Archive for Current Threats and Vulnerabilities

Microsoft Security Advisory 2269637 Released

Microsoft released a new security advisory yesterday regarding the DLL hijacking issue that has been widely discussed lately.  Unlike most Microsoft Security Advisories, this advisory is providing a non-security update to help protect your systems against attack.  In the past, Microsoft has issued temporary workarounds in lieu of a security bulletin/patch.  These are known as Fix-It patches.

A vulnerability exists if software was programmed with insecure methods.  The tool will help mitigate the risk on your systems by preventing the loading of DLLs from certain directories.
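The mitigation described above works on the library search order, so here, as an added example that is not part of the original post and not Microsoft's or Shavlik's code, is a small Python model of that search order with and without the current working directory in it, run against a constructed scenario.  The policy names, directory names and file listings are assumptions made for the illustration; the script calls no Windows API.

```python
"""Model of the DLL search order and of a "block the current directory"
mitigation.  Added example: not Microsoft's or Shavlik's code, and it calls
no Windows API.  It simulates how a library name is resolved against a list
of directories and how excluding the current working directory (CWD) from
that search, the kind of restriction the non-security update described above
applies to certain directories, changes the outcome.  The policy names,
directory names and file listings below are constructed for the demonstration.
"""
from dataclasses import dataclass, field

# Constructed policy names (assumption, not the update's own setting names).
ALLOW_CWD = "allow"                # legacy behaviour: CWD is searched
BLOCK_REMOTE_CWD = "block_remote"  # CWD skipped when it is a network location
BLOCK_ALL_CWD = "block_all"        # CWD never searched


@dataclass
class Host:
    app_dir: str
    system_dirs: list
    path_dirs: list
    cwd: str
    files: dict = field(default_factory=dict)  # directory -> set of file names

    def has(self, directory, name):
        listing = self.files.get(directory, set())
        return name.lower() in {f.lower() for f in listing}


def is_remote(directory):
    """UNC paths (\\\\server\\share) count as remote locations."""
    return directory.startswith("\\\\")


def search_order(host, policy):
    """Application directory, system directories, then (policy permitting)
    the CWD, then the PATH entries."""
    order = [host.app_dir, *host.system_dirs]
    if policy == ALLOW_CWD or (policy == BLOCK_REMOTE_CWD and not is_remote(host.cwd)):
        order.append(host.cwd)
    order.extend(host.path_dirs)
    return order


def resolve(host, dll_name, policy):
    """Directory the DLL would be loaded from, or None if no copy is found."""
    for directory in search_order(host, policy):
        if host.has(directory, dll_name):
            return directory
    return None


def untrusted_loads(host, dll_names, policy):
    """Audit helper: which of the requested DLLs would be loaded from a
    remote directory under the given policy."""
    hits = []
    for name in dll_names:
        where = resolve(host, name, policy)
        if where is not None and is_remote(where):
            hits.append((name, where))
    return hits


def demo_host():
    # Constructed scenario: a user opened a document on a file share, so the
    # CWD of the application is that share.  "optional.dll" is a library the
    # application tries to load but which does not exist on the system; a file
    # with that name is present on the share.  "present.dll" is in System32.
    share = r"\\fileserver\docs"
    return Host(
        app_dir=r"C:\Program Files\App",
        system_dirs=[r"C:\Windows\System32", r"C:\Windows"],
        path_dirs=[r"C:\Tools"],
        cwd=share,
        files={
            r"C:\Program Files\App": {"app.exe"},
            r"C:\Windows\System32": {"present.dll"},
            share: {"report.doc", "optional.dll"},
        },
    )


if __name__ == "__main__":
    host = demo_host()
    for policy in (ALLOW_CWD, BLOCK_REMOTE_CWD, BLOCK_ALL_CWD):
        print(policy, untrusted_loads(host, ["present.dll", "optional.dll"], policy))
```

The order modelled here is the simplified sequence of application directory, system directories, current directory, then PATH.  A library that is already present in one of the earlier directories is unaffected by the policy; it is only when the program asks for a name that is absent from those directories that the current directory decides what gets loaded, which is why dropping the current directory from the search for remote locations closes that avenue without changing how applications that load by full path behave.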

This issue is not only a Microsoft issue.  Other third-party software vendors could be affected by this vulnerability.  Microsoft is reaching out to third-party vendors to work with them on fixing this vulnerability.  We will be seeing security bulletins from third-party vendors in the near future.

In addition, Microsoft will be investigating their products.  Last year, Microsoft released a security bulletin for the ATL issue in Visual Studio.  Microsoft subsequently issued patches for their software affected by the vulnerability.  This is a similar scenario with this advisory.

Review the MSRC blog, security advisory and SRD blog posting for more information regarding this advisory.

Shavlik customers can protect their networks with the non-security tool.  We have just released new XML files with the tool.  You can find this tool in the non-security patch MSWU-435.

- Jason Miller


Adobe Reader Release Update

Adobe just announced they will be releasing a critical update for Adobe Reader and Acrobat on Thursday, August 19th.  Previously, Adobe announced they will be releasing the update at some point this week.  Mark your calendars and patch your Adobe installations this Thursday.  More details can be found on their security advisory page:  APSB10-17

- Jason Miller


New Adobe Security Advisory Released

Adobe just released a new security advisory:  APSB10-17

Adobe Reader 9.3.3 and Adobe Reader 8.2.3 contain a critical vulnerability (CVE-2010-2862) that was discussed at Black Hat USA 2010.  Adobe is planning on releasing a security update for the affected software the week of August 16, 2010.  As this is an out of band release, this update should only contain the fix for the single vulnerability.

Adobe’s PSIRT group is not aware of any exploits currently in the wild for the vulnerability.  Stay tuned to their blog as this may change in the coming weeks.

- Jason Miller


Microsoft Releases Out-Of-Band With MS10-046

Microsoft has just released an out-of-band security bulletin as announced last Friday.  This bulletin addresses one zero day vulnerability that is currently being exploited in the wild.  The MSRC found a new, particularly nasty, virus exploiting the vulnerability.  Sality.AT has seen an uptick in infections in the past few days.  MS10-046 affects all supported operating systems.  If you have applied the workarounds suggested by Microsoft, you should remove them as soon as your systems are patched.  I am sure people will enjoy having their icon images back on their Start Menu and Desktop.

Microsoft releasing a security bulletin out-of-band is not uncommon.  The most surprising aspect of this release is how close we are to the regularly scheduled patch Tuesday.  In previous out-of-band releases, you can see the timing is typically in-between patch Tuesdays.

  • MS09-034:  July 28, 2009 – Two weeks prior to scheduled patch day
  • MS09-035:  July 28, 2009 – Two weeks prior to scheduled patch day
  • MS10-002:  January 21, 2010 – One and a half weeks prior to scheduled patch day
  • MS10-018:  March 30, 2010 – Two weeks prior to scheduled patch day

With a release this close to Patch Tuesday, it is safe to assume you should patch this security bulletin immediately.

While patching MS10-046, you should take a look at patching your Apple Safari browser installations.  Apple released a security update last Thursday addressing 15 vulnerabilities.

- Jason Miller


Notification of Upcoming Out Of Band Patch to be Released by Microsoft

Today Microsoft announced that they plan to release an out of band update this coming Monday, August 2nd.  The update will address Security Advisory 2286198.

According to Microsoft, this vulnerability has been exploited for a few weeks, and Microsoft recently has detected an increase in the amount of exploit attempts.  Add in the fact that the workaround suggested by Microsoft is probably not appealing to many enterprise organizations as it removes shortcut icons from users’ desktops and may generate additional help desk volume.  If Microsoft releases an out of band patch just 8 days before the next Patch Tuesday, IT admins should plan accordingly. Check back with us on Monday for more information.

- Jace D. McLean


New Microsoft Security Advisory (2286198)

Microsoft released a new Security Advisory (2286198) last Friday affecting the Windows operating system.  A vulnerability exists in the way Windows parses shortcuts that could lead to remote code execution.  The most likely attack vector is through removable drives, although network shares could also play a part.

Even though this is a zero-day exploit with limited attacks, I am not expecting Microsoft to go out-of-band and patch this before the next patch Tuesday in August.  This vulnerability affects all supported operating systems as well as the beta service packs for Windows 7 and Windows 2008.  It is important to note that Windows XP SP2 is not listed as an affected product even though the operating system / service pack level is vulnerable.  This product reached end of life support last patch day.

Microsoft’s advisory page has a few workarounds posted that can help mitigate the risk with this vulnerability.  If you choose to apply these workarounds, it is important to unapply these workarounds as soon as the patch is available.

- Jason Miller


New Windows Security Vulnerability Irresponsibly Disclosed

The MSRC (Microsoft Security Response Center) just disclosed a new publicly reported vulnerability for earlier versions of Windows:  XP and 2003.

This issue was reported to us on June 5th, 2010 by a Google security researcher and then made public less than four days later, on June 9th, 2010.  Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk.

One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause. While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented. In some cases, more time is required for a comprehensive update that cannot be bypassed, and does not cause quality problems. 

We recognize that researchers across the entire industry are a vital part of identifying issues and continually improving security, and we continue to ask researchers to work with us through responsible disclosure to help minimize the risk to customers while improving security.

Shame on you, Google.  I would think that a researcher from a software giant such as Google would do the responsible thing:  privately disclose the vulnerability to the vendor instead of publicly releasing the information.  I wonder how his company, Google, would appreciate a researcher at Microsoft publicly disclosing vulnerabilities for Google Chrome?

The MSRC page has workarounds for this vulnerability until a patch is available.  A security advisory page is not up yet, but Microsoft should be releasing this soon.

Disclosing vulnerabilities is a touchy subject as people line up for defense on both sides.  What do you think about public vs. private vulnerability disclosure?

- Jason Miller


New Versions of Adobe Flash Available

Adobe released new versions of Flash 9 and 10 today as expected.  Flash 10.1.53.64 and 9.0.277.0 address one critical security vulnerability described in Adobe Security Advisory APSA10-01.  You will want to patch these as soon as possible, as this vulnerability is being actively exploited in the wild.

Adobe Reader and Acrobat are scheduled to be released later this month (June 29).

**Note:  The Adobe download page and security advisory still have not been updated.  The Adobe Flash download link will download the latest version.  Stay tuned to the advisory page for details on the security bulletin.

- Jason Miller


June 2010 Patch Tuesday Overview

Microsoft has released 10 new security bulletins for the June 2010 edition of patch Tuesday.  These 10 bulletins address 34 vulnerabilities.

A large release by Microsoft this month was expected by us here at Shavlik.  Microsoft has shown a pattern lately of a smaller month followed by a larger release month.


*Note:  -OOB represents an out-of-band release by Microsoft.

Two security advisories have been closed by Microsoft as the vulnerabilities have been addressed in two new bulletins:

  • KB980088: MS10-035 (Internet Explorer)
  • KB983438: MS10-039 (SharePoint)

There are two bulletins that administrators should address first.  MS10-033 addresses two vulnerabilities in Windows that could lead to remote code execution.  This bulletin affects Windows Media, which is very common in the new age of social networking.  Opening a specially crafted media file or connecting to a malicious server streaming media content can lead to remote code execution.  The days of solely focusing on Internet browsers for patching have changed.  In the past year, Microsoft has focused on fixing vulnerabilities in their media formats and players.  As we move to a media-centric audience, attackers will focus more and more on media players to go along with browser attacks.  I can guarantee that someone on your network, right now, is browsing the Internet looking for a video of Tom Cruise’s Tropic Thunder character Les Grossman’s dance routine from the MTV Movie Awards.

MS10-035 is the bi-monthly release of the Cumulative Security Update for Internet Explorer.  This bulletin fixes 6 vulnerabilities where a successful attack can lead to remote code execution.  Internet Explorer is one of the most targeted applications for attackers, so this bulletin should be addressed immediately on your network.

There are a couple of bulletins that require special attention from administrators this month.  Patching software has made patch management easy, but administrators need to research the bulletins each month for little pieces of information that could adversely affect your network security.

First, MS10-036 covers a product that is vulnerable but for which Microsoft has not supplied a patch.  Microsoft Office XP SP3 is vulnerable, but there are actions you can take to mitigate this vulnerability.  If possible, upgrade your Office installations to Office 2003 or 2007, as Microsoft is supplying patches for those products.  If this is not possible, Microsoft is providing a workaround Fix-It tool that will protect against the vulnerability (KB983235).  In addition, Microsoft Office 2003 and 2007 must be upgraded to the latest service pack level as well as having the bulletin applied to fix the vulnerability.  If you are installing the patch for a stand-alone product, you must also install the patch for the full Office 2003 or 2007 installation.  For example, patching Visio 2003 will require you to patch Office 2003 as well.

Lastly, MS10-040 has a special case for Windows 2003, Vista and 2008 installations.  These systems will only be vulnerable if Extended Protection For Authentication has been previously installed.

On the non-Microsoft patching front, Apple has released two new versions of their Safari browser.  Safari 5.0 and 4.1 fix 47 vulnerabilities.  Safari 4.1 is Mac OS only, while Safari 5.0 is available for both Mac and Windows.  More information can be found here.

Adobe announced today that they are planning on releasing new updates for Adobe Flash, Reader and Acrobat soon.  Adobe Flash 10 is planned for release on June 10.  For Adobe Reader and Acrobat, Adobe is planning on a June 29 release.  More information can be found here.

- Jason Miller

**Updated:  Sometimes the bulletin detail pages can be a bit confusing.  Updated the post to reflect a change for MS10-036 when patching a standalone product.


Alureon Rootkit Still Running Rampant

The Microsoft Malware Protection Center recently released their MSRT (Malicious Software Removal Tool) threat report for May.  This report focuses on the steps Microsoft has taken on removing Alureon rootkit on systems.

Back in February, Microsoft released security bulletin MS10-015 that addressed vulnerabilities in the Windows Kernel.  Microsoft received reports of machines that were blue screening after patching MS10-015.  The blue screen was caused by the Alureon rootkit.  The patches for bulletin MS10-015 were pulled to address the issue.  The patch was changed to include detection logic for abnormalities such as the Alureon rootkit.  If these abnormalities are found, the patch will not apply on the system.
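The reworked MS10-015 package refuses to install when it finds the system in an unexpected state.  As an added example, not Microsoft's detection logic and not code from the original post, the Python below shows the shape of such a pre-install gate: the files an update would replace are hashed and compared with a known-good list, and the update is refused on any mismatch.  The file names, contents and hashes are constructed for the demonstration.

```python
"""Pre-install sanity gate in the spirit of the reworked MS10-015 package.

Added example; this is not Microsoft's detection logic.  Before a kernel
update is applied, the files it would replace are hashed and compared with a
known-good list.  If anything is missing or does not match, the install is
refused rather than applied blind, since a mismatch may mean something has
already modified the file and swapping it out could leave the machine
unbootable.  The file names, contents and hashes below are constructed.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large images are not held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preflight(target_dir, known_good):
    """known_good maps file name -> expected SHA-256 hex digest.
    Returns (ok, findings); the update may proceed only when ok is True."""
    findings = []
    for name, expected in sorted(known_good.items()):
        path = os.path.join(target_dir, name)
        if not os.path.isfile(path):
            findings.append(f"{name}: missing")
            continue
        actual = sha256_of(path)
        if actual != expected:
            findings.append(f"{name}: hash mismatch (expected {expected[:12]}, got {actual[:12]})")
    return (not findings, findings)


def demo():
    """Run the gate on a constructed clean directory and on one where a
    driver has been altered after its known-good hash was recorded."""
    originals = {
        "clean.sys": b"constructed driver image A",
        "target.sys": b"constructed driver image B",
    }
    known_good = {n: hashlib.sha256(b).hexdigest() for n, b in originals.items()}
    results = {}
    for label, tamper in (("clean", False), ("tampered", True)):
        with tempfile.TemporaryDirectory() as d:
            for name, data in originals.items():
                if tamper and name == "target.sys":
                    data = data + b" (bytes appended after the hash was recorded)"
                with open(os.path.join(d, name), "wb") as f:
                    f.write(data)
            results[label] = preflight(d, known_good)
    return results


if __name__ == "__main__":
    for label, (ok, findings) in demo().items():
        print(label, "apply" if ok else "refuse", findings)
```

A gate of this kind is a safety check for the installer, not a rootkit detector: a kernel-mode rootkit that filters file reads can present the original bytes to a user-mode hashing routine, so a clean result here is a reason to proceed, not proof that the machine is clean.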

The MSRT tool has cleaned nearly 400,000 machines infected with the Alureon rootkit in May alone.  Virus outbreaks usually make headlines when discovered, but this report shows that viruses and vulnerabilities never go away.  Many machines are still being infected with the virus.

Having an anti-virus program on a machine is not the whole solution to the problem.  It is important to identify and patch software vulnerabilities on target systems as well.

- Jason Miller
