MS Security Advisories


  • This topic is locked
317 replies to this topic

#16 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 15 October 2005 - 03:59 AM

FYI...

Microsoft Security Advisory (909444)
Various Issues After Installing Microsoft Security Bulletin MS05-051 on Systems That Have Non-default File Permissions
- http://www.microsoft...ory/909444.mspx
Published: October 14, 2005
"Microsoft is aware of reports of isolated issues after deployment with Microsoft Security Bulletin MS05-051. We are working with a limited number of affected customers to help resolve these issues.
Systems that do not have the default Access Control List (ACL) settings in the %Windir%\Registration folder may experience various problems after installing MS05-051. The update helps protect against attacks seeking to exploit MS05-051, however this isolated set of issues might impact systems after installation of the update.
Based on feedback from those customers, Microsoft has published Microsoft Knowledge Base Article 909444, which addresses the issue.
We continue to urge customers to deploy MS05-051 and all recent security updates..."
- http://support.microsoft.com/kb/909444

:ph34r:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#17 AplusWebMaster


Posted 10 November 2005 - 10:27 PM

FYI...

Microsoft Security Advisory (910550)
Macromedia Security Bulletin: MPSB05-07 Flash Player 7 Improper Memory Access Vulnerability
- http://www.microsoft...ory/910550.mspx
Published: November 9, 2005
"Microsoft is aware of recent security vulnerabilities in Macromedia Flash Player, a third party software application that also was redistributed with Microsoft Windows XP Service Pack 1, Windows XP Service Pack 2, Windows 98, Windows 98 SE, and Windows Millennium Edition. The Microsoft Security Response Center is in communication with Macromedia and is aware that Macromedia has made updates that are available on their Web site.
Microsoft encourages customers who use Macromedia Flash Player to follow the guidance documented in Macromedia’s Security Bulletin. The Macromedia Security Bulletin describes the vulnerabilities and provides the download locations so that you can install the appropriate update based on the version of Macromedia Flash Player you are using..."
- http://www.macromedi.../mpsb05-07.html

:ph34r:



#18 AplusWebMaster


Posted 17 November 2005 - 04:37 AM

FYI...

Microsoft Security Advisory (911052)
Memory Allocation Denial of Service Via RPC
- http://www.microsoft...ory/911052.mspx
Published: November 16, 2005
"Microsoft is aware of public reports of proof-of-concept code that seeks to exploit a possible vulnerability in Microsoft Windows 2000 Service Pack 4 and in Microsoft Windows XP Service Pack 1. This vulnerability could allow an attacker to levy a denial of service attack of limited duration.
On Windows XP Service Pack 1, an attacker must have valid logon credentials to try to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users. However, the affected component is available remotely to users who have standard user accounts. Customers who have installed Windows XP Service Pack 2 are not affected by this vulnerability. Additionally, customers running Windows Server 2003 and Windows Server 2003 Service Pack 1 are not affected by this vulnerability.
Microsoft is not aware of active attacks that use this vulnerability or of customer impact at this time. However, Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.
Microsoft is concerned that this new report of a vulnerability in Windows 2000 Service Pack 4 and Windows XP Service Pack 1 was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.
We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software. Customers can learn more about these steps by visiting Protect Your PC Web site.
Mitigating Factors:
• On Windows XP Service Pack 1 an attacker must have valid logon credentials to try to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users. However, the affected component is available remotely to users who have standard user accounts. In certain configurations, anonymous users could authenticate as the Guest account. For more information, see Microsoft Security Advisory 906574.
- http://www.microsoft...ory/906574.mspx
• Customers who are running Windows XP Service Pack 2, Windows Server 2003 and Windows Server 2003 Service Pack 1 are not affected by this vulnerability.
• Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed..."

:ph34r:



#19 AplusWebMaster


Posted 22 November 2005 - 03:23 AM

FYI...

Microsoft Security Advisory (911302)
Vulnerability in the way Internet Explorer Handles onLoad Events Could Allow Remote Code Execution
- http://www.microsoft...ory/911302.mspx
Published: November 21, 2005
"Microsoft is investigating new public reports of vulnerability in Microsoft Internet Explorer on Microsoft Windows 98, on Windows 98 Second Edition, on Windows Millennium Edition, on Windows 2000 Service Pack 4, and on Windows XP Service Pack 2. Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. We have also been made aware of proof of concept code targeting the reported vulnerability but are not aware of any customer impact at this time. We will continue to investigate these public reports.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
This issue was originally publicly reported in May as being a stability issue that caused the browser to close. Since then, new information has been posted that indicates remote code execution could be possible...
Mitigating Factors:
• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing Active Scripting from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, they could still be vulnerable to this issue through the Web-based attack scenario.
By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 98, and Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has been installed.
• By default, Internet Explorer on Windows Server 2003, on Windows Server 2003 Service Pack 1, on Windows Server 2003 with Service Pack 1 for Itanium-based Systems, and on Windows Server 2003 x64 Edition runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability. See the FAQ section for this security update for more information about Internet Explorer Enhanced Security Configuration...
Suggested Actions
Workarounds...
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
• Change your Internet Explorer settings to prompt or disable before running or disable Active Scripting in the Internet and Local intranet security zone
• Set Internet and Local intranet security zone settings to “High” to prompt before running Active Scripting in these zones
• Restrict Web sites to only your trusted Web sites..."

:ph34r:

Edited by AplusWebMaster, 22 November 2005 - 03:41 AM.



#20 AplusWebMaster


Posted 23 November 2005 - 01:07 AM

Update...

Microsoft Security Advisory (911302)
Vulnerability in the way Internet Explorer Handles Mismatched Document Object Model Objects Could Allow Remote Code Execution.
- http://www.microsoft...ory/911302.mspx
Revisions:
• November 22, 2005: Updated the title, clarified affected software, and updated workaround “Set Internet and Local intranet security zone settings to ‘High’ to prompt before running Active Scripting in these zones”.

:ph34r:



#21 AplusWebMaster


Posted 30 November 2005 - 10:54 PM

Update...

Microsoft Security Advisory (911302)
Vulnerability in the way Internet Explorer Handles Mismatched Document Object Model Objects Could Allow Remote Code Execution.
- http://www.microsoft...ory/911302.mspx
Revisions:
• November 29, 2005: Added information regarding proof of concept code, malicious software, and reference to Windows Live Safety Center."
- http://safety.live.c...-US/default.htm

(Hmmm...'due to this maybe? http://www.microsoft...r:Win32/Delf.DH )

:ph34r:



#22 AplusWebMaster


Posted 13 December 2005 - 06:35 PM

FYI...

Microsoft Security Advisory (911302)
Vulnerability in the way Internet Explorer Handles Mismatched Document Object Model Objects Could Allow Remote Code Execution.
- http://www.microsoft...ory/911302.mspx
• December 13, 2005: Advisory updated to reference released security bulletin.
"Microsoft has completed the investigation into a public report of a vulnerability. We have issued a security bulletin* to address this issue..."
* http://www.microsoft...n/ms05-054.mspx


.



#23 AplusWebMaster


Posted 28 December 2005 - 10:29 PM

FYI...

MS Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
- http://www.microsoft...ory/912840.mspx
Published: December 28, 2005
"...Microsoft is aware of the public release of detailed exploit code that could allow an attacker to execute arbitrary code in the security context of the logged-on user, when such user is visiting a Web site that contains a specially crafted Windows Metafile (WMF) image. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.
Customers are encouraged to keep their antivirus software up to date. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software. We will continue to investigate these public reports.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update..."

.



#24 AplusWebMaster


Posted 30 December 2005 - 12:09 AM

FYI...

Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
- http://www.microsoft...ory/912840.mspx
...• December 29, 2005: Advisory updated. FAQ section updated..."

- http://isc.sans.org/...php?storyid=976
Last Updated: 2005-12-30 05:41:46 UTC
"...Some notable things that I read in it.

"** Windows Metafile (WMF) images can be embedded in other files such as Word documents. Am I vulnerable to an attack from this vector?
No. While we are investigating the public postings which seek to utilize specially crafted WMF files through IE, we are looking thoroughly at all instances of WMF handling as part of our investigation. While we're not aware of any attempts to embed specially crafted WMF files in, for example Microsoft Word documents, our advice is to accept files only from trusted source would apply to any such attempts.

** It has been reported that malicious files indexed by MSN Desktop Search could lead to exploitation of the vulnerability. Is this true?
We have received reports and are investigating them thoroughly as part of our ongoing investigation. We are not aware at this time of issues around the MSN Desktop Indexer, but we are continuing to investigate.

** Is this issue related to Microsoft Security Bulletin MS05-053 - Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424) which was released in November?
No, these are different and separate issues.

** Are there any third party Intrusion Detection Systems (IDS) that would help protect against attempts to exploit this vulnerability?
While we don't know of specific products or services that currently scan or detect for attempts to render specially crafted WMF files, we are working with our partners through industry programs like VIA to provide information as we have it. Customers should contact their IDS provider to determine if it offers protection from this vulnerability."

:ph34r:



#25 AplusWebMaster


Posted 31 December 2005 - 12:55 AM

FYI...

Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
- http://www.microsoft...ory/912840.mspx
"...Revisions:
• December 28, 2005: Advisory published
• December 29, 2005: Advisory updated. FAQ section updated.
• December 30, 2005: Advisory updated. FAQ section updated."

(Still no patch.)

:(



#26 AplusWebMaster


Posted 03 January 2006 - 07:42 AM

FYI...

Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
- http://www.microsoft...ory/912840.mspx
Updated: January 3, 2006
"...> What’s Microsoft’s response to the availability of third party patches for the WMF vulnerability?
Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006.
As a general rule, it is a best practice to utilize security updates for software vulnerabilities from the original vendor of the software. With Microsoft software, Microsoft carefully reviews and tests security updates to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. In addition, Microsoft’s security updates are offered in 23 languages for all affected versions of the software simultaneously.
Microsoft cannot provide similar assurance for independent third party security updates.
> Why is it taking Microsoft so long to issue a security update?
Creating security updates that effectively fix vulnerabilities is an extensive process. There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update. When a potential vulnerability is reported, designated product specific security experts investigate the scope and impact of a threat on the affected product. Once the MSRC knows the extent and the severity of the vulnerability, they work to develop an update for every supported version affected. Once the update is built, it must be tested with the different operating systems and applications it affects, then localized for many markets and languages across the globe..."

.



#27 AplusWebMaster


Posted 04 January 2006 - 06:37 AM

FYI...

Microsoft Security Advisory (912920)
Systems that are infected with Win32/Sober.Z@mm may download and run malicious files from certain Web domains beginning on January 6, 2006
- http://www.microsoft...ory/912920.mspx
Published: January 3, 2006
"Microsoft is aware of the Sober mass mailer worm variant named Win32/Sober.Z@mm. The worm tries to entice users through social engineering efforts into opening an attached file or executable in e-mail. If the recipient opens the file or executable, the worm sends itself to all the contacts that are contained in the system’s address book. Customers who are using the most recent and updated antivirus software are at a reduced risk from infection by the Win32/Sober.Z@mm worm. On systems that are infected by Win32/Sober.Z@mm, the malware is programmed to download and run malicious files from certain Web domains beginning on January 6, 2006. Beginning approximately every two weeks thereafter, the worm is set to begin downloading and running malicious files from additional sites on the same Web domains. As with all currently known variants of the Sober worm, the worm does not appear to target a security vulnerability, but rather relies on the user opening an infected attachment...
Suggested Actions
• Check for and remove the Sober infection.
Use the Microsoft Windows Malicious Software Removal Tool, Safety.live.com, or Windows OneCare to search for and remove the Sober worm and its variants from infected systems.
• Monitor outbound network connections to targeted Web sites.
• Because the Win32/Sober.Z@mm worm may download and run malicious files from certain Web domains beginning on January 6, 2006, attempted connections to the following Web sites should be monitored for signs of an infected host on local networks.
Targeted Web sites
people.freenet.de
scifi.pages.at
home.pages.at
free.pages.at
home.arcor.de ..."

.

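The "monitor outbound network connections" step in the advisory quoted above, as an added example (not part of the original post or of Microsoft's advisory): it scans proxy access-log lines for the five listed domains and groups the hits per internal client. The Squid-style log layout, the sample lines and the function names are assumptions; the listed names are shared hosting sites, so a hit is a lead to investigate, not proof of infection.

```python
"""Flag internal clients that contacted the domains listed in Advisory 912920."""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# The five domains quoted in the post above (the quoted list ends with "...").
WATCHED = {
    "people.freenet.de",
    "scifi.pages.at",
    "home.pages.at",
    "free.pages.at",
    "home.arcor.de",
}
# The advisory gives January 6, 2006 as the start of the download behaviour.
ACTIVATION = datetime(2006, 1, 6, tzinfo=timezone.utc)

# Constructed sample input in Squid native access.log layout (an assumption):
# time elapsed client code/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1136419200.000 180 10.0.0.21 TCP_MISS/200 4096 GET http://home.arcor.de/someuser/index.html - DIRECT/192.0.2.10 text/html
1136509200.500 95 10.0.0.21 TCP_MISS/200 20480 GET http://People.Freenet.DE:80/u/file.exe - DIRECT/192.0.2.11 application/octet-stream
1136509260.000 40 10.0.0.34 TCP_MISS/200 900 GET http://www.example.com/ - DIRECT/192.0.2.12 text/html
1136509300.000 300 10.0.0.34 TCP_MISS/200 1500 CONNECT free.pages.at:443 - DIRECT/192.0.2.13 -
1136509400.000 55 10.0.0.55 TCP_MISS/200 700 GET http://free.pages.at.example.net/ - DIRECT/192.0.2.14 text/html
1136509500.000 60 10.0.0.21 TCP_MISS/404 300 GET http://scifi.pages.at./a - DIRECT/192.0.2.15 text/html
truncated line
"""


def host_of(url_field):
    """Return the lowercased hostname from a proxy URL field, or None."""
    # CONNECT requests log "host:port" without a scheme; prefix "//" so that
    # urlsplit treats it as a network location instead of a scheme.
    target = url_field if "://" in url_field else "//" + url_field
    try:
        host = urlsplit(target).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None  # drop a trailing root dot


def watched_domain(host):
    """Return the watched domain that host equals or is a subdomain of."""
    for domain in WATCHED:
        if host == domain or host.endswith("." + domain):
            return domain
    return None  # look-alikes such as free.pages.at.example.net end up here


def scan(log_text):
    """Map each client address to its list of hits on watched domains."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line
        try:
            when = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
        except (ValueError, OverflowError, OSError):
            continue
        host = host_of(fields[6])
        domain = watched_domain(host) if host else None
        if domain:
            findings[fields[2]].append({"time": when, "domain": domain, "url": fields[6]})
    return dict(findings)


def summarize(findings):
    """One row per client: hit count, domains, first hit, hits on/after ACTIVATION."""
    rows = []
    for client, hits in sorted(findings.items()):
        rows.append({
            "client": client,
            "hits": len(hits),
            "domains": sorted({h["domain"] for h in hits}),
            "first_seen": min(h["time"] for h in hits),
            "post_activation": sum(h["time"] >= ACTIVATION for h in hits),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(scan(SAMPLE_LOG)):
        print(row)
```
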


#28 AplusWebMaster


Posted 05 January 2006 - 04:35 PM

FYI...

Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
- http://www.microsoft...ory/912840.mspx
Updated: January 5, 2006
...Reason For Update: FAQ added with information on Windows 98, Windows 98 Second Edition and Windows Millennium. FAQ concerning embedded images in Office documents updated. Workaround updated with information about re-registering the Windows Fax and Image Viewer (Shimgvw.dll)...
Frequently Asked Questions...
"...Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) were previously listed as affected, but are no longer listed. Why is that?
Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, at this point in the investigation, an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions. Per the support life cycle of these versions, only vulnerabilities of Critical severity would receive security updates...
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer. After a security update has been released and deployed, you can undo this change and re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks)..."

.



#29 AplusWebMaster


Posted 31 January 2006 - 05:45 AM

FYI...

MS Security Advisory (904420)
- http://www.microsoft...ory/904420.mspx
Win32/Mywife.E@mm
Published: January 30, 2006
"Microsoft wants to make customers aware of the Mywife mass mailing malware variant named Win32/Mywife.E@mm. The mass mailing malware tries to entice users through social engineering efforts into opening an attached file in an e-mail message. If the recipient opens the file, the malware sends itself to all the contacts that are contained in the system’s address book. The malware may also spread over writeable network shares on systems that have blank administrator passwords.
Customers who are using the most recent and updated antivirus software could be at a reduced risk of infection from the Win32/Mywife.E@mm malware. Customers should verify this with their antivirus vendor. Antivirus vendors have assigned different names to this malware but the Common Malware Enumeration (CME) group has assigned it ID CME-24.
On systems that are infected by Win32/Mywife@E.mm, the malware is intended to permanently corrupt a number of common document format files on the third day of every month. February 3, 2006 is the first time this malware is expected to permanently corrupt the content of specific document format files. The malware also modifies or deletes files and registry keys associated with certain computer security-related applications..."

.



#30 AplusWebMaster


Posted 01 February 2006 - 09:35 PM

Security Advisories Updated or Released Today
==============================================
* Security Advisory (904420)
- Title: Win32/Mywife.E@mm
- Reason For Update: Additional information about the blank password restriction functionality in Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server 2003, and Windows Server 2003 Service Pack 1. Added link to Virus Information Alliance member Sophos.
- Web site: http://go.microsoft....k/?LinkId=50423

.
