days, we've begun detecting it in the Eleonore Exploit Kit. This raises the stakes considerably..."
* http://web.nvd.nist....d=CVE-2010-3962
Last revised: 11/11/2010
CVSS v2 Base Score: 9.3 (HIGH) "... as exploited in the wild in November 2010..."
• Fix it solution for the user-defined CSS
- http://support.micro...511#FixItForMe1
November 4, 2010 - Revision: 3.0

- http://www.microsoft...ry/2458511.mspx
• V1.1 (November 3, 2010): Added the opening of HTML mail in the Restricted sites zone as a mitigating factor, the automated Microsoft Fix it solution to the CSS workaround, and a finder acknowledgment. Removed reading e-mail in plain text as a workaround. Also clarified content in the EMET, DEP, and CSS workarounds.

:ph34r: :ph34r:

Edited by AplusWebMaster, 10 December 2010 - 06:24 AM.



#202 AplusWebMaster


Posted 12 November 2010 - 09:39 AM

FYI...

Microsoft Security Advisory (2269637)
[DLL] Insecure Library Loading Could Allow Remote Code Execution
- http://www.microsoft...ry/2269637.mspx
• V2.0 (November 9, 2010) Added Microsoft Security Bulletin MS10-087, "Vulnerabilities in Microsoft Office Could Allow Remote Code Execution," to the Updates relating to Insecure Library Loading section.
* http://www.microsoft...n/MS10-087.mspx

> http://forums.whatth...howtopic=115447

:ph34r:



#203 AplusWebMaster


Posted 18 November 2010 - 02:29 PM

FYI...

EMET v2.0.0.3 released
- http://blogs.technet...3-released.aspx
17 Nov 2010 - "... some Enhanced Mitigation Experience Toolkit (EMET) v2.0 users may have potential issues with the update functionality of specific applications from Adobe and Google. As a result, today we released a new version of EMET that will help ensure these updaters work as expected when EMET is in place for added protection. No other behavior is being changed with this release. You can download version 2.0.0.3 of EMET here*..."
* http://www.microsoft...34-95c855f69c39

> http://www.computerw...Chrome_problems
November 18, 2010

- http://www.theregist...dobe_conflicts/
Enterprise Security, 19 November 2010

:ph34r: :ph34r:

Edited by AplusWebMaster, 19 November 2010 - 12:27 PM.



#204 AplusWebMaster


Posted 14 December 2010 - 08:32 PM

FYI...

Microsoft Security Advisory (973811)
Extended Protection for Authentication
- http://www.microsoft...ory/973811.mspx
• V1.8 (December 14, 2010): Updated the FAQ with information about a non-security update enabling Microsoft Outlook to opt in to Extended Protection for Authentication.
• V1.9 (December 17, 2010): Removed the FAQ entry, originally added December 14, 2010, about a non-security update enabling Microsoft Outlook to opt in to Extended Protection for Authentication.

Microsoft Security Advisory (2458511)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
12/14/2010 - "We have issued MS10-090* to address this issue..."

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
• V3.0 (December 14, 2010) Added the following Microsoft Security Bulletins to the Updates relating to Insecure Library Loading section:
MS10-093*, "Vulnerability in Windows Movie Maker Could Allow Remote Code Execution;"
MS10-094*, "Vulnerability in Windows Media Encoder Could Allow Remote Code Execution;"
MS10-095*, "Vulnerability in Microsoft Windows Could Allow Remote Code Execution;"
MS10-096*, "Vulnerability in Windows Address Book Could Allow Remote Code Execution;" and
MS10-097*, "Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution."

* http://forums.whatth...=...st&p=699752

.

Edited by AplusWebMaster, 22 December 2010 - 06:51 AM.



#205 AplusWebMaster


Posted 22 December 2010 - 11:49 AM

FYI...

MS WMI Admin Tool ActiveX vuln
- http://www.us-cert.g...ve_tool_activex
December 22, 2010 - "... vulnerability affecting the WBEMSingleView.ocx ActiveX control. This control is part of the Microsoft WMI Administrative Tools package. Exploitation of this vulnerability may allow an attacker to execute arbitrary code. US-CERT encourages users and administrators to set the kill bit for CLSID 2745E5F5-D234-11D0-847A00C04FD7BB08 to help mitigate the risks until a fix is available from the vendor... Additional information regarding this vulnerability can be found in US-CERT Vulnerability Note VU#725596* ..."
* http://www.kb.cert.org/vuls/id/725596
Last Updated: 2010-12-22

- http://secunia.com/advisories/42693/
Last Update: 2010-12-23
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft WMI Administrative Tools 1.x, Microsoft WMI Object Viewer ActiveX Control 1.x...
Solution: Set the kill-bit for the affected ActiveX control...

:ph34r: :ph34r:

Edited by AplusWebMaster, 24 December 2010 - 04:43 AM.



#206 AplusWebMaster


Posted 22 December 2010 - 04:58 PM

FYI...

- http://blogs.technet...nerability.aspx
swiblog / 22 Dec 2010 6:58 PM - "... the IIS FTP Service is not installed by default, and even after installation, it is not enabled by default..."

0-Day IIS 7.5 DoS (processing FTP requests)
- http://isc.sans.edu/...l?storyid=10126
Last Updated: 2010-12-22 22:05:34 UTC - "A 0-day exploit has been published at exploit-db (see US-Cert advisory*) that takes advantage of a memory corruption vulnerability in IIS 7.5's FTP service. This bug will work pre-authentication.
From the looks of it, it is a pure remote exploit that's chief use would be denial of service. As with any memory corruption bugs, it is theoretically possible to use this to gain access to the server with the permissions of the user that is running IIS... Some defenses would be limiting FTP services that are internet-facing (especially if IIS), using firewalls to limit access to the server and configuring perimeter devices to check for memory attacks..."
* http://www.kb.cert.org/vuls/id/842372

- http://secunia.com/advisories/42713
Last Update: 2010-12-23
Criticality level: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Information Services (IIS) 7.x
Solution: Restrict traffic to the FTP service.

- http://www.securityt....com/id?1024921
Updated: Dec 23 2010

:ph34r: :ph34r:

Edited by AplusWebMaster, 24 December 2010 - 04:42 AM.



#207 AplusWebMaster


Posted 22 December 2010 - 07:54 PM

FYI...

Microsoft Security Advisory (2488013)
Vulnerability in -IE- Could Allow Remote Code Execution
- http://www.microsoft...ry/2488013.mspx
• V1.1 (December 31, 2010): Revised Executive Summary to reflect investigation of targeted attacks.
December 22, 2010 - "Microsoft is investigating new, public reports of a vulnerability in all supported versions of Internet Explorer. The main impact of the vulnerability is remote code execution. This advisory contains workarounds and mitigations for this issue. The vulnerability exists due to the creation of uninitialized memory during a CSS function within Internet Explorer. It is possible under certain conditions for the memory to be leveraged by an attacker using a specially crafted Web page to gain remote code execution. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs. Currently, Microsoft is unaware of any active exploitation of this vulnerability..."
- http://web.nvd.nist....d=CVE-2010-3971
Last revised: 12/23/2010
CVSS v2 Base Score: 9.3 (HIGH)

- http://blogs.technet...ry-2488013.aspx
22 Dec 2010

- http://secunia.com/advisories/42510
Last Update: 2010-12-23
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched...

- http://www.securityt....com/id?1024922
Dec 23 2010

:ph34r: :ph34r:

Edited by AplusWebMaster, 01 January 2011 - 11:32 AM.



#208 AplusWebMaster


Posted 23 December 2010 - 10:43 AM

FYI...

- http://community.web...t-explorer.aspx
23 Dec 2010 - "... Two different new zero-day exploits were published on December 22...
1) ... The use of built-in protections of DEP and ASLR on the Windows platform and Internet Explorer doesn't guarantee to stop the exploit. It stems from the fact that the affected DLL mscorie.dll used by Internet Explorer wasn't compiled to support ASLR - this fact allows an attacker to also bypass DEP by using ROP (return to oriented programming) and successfully exploit the system...
2) ... The second vulnerability takes advantage of the Microsoft WMI Administrative Tools ActiveX Control. Internet Explorer is vulnerable only if Microsoft WMI administrative tools is installed..."

:scratch:



#209 AplusWebMaster


Posted 30 December 2010 - 07:13 AM

FYI...

Targeted attacks against MS Office vuln (CVE-2010-3333/MS10-087)
- http://blogs.technet...3-ms10-087.aspx
29 Dec 2010 - "... A few days before Christmas, we received a new sample (sha1: cc47a73118c51b0d32fd88d48863afb1af7b2578) that reliably exploits this vulnerability and is able to execute malicious shellcode which downloads other malware. The vulnerability can be triggered by utilizing a specially crafted RTF file with a size parameter that is bigger than the expected one. The vulnerability is present in Microsoft Word. It attempts to copy RTF data to the stack memory without validating the size, which will lead to overwriting the stack... We recommend customers that have not yet installed the security update MS10-087* to do so at their earliest convenience..."
* http://www.microsoft...n/MS10-087.mspx
Updated: December 15, 2010
Version: 2.0

- http://web.nvd.nist....d=CVE-2010-3333
Last revised: 12/21/2010
CVSS v2 Base Score: 9.3 (HIGH)

:ph34r: :ph34r:



#210 AplusWebMaster


Posted 04 January 2011 - 04:56 PM

FYI...

Microsoft Security Advisory (2490606)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
- http://www.microsoft...ry/2490606.mspx
January 04, 2011 - "Microsoft is investigating new public reports of a vulnerability in the Windows Graphics Rendering Engine. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We are not aware of attacks that try to use the reported vulnerability or of customer impact at this time... Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs..."
[Impact of Workaround: Media files typically handled by the Graphics Rendering Engine will not be displayed properly...]
- http://web.nvd.nist....d=CVE-2010-3970
Last revised: 12/23/2010
CVSS v2 Base Score: 10.0 (HIGH)

- http://secunia.com/advisories/42779/
Release Date: 2011-01-05
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Vendor Workaround
Solution: The vendor recommends restricting access to shimgvw.dll...
Original Advisory: Microsoft:
http://www.microsoft...ry/2490606.mspx
Metasploit: http://www.metasploi...eddibsection.rb

- http://www.securityt....com/id?1024932
Jan 4 2011

- http://blogs.technet...ry-2490606.aspx
4 Jan 2011 - "... Microsoft is actively working to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability... we are working to develop a security update to address this vulnerability. The circumstances around the issue do not currently meet the criteria for an out-of-band release; however, we are monitoring the threat landscape very closely and if the situation changes, we will post updates here on the MSRC blog..."

- http://isc.sans.edu/...l?storyid=10201
Last Updated: 2011-01-04 19:26:17 UTC- "... it is possible to modify the access control list on shimgvw.dll to prevent rendering of thumbnails (this would affect all thumbnails, not just malicious ones). See the Microsoft advisory for details... This particular vulnerability was disclosed in December 2010 by Moti and Xu Hao at the "Power of Community" conference. The conference presentation outlines in some detail how to create a file to exploit this vulnerability. The thumbnail itself is stored in the file as a bitmap. The vulnerability is exploited by setting the number of color indexes in the color table to a negative number (biClrUsed). The published slides do provide hints on how to exploit this vulnerability including bypassing SafeSEH* and DEP ..."
(Might help...) ... f/ Vista SP1, Win7, Server2008 and Server2008R2
* http://support.micro...956607#fixit4me
November 24, 2009 Revision: 3.0 - "... it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option. We recommend that Windows users who are running any of the above operating systems enable this feature to improve the security profile of their systems...
• This wizard only applies to Vista SP1 and Server2008...
By default, SEHOP is enabled in Windows Server 2008 R2 and in Windows Server 2008.
By default, SEHOP is disabled in Windows 7 and in Windows Vista..."

:ph34r:

Edited by AplusWebMaster, 05 January 2011 - 07:06 AM.

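
The ISC excerpt quoted in the post above attributes the thumbnail flaw to a negative colour count in the bitmap header (biClrUsed). As an added example, not taken from the post, Microsoft or ISC, the C below shows how a parser can bound that field before copying the colour table into a fixed-size buffer. The function names, the 256-entry cap for depths above 8 bits and the sample header are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIB_HDR_SIZE    40u   /* size of a BITMAPINFOHEADER */
#define DIB_MAX_PALETTE 256u  /* policy cap chosen for this example */

enum dib_status { DIB_OK, DIB_TRUNCATED, DIB_BAD_HEADER, DIB_BAD_DEPTH, DIB_BAD_PALETTE };

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copies the colour table that follows the header into a caller-supplied
 * 256-entry buffer, but only after the declared count has been bounded. */
enum dib_status dib_load_palette(const uint8_t *buf, size_t len,
                                 uint32_t palette[DIB_MAX_PALETTE], uint32_t *count)
{
    uint32_t hdr_size, clr_used, limit, entries;
    uint16_t bits;

    *count = 0;
    if (len < DIB_HDR_SIZE) return DIB_TRUNCATED;
    hdr_size = rd32le(buf);                 /* biSize */
    if (hdr_size < DIB_HDR_SIZE) return DIB_BAD_HEADER;
    if (hdr_size > len) return DIB_TRUNCATED;
    bits = rd16le(buf + 14);                /* biBitCount */
    clr_used = rd32le(buf + 32);            /* biClrUsed */

    switch (bits) {
    case 1: case 4: case 8:    limit = 1u << bits;       break;
    case 16: case 24: case 32: limit = DIB_MAX_PALETTE;  break;
    default: return DIB_BAD_DEPTH;
    }
    /* Compared as unsigned: a "negative" count such as 0xFFFFFFFF is simply
     * a huge number here and is rejected instead of reaching the copy. */
    if (clr_used > limit) return DIB_BAD_PALETTE;

    /* Zero means "full table" for indexed depths and "no table" otherwise. */
    entries = clr_used ? clr_used : (bits <= 8 ? limit : 0);
    if ((size_t)entries * 4 > len - hdr_size) return DIB_TRUNCATED;

    memcpy(palette, buf + hdr_size, (size_t)entries * 4);
    *count = entries;
    return DIB_OK;
}

/* Constructed sample input: a zeroed buffer (len >= 40) carrying a minimal
 * header with the given bit depth and colour count. */
void make_sample_dib(uint8_t *buf, size_t len, uint16_t bits, uint32_t clr_used)
{
    int i;
    memset(buf, 0, len);
    buf[0] = DIB_HDR_SIZE;                  /* biSize = 40 */
    buf[12] = 1;                            /* biPlanes */
    buf[14] = (uint8_t)bits;                /* biBitCount */
    for (i = 0; i < 4; i++)
        buf[32 + i] = (uint8_t)(clr_used >> (8 * i));
}

int main(void)
{
    uint8_t buf[DIB_HDR_SIZE + DIB_MAX_PALETTE * 4];
    uint32_t pal[DIB_MAX_PALETTE], n;
    enum dib_status st;

    make_sample_dib(buf, sizeof buf, 8, 16);
    st = dib_load_palette(buf, sizeof buf, pal, &n);
    printf("16 colours declared: status %d, %u entries\n", (int)st, (unsigned)n);

    make_sample_dib(buf, sizeof buf, 8, 0xFFFFFFFFu);
    st = dib_load_palette(buf, sizeof buf, pal, &n);
    printf("count of -1 declared: status %d, %u entries\n", (int)st, (unsigned)n);
    return 0;
}
```
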
