
MS Security Advisories


  • This topic is locked
317 replies to this topic

#76 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 29 March 2007 - 02:49 PM

FYI...

Microsoft Security Advisory (935423)
Vulnerability in Windows Animated Cursor Handling
- http://www.microsoft...ory/935423.mspx
March 29, 2007 ~ "Microsoft is investigating new public reports of targeted attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or email attachment sent to them by an attacker. As a best practice, users should always exercise extreme caution when opening or viewing unsolicited emails and email attachments from both known and unknown sources... ."

- http://isc.sans.org/...ml?storyid=2534
Last Updated: 2007-03-29 19:35:05 UTC
"...Mitigation:
- Microsoft is reporting that users of Internet Explorer 7 with Protected Mode* are protected from active exploitation. Note that this does not apply to Outlook !;
- Anti-virus detection is very spotty. We've tested some of the exploits and they were detected by Windows Live OneCare 1.2306 and McAfee 4995. One specific file was also discovered by a product triggering on a signature written for MS05-002, a similar vulnerability from 2005. This will not apply to most exploits in the wild..."
* http://www.microsoft...ware.mspx#EZPAC
"...This setting only works in Internet Explorer 7 with Windows Vista..."

> http://www.avertlabs...rch/blog/?p=230
"...Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack. Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0..."

> http://preview.tinyurl.com/26y4f8
(TrendMicro)

> http://nvd.nist.gov/...e=CVE-2007-1765

- http://isc.sans.org/...ml?storyid=2539
Last Updated: 2007-03-30 10:40:08 UTC ~ "A short overview of how the different email clients (in the supported list of Microsoft) are reacting to the animated cursor vulnerability depending on the actions and settings of the email client. The surprising element is that read in plain text mode makes some of the clients more vulnerable and actually only offers real added value for Outlook 2003..."
(Chart available at the URL above.)

> http://www.us-cert.gov/current/#WINANI

.

Edited by AplusWebMaster, 31 March 2007 - 05:36 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#77 AplusWebMaster


Posted 31 March 2007 - 09:25 PM

FYI...

Microsoft Security Advisory (935423)
Vulnerability in Windows Animated Cursor Handling
- http://www.microsoft...ory/935423.mspx
... • March 31, 2007: Advisory revised to add additional information regarding Windows 2003 Service Pack 2, Microsoft Windows Server 2003 with SP2 for Itanium-based Systems, and Microsoft Windows Server 2003 x64 Edition Service Pack 2 in the “Related Software” section."

:ph34r: :ph34r:



#78 AplusWebMaster


Posted 03 April 2007 - 08:11 PM

FYI...

Microsoft Security Advisory (935423)
Vulnerability in Windows Animated Cursor Handling
- http://www.microsoft...ory/935423.mspx
Updated: April 3, 2007 ~ "Microsoft has completed the investigation into a public report of attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. We have issued MS07-017 to address this issue..."
* http://www.microsoft...n/MS07-017.mspx

.



#79 AplusWebMaster


Posted 13 April 2007 - 04:10 AM

FYI...

Microsoft Security Advisory (935964)
Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution.
- http://www.microsoft...ory/935964.mspx
April 12, 2007 ~ "Microsoft is investigating new public reports of a limited attack exploiting a vulnerability in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Microsoft Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected as these versions do not contain the vulnerable code. Microsoft’s initial investigation reveals that the attempts to exploit this vulnerability could allow an attacker to run code in the security context of the Domain Name System Server Service, which by default runs as Local SYSTEM.
Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers..."

> http://isc.sans.org/...ml?storyid=2627
Last Updated: 2007-04-13 04:42:08 UTC ...(Version: 2)
"...Microsoft has a few suggested actions that can mitigate the risk with the caveat that some tools may break.
1. Disable remote management over RPC for the DNS server via a registry key setting.
2. Block unsolicited inbound traffic on ports 1024-5000 using IPsec or other firewall.
3. Enable the advanced TCP/IP Filtering options on the appropriate interfaces of the server..."

> http://www.us-cert.gov/current/#winrpc

> http://nvd.nist.gov/...e=CVE-2007-1748

.

Edited by AplusWebMaster, 14 April 2007 - 07:31 AM.



#80 AplusWebMaster


Posted 13 April 2007 - 04:02 PM

More info...

- http://isc.sans.org/...ml?storyid=2633
Last Updated: 2007-04-13 21:06:53 UTC ~ "...We have knowledge of a successful attack that occurred on April 4, 2007. This appears to be an opportunistic attack (instead of a targeted attack). So it's likely that others have been compromised as well. If you have a vulnerable MS DNS server (Win2K SP4 or Win2003 SP1 or SP2) accessible to the Internet and don't have ports above 1024 blocked, then you may have already been targeted in an attack. At this point, there seems to be a very small number of known compromises...
Update: If you have a large number of domain controllers and want to automate the disabling of RPC, check out this blog entry: http://preview.tinyurl.com/2ymwsv "

:ph34r:



#81 AplusWebMaster


Posted 14 April 2007 - 04:56 PM

Updated...

- http://isc.sans.org/...ml?storyid=2633
Last Updated: 2007-04-14 14:30:08 UTC ...(Version: 2)
"Update 2: We have two confirmed sources that were attacked on April 4th and 5th. Both were universities in the US. The initial report was from the Information Security Office at Carnegie Mellon University. Nice catch guys! The attacking source IP was the same in both cases: 61.63.227.125
Here is the attack details from the Carnegie Mellon folks. First, a TCP port scan to ports 1024-2048. Then a TCP connection to the right TCP port running the vulnerable RPC service. Shellcode binds to TCP port 1100. Attacker uploads a VBscript on this port and then runs it. VBscript downloads an executable DUP.EXE (MD5: a5ae220fec052a1f2cd22b4eb89a442e) from 203.66.151.92/images/. Executable is self-extracting and contains PWDUMP v5 and an associated DLL.
Update 3: There is now a publicly available exploit for this vulnerability in Metasploit 3"

:ph34r:

.
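
The sequence the Carnegie Mellon report describes in post #81 (a sweep of TCP ports 1024-2048, then a session to the shell bound on TCP 1100, then a download made by the server) can be hunted for in flow logs. The following is an added example, not part of the original post or the SANS write-up; the record layout, the thresholds and the documentation-range addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

SCAN_RANGE = range(1024, 2049)  # ports the report says were scanned
BIND_PORT = 1100                # port the report says the shellcode bound to
SCAN_THRESHOLD = 20             # assumption: distinct ports that count as a scan
WINDOW = 3600                   # assumption: max seconds between stages

ATTACKER, SERVER = "198.51.100.7", "192.0.2.53"  # constructed addresses

# Constructed flow records: (epoch_s, initiator, responder, dst_port, established)
SAMPLE_FLOWS = (
    # Sweep of 200 ports; only 1027 (a stand-in for the RPC port) answers.
    [(1000 + i, ATTACKER, SERVER, 1024 + i, 1024 + i == 1027) for i in range(200)]
    + [
        (1300, ATTACKER, SERVER, BIND_PORT, True),     # session to the bound shell
        (1310, SERVER, "203.0.113.80", 80, True),      # server fetches a file
        (1400, "198.51.100.9", SERVER, 53, True),      # ordinary DNS client
        (1500, "198.51.100.9", "192.0.2.54", BIND_PORT, True),  # 1100, no scan
    ]
)


def detect_dns_rpc_chain(flows):
    """Alert on initiators that sweep 1024-2048 and then complete a
    connection to TCP 1100 on the same server; attach follow-on outbound
    connections made by that server as corroboration."""
    flows = sorted(flows)
    probed = defaultdict(set)  # (initiator, responder) -> ports seen in range
    scan_seen = {}             # pair -> time the scan threshold was crossed
    alerts = {}
    for ts, src, dst, port, established in flows:
        pair = (src, dst)
        if port in SCAN_RANGE:
            probed[pair].add(port)
            if len(probed[pair]) >= SCAN_THRESHOLD:
                scan_seen.setdefault(pair, ts)
        # A refused probe of 1100 during the sweep is not a shell session.
        if (port == BIND_PORT and established and pair in scan_seen
                and ts - scan_seen[pair] <= WINDOW):
            alerts.setdefault(pair, {"attacker": src, "server": dst,
                                     "shell_time": ts, "outbound": []})
    for ts, src, dst, port, established in flows:
        for alert in alerts.values():
            if (src == alert["server"] and established
                    and 0 <= ts - alert["shell_time"] <= WINDOW):
                alert["outbound"].append((dst, port))
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_dns_rpc_chain(SAMPLE_FLOWS):
        print(alert)
```

An alert with a non-empty `outbound` list is the stronger signal, since a DNS server that starts fetching files from the Internet shortly after an inbound session on an unusual port has little legitimate explanation.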


#82 AplusWebMaster


Posted 18 April 2007 - 05:50 AM

Updates...

Microsoft Security Advisory (935964)
Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution.
- http://www.microsoft...ory/935964.mspx
Revisions:
• April 12, 2007: Advisory published.
• April 13, 2007: Advisory updated to include additional details about Windows Small Business Server. Mitigations also updated to include additional information regarding the affected network port range and firewall configuration. Additional details also provided for registry key mitigation values. .
• April 15, 2007: Advisory “Suggested Actions” section updated to include additional information regarding TCP and UDP port 445 and the 15 character computer name known issue.
• April 16, 2007: Advisory updated: Ongoing monitoring indicates that we are seeing a new attack that is attempting to exploit this vulnerability.

.



#83 AplusWebMaster


Posted 21 April 2007 - 10:29 AM

FYI...

New KB article to help deploy DNS remote RPC block workaround throughout enterprise
- http://preview.tinyurl.com/2a65ba
April 20, 2007 7:06 PM ~ "...You can find the KB at http://support.microsoft.com/kb/936263 ..."
Last Review: April 21, 2007
Revision: 1.0

.



#84 AplusWebMaster


Posted 04 May 2007 - 12:42 PM

FYI...

- http://blogs.technet...tification.aspx
May 03, 2007 ~ "...MS Advisory 935964... The listing of updates slated for Tuesday (May 8, 2007) -does- include the update we’ve been working on for this issue..."

> http://forums.tomcoy...007_t79043.html


.



#85 AplusWebMaster


Posted 08 May 2007 - 02:14 PM

FYI...

Microsoft Security Advisory (935964)
Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
- http://www.microsoft...ory/935964.mspx
Updated: May 8, 2007 ~ "...We have issued MS07-029* to address this issue..."

* http://www.microsoft...n/MS07-029.mspx


.



#86 AplusWebMaster


Posted 22 May 2007 - 08:05 AM

FYI...

Microsoft Security Advisory (937696)
MS Office Isolated Conversion Environment (MOICE) and File Block Functionality for MS Office
- http://www.microsoft...ory/937696.mspx
Published: May 21, 2007 ~ "...Both features are designed to make it easier for customers to protect themselves from Office files that may contain malicious software, such as unsolicited Office files received from unknown or known sources. MOICE makes it easier by providing new security mitigation technologies designed to convert specific Microsoft Office files types, while File Block provides a mechanism that can control and block the opening of specific Microsoft Office file types. The Microsoft Office Isolated Conversion Environment (MOICE) uses the 2007 Microsoft Office system converters to convert Office 2003 binary documents to the newer Office open XML format. The Conversion process helps protect customers by converting the Office 2003 binary file format to the Office open XML format in an isolated environment. In summary, MOICE provides a mechanism for customers to pre-process potentially unsafe Office 2003 binary documents, by virtue of the conversions process it provides customers with a greater degree of certainty that the document can be considered safe. We encourage Microsoft Office customers to review the related Knowledge base article and consider whether MOICE can help protect users in your IT environment. For more information about this release, see Microsoft Knowledge Base Article 935865*... for MS Office 2003 and the 2007 MS Office..."
* http://support.microsoft.com/kb/935865

.



#87 AplusWebMaster


Posted 23 May 2007 - 03:16 AM

FYI...

Microsoft Security Advisory (927891)
Fix for Windows Installer (MSI)
- http://www.microsoft...ory/927891.mspx
Published: May 22, 2007
"Today we are announcing the availability of an update that does not address a security vulnerability, but is a high priority for customers in keeping their systems updated. The update addresses the following issue:

Your system may appear to become unresponsive when Windows Update or Microsoft Update is scanning for updates that use Windows installer, and you may notice that the CPU usage for the svchost process is showing 100%.
When you try to install an update from Windows Update or from Microsoft Update, you experience the following symptoms:
• Your system may appear to become unresponsive when Windows Update or Microsoft Update is scanning for updates that use Windows Installer.
• You receive an access violation error in svchost.exe. This access violation stops the Server service and the Workstation service.
• A memory leak occurs when Windows Update or Microsoft Update is scanning for updates that use Windows Installer.
• Windows Update or Microsoft Update scans take a very long time, sometimes hours, to complete.

We encourage Windows customers to review and install this update. This update will be offered automatically through Automatic Updates. For more information about this issue, including download links for the available non-security update, please review Microsoft Knowledge Base Article 927891*.
Please note that this update is the first part of a two-part fix that is the comprehensive solution to the problem. In June, another update will involve the Windows Update client. The update for the Windows Update client will also be automatically offered through Automatic Updates."

* http://support.microsoft.com/kb/927891

- http://blogs.technet...ty-updates.aspx
May 22, 2007 ~ "...the issue may prevent you from installing other updates (including security updates) until you apply this new update, so we encourage customers to apply this right away."

:blink:

Edited by AplusWebMaster, 23 May 2007 - 04:21 AM.



#88 LDTate


    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 24 May 2007 - 06:13 PM

Microsoft Knowledge Base Article 927891.
Service Unavailable :rofl:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

 

Proud graduate of TC/WTT Classroom

 


#89 AplusWebMaster


Posted 15 August 2007 - 06:09 AM

FYI...

Microsoft Security Advisory (932596)
Update to Improve Kernel Patch Protection
- http://www.microsoft...ory/932596.mspx
August 14, 2007 - "An update is available for Kernel Patch Protection included with x64-based Windows operating systems. Kernel Patch Protection protects code and critical structures in the Windows kernel from modification by unknown code or data. This update adds additional checks to this protection for increased reliability, performance, and resiliency of Windows. For more information about this release, see Microsoft Knowledge Base Article 932596*..."

* http://support.microsoft.com/kb/932596

.



#90 AplusWebMaster


Posted 11 October 2007 - 04:30 PM

FYI...

Microsoft Security Advisory (943521)
URL Handling Vulnerability in Windows XP and Windows Server 2003 with Windows Internet Explorer 7 Could Allow Remote Code Execution
- http://www.microsoft...ory/943521.mspx
Published: October 10, 2007
"Microsoft is investigating public reports of a remote code execution vulnerability in supported editions of Windows XP and Windows Server 2003 with Windows Internet Explorer 7 installed. We are not aware of attacks that try to use the reported vulnerability or of customer impact at this time. Microsoft is investigating the public reports.
• This vulnerability does not affect Windows Vista or any supported editions of Windows where Internet Explorer 7 is not installed..."

MSRC blog
> http://preview.tinyurl.com/yoadp8
October 10, 2007

Edited by AplusWebMaster, 12 October 2007 - 06:12 AM.
