317 replies to this topic

[AplusWebMaster]

FYI...

Microsoft Security Advisory (2490606)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
- http://www.microsoft...ry/2490606.mspx
• V1.1 (January 5, 2011): Added a link* to the automated Microsoft Fix it solution for the Modify the Access Control List (ACL) on shimgvw.dll workaround.
* http://support.micro...0606#FixItForMe
January 19, 2011 - Revision: 3.0

[Impact of Workaround: Media files typically handled by the Graphics Rendering Engine will not be displayed properly...]

- http://web.nvd.nist....d=CVE-2010-3970
Last revised: 01/19/2011
CVSS v2 Base Score: 9.3 (HIGH)
- http://web.nvd.nist....d=CVE-2011-0347
Last revised: 01/19/2011
CVSS v2 Base Score: 9.3 (HIGH)
IE on Windows XP allows remote attackers to trigger an incorrect GUI display...
Advisory: http://www.microsoft...ry/2490606.mspx
___

Current unpatched Windows/IE vulns
- http://isc.sans.edu/...l?storyid=10216
Last Updated: 2011-01-05 20:49:56 UTC

Edited by AplusWebMaster, 23 January 2011 - 06:18 AM.

[AplusWebMaster]

FYI...

Current unpatched Windows/IE vulns...
- http://isc.sans.edu/...l?storyid=10216
Last Updated: 2011-01-08 01:58:58 UTC ...(Version: 2)
"Update: Microsoft now created its own version of this table*..."

* http://blogs.technet...y-the-msrc.aspx
7 Jan 2011 5:00 PM

[AplusWebMaster]

FYI...

Microsoft Security Advisory (2488013)
Vulnerability in -IE- Could Allow Remote Code Execution
- http://www.microsoft...ry/2488013.mspx
• V1.3 (January 11, 2011): "Revised the workaround, Prevent the recursive loading of CSS style sheets in Internet Explorer, to add the impact for the workaround...
Impact of workaround: There are side effects to blocking the recursive loading of a cascading style sheet (CSS). Users may encounter some slight performance issues due to the increased checking that is required to block the loading of the CSS files...
Workaround: Microsoft Fix it: http://support.micro...8013#FixItForMe
January 12, 2011 - Revision: 3.0 - ... This Fixit solution adds a check to check whether a cascading style sheet is about to be loaded recursively. If this is the case, the Fixit solution cancels the loading of the cascading style sheet. This Fixit solution takes advantage of a feature that is typically used for application compatibility fixes. This feature can modify the instructions of a specific binary when it is loaded..."

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- http://www.microsoft...ry/2269637.mspx
• V4.0 (January 11, 2011): Added Microsoft Security Bulletin MS11-001*, Vulnerability in Windows Backup Manager Could Allow Remote Code Execution, to the Updates relating to Insecure Library Loading section.
* http://www.microsoft...n/MS11-001.mspx

Microsoft Security Advisory (973811)
Extended Protection for Authentication
- http://www.microsoft...ory/973811.mspx
• V1.10 (January 11, 2011): Updated the FAQ with information about a new release enabling Microsoft Office Live Meeting Service Portal to opt in to Extended Protection for Authentication.

.

Edited by AplusWebMaster, 22 January 2011 - 01:13 PM.

[AplusWebMaster]

FYI...

IE drive-by bug...
- http://www.theregist..._execution_bug/
12 January 2011 - "Microsoft on Tuesday warned that attackers have begun exploiting a critical vulnerability in Internet Explorer and rolled out a temporary fix* until a permanent patch is issued. The vulnerability in IE versions 6, 7 and 8, which involves the way the browser handles cascading style sheets, allows adversaries to perform drive-by malware attacks by luring victims to booby-trapped webpages. The exploits are triggered by recursive CSS pages, in which style sheets include their own addresses..."
* http://blogs.technet...ry-2488013.aspx
11 Jan 2011 - "... It’s important to note that the workaround will protect Internet Explorer only if the latest security updates have been applied, including MS10-090 which was released on December 14, 2010. You can find MS10-090 at http://www.microsoft...n/MS10-090.mspx
> To install the workaround, click here: http://download.micr...tFixit50591.msi
> If you’d like to uninstall the workaround after you have installed it, click here: http://download.micr...tFixit50592.msi ..."

[AplusWebMaster]

FYI...

Microsoft Security Advisory (2490606)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
- http://www.microsoft...ry/2490606.mspx
• V1.2 (January 19, 2011): Clarified that the Modify the Access Control List (ACL) on shimgvw.dll workaround only applies to Windows XP and Windows Server 2003 systems and added a new workaround, Disable viewing of thumbnails in Windows Explorer on Windows Vista and Windows Server 2008 systems.
"... Workarounds:
• Modify the Access Control List (ACL) on shimgvw.dll on Windows XP and Windows Server 2003 systems...
Impact of Workaround: Media files typically handled by the Graphics Rendering Engine will not be displayed properly...
• Disable viewing of thumbnails in Windows Explorer on Windows Vista and Windows Server 2008 systems...
Impact of Workaround: Windows Explorer will not display thumbnail images..."

- http://web.nvd.nist....d=CVE-2010-3970
Original release date: 12/22/2010
Last revised: 01/19/2011
CVSS v2 Base Score: 9.3 (HIGH)

Edited by AplusWebMaster, 19 January 2011 - 04:30 PM.

[AplusWebMaster]

FYI...

Microsoft Security Advisory (2501696)
Vulnerability in MHTML Could Allow Information Disclosure
- http://www.microsoft...ry/2501696.mspx
January 28, 2011 - "Microsoft is investigating new public reports of a vulnerability in all supported editions of Microsoft Windows. The vulnerability could allow an attacker to cause a victim to run malicious scripts when visiting various Web sites, resulting in information disclosure. This impact is similar to server-side cross-site scripting (XSS) vulnerabilities. Microsoft is aware of published information and proof-of-concept code that attempts to exploit this vulnerability. At this time, Microsoft has not seen any indications of active exploitation of the vulnerability. The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a Web request run in the context of the victim's Internet Explorer. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user... we recommend that customers apply one or more of the client-side workarounds provided in the Suggested Actions section of this advisory to help block potential attack vectors regardless of the service...
CVE Reference: CVE-2011-0096
Suggested Actions:
• Enable the MHTML protocol lockdown ...
• Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones...
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone...
Additional Suggested Actions:
• Review the Microsoft Knowledge Base Article that is associated with this advisory - For more information about this issue, see Microsoft Knowledge Base Article: http://support.micro...1696#FixItForMe
January 28, 2011 - Revision: 1.0 - ...The fixit solution described in this section is not intended to be a replacement for any security update. We recommend that you always install the latest security updates. However, we offer this fixit solution as a workaround option for some scenarios..."

- http://blogs.technet...nerability.aspx
28 Jan 2011

- http://blogs.technet...ry-2501696.aspx
28 Jan 2011
___

- http://secunia.com/advisories/43093/
Release Date: 2011-01-29
Impact: Cross Site Scripting
Where: From remote ...
Solution: Enable MHTML protocol lockdown (either manually or using the available automated "Microsoft Fix it" solution).
> http://support.micro...1696#FixItForMe
___

- http://isc.sans.edu/...l?storyid=10318
Last Updated: 2011-01-28 18:47:54 UTC

Edited by AplusWebMaster, 29 January 2011 - 05:38 AM.

[AplusWebMaster]

FYI...

Microsoft Security Advisory (967940)
Update for Windows Autorun
- http://www.microsoft...ory/967940.mspx
Published: February 24, 2009 | Updated: February 08, 2011 - "... availability of updates to the Autorun feature that help to restrict AutoPlay functionality to only CD and DVD media on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Restricting AutoPlay functionality to only CD and DVD media can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a USB flash drive, network shares, or other non-CD and non-DVD media containing a file system with an Autorun.inf file...
FAQS: ...After installing the initial update described in Microsoft Knowledge Base Article 967715, the default registry setting to disable Autorun on network drives is properly enforced. After installing the 971029 update*, customers may experience the following AutoPlay behavior:
• Many existing devices in market, and many upcoming devices, use the Autorun feature with the AutoPlay dialog box to present and install software when DVDs, CDs, and USB flash drives are inserted. The AutoPlay behavior with CD and DVD media is not affected by this update.
• Users who install this update will no longer receive a setup message that prompts them to install programs that are delivered by USB flash drives. Users will have to manually install the software. To do this, users click Open folder to view the files, browse to the software's setup program, and then double-click the setup program to run the program manually.
• Some USB flash drives have firmware that present these USB flash drives as CD drives when you insert them into computers. The AutoPlay behavior with these USB flash drives is not affected by this update..."

• V2.0 (February 8, 2011): Summary and update FAQ revised to notify users that the 971029 update to Autorun that restricts AutoPlay functionality to CD and DVD media will be offered via automatic updating.

- http://blogs.technet...940-update.aspx
8 Feb 2011

* http://support.microsoft.com/kb/971029
Last Review: February 8, 2011 - Revision: 4.0

- http://support.microsoft.com/kb/967715
Last Review: September 9, 2010 - Revision: 6.2

Virus families using Autorun / MMPC charts - MSE detections
- http://www.microsoft...0207_image1.jpg
MSRT - major virus families using Autorun
- http://www.microsoft...0207_image2.jpg
Also see Table 1: Top Families, 2H 2010, by Number of Detections
- http://blogs.technet...nd-autorun.aspx
8 Feb. 2011

(Optional MS update) Restrict USB Autorun: Update for Windows (KB971029)
- http://www.f-secure....s/00002096.html
February 9, 2011
___

Microsoft Security Advisory (2490606)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
- http://www.microsoft...ry/2490606.mspx
Updated: February 08, 2011 - "... We have issued MS11-006* to address this issue..."
* http://www.microsoft...n/MS11-006.mspx

Microsoft Security Advisory (2488013)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://www.microsoft...ry/2488013.mspx
Updated: February 08, 2011 - "... We have issued MS11-003** to address this issue..."
** http://www.microsoft...n/MS11-003.mspx

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- http://www.microsoft...ry/2269637.mspx
Published: August 23, 2010 | Updated: February 08, 2011 - Version: 5.0
... Update released on February 8, 2011
• Microsoft Security Bulletin MS11-003**, "Cumulative Security Update for Internet Explorer," provides support for a vulnerable component of Internet Explorer that is affected by the Insecure Library Loading class of vulnerabilities described in this advisory.

Edited by AplusWebMaster, 09 February 2011 - 06:54 PM.

[AplusWebMaster]

FYI... Autorun advisory updated - again.

Microsoft Security Advisory (967940)
Update for Windows Autorun
- http://www.microsoft...ory/967940.mspx
Updated: February 22, 2011
Version: 2.1
• V2.1 (February 22, 2011): Summary revised to notify users of a change in the deployment logic for updates described in this advisory. This change is intended to minimize the user interaction required to install the updates on systems configured for automatic updating.

[AplusWebMaster]

FYI...

Microsoft Security Advisory (2491888)
Vulnerability in Microsoft Malware Protection Engine Could Allow Elevation of Privilege
- http://www.microsoft...ry/2491888.mspx
February 23, 2011 - "... an update to the Microsoft Malware Protection Engine also addresses a security vulnerability reported to Microsoft. The update addresses a privately reported vulnerability that could allow elevation of privilege if the Microsoft Malware Protection Engine scans a system after an attacker with valid logon credentials has created a specially crafted registry key. An attacker who successfully exploited the vulnerability could gain the same user rights as the LocalSystem account. The vulnerability could not be exploited by anonymous users. Since the Microsoft Malware Protection Engine is a part of several Microsoft anti-malware products, the update to the Microsoft Malware Protection Engine is installed along with the updated malware definitions for the affected products. Administrators of enterprise installations should follow their established internal processes to ensure that the definition and engine updates are approved in their update management software, and that clients consume the updates accordingly. Typically, no action is required of enterprise administrators or end users to install this update, because the built-in mechanism for the automatic detection and deployment of this update will apply the update within the next 48 hours. The exact time frame depends on the software used, Internet connection, and infrastructure configuration..."
- http://support.micro....com/kb/2510781
February 23, 2011 - "... how to verify that the updates have been installed... This update requires Windows Live OneCare..."
- http://web.nvd.nist....d=CVE-2011-0037
Last revised: 02/28/2011 - CVSS v2 Base Score: 7.2 (HIGH) - "... before 1.1.6603.0, as used in Microsoft Malicious Software Removal Tool (MSRT), Windows Defender, Security Essentials, Forefront Client Security, Forefront Endpoint Protection 2010, and Windows Live OneCare..."
___

- http://secunia.com/advisories/43468/
Release Date: 2011-02-24
Solution Status: Partial Fix
...The vulnerability is reported in version 1.1.6502.0 and prior of Microsoft Malware Protection Engine.
Solution: Ensure that systems are running version 1.1.6603.0 or later of Microsoft Malware Protection Engine. Typically, malware definitions and updates for Microsoft Malware Protection Engine are applied automatically...

- http://www.h-online....em-1196731.html
24 February 2011 - "... such updates are usually installed within 48 hours, but that users can also initiate the process manually..."

Edited by AplusWebMaster, 01 March 2011 - 04:54 AM.

[AplusWebMaster]

FYI...

MS Autorun update v2.1 now "automatic" from Windows Update
- http://isc.sans.edu/...l?storyid=10468
Last Updated: 2011-03-02 06:27:56 UTC - "Microsoft has moved their Windows Autorun V2.1 [1] (967940) update patch from optional updates to automatic updates. This is the same patch that was released in last month’s patch Tuesday. When Windows update is next run, this patch will automatically be selected to apply to your machine. This is more likely to affect home users, as companies should be using group policies to control how USB autorun settings operate. Expect one or two calls... why their favorite autorun USB stick application has stopped working."

[1] http://www.microsoft...ory/967940.mspx

Edited by AplusWebMaster, 02 March 2011 - 11:02 AM.

[AplusWebMaster]

FYI...

Microsoft Security Advisory (2491888)
Vulnerability in Microsoft Malware Protection Engine Could Allow Elevation of Privilege
- http://www.microsoft...ry/2491888.mspx
• V1.1 (March 8, 2011): Revised advisory FAQ to announce updated version of the MSRT...
- http://web.nvd.nist....d=CVE-2011-0037
Last revised: 02/28/2011
CVSS v2 Base Score: 7.2 (HIGH)
"... before 1.1.6603.0..."

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- http://www.microsoft...ry/2269637.mspx
• V6.0 (March 8, 2011): Added the following Microsoft Security Bulletins to the Updates relating to Insecure Library Loading section: MS11-015, "Vulnerabilities in Windows Media Could Allow Remote Code Execution;" MS11-016, "Vulnerability in Microsoft Groove Could Allow Remote Code Execution;" and MS11-017, "Vulnerability in Remote Desktop Client Could Allow Remote Code Execution."

Edited by AplusWebMaster, 14 March 2011 - 01:52 PM.

[AplusWebMaster]

FYI...

MS advisory - updated (2501696)
Vulnerability in MHTML Could Allow Information Disclosure
* http://www.microsoft...ry/2501696.mspx
• V1.1 (March 11, 2011): Revised Executive Summary to reflect investigation of limited, targeted attacks.

- https://www.computer...Microsoft_warns
March 12, 2011 - "An Internet Explorer flaw made public by a Google security researcher two months ago is now being used in online attacks. The flaw, which has not yet been patched, has been used in "limited, targeted attacks," Microsoft said Friday*... The attack is triggered when the victim is tricked into visiting a maliciously encoded Web page - what's known as a Web drive-by attack... Microsoft has released a Fixit tool** that users can download to repair the problem, but has not said when, or even if, it plans to push out a comprehensive security update to all users..."
** http://support.micro...1696#FixItForMe

- http://www.theregist...t_google_users/
12 March 2011

- http://www.pcmag.com...,2381881,00.asp
PCmag.com - "... Firefox and Chrome are not affected in their default configuration, as they do not support MHTML without the installation of specific add-on modules..."

Edited by AplusWebMaster, 13 March 2011 - 04:39 PM.

[AplusWebMaster]

FYI...

Microsoft Security Advisory (2524375)
Fraudulent Digital Certificates Could Allow Spoofing
- http://www.microsoft...ry/2524375.mspx
March 23, 2011 - "Microsoft is aware of nine fraudulent digital certificates issued by Comodo, a certification authority present in the Trusted Root Certification Authorities Store on all supported versions of Microsoft Windows. Comodo advised Microsoft on March 16, 2011 that nine certificates had been signed on behalf of a third party without sufficiently validating its identity. These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against -all- Web browser users including users of Internet Explorer... Comodo has revoked these certificates, and they are listed in Comodo’s current Certificate Revocation List (CRL). In addition, browsers which have enabled the Online Certificate Status Protocol (OCSP) will interactively validate these certificates and block them from being used. An update is available for all supported versions of Windows to help address this issue. For more information about this update, see Microsoft Knowledge Base Article 2524375*..."
* http://support.micro....com/kb/2524375
March 23, 2011 - Revision: 1.0

- http://www.securityt....com/id/1025248
Mar 23 2011

- http://isc.sans.edu/...l?storyid=10603
Last Updated: 2011-03-23 18:11:20 UTC
___

- http://www.securewor.../rsacompromise/
March 18, 2011

Edited by AplusWebMaster, 28 March 2011 - 03:14 PM.

[AplusWebMaster]

FYI...

Microsoft Security Advisory (973811)
Extended Protection for Authentication
- http://www.microsoft...ory/973811.mspx
• V1.12 (April 12, 2011): Updated the FAQ with information about a non-security update enabling Microsoft Outlook to opt in to Extended Protection for Authentication.

Microsoft Security Advisory (2506014)
Update for the Windows Operating System Loader
- http://www.microsoft...ry/2506014.mspx
4/12/2011 - "Microsoft is announcing the availability of an update to winload.exe to address an issue in driver signing enforcement... this update addresses a method by which unsigned drivers could be loaded by winload.exe. This technique is often utilized by malware to stay resident on a system after the initial infection. The issue affects, and the update is available for, x64-based editions* of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2..."
* http://support.micro....com/kb/2506014

Microsoft Security Advisory (2501696)
Vulnerability in MHTML Could Allow Information Disclosure
- http://www.microsoft...ry/2501696.mspx
Published: January 28, 2011 | Updated: April 12, 2011 - "We have issued MS11-026* to address this issue..."
* http://www.microsoft...n/ms11-026.mspx

Microsoft Security Advisory (2501584)
Release of Microsoft Office File Validation for Microsoft Office
- http://www.microsoft...ry/2501584.mspx
Last Updated: 4/12/2011 - "Microsoft is announcing the availability of the Office File Validation feature for supported editions of Microsoft Office 2003 and Microsoft Office 2007. The feature, previously only available for supported editions of Microsoft Office 2010, is designed to make it easier for customers to protect themselves from Office files that may contain malformed data, such as unsolicited Office files received from unknown or known sources, by scanning and validating files before they are opened... known issues* that customers may experience when utilizing the Office File Validation feature..."
* http://support.micro....com/kb/2501584

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- http://www.microsoft...ry/2269637.mspx
• V7.0 (April 12, 2011): Added the following Microsoft Security Bulletins to the Updates relating to Insecure Library Loading section: MS11-023, "Vulnerabilities in Microsoft Office Could Allow Remote Code Execution;" and MS11-025, "Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution."

.

[AplusWebMaster]

FYI...

MSIR Vol. 10 released
- http://blogs.technet...-volume-10.aspx
11 May 2011 - "... in-depth regional threat intelligence for 117 countries based on data from more than 600 million machines worldwide. The report highlights a polarization of cybercriminal behavior and an increasing trend of cybercriminals using "marketing-like" approaches and deception methods to target consumers... key data points that indicate these tactics are on the rise:
• Rogue Security Software – Rogue security software was detected and blocked on almost 19 million systems in 2010, and the top five families were responsible for approximately 13 million of these detections.
• Phishing – Phishing using social networking as the lure increased 1,200 percent – from a low of 8.3 percent of all phishing in January to a high of 84.5 percent in December 2010. Phishing that targeted online gaming sites reached a high of 16.7 percent of all phishing in June.
• Adware – Global detections of adware when surfing websites increased 70 percent from the second quarter to the fourth quarter of 2010. This increase was almost completely caused by the detection of a pair of new Adware families, JS/Pornpop and Win32/ClickPotato, which are the two most prevalent malware in many countries.
... notable that Windows 7 operating systems are infected only about half as often as Vista, and Vista half as often as Windows XP..."
___

- http://www.theinquir...script-exploits
May 12 2011 - "... In Microsoft's latest security intelligence report, the firm revealed that in the third quarter of 2010 the number of Java attacks increased to fourteen times the number of attacks it saw in the previous quarter... Java attacks surpassed every other exploitation category that the Microsoft Malware Protection tracked..."
___

Java - most common target for attacks
- http://www.h-online....iew=zoom;zoom=1

- http://www.h-online....iew=zoom;zoom=4

- http://www.h-online....iew=zoom;zoom=5

Edited by AplusWebMaster, 20 May 2011 - 09:36 PM.