317 replies to this topic

[AplusWebMaster]

FYI...

MS EMET v2.1 released
- http://blogs.technet...-available.aspx
18 May 2011 - "... new version of the Enhanced Mitigation Experience Toolkit (EMET) with brand new features and mitigations. Users can click here* to download the tool free... new features:
• EMET is an officially-supported product through the online forum
• “Bottom-up Rand” new mitigation randomizes (8 bits of entropy) the base address of bottom-up allocations (including heaps, stacks, and other memory allocations) once EMET has enabled this mitigation.
• Export Address Filtering is now available for 64 bit processes. EAF filters all accesses to the Export Address Table which blocks most of the existing shellcodes
• Improved command line support for enterprise deployment and configuration
• Ability to export/import EMET settings
• Improved SEHOP (structured exception handler overwrite protection) mitigation
• Minor bug fixes..."
* http://www.microsoft...08-115192c491cb

.

[AplusWebMaster]

FYI...

MSRT detections - May 10–20, 2011
- http://blogs.technet...he-numbers.aspx
Family Count Note
Sality 202,351 Classic parasitic virus
Taterf 77,236 Worm
Rimecud 65,149 Worm
Vobfus 59,918 Worm
Alureon 58,884 Evolved parasitic virus
Parite 53,778 Evolved parasitic virus
Ramnit 52,549 Evolved parasitic virus
Brontok 50,392 Worm
Cycbot 50,209 Trojan ...
(Top 25 detections listed at the URL above.)

.

[AplusWebMaster]

FYI...

Microsoft Security Advisory (2501584)
Office File Validation for Microsoft Office
- http://www.microsoft...ry/2501584.mspx
Updated: 6/30/2011 - "Microsoft is announcing the availability of the Office File Validation feature for supported editions of Microsoft Office 2003 and Microsoft Office 2007. The feature, previously only available for supported editions of Microsoft Office 2010, is designed to make it easier for customers to protect themselves from Office files that may contain malformed data, such as unsolicited Office files received from unknown or known sources, by scanning and validating files before they are opened. The Office File Validation feature described in this advisory applies when opening an Office file using Microsoft Excel 2003, Microsoft PowerPoint 2003, Microsoft Word 2003, Microsoft Publisher 2003, Microsoft Excel 2007, Microsoft PowerPoint 2007, Microsoft Word 2007, or Microsoft Publisher 2007. Office File Validation helps detect and prevent a kind of exploit known as a file format attack. File format attacks exploit the integrity of a file, and occur when the structure of a file is modified with the intent of adding malicious code...
Affected Software: Microsoft Office 2003 SP3, Microsoft Office 2007 SP2 ...
Microsoft revised this advisory to announce that as of June 28, 2011, the Office File Validation Add-in described in Microsoft Knowledge Base Article 2501584* is available through the Microsoft Update service...
Suggested Actions: Consult TechNet article, Office File Validation for Office 2003 and Office 2007, for information on deployment, installation, and configuration of the Office File Validation feature for Microsoft Office 2003 and Microsoft Office 2007**..."

* http://support.micro....com/kb/2501584

** http://technet.micro...70054287af.aspx

.

[AplusWebMaster]

FYI...

MS Office 2010 SP1 available
- http://blogs.technet...ed_engineering/
June 29, 2011 - "... Today SP1 is available from the Download center. The Downloads Table below provides links to the new packages for SP1. If you have installed all Office Automatic Updates, you will also see SP1 available as a manual download from Microsoft Update. After a 90 day grace period, SP1 will be offered as an automatic update through Microsoft Update..."

- http://technet.micro...e/ee748587.aspx

- http://support.micro....com/kb/2460049

.

[AplusWebMaster]

FYI...

DLL search path algorithm
- http://support.micro....com/kb/2264107
Last Review: June 10, 2011 - Revision: 5.1
___

MS to retire Office XP, Vista SP1 next week
- https://www.computer...a_SP1_next_week
July 5, 2011 - "Microsoft will retire 2001's Office XP and the first service pack for Windows Vista next week, according to the company's published schedule. Both Office XP and Vista Service Pack 1 (SP1) will exit all support July 12, this month's Patch Tuesday. That date will be the last time Microsoft issues security updates for the aging suite and Vista SP1... Microsoft generally patches security vulnerabilities in its products throughout the entire 10-year stretch. Although Office XP's support expires next week, Vista users can continue to receive security updates by upgrading to SP2... Office 2003, the follow-up to Office XP, will receive security updates until April 2014. Office 2007 and Office 2010 will get patches until April 2017 and October 2020, respectively. Office XP and Vista SP1 were last patched three weeks ago when Microsoft issued 16 security updates that fixed 34 flaws."

Office XP
- http://support.micro...ecycle/?p1=2533

Edited by AplusWebMaster, 06 August 2011 - 09:05 AM.

[AplusWebMaster]

FYI...

Microsoft Security Advisory (2562937)
Update Rollup for ActiveX Kill Bits
- https://www.microsof...ry/2562937.mspx
August 09, 2011 - "Microsoft is releasing a new set of ActiveX kill bits with this advisory. This update sets the kill bits for the following third-party software:
• CheckPoint SSL VPN On-Demand applications...
• ActBar... IBM...
• EBI R Web Toolkit... Honeywell..."

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- https://www.microsof...ry/2269637.mspx
August 09, 2011 - "... Update released on August 9, 2011
• MS11-059*, "Vulnerability in Data Access Components Could Allow Remote Code Execution," provides support for a vulnerable component of Microsoft Windows that is affected by the Insecure Library Loading class of vulnerabilities described in this advisory..."
* https://www.microsof...n/ms11-059.mspx

.

[AplusWebMaster]

FYI...

Microsoft Security Advisory (2607712)
Fraudulent Digital Certificates Could Allow Spoofing
- https://www.microsof...ry/2607712.mspx
August 29, 2011 V2.0 - "Microsoft is aware of at least one fraudulent digital certificate issued by DigiNotar, a certification authority present in the Trusted Root Certification Authorities Store, on all supported releases of Microsoft Windows. Although this is not a vulnerability in a Microsoft product, Microsoft is taking action to protect customers. Microsoft has been able to confirm that one digital certificate affects all subdomains of google.com and may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer. Microsoft is continuing to investigate how many more certificates have been fraudulently issued. As a precautionary measure, Microsoft has removed the DigiNotar root certificate from the Microsoft Certificate Trust List. All supported editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 use the Microsoft Certificate Trust List to validate the trust of a certification authority. Users of these operating systems will be presented with an invalid certificate error when they browse to a Web site or try to install programs signed by the DigiNotar root certificate. In those cases users should follow the instructions in the message. Microsoft will release a future update to address this issue for all supported editions of Windows XP and Windows Server 2003. Microsoft is continuing to investigate this issue and may release future updates to help protect customers..."

- https://blogs.techne...ry-2607712.aspx

- https://blog.mozilla...om-certificate/
"... We have received reports of these certificates being used in the wild... we are releasing new versions of Firefox for desktop (3.6.21, 6.0.1, 7, 8, and 9) and mobile (6.0.1, 7, 8, and 9), Thunderbird (3.1.13, and 6.0.1) and SeaMonkey (2.3.2) shortly..."
___

- http://h-online.com/-1333088
30 August 2011

Edited by AplusWebMaster, 30 August 2011 - 02:24 PM.

[AplusWebMaster]

FYI...

- http://news.yahoo.co...-215940770.html
Sep. 6, 2011 AMSTERDAM (AP) — "A company that sells certificates guaranteeing the security of websites, GlobalSign, says it is temporarily halting the issuance of new certificates over concerns it may have been targeted by hackers. GlobalSign, the Belgian-based subsidiary of Japan's GMO Internet Inc., is one of the oldest and largest such companies globally. It said in a statement Tuesday it does not know whether it has actually been hacked, but is taking threats by an anonymous hacker seriously in the wake of an attack on a smaller Dutch firm, DigiNotar, that came to light last week. The DigiNotar attack is believed to have allowed the Iranian government to spy on thousands of Iranian citizens' communications with Google email during the month of August."
> http://www.globalsig...y-response.html
___

Microsoft Security Advisory (2607712)... updated
Fraudulent Digital Certificates Could Allow Spoofing
- https://www.microsof...ry/2607712.mspx
Updated: September 06, 2011 - "Microsoft is aware of active attacks using at least one fraudulent digital certificate issued by DigiNotar... For supported releases of Microsoft Windows, typically no action is required of customers to install this update, because the majority of customers have automatic updating enabled and this update will be downloaded and installed automatically...
Suggested Actions... Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. For more information on how to manually apply the update, see Microsoft Knowledge Base Article 2607712*..."

Fraudulent digital certificates could allow spoofing
* http://www.microsoft...ry/2607712.mspx
September 6, 2011

- https://blogs.techne...ry-2607712.aspx
6 Sep 2011

Edited by AplusWebMaster, 06 September 2011 - 11:31 PM.

[AplusWebMaster]

FYI...

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- https://technet.micr...dvisory/2269637
• V10.0 (September 13, 2011): Added the following Microsoft Security Bulletins to the Updates relating to Insecure Library Loading section: MS11-071, "Vulnerability in Windows Components Could Allow Remote Code Execution;" and MS11-073, "Vulnerabilities in Microsoft Office Could Allow Remote Code Execution."
- https://technet.micr...lletin/ms11-071
- https://technet.micr...lletin/ms11-073

Microsoft Security Advisory (2607712)
Fraudulent Digital Certificates Could Allow Spoofing
- https://technet.micr...dvisory/2607712
• V4.0 (September 13, 2011): Revised to announce the release of the KB2616676 update that addresses the issue described in this advisory.
• V4.1 (September 13, 2011): Revised to announce the availability of the KB2616676 update for the Windows Developer Preview
• V5.0 (September 19, 2011): Revised to announce the re-release of the KB2616676 update. See the Update FAQ in this advisory for more information.
- http://support.micro....com/kb/2616676
September 19, 2011 - Revision: 4.0

- https://blogs.techne...rtificates.aspx
19 Sep 2011
___

- https://www.computer..._switch_blooper
September 19, 2011 - "... the update (MS) shipped to Windows XP and Server 2003 users last Tuesday was flawed..."

Edited by AplusWebMaster, 20 September 2011 - 08:39 AM.

[AplusWebMaster]

FYI...

Microsoft Security Advisory (2588513)
Vulnerability in SSL/TLS Could Allow Information Disclosure
- https://technet.micr...dvisory/2588513
September 26, 2011 - "Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0 and TLS 1.0, affecting the Windows operating system. This vulnerability affects the protocol itself and is not specific to the Windows operating system. This is an information disclosure vulnerability that allows the decryption of encrypted SSL/TLS traffic. This vulnerability primarily impacts HTTPS traffic, since the browser is the primary attack vector, and all web traffic served via HTTPS or mixed content HTTP/HTTPS is affected. We are not aware of a way to exploit this vulnerability in other protocols or components and we are not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers. We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
Mitigating Factors:
The attack must make several hundred HTTPS requests before the attack could be successful.
TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected..."
(More detail at the URL above.)

- http://blogs.technet...ry-2588513.aspx
26 Sep 2011
___

- http://www.securewor...t-and-ssl-cert/
Sep 9, 2011
___

- http://web.nvd.nist....d=CVE-2011-3389
Last revised: 10/03/2011
CVSS v2 Base Score: 4.3 (MEDIUM)

- https://www.kb.cert.org/vuls/id/864643
Date Last Updated: 2011-09-29

Edited by AplusWebMaster, 03 October 2011 - 05:28 PM.

[AplusWebMaster]

FYI...

MS SIRv11 available
- https://blogs.techne...-available.aspx
11 Oct 2011
> http://www.microsoft...ir/default.aspx

Malware detected by MSRT H1-2011
> http://www.microsoft...SIR11_chart.png
___

- http://h-online.com/-1360430
13 October 2011

Edited by AplusWebMaster, 13 October 2011 - 08:37 AM.

[AplusWebMaster]

FYI...

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- https://technet.micr...dvisory/2269637
Updated: Tuesday, October 11, 2011
• V11.0: Added the following Microsoft Security Bulletins to the Updates relating to Insecure Library Loading section: MS11-075, "Vulnerability in Microsoft Active Accessibility Could Allow Remote Code Execution;" and MS11-076, "Vulnerability in Windows Media Center Could Allow Remote Code Execution."

[AplusWebMaster]

FYI...

Microsoft Security Advisory (2639658)
Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege
- https://technet.micr...dvisory/2639658
• V1.0 (November 3, 2011): Advisory published.
• V1.1 (November 3, 2011): Added localization notation to the Workarounds section.
• V1.2 (November 4, 2011): Revised the workaround, Deny access to T2EMBED.DLL, to improve support for non-English versions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Customers with non-English versions of Microsoft Windows should reevaluate the applicability of the revised workaround for their environment.
V1.3 (November 8, 2011): Added link to MAPP Partners with Updated Protections in the Executive Summary.

November 03, 2011 - "Microsoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs...
Workarounds: Deny access to T2EMBED.DLL
Note: See Microsoft Knowledge Base Article 2639658* to use the automated Microsoft Fix it solution to enable or disable this workaround to deny access to t2embed.dll..."
- http://support.micro...9658#FixItForMe
November 3, 2011 - Revision: 1.0
Impact of Workaround. Applications that rely on embedded font technology will fail to display properly.

- http://web.nvd.nist....d=CVE-2011-3402
Last revised: 11/07/2011
CVSS v2 Base Score: 9.3 (HIGH)
___

- https://www.computer...rosoft_confirms
November 4, 2011 - "... the Windows kernel vulnerability exploited by the Duqu Trojan is within the TrueType parsing engine, the same component it last patched just last month... So far during 2011, Microsoft has patched 56 different kernel vulnerabilities with updates issued in February, April, June, July, August and October. In April alone, the company fixed 30 bugs, then quashed 15 more in July..."
___

- https://secunia.com/advisories/46724/
Last Update: 2011-11-07
Criticality level: Extremely critical
Impact: System access
Where: From remote...
CVE Reference: http://web.nvd.nist....d=CVE-2011-3402
... Reported as a 0-day.
Solution: Apply the Microsoft Fix it*...
* http://support.micro...9658#FixItForMe

- http://www.securityt....com/id/1026271
Updated: Nov 4 2011
Impact: Execution of arbitrary code via network, User access via network
Vendor Confirmed: Yes
Version(s): XP SP3, 2003 SP2, Vista SP2, 2008 SP2, 7 SP1, 2008 R2 SP1; and prior service packs...
... A remote user can create a specially crafted document that, when loaded by the target user, will execute arbitrary code on the target system. The code will run with kernel level privileges. The vulnerability resides in the Win32k.sys kernel driver in the parsing of TrueType fonts...

NOTE: "... The vulnerability cannot be exploited automatically via email unless the user opens an attachment sent in an email message..."
Per: https://isc.sans.edu...l?storyid=11950

U.S.CERT: Critical alert
- https://www.us-cert....-11-291-01E.pdf
November 1, 2011

Edited by AplusWebMaster, 09 November 2011 - 11:37 AM.

[AplusWebMaster]

FYI...

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- https://technet.micr...dvisory/2269637
• V12.0 (November 8, 2011): Added the following Microsoft Security Bulletin to the Updates relating to Insecure Library Loading section: MS11-085*, "Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution."
* https://technet.micr...lletin/ms11-085

Microsoft Security Advisory (2639658)
Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege
- https://technet.micr...dvisory/2639658
• V1.4 (November 11, 2011): Revised impact statement for the workaround, Deny access to T2EMBED.DLL, to address applications that rely on T2EMBED.DLL for functionality.
"... vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability..."
> http://support.micro...9658#FixItForMe

- http://web.nvd.nist....d=CVE-2011-3402
Last revised: 11/07/2011
CVSS v2 Base Score: 9.3 (HIGH)

- http://labs.m86secur...zero-day-event/
November 8th, 2011
___

A simple test of the Duqu workaround...
- http://blogs.compute...ound_is_working
November 12, 2011

Edited by AplusWebMaster, 15 November 2011 - 06:09 AM.

[AplusWebMaster]

FYI...

Microsoft Security Advisory (2641690)
Fraudulent Digital Certificates Could Allow Spoofing
* http://technet.micro...dvisory/2641690
November 10, 2011 - "... The majority of customers have automatic updating enabled and will not need to take any action because the KB2641690 update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually..."

- http://support.micro....com/kb/2641690
November 10, 2011 Rev 1.0 - "Microsoft has released a Microsoft security advisory about this issue for IT professionals. This update is released for all supported versions of Microsoft Windows. This update revokes the trust of the following DigiCert Sdn. Bhd intermediate certificates by putting them in the Microsoft Untrusted Certificate Store:
Digisign Server ID – (Enrich) issued by Entrust.net Certification Authority (2048)
Digisign Server ID (Enrich) issued by GTE CyberTrust Global Root
The security advisory* contains additional security-related information..."

- https://blogs.techne...e...&GroupKeys=
10 Nov 2011
___

- https://www.us-cert....tes_could_allow
November 10, 2011

Edited by AplusWebMaster, 11 November 2011 - 06:09 AM.