317 replies to this topic

[AplusWebMaster]

FYI...

Microsoft Security Advisory (2641690)
Fraudulent Digital Certificates Could Allow Spoofing
- https://technet.micr...dvisory/2641690
• V2.0 (November 16, 2011): Revised to announce the re-release of the KB261690 update. See the Update FAQ in this advisory for more information. Also, added link to Microsoft Knowledge Base Article 2641690* under Known Issues in the Executive Summary.
* http://support.micro....com/kb/2641690
November 16, 2011 - Revision: 5.1
"... Before November 16, 2011, Microsoft Windows Server Update Services (WSUS) server customers experienced problems with the versions of update 2641690 for Windows XP x64 and for Windows Server 2003. On November 16, 2011, we re-released update 2641690 to address this issue for Windows XP x64 and for all editions of Windows Server 2003. Most systems have automatic updating enabled. If you do have automatic updating enabled, you do not have to take any action because update 2641690 will be installed automatically. All releases of Windows Vista, of Windows 7, of Windows Server 2008, and of Windows Server 2008 R2 are not affected by this issue..."

[AplusWebMaster]

FYI... http://windowssecret...ry/patch-watch/

... Regularly updated problem-patch chart
>> http://windowssecret...atching/#patch5
2011-11-23 - "... table provides the status of problem Windows patches reported in previous Patch Watch columns. Patches listed... as safe to install will be removed from the next updated table...
[ i.e.] Microsoft Security Bulletin MS11-069 - Moderate
Vulnerability in .NET Framework Could Allow Information Disclosure (2567951)
* https://technet.micr...lletin/ms11-069
'Published: Tuesday, August 09, 2011 | Updated: Wednesday, October 26, 2011 ...
Revisions:
• V1.0 (August 9, 2011): Bulletin published.
• V1.1 (August 23, 2011): Added an update FAQ to announce a detection change for KB2539636 that corrects an installation issue. This is a detection change only. There were no changes to the security update files. Customers who have already successfully updated their systems do not need to take any action.
• V1.2 (October 26, 2011): Corrected Server Core installation applicability for .NET Framework 4 on Windows Server 2008 R2 for x64-based Systems...'

Status recommendations: Skip* — patch not needed; Hold — do not install until its problems are resolved; Wait — hold off temporarily while the patch is tested; Optional — not critical, use if wanted; Install — OK to apply..."

Edited by AplusWebMaster, 26 November 2011 - 08:50 PM.

[AplusWebMaster]

FYI... Duqu TrueType 0-day exploit - notes ..

No Microsoft patch is available (yet)
> http://windowssecret...-pack-4/#inthe3
2011-12-01 - "... The workaround** denies access to t2embed.dll, causing the Duqu exploit to fail. But the Duqu Fix it also has an odd characteristic: it prompts Windows XP users to download two older Microsoft patches, MS10-001 (KB 972270) and MS10-076 (KB 982132) — patches most XP users have presumably already installed..."
** http://support.micro...9658#FixItForMe

Free Duqu detector from CrySyS
> http://windowssecret...-pack-4/#inthe2
2011-12-01 - "... To see whether your system is vulnerable to Duqu, you can obtain a free Duqu detector from CrySyS*..."
* http://www.crysys.hu/duqudetector.html

[AplusWebMaster]

MS Security Advisory updates:

Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege
- https://technet.micr...dvisory/2639658
V2.0 (December 13, 2011): Advisory updated to reflect publication of security bulletin. MS11-087.
- https://technet.micr...lletin/ms11-087

Insecure Library Loading Could Allow Remote Code Execution
- https://technet.micr...dvisory/2269637
V13.0 (December 13, 2011): Added the following Microsoft Security Bulletins to the Updates relating to Insecure Library Loading section: MS11-099, "Cumulative Security Update for Internet Explorer;" and MS11-094, "Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution."
- https://technet.micr...lletin/ms11-099
- https://technet.micr...lletin/ms11-094
___

Insecure library loading - verified Secunia List
- https://secunia.com/...ibrary_loading/
Number of products affected: 293
Number of vendors affected: 113
Number of Secunia Advisories issued: 215
Solution Status ...

.

Edited by AplusWebMaster, 26 January 2012 - 05:45 AM.

[AplusWebMaster]

FYI...

- http://forums.whatth...=...st&p=765592
Dec 29, 2011
- https://technet.micr...dvisory/2659883
Updated: December 29, 2011 - "... We have issued MS11-100* to address this issue..."
* https://technet.micr...n/ms11-100.mspx
• V1.1 (December 30, 2011): Added entry to the Update FAQ to address security-rated changes to functionality contained in this update and added mitigation for CVE-2011-3414.

- https://www.us-cert....nerable_to_hash
Dec. 29, 2011

- http://h-online.com/-1401863
Dec. 29, 2011
___

Microsoft Security Advisory (2659883)
Vulnerability in ASP.NET Could Allow Denial of Service
- https://technet.micr...dvisory/2659883
December 28, 2011 - "Microsoft is aware of detailed information that has been published describing a new method to exploit hash tables. Attacks targeting this type of vulnerability are generically known as hash collision attacks. Attacks such as these are not specific to Microsoft technologies and affect other web service software providers. This vulnerability affects all versions of Microsoft .NET Framework and could allow for an unauthenticated denial of service attack on servers that serve ASP.NET pages. Sites that only serve static content or disallow dynamic content types listed in the mitigation factors below are not vulnerable.
The vulnerability exists due to the way that ASP.NET processes values in an ASP.NET form post causing a hash collision. It is possible for an attacker to send a small number of specially crafted posts to an ASP.NET server, causing performance to degrade significantly enough to cause a denial of service condition. Microsoft is aware of detailed information available publicly that could be used to exploit this vulnerability but is not aware of any active attacks.
Details of a workaround to help protect sites against this vulnerability are provided in this article. Individual implementations for sites using ASP.NET will vary and Microsoft strongly suggests customers evaluate the impact of the workaround for applicability to their implementations...
Workarounds - Configuration-based workaround
The following workaround configures the limit of the maximum request size that ASP.NET will accept from a client. Decreasing the maximum request size will decrease the susceptibility of the ASP.NET server to a denial of service attack..."
- http://support.micro....com/kb/2659883
December 28, 2011 - Revision: 2.0

- http://www.kb.cert.org/vuls/id/903934
2011-12-28

- https://isc.sans.edu...l?storyid=12286
Last Updated: 2011-12-28 23:02:14 UTC ...(Version: 2)
___

- https://blogs.techne...Redirected=true
27 Dec 2011 10:29 PM - "...if your website does need to accept user uploads, this workaround is likely to block legitimate requests. In that case, you should not use this workaround and instead wait for the comprehensive security update*..."
* Advanced Notification for out-of-band release to address Security Advisory 2659883
- https://blogs.techne...Redirected=true
28 Dec 2011 7:51 PM - "... The release is scheduled for December 29... The bulletin has a severity rating of Critical..."
___

- http://www.securityt....com/id/1026469
CVE Reference: CVE-2011-3414
Date: Dec 28 2011
Impact: Denial of service via network...

- http://www.ocert.org...t-2011-003.html
2011-12-28

- https://secunia.com/advisories/47323/ | https://secunia.com/advisories/47404/
- https://secunia.com/advisories/47405/ | https://secunia.com/advisories/47406/
- https://secunia.com/advisories/47407/ | https://secunia.com/advisories/47408/
- https://secunia.com/advisories/47411/ | https://secunia.com/advisories/47413/
- https://secunia.com/advisories/47414/ | https://secunia.com/advisories/47415/
Release Date: 2011-12-29

Edited by AplusWebMaster, 30 December 2011 - 09:55 PM.

[AplusWebMaster]

FYI...

Microsoft Security Advisory (2588513)
Vulnerability in SSL/TLS Could Allow Information Disclosure
- https://technet.micr...dvisory/2588513
Published: Monday, September 26, 2011 | Updated: Tuesday, January 10, 2012 - "We have issued MS12-006* to address this issue..."
* https://technet.micr...lletin/ms12-006

- http://web.nvd.nist....d=CVE-2011-3389

* http://forums.whatth...howtopic=121946

[AplusWebMaster]

FYI...

Microsoft Security Advisory (2641690)
Fraudulent Digital Certificates Could Allow Spoofing
- https://technet.micr...dvisory/2641690
• V3.0 (January 19, 2012): Revised to announce the release of an update for Windows Mobile 6.x, Windows Phone 7, and Windows Phone 7.5 devices.

[AplusWebMaster]

FYI...

Microsoft Security Advisory (2647518)
Update Rollup for ActiveX Kill Bits
- https://technet.micr...dvisory/2647518
March 13, 2012

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- https://technet.micr...dvisory/2269637
• V15.0 (March 13, 2012): Added the following Microsoft Security Bulletin to the Updates relating to Insecure Library Loading section: MS12-022*, "Vulnerability in Expression Design Could Allow Remote Code Execution."
* https://technet.micr...lletin/ms12-022

.

[AplusWebMaster]

FYI...

MS12-020 - MS RDP ...
- https://isc.sans.edu...l?storyid=12805
Last Updated: 2012-03-16 15:26:16 UTC - "... proof-of-concept is out..."

- https://isc.sans.edu...l?storyid=12808
Last Updated: 2012-03-17 00:18:07 UTC

- http://atlas.arbor.n...ndex#-700023003
Severity: Extreme Severity
March 16, 2012 01:36

- http://web.nvd.nist....d=CVE-2012-0002
Last revised: 03/15/2012
CVSS v2 Base Score: 9.3 (HIGH)

> http://forums.whatth...howtopic=122620

Edited by AplusWebMaster, 17 March 2012 - 01:14 AM.

[AplusWebMaster]

FYI...

RDP exploit watch: 5M RDP endpoints found on the Web
- http://atlas.arbor.n...dex#-1324643596
Elevated Severity
March 19, 2012 22:10
"Research suggests that approximately five million remote desktop endpoints exist on the Internet.
Analysis: Every Internet connected organization should carefully assess the need for Remote Desktop and evaluate exposure to include patch status and strength of credentials. While convenient for users, remote access tools increase the attack surface and additional layers of security such as requiring VPN access, robust network ACL's, requiring stronger authentication and extensive host hardening should be considered. Additionally, it is important to institute proper monitoring to detect attacks and unauthorized access."
Source: https://www.zdnet.co...-internet/10937
"... Dan Kaminsky has identified approximately five million internet-accessible RDP endpoints that are potentially sitting ducks for a network worm exploiting the MS12-020 vulnerability..."

- http://dankaminsky.com/2012/03/18/rdp/
March 18, 2012
___

- http://www.kb.cert.org/vuls/id/624051
Last Updated: 2012-03-19

Edited by AplusWebMaster, 21 March 2012 - 08:23 AM.

[AplusWebMaster]

FYI...

Exploit for MS12-020 RDP bug moves to Metasploit
- http://atlas.arbor.n...ndex#1373529066
Elevated Severity
March 21, 2012
"A Denial of Service exploit for the Microsoft Remote Desktop security hole is now included in the Metasploit Framework, a popular penetration testing toolkit. This DoS exploit was already in the wild.
Analysis: Hopefully the increased press on this issue has encouraged robust patching and system hardening which will reduce the impact of this issue when a remote code execution exploit does become public. istherdpexploitoutyet.com is a website tracking the progress on this issue and offering links to research information. Be aware that this site does not offer any guarantees, and dangerous fake exploits for this bug have already appeared that will cause harm to those attempting to run them. Organizations that are exploited by this Denial of Service condition will see a "blue screen of death" involving RDPWD.SYS, as seen in the blog: http://community.web...n-the-wild.aspx
Source: http://threatpost.co...tasploit-032012 "

Edited by AplusWebMaster, 22 March 2012 - 06:52 AM.

[AplusWebMaster]

FYI...

MS12-020 exploit in-the-wild ...
- https://www.f-secure...s/00002338.html
March 27, 2012 - "Since the public release of Microsoft's MS12-020 bulletin, there have been plenty of attempts to exploit vulnerabilities in the Remote Desktop Protocol (RDP). Last week, we received a related sample, which turned out to be a tool called "RDPKill by: Mark DePalma" that was designed to kill targeted RDP service. The tool was written with Visual Basic 6.0, and has a simple user interface. We tested it on machines running on Windows XP 32-bit and Windows 7 64-bit... Both the Windows XP 32-bit and the Windows 7 64-bit computers were affected by the Denial of Service (DoS) attack. The service crashed and triggered a "Blue Screen of Death" (BSoD) condition*...
* https://www.f-secure...dpkill_bsod.png
We detect this tool as Hack-Tool:W32/RDPKill.A. (SHA-1: 1d131a5f17d86c712988a2d146dc73367f5e5917). Besides RDPKill.A, other similar tools and Metasploit module can also be found online. Due to their availability, an unpatched RDP server would be an easy target of DoS attack by attackers who might be experimenting with these tools. For those who still haven't patched their system, especially those running RDP service on their machines, we strongly advise that you to do so as soon as possible..."

[AplusWebMaster]

FYI...

Microsoft Security Advisory (2695962)
Update Rollup for ActiveX Kill Bits
- https://technet.micr...dvisory/2695962
May 08, 2012
> http://support.micro....com/kb/2695962

[AplusWebMaster]

FYI...

Microsoft Security Advisory (2718704)
Unauthorized Digital Certificates Could Allow Spoofing
- https://technet.micr...dvisory/2718704
June 03, 2012 - "Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows. Microsoft is providing an update for all supported releases of Microsoft Windows. The update revokes the trust of the following intermediate CA certificates:
• Microsoft Enforced Licensing Intermediate PCA (2 certificates)
• Microsoft Enforced Licensing Registration Authority CA (SHA1)
Recommendation. For supported releases of Microsoft Windows, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service..."
* http://support.micro....com/kb/2718704

- https://blogs.techne...Redirected=true
3 Jun 2012 - "We recently became aware of a complex piece of targeted malware known as 'Flame' and immediately began examining the issue. As many reports assert, Flame has been used in highly sophisticated and targeted attacks and, as a result, the vast majority of customers are not at risk. Additionally, most antivirus products will detect and remove this malware. That said, our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks..."

- https://blogs.techne...Redirected=true
3 Jun 2012 - "... we released Security Advisory 2718704*, notifying customers that unauthorized digital certificates have been found that chain up to a Microsoft sub-certification authority issued under the Microsoft Root Authority... we encourage all customers to apply the officially tested update to add the proper certificates to the Untrusted Certificate Store... Components of the Flame malware were signed with a certificate that chained up to the Microsoft Enforced Licensing Intermediate PCA certificate authority, and ultimately, to the Microsoft Root Authority. This code-signing certificate came by way of the Terminal Server Licensing Service that we operate to issue certificates to customers for ancillary PKI-based functions in their enterprise. Such a certificate could (without this update being applied) also allow attackers to sign code that validates as having been produced by Microsoft.
Conclusion: We recommend that all customers apply this update."

- http://support.microsoft.com/kb/894199
Last Review: June 4, 2012 - Revision: 129.0
___

- http://www.securityt....com/id/1027114
Jun 4 2012
... Unauthorized digital certificates derived from these certificate authorities are being actively used in attacks.
Windows Mobile 6.x and Windows Phone 7 and 7.5 are also affected.
Impact: A remote user may be able to spoof code signing signatures.
Solution: The vendor has issued a fix (KB2718704), available via automatic update...

>> https://www.f-secure...s/00002377.html
June 4, 2012
___

Microsoft Security Advisory (2718704)
- http://atlas.arbor.n...dex#-2141289419
Severity: Extreme Severity
Published: Monday, June 04, 2012 20:39
This security vulnerability is high risk and should be looked at ASAP by security teams.
Analysis: Due to the risks involved, multiple sources suggest that this issue be mitigated as soon as possible. The vulnerability has already been used in the Flame malware, which has been around for a few years. How many other potential adversaries have found and are leveraging the same security hole for their purposes is an open question.
Source: http://technet.micro...dvisory/2718704

Source: https://isc.sans.edu...l?storyid=13366
Last Updated: 2012-06-05 ...(Version: 4)

Source: http://www.wired.com...-security-fail/
June 1, 2012 Mikko Hypponen, Chief Research Officer - F-Secure

Edited by AplusWebMaster, 07 June 2012 - 12:34 PM.

[AplusWebMaster]

FYI...

WSUS and Windows update hardening

- http://blogs.technet...-available.aspx
8 Jun 2012
- http://blogs.technet...-this-week.aspx
June 8, 2012 - Revision: 2.2
- http://blogs.technet...-available.aspx
8 Jun 2012

... and:

- http://support.micro....com/kb/2720211
Last Review: June 8, 2012 - Revision: 2.2
- http://support.microsoft.com/kb/894199
Last Review: June 8, 2012 - Revision: 131.0
___

An update for Windows Server Update Services 3.0 Service Pack 2 is available
- http://support.micro....com/kb/2720211
Last Review: June 11, 2012 - Revision: 5.0

Edited by AplusWebMaster, 11 June 2012 - 09:22 AM.