Archive for Current Threats and Vulnerabilities

March Patch Tuesday Overview

After a busy February with 13 security bulletins, Microsoft is easing off the patching throttle a bit this month.  Microsoft released two new security bulletins addressing 8 vulnerabilities, none of which are publicly known at this time.  It is not uncommon for Microsoft to have a large patch month followed by a relatively light patch month.

As the bulletins affect client Windows operating systems and Microsoft Office, your servers should be spared from this month’s patching cycle unless you have SharePoint Server 2007 installed.  As expected, Microsoft is not planning to release a bulletin for their recently released security advisory (981169).  Microsoft will need time to investigate, implement and test the fix for this known vulnerability.

It is important to note that MS10-016 affects Microsoft Producer 2003.  However, Microsoft is not providing a patch for this product.  They are suggesting administrators remove the affected component from their machines.  Microsoft not providing patches for known software vulnerabilities has become more common over the past 12 months.  This is a great example of why administrators should take time each month to research the information associated with each bulletin.  Blindly pushing out patches does not necessarily make your network secure.

MS10-017 should be addressed first on your network.  Microsoft Excel attachments are as common as Meryl Streep nominations at the Oscars.  Opening a malicious Excel document could lead to remote code execution.

Last month, there were issues identified with security bulletin MS10-015.  This bulletin caused blue screens on systems that were recently patched.  Microsoft researched the issue and found that a rootkit was the cause of the blue screen.  This is a perfect example of why companies should have a solid patching process that includes testing each bulletin before deploying it to their network.

Microsoft also announced a new security advisory, 981374.  This security advisory affects Internet Explorer versions 6 and 7.  Microsoft has been receiving limited reports of targeted attacks on the browser.  Although there is no patch available for this issue, administrators should keep an eye on this advisory for more information.

Lastly, Microsoft re-released MS09-033.  They added Microsoft Virtual Server 2005 to the list of affected products.  If you have already patched the previously affected products, no action is needed on those.  Be on the lookout for MS09-033 showing as missing on some systems though.

Happy Patching!

- Jason Miller


New Microsoft Security Advisory – 981169

Microsoft posted a new security advisory on Monday addressing a publicly reported vulnerability in VBScript with Security Advisory 981169.

This software vulnerability affects Internet Explorer on Windows 2000, XP and 2003.  This vulnerability does not affect the newer versions of the Windows operating system (Vista, 7, 2008, 2008 R2).

A vulnerability exists in the way VBScript works with help files when using IE.  If a user visits a specially crafted website AND the attacker entices the user to press the F1 key, the attacker can gain remote code execution on the target system.

It is important to note:  Simply navigating to a malicious website will not result in remote code execution.  The user must press F1 when prompted.

Workarounds

  • Do not press F1 if prompted from a web site.
    Yes, you read that correctly.  This is a suggested workaround from Microsoft.  If you want to take it one step further, here is an action you could take.

Comical?  Yes.  Security focused?  No.

Ok, maybe we should look at some real security measures.

  • Restrict access to the Windows Help System.
    This will prevent the help file system in Windows from working.  This is probably your safest bet for a workaround until the patch becomes available.  Typically, workarounds require restricting critical resources on your machine.  In this case, only the help system becomes unavailable.  If you do apply this workaround, remember to revert it after the patch is released.


  • Harden Internet Explorer Security Settings
    Microsoft listed quite a few settings you can set to reduce the risk of exploitation.  The KB article has more information on these actions.

Patch Tuesday is next week.  Given that there have been no reports of active attacks and the short turnaround between now and Patch Tuesday, I do not expect to see this patched in March’s Patch Tuesday.

- Jason Miller


February Patch Tuesday Overview

Microsoft has released 13 new security bulletins for February’s Patch Tuesday.  The size of this release is not uncommon.  Historically, Microsoft has had a light January followed by a large February.  This month’s patches address 23 vulnerabilities.  There have been no reports of active attacks against these vulnerabilities.  One of these vulnerabilities has been publicly disclosed.

The first three bulletins administrators should address right away:

MS10-006 affects the SMB client on all supported operating systems.  This security bulletin addresses two vulnerabilities.  Neither vulnerability is publicly known or being exploited at this time.  Visiting a malicious site that makes a file sharing connection can result in remote code execution.  In addition, an attacker in a man-in-the-middle position could exploit this vulnerability by responding to legitimate SMB client/server requests with malformed packets.  It is important to note that MS10-006 is not related to MS10-012: both bulletins address issues in SMB, but they are separate issues.

MS10-007 affects the Windows Shell Handler in Windows 2000, XP and 2003 operating systems.  This bulletin fixes one vulnerability that is not publicly known or exploited at this time.  Visiting a malicious website that contains a specially crafted webpage could lead to remote code execution.  This vulnerability exists in both the operating system and Internet Explorer.  For Internet Explorer, this vulnerability was addressed with the out-of-band security bulletin release in January (MS10-002).  Depending on the system, you will need to apply:

  • only MS10-002
  • both MS10-002 and MS10-007
  • either MS10-002 or MS10-007

MS10-007 has a table under the “Frequently Asked Questions (FAQ) Related to This Security Update” that will help guide you through what updates will apply to your systems.

MS10-013 affects Microsoft DirectShow on all supported operating systems.  A vulnerability exists in DirectShow when opening AVI files.  This bulletin fixes one vulnerability that is not publicly known at this time.  In an attack scenario, a user needs to be enticed into opening a malicious AVI file.  This can lead to remote code execution.  It is important to note that some operating systems may require multiple patches from this bulletin to fix the vulnerability.  Media files are commonly sent and downloaded, so this vulnerability could affect many users.


The rest:

MS10-003 affects Office XP.  This bulletin addresses one vulnerability that is not publicly known and not being exploited at this time.  Opening a specially crafted Excel file on an unpatched system can lead to remote code execution.

MS10-004 affects PowerPoint in Office XP and Office 2003.  This bulletin fixes six vulnerabilities.  The vulnerabilities are not publicly known at this time and not being exploited.  Opening a specially crafted PowerPoint document can lead to remote code execution on an unpatched machine.  With MS10-004, it is important to note that PowerPoint Viewer 2003 is affected by this vulnerability, but Microsoft is not releasing a patch for this version of the viewer.  Microsoft is stating the product has reached the end of its lifecycle and will not receive any future security patches.  You should identify all PowerPoint 2003 Viewers on your network and upgrade them to PowerPoint Viewer 2007.  The newer version of the viewer is not affected by this vulnerability.

MS10-005 affects Microsoft Paint on Windows 2000, XP and 2003.  This bulletin fixes one vulnerability that is not publicly known at this time and not being exploited.  In order to exploit this vulnerability, an attacker would have to convince a user to open a specially crafted JPEG file in Microsoft Paint.  If done on an unpatched system, this would lead to remote code execution.

MS10-008 is the cumulative update for ActiveX Kill Bits.  This bulletin is commonly released every few months for additions to the Kill Bit list for ActiveX controls.  This patch will prevent the following ActiveX controls from running on a system:  Symantec WinFax Pro 10.3, Google Desktop Gadget v5.8, Facebook Photo Update 5.5.8 and PandaActiveScan Installer 2.0.

MS10-009 affects TCP/IP on Windows Vista and 2008.  This bulletin addresses 4 vulnerabilities that are not publicly known or being exploited at this time.  The vulnerabilities specifically affect TCP/IPv6.  If an attacker sends a specially crafted ICMPv6 packet to an unpatched system, the attacker could achieve remote code execution.  TCP/IPv6 is enabled by default on Windows Vista and Windows 2008 machines.  You can mitigate some of the risk by turning on the host firewall and blocking ICMPv6.

MS10-010 affects Hyper-V on Windows 2008.  A vulnerability exists that is not publically known or being exploited at this time.  In order to exploit this vulnerability, an attacker must have valid logon credentials to the target machine.  A successful attack would cause a denial of service on the Windows 2008 system forcing a system restart.

MS10-011 affects the Windows Client/Server Run-time Subsystem on Windows 2000, XP and 2003.  The one vulnerability addressed by this bulletin is not publicly known or currently being exploited.  Like MS10-010, an attacker must have valid logon credentials to exploit this vulnerability.  If successfully exploited, an attacker could gain elevated privileges on the target system.

MS10-012 affects SMB on all supported operating systems.  This bulletin addresses four more vulnerabilities in SMB, one of which is publicly known.  None of the four is being exploited at this time.  The publicly known vulnerability could result in a denial of service.  In this scenario, an attacker could send a specially crafted SMB packet to a target system.  Domain controllers are the most at risk for this type of attack.

MS10-014 affects Kerberos on Windows 2000, 2003 and 2008.  This bulletin addresses one vulnerability that is not publicly known at this time.  An attacker could send a specially crafted ticket request to a domain controller.  In this scenario, the domain controller would no longer be able to issue new tickets, creating a denial of service.  Clients that already have tickets would continue to operate normally.

MS10-015 affects the Windows Kernel on all operating systems except Windows 7 x64 and Windows 2008 R2.  This bulletin addresses 2 vulnerabilities.  One of these vulnerabilities is publicly known, but not being exploited at this time.  In order to carry out an attack using this vulnerability, an attacker must log on as an authenticated user.  The attacker could run a specially crafted program that results in elevation of privilege, allowing them to install programs or take complete control of the system.  This bulletin contains the fixes for Security Advisory 979682.

Microsoft has also released a new Security Advisory, 97968977377.  In the last couple of months, Microsoft has been releasing new security advisories on Patch Tuesday.  Each new Security Advisory should be reviewed and workarounds applied if necessary.

It is important to watch for items other than security bulletins.  We can all fall into a cadence of immediately working on the known security bulletins starting at noon CST on Patch Tuesday, but there may be other items that come up on Patch Tuesday.

- Jason Miller


February Patch Tuesday Advanced Notification

Microsoft announced their February Patch Tuesday Advanced Notification yesterday.  As expected, this Patch Tuesday is going to be quite large.  They are planning on releasing 13 security bulletins.

Bulletin breakdown:

  • 11 bulletins apply to the Windows operating system
  • 2 bulletins apply to Office (Office and PowerPoint)
  • 5 bulletins are rated as Critical
  • 7 bulletins are rated as Important
  • 1 bulletin is rated as Moderate
  • All operating systems are affected

The sheer number of bulletins may take people by surprise.  In October 2009, Microsoft released the same number of bulletins in a single release.  Comparing this month to October, this month should not be quite as bad for administrators.  All of the bulletins this month affect common applications that can be pushed out with a blanket patching cycle.

In October, the bulletins affected a much wider range of products:

  • Operating systems
  • .NET
  • Windows Media Player
  • SQL Server
  • Silverlight
  • Visual Studio
  • Visual FoxPro
  • Report Viewer
  • Forefront Client Security

Microsoft will be addressing one security advisory during this patch cycle.  Security Advisory 979682 will expire as one of these bulletins will patch the vulnerability.  Security Advisory 977544 and Security Advisory 980088 will remain active as Microsoft will not be providing patches for these vulnerabilities.  Administrators should review those advisories and put in safeguards where necessary.  Microsoft is stating they have not been made aware of any active exploits on those two vulnerabilities.

In this patch cycle, you should look at patching iTunes as well.  Apple released a new version of Apple iTunes earlier this week.  This version will fix security vulnerabilities in your iPhone.

As with any patch day, you should be on the lookout for any other vendors releasing patches on Tuesday.  It is not uncommon for Mozilla or other companies to release security bulletins.

More to come Tuesday when the bulletin details are released.

- Jason Miller


New Microsoft Security Advisory Announced (KB980088)

Microsoft just announced another new security advisory for Internet Explorer.  With this zero-day vulnerability, a user would need to visit a malicious website that takes advantage of the vulnerability.  The advisory’s title states that the vulnerability could allow information disclosure.  Microsoft is reporting there are no active attacks for this vulnerability.

Microsoft has listed numerous workarounds to help mitigate the risk of attack on a system.  If you choose to apply any of these workarounds, each workaround should be tested thoroughly in your environment to ensure functionality of your applications.

Tomorrow is the February Advanced Notification for Patch Tuesday.  We will have to see if this is addressed with this month’s Patch Tuesday.  I highly doubt this will be addressed next Patch Tuesday, as the window between the announcement and a patch release is very small.

- Jason Miller


New Microsoft Security Advisory Announced KB979682

On the heels of the out-of-band patch announcement by Microsoft yesterday, a new security advisory (KB979682) has been posted by Microsoft.  Microsoft is currently researching reports of a vulnerability in the Windows kernel.  It is important to wait for Microsoft’s research findings before jumping to any conclusions on this report.  In the past few months we have seen claimed zero-day vulnerabilities that turned out not to be software vulnerabilities.

Still, keep an eye on the security advisory to see if Microsoft acknowledges the claims and provides details and possible workarounds.

- Jason Miller


Out-of-band January Patch Day Number 2

Microsoft has gone out-of-band from their normal release cycle for a critical security bulletin release.  The bulletin addresses the zero-day vulnerability described in Security Advisory KB979352.

The last time Microsoft went out-of-band for a security bulletin was last July.  That bulletin addressed a vulnerability in the ATL library.  Unlike the July out-of-band release, this bulletin fixes a zero-day vulnerability that is currently being exploited.

This bulletin, MS10-002, applies to all supported versions of Internet Explorer on all supported operating systems.

Only 1 of the vulnerabilities has been publicly disclosed and is currently being used in targeted attacks.  The other 7 vulnerabilities addressed by this bulletin are not publicly known and are not being used in attacks.

It is important to note that this is a cumulative update for Internet Explorer.  Multiple vulnerabilities are addressed by this bulletin.  With each patch, administrators should test the patch to ensure functionality in Internet Explorer is not broken by the fixes.  In the case of this patch, administrators should deploy it immediately to all servers and workstations, as exploit code has been published for the one known vulnerability.

Microsoft typically releases a cumulative Internet Explorer update every other month.  February’s patch day would have marked the usual schedule for a cumulative release.  Microsoft rolled the fix for the publicly known vulnerability into this cumulative update.

-Jason Miller


MS Out-Of-Band Bulletin Release Date Announced

Microsoft has just updated their advanced notification page for January 2010.  They will be releasing an out-of-band patch for the Internet Explorer zero-day exploit tomorrow, January 21.

More information can be found here.

They have also updated the Security Advisory with more details and clarification around the vulnerability.

- Jason Miller


Out-of-band Bulletin Coming From Microsoft

Microsoft’s MSRC just announced that Microsoft will be going out-of-band with a security bulletin release.  This release will fix the highly publicized Security Advisory KB979352.  Tomorrow, Microsoft will announce the timing of the out-of-band release.

This is the second out-of-band release in a row for which Microsoft is giving administrators advance notification.  This is extremely helpful, as everyone can prepare for patching instead of having to scramble with unplanned patching.

Stay tuned tomorrow for more information from Microsoft.

- Jason Miller


New Microsoft Security Advisory Published (979352)

Microsoft has just published a new security advisory.  This advisory affects Internet Explorer and can lead to remote code execution on machines.  There have been reports of limited targeted attacks, which makes this a zero-day exploit, as there is no patch available yet for this vulnerability.

Microsoft has posted a couple of workarounds to help mitigate this risk:

  • Set your Internet Security Zone settings to “High” for ActiveX Controls and Active Scripting
  • Set Internet Explorer to prompt or disable Active Scripting
  • Enable DEP for Internet Explorer
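
The following PowerShell script is an added example, not from the original post or from Microsoft’s advisory: it audits (and, with -Apply, sets) the first two workarounds above for the current user’s Internet zone, so you can confirm the mitigation is actually in place on a machine. The registry value names and levels are assumed from the Internet Explorer zone layout (Zones\3 is the Internet zone; 1200 is “Run ActiveX controls and plug-ins”, 1400 is “Active scripting”, CurrentLevel is the zone template); the DEP workaround is not covered.

```powershell
# Added example (not part of the original post). Audit the Internet zone
# mitigations from the advisory workarounds; pass -Apply to set them.
# Assumed registry layout: Zones\3 = Internet zone,
#   1200 = Run ActiveX controls and plug-ins (0 Enable, 1 Prompt, 3 Disable)
#   1400 = Active scripting              (0 Enable, 1 Prompt, 3 Disable)
#   CurrentLevel = zone template          (0x12000 = High)
# HKCU settings cover the current user only; Group Policy can override them.
param([switch]$Apply)

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Desired state: Internet zone at "High", ActiveX and Active Scripting disabled.
$desired = [ordered]@{
    'CurrentLevel' = 0x12000
    '1200'         = 3
    '1400'         = 3
}

$current = Get-ItemProperty -Path $zonePath

$report = foreach ($name in $desired.Keys) {
    $actual = $current.$name          # $null when the value has never been set
    $ok = ($actual -eq $desired[$name])

    if (-not $ok -and $Apply) {
        Set-ItemProperty -Path $zonePath -Name $name -Value $desired[$name] -Type DWord
        $ok = $true
    }

    [pscustomobject]@{
        Setting   = $name
        Expected  = ('0x{0:X}' -f $desired[$name])
        Actual    = if ($null -eq $actual) { '(not set)' } else { '0x{0:X}' -f $actual }
        Mitigated = $ok
    }
}

$report | Format-Table -AutoSize
```

Run it without -Apply first to see which settings differ; a missing value means the zone is using its default template, not that the mitigation is in place.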

With a vulnerability like this, it is very important to be aware of phishing attempts through email, instant messaging or Internet sites.

Because this affects Internet Explorer and is a zero-day exploit, we can probably expect an out-of-band patch release in the coming days/weeks before February’s patch Tuesday.

This could be related to the Google breach reported a few days ago as the advisory page cites Acknowledgements to Google, Adobe and McAfee.

- Jason Miller
