Archive for December, 2009

Claimed IIS Zero-Day Update

A few days ago, there were reports of a zero-day exploit affecting Microsoft IIS.  Microsoft has concluded their research and found there is no vulnerability in the IIS code.  The findings published outside of Microsoft surrounding the vulnerability were due to improper IIS security configurations.  The MSRC Blog has more information regarding their findings around the claimed zero-day exploit.

Patching a system is a good start for a line of defense against attackers.  But, improperly configured systems and services should be high on your list as well.  An IIS server is typically outside facing and should be “hardened” to prevent unauthorized access.

In the past few months, there have been many claims outside of Microsoft regarding zero-day exploits in the wild.  It is very important to remember to wait for the vendor to confirm the claims that are made by security researchers.  Microsoft relies heavily on external security researchers, but Microsoft is always the best source of information regarding vulnerabilities and exploits.

- Jason Miller


Microsoft prohibited from selling Microsoft Word

The U.S. Court of Appeals just sent judgment down on Microsoft prohibiting them from selling Microsoft Word starting January 11, 2010.  Microsoft is planning to release a new version of Word that will pull the offending code that started this patent infringement lawsuit.

The good news:  Microsoft will still be able to provide support (patching) to the product.

If Microsoft were not able to support the offending version of Word, many people would be left with vulnerable products when future patches that affect Word are released.

- Jason Miller


So where are the XP Embedded patches?

A few weeks ago, we added official support for scanning and patching of Windows XP Embedded devices.  Those of you who have these devices on your network and use the Shavlik product line may have noticed no patches were applicable from December’s patch Tuesday.  This does not mean those devices do not need to be kept up to date.

Microsoft does not release support for XP Embedded patches the same day as they do for their other operating systems.  There is an approximate two week period between patch Tuesday and when the patches become available to vendors.

If you have Windows XP Embedded devices on your network, you should plan accordingly to patch these possibly later than the rest of your machines.

- Jason Miller


Adobe Update, New Firefox Available

Like I had suspected, Adobe is not planning on releasing a patch for the zero-day exploit for Adobe Reader and Adobe Acrobat until their next scheduled quarterly update.  Adobe announced today they will be releasing this update on January’s patch Tuesday, January 12th.  In the meantime, Adobe has posted a workaround guide to protect your computer against active exploits.

Mozilla has released a new version of their Firefox browser.

Firefox 3.5.6 addresses: 3 Critical, 1 High, 2 Moderate and 1 Low software vulnerabilities.

- Jason Miller


New Adobe Zero-Day Exploit Announced

Adobe’s PSIRT team is reporting a zero-day exploit for one of their products.  This software vulnerability affects Adobe Acrobat and Adobe Reader 9.2 and earlier.  PSIRT is reporting that the vulnerability is being actively exploited in the wild.

The NVD Database has more information on this vulnerability:  CVE-2009-4324

Until Adobe patches this vulnerability, do not open or accept any PDF files from sources you do not know or can fully trust.  SANS is also talking about a workaround, but I have not seen Adobe confirm this workaround yet.

January’s patch Tuesday will mark Adobe’s quarterly update release.  I expect them to patch this vulnerability at that time and highly doubt they will release a patch before then.

- Jason Miller


Post Patch Tuesday Roundup

Here are a few quick items since patch Tuesday:

  • MS09-071
    In Windows Server 2008, IAS was replaced by Network Policy Server (NPS).  Microsoft has updated their security bulletin to reflect this.

  • Non-security patch for Security Advisory
    Microsoft released a couple of security advisories on patch day.  One of the advisories suggested administrators install Extended Protection.  Installing this patch has caused issues on some IIS servers.  Microsoft has released a knowledge base article explaining the details around this issue and suggested workarounds: KB2009746

  • MS09-054 Cumulative Update for Internet Explorer Issue
    When Microsoft released MS09-054 a few months ago, a bug was introduced that could result in Internet Explorer errors.  Microsoft had previously released a non-security update to address this issue in a hotfix with KB976749.  With MS09-072, Microsoft addressed this issue.  If you install the latest Cumulative Update for Internet Explorer, this non-security patch will expire.

  • Adobe Flash Player Update Details
    Adobe released the details around the security bulletin released on patch Tuesday.  APSB09-19 fixes 7 vulnerabilities that are rated critical.  SANS is reporting that Flash Player 9 is no longer supported after December 8th, 2009 in a recent blog posting.  You will need to migrate to Flash version 10 to get this security update.

- Jason Miller


December Patch Tuesday Overview

Microsoft has released 6 new security bulletins for December.  They have also released two new security advisories as well as one bulletin that has been re-released.  In addition to the Microsoft releases, even though Adobe’s quarterly security update is scheduled for next month, they are planning to release a security bulletin for Adobe Flash and Adobe Air today.

A quick rundown of today’s patches:

MS09-072 is the first security bulletin administrators should address on their network.  This bulletin is a cumulative update for Internet Explorer.  Microsoft usually releases a cumulative update for Internet Explorer every other month, and it typically contains multiple fixes.  This bulletin addresses five vulnerabilities, one of which is publicly known.  There is one vulnerability patched with this bulletin that administrators should pay close attention to.  Microsoft released a Security Advisory for this vulnerability late last month in Security Advisory 977981.  With this bulletin, the advisory expires if administrators patch the vulnerable versions of Internet Explorer.  The vulnerability specifically deals with malicious ActiveX controls that were built with a vulnerable ATL.  The ATL vulnerability prompted an out-of-band release earlier this year from Microsoft.  All five vulnerabilities can be used to target any user who browses to a malicious web site with an unpatched Internet Explorer.  In this scenario, this can lead to remote code execution on the target system.

MS09-070 affects Microsoft Active Directory Federation Service (ADFS).  Web servers that have ADFS enabled are at risk; clients are not at risk from this vulnerability.  The attacker needs to be an authenticated user to carry out an attack, which reduces the risk of this vulnerability.  Companies that have implemented ADFS on their network should apply this patch as soon as possible.

MS09-071 affects Microsoft Internet Authentication Server (IAS) on servers and clients except for Windows 7 and Windows 2008 R2.  IAS is a technology from Microsoft that enables business services such as wireless and VPN connections.  This security bulletin addresses two vulnerabilities.  One of these vulnerabilities is publicly known, but the vulnerability is not being actively exploited at this time.  An attacker can send a malicious packet to a vulnerable server that can result in remote code execution.  Interestingly enough, client systems do not have the vulnerable files on the system as they are not part of the base operating system, but Microsoft is providing a patch for Windows client systems.  However, third-party products that can be vulnerable can be installed on client systems.

MS09-069 affects the Microsoft LSASS service on Windows 2000, XP and 2003.  An attacker can send a specially crafted packet to a target machine that will cause the system to be unresponsive.  The LSASS service can use up all system resources, which will cause the machine to become unresponsive.  Users will need to reboot their systems to gain back those resources and make the system responsive once again.  This security bulletin addresses one vulnerability that is not publicly known at this time.

MS09-073 affects WordPad on Windows XP and 2003 as well as Office Text Converters for Office XP and 2003.  This security bulletin fixes one software vulnerability which is not publicly known at this time.  A user with a vulnerable operating system or Microsoft Office program will need to be enticed into opening a malicious Word 97 document.  Upon opening, the document will be converted to a new version of a Word document.  A successful exploit can lead to remote code execution.

MS09-074 affects Microsoft Project.  The one security vulnerability this bulletin addresses is not publicly known at this time.  In an attack scenario, a user would need to be enticed into opening a malicious Project document.  This can lead to remote code execution.

Microsoft has also re-released security bulletin MS08-037.  The bulletin was updated to include the DNS client on Windows 2000 Service Pack 4.  Anyone who has previously installed this patch will need to apply this latest patch offering.

On the Security Advisory front, Microsoft released two new security advisories.

Microsoft Security Advisory (954157)

This security advisory does not offer a patch and Microsoft is not planning on releasing one for this product.  This advisory explains to customers how to disable the Indeo codec on their systems.  The workaround will prevent malicious websites from exploiting vulnerable systems, which can lead to remote code execution on the target system.

Microsoft Security Advisory (974926)

This security advisory informs customers of a potential man-in-the-middle attack.  In this scenario, the attacker would need valid user credentials that are passed between systems.  Microsoft is offering up two non-security patches to help administrators harden their systems.  Both of these patches were offered a few months ago.

Adobe Patch

Adobe is also joining this patch Tuesday with the release of a new Adobe Flash Player and Adobe Air.  This security patch will address critical software vulnerabilities.  There is no word from Adobe yet on how many vulnerabilities are addressed and if they are publicly known or exploited at this time.  Any Adobe Flash Player less than version 10.0.32.18 and any Adobe Air less than version is affected by this vulnerability(ies).

- Jason Miller


Adobe To Release Flash On Patch Tuesday

Yesterday, Adobe announced they will be releasing a new version of Adobe Flash on Patch Tuesday with security advisory APSB09-019.  The patch will be a security patch and addresses “critical security issues”, but they did not disclose how many vulnerabilities will be addressed in it.

In addition, they will be releasing a new version of Adobe Air.

Adobe’s scheduled quarterly update is not until next month, but they did mention they would release critical updates when needed.

- Jason Miller


December Patch Tuesday Advanced Notification

Microsoft has announced their Patch Tuesday Advanced Notification for the December version of Patch Tuesday.  They are planning on releasing six security bulletins that address twelve vulnerabilities.

  • Three security bulletins are rated as Critical
  • Three security bulletins are rated as Important
  • Five software vulnerabilities can lead to Remote Code Execution
  • One software vulnerability can lead to Denial Of Service

Products affected this month:

  • Internet Explorer
  • All major operating systems except Windows 7 and Windows Server 2008 R2*
  • Microsoft Office XP (Word), Microsoft Office 2003 (Word)
  • Microsoft Project 2000, 2002, 2003
  • Microsoft Office Converter Pack
  • *Note:  One security bulletin affects IE 8, which can be installed on Windows 7 and 2008 R2

The Security Advisory 977981 will expire on Tuesday as it will be addressed with the Security Bulletin for Internet Explorer.

There is no planned Adobe release this month, as their next scheduled release is next month.

**Update:  Adobe is planning on releasing an update for Adobe Flash and Adobe Air during December’s Patch Tuesday.  More information can be found here.

Although there are only six security bulletins this month, as a whole they affect most of Microsoft’s operating systems.  This could impact your Patch Tuesday as all of the updates that apply to Windows require a reboot.

- Jason Miller
