
MS Security Bulletin Summary - February 2010



#1 AplusWebMaster


Posted 09 February 2010 - 02:03 PM

FYI...

- http://www.microsoft...n/MS10-feb.mspx
February 09, 2010 - "This bulletin summary lists security bulletins released for February 2010... (Total of -13-)

Critical -5-

Microsoft Security Bulletin MS10-006 - Critical
Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251)
- http://www.microsoft...n/MS10-006.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS10-007 - Critical
Vulnerability in Windows Shell Handler Could Allow Remote Code Execution (975713)
- http://www.microsoft...n/MS10-007.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS10-008 - Critical
Cumulative Security Update of ActiveX Kill Bits (978262)
- http://www.microsoft...n/ms10-008.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS10-009 - Critical
Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145)
- http://www.microsoft...n/MS10-009.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS10-013 - Critical
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (977935)
- http://www.microsoft...n/MS10-013.mspx
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Important -7-

Microsoft Security Bulletin MS10-003 - Important
Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution (978214)
- http://www.microsoft...n/MS10-003.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office

Microsoft Security Bulletin MS10-004 - Important
Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (975416)
- http://www.microsoft...n/MS10-004.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office

Microsoft Security Bulletin MS10-010 - Important
Vulnerability in Windows Server 2008 Hyper-V Could Allow Denial of Service (977894)
- http://www.microsoft...n/MS10-010.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS10-011 - Important
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (978037)
- http://www.microsoft...n/MS10-011.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS10-012 - Important
Vulnerabilities in SMB Server Could Allow Remote Code Execution (971468)
- http://www.microsoft...n/MS10-012.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS10-014 - Important
Vulnerability in Kerberos Could Allow Denial of Service (977290)
- http://www.microsoft...n/MS10-014.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Denial of Service
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Microsoft Security Bulletin MS10-015 - Important
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)
- http://www.microsoft...n/MS10-015.mspx
Maximum Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows

Moderate -1-

Microsoft Security Bulletin MS10-005 - Moderate
Vulnerability in Microsoft Paint Could Allow Remote Code Execution (978706)
- http://www.microsoft...n/ms10-005.mspx
Maximum Severity Rating: Moderate
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows
___

Severity and Exploitability Index
- http://blogs.technet...5/original.aspx

Deployment Priority
- http://blogs.technet...3/original.aspx
___

ISC Analysis
- http://isc.sans.org/...ml?storyid=8197
Last Updated: 2010-02-09 19:28:42 UTC
___

MSRT
- http://support.micro...om/?kbid=890830
February 9, 2010 - Revision: 69.0
(Recent additions)
- http://www.microsoft...e/families.aspx
Win32/Hamweq - December 2009 (V 3.2) Moderate
Win32/Rimecud - January 2010 (V 3.3) Moderate
Win32/Pushbot - February 2010 (V 3.4) Severe
- http://go.microsoft....k/?LinkId=40587
File Name: windows-kb890830-v3.4.exe
Version: 3.4
___

Secunia advisory references - MS Security Bulletins - Feb. 2010
MS10-003 - http://secunia.com/advisories/38481/2/
MS10-004 - http://secunia.com/advisories/38493/2/
MS10-004 - http://secunia.com/advisories/35115/2/
MS10-005 - http://secunia.com/advisories/36634/2/
MS10-006 - http://secunia.com/advisories/38500/2/
MS10-007 - http://secunia.com/advisories/38501/2/
MS10-008 - http://secunia.com/advisories/38485/2/
MS10-009 - http://secunia.com/advisories/38506/2/
MS10-010 - http://secunia.com/advisories/38508/2/
MS10-011 - http://secunia.com/advisories/38509/2/
MS10-012 - http://secunia.com/advisories/38510/2/
MS10-013 - http://secunia.com/advisories/38511/2/
MS10-014 - http://secunia.com/advisories/38512/2/
MS10-015 - http://secunia.com/advisories/38265/2/

Edited by AplusWebMaster, 10 February 2010 - 12:09 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...


#2 AplusWebMaster


Posted 11 February 2010 - 11:48 AM

FYI...

- http://isc.sans.org/...ml?storyid=8215
Last Updated: 2010-02-11 20:24:17 UTC - "UPDATE: I have been in contact with Microsoft and they have insured me that there were no updates done outside of their normal updates. They said that if the Auto Update was turned off - then NO updates were done. So the plot thickens. How is it that NO updates were done either by the software vendor or by Microsoft and yet the machines Blue Screened. Just what is it that happened to our Windows XP -and- Windows Vista machines that rendered them blue. I will update again as soon as more information becomes available from either Microsoft or the Vendor..."
Last Updated: 2010-02-11 19:12:54 UTC - Deborah Hale - "... I did finally get a call back from the company as well as a couple of emails indicating that the problem -was- a result of the Microsoft updates. This really puzzles me because most of our machines are setup to NOT download and install the updates for this very reason. We prefer to wait a few days after the update is released before we actually install. We prefer to wait to see if there are problems and give Microsoft an opportunity to fix it before it breaks computers. So my question is: "Did Microsoft force an update despite our auto updates being turned off?" I have verified that the majority of the computers APPEAR to have not had the patches applied. I have present(ed) this question to Microsoft and have no answer back yet. As soon as I do I will update..."

MS10-015 may cause Windows XP to blue screen
- http://isc.sans.org/...ml?storyid=8209
Last Updated: 2010-02-11 14:56:42 UTC - "We have heard about reports that MS10-015* causes some Windows XP machines to blue screen. If you are seeing this issue, please let us know. (I am filling in for Deborah on this diary as she is ironically busy dealing with lots of blue screens in her organization, which may be related). See for example:
- http://www.krebsonse...ndows-xp-users/
-and-
- http://social.answer...bc-e292b69f2fd1 "

Microsoft Security Bulletin MS10-015 - Important
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)
* http://www.microsoft...n/MS10-015.mspx
• V1.1 (February 10, 2010): Corrected the verification registry key for all supported x64-based editions of Windows XP. This is an informational change only.

:ph34r: <_<

Edited by AplusWebMaster, 11 February 2010 - 03:18 PM.



#3 AplusWebMaster


Posted 11 February 2010 - 08:28 PM

FYI...

MSRC: Restart issues after installing MS10-015
- http://blogs.technet...g-ms10-015.aspx
February 11, 2010 - "... we are aware that after installing the February security updates a limited number of users are experiencing issues restarting their computers. Our initial analysis suggests that the issue occurs after installing MS10-015 (KB977165). However, we have not confirmed that the issue is specific to MS10-015 or if it is an interoperability problem with another component or third-party software. Our teams are working to resolve this as quickly as possible. We also stopped offering this update through Windows Update as soon as we discovered the restart issues. However, those using enterprise deployment systems such as SMS or WSUS will still see and be able to deploy these packages... While we work to address this issue, customers who choose not to install the update can implement the workaround outlined in the bulletin. CVE-2010-0232 was publicly disclosed and we previously issued Security Advisory 979682 in response. Customers can disable the NTVDM subsystem as a workaround and we have provided an automated method of doing that with a Microsoft Fix It that you can find here:
http://support.microsoft.com/kb/979682 ..."

:ph34r:



#4 AplusWebMaster


Posted 12 February 2010 - 03:24 PM

FYI...

MSRC - Update - Restart Issues After Installing MS10-015
- http://blogs.technet...g-ms10-015.aspx
February 12, 2010 - "In our continuing investigation in to the restart issues related to MS10-015 that a limited number of customers are experiencing, we have determined that malware on the system can cause the behavior. We are not yet ruling out other potential causes at this time and are still investigating... This can be a difficult issue to solve once a computer is in an un-bootable state so we encourage customers who feel they have been impacted by this to contact our Customer Service and Support group... Keep an eye on this blog for more updates as we have them."

- http://www.krebsonse...indows-crashes/
February 12, 2010

:ph34r:

Edited by AplusWebMaster, 14 February 2010 - 02:42 PM.



#5 AplusWebMaster


Posted 18 February 2010 - 08:27 AM

FYI...

MS10-015 and the Alureon Rootkit
- http://blogs.technet...on-rootkit.aspx
February 17, 2010 6:29 PM - "...Our investigation has concluded that the reboot occurs because the system is infected with malware, specifically the Alureon rootkit*. We were able to reach this conclusion after the comprehensive analysis of memory dumps obtained from multiple customer machines and extensive testing against third party applications and software. The restarts are the result of modifications the Alureon rootkit makes to Windows Kernel binaries, which places these systems in an unstable state. In every investigated incident, we have not found quality issues with security update MS10-015... While this issue could impact any 32bit Windows system that was infected with the malware, since reports are predominately on 32bit versions of Windows XP this test process is described at a high level focusing on that version in the... table (shown at the URL above)... the presence of Alureon does -not- allow for a successful boot of the compromised system. The Windows Engineering team continued testing different configurations, as well as retesting several third party applications, leading to our firm conclusion that the blue screen issue is the result of the Alureon rootkit. A malware compromise of this type is serious, and if customers cannot confirm removal of the Alureon rootkit using their chosen anti-virus/anti-malware software, the most secure recommendation is for the owner of the system to back up important files and completely restore the system from a cleanly formatted disk..."
* http://www.microsoft...Win32/Alureon.A

[ > Of course, it never occurred to their marketing "genius" that they might think to use their own product to lay the groundwork for a clean install. Maybe this should be their blueprint/template for future MS Update rollouts - force the MSRT -first-. :- ( ]
- http://isc.sans.org/...ml?storyid=8266
Last Updated: 2010-02-19 01:39:31 UTC
> http://www.prevx.com...-apologize.html
2/16/2010

MS MMPC blog - February 17, 2010:
http://blogs.technet...is-applied.aspx
"...For the most common system configuration (for machines using ATA hard disk drives), the ATA miniport driver ‘atapi.sys’ is the file which is targeted... ‘atapi.sys’ resides at the following location:
%windir%\system32\drivers\atapi.sys "

(Was) Cleaned by the MSRT ( ... probably not now, since the malware authors have changed their footprint.)
- http://www.microsoft...e/families.aspx
• Alureon...
> http://go.microsoft....k/?LinkId=40587
Date Published: 2/9/2010
File Name: windows-kb890830-v3.4.exe
Version: 3.4

:ph34r:

Edited by AplusWebMaster, 19 February 2010 - 03:57 PM.



#6 AplusWebMaster


Posted 03 March 2010 - 02:37 AM

FYI...

MS10-015 re-released with new detection logic
- http://blogs.technet...tion-logic.aspx
March 02, 2010 - "... we have revised the installation packages for MS10-015 with new logic that prevents the security update from being installed on systems if certain abnormal conditions exist. Such conditions could be the result of an infection with a computer virus such as the Alureon rootkit. If these conditions are detected, the update will not be installed and the result will be a standard Windows Update error. If a user receives this error, they should go to the following landing page for additional help:
http://www.microsoft...ity/updates/015
At this time, we have resumed offering the update to all affected systems via Automatic Updates. We have also released a Microsoft Fix It* as a standalone scanning tool that reports on the compatibility of a system with the MS10-015 update. The scanning tool can also be deployed through enterprise deployment systems allowing administrators to detect compatibility with the update before deploying broadly. The Fix It and deployment information are available at Microsoft Knowledge Base Article 980966..."
* http://support.microsoft.com/kb/980966
"... This Fix it solution does not resolve the issue. Instead, this Fix it solution only notifies you of a possible issue and suggests next steps..."

- http://www.microsoft...Date=2010-03-02
• V1.2 (March 2, 2010): Added an item to the Frequently Asked Questions (FAQ) About this Security Update to announce the offering of revised packages on Windows Update. Customers who have already successfully updated their systems do not need to take any action. [ KB 977165 ]

- http://web.nvd.nist....d=CVE-2010-0232
Last revised: 02/23/2010
CVSS v2 Base Score: 7.2 (HIGH)

- http://web.nvd.nist....d=CVE-2010-0233
Last revised: 02/16/2010
CVSS v2 Base Score: 7.2 (HIGH)

:ph34r:

Edited by AplusWebMaster, 04 March 2010 - 08:51 AM.
