Information Armor » Patches

Patch Tuesday for Microsoft

root — Mon, 07 Jun 2010 15:36:44 +0000

Microsoft’s June Security Advance Notification
Microsoft is planning to release ten bulletins addressing 34 vulnerabilities on Tuesday, June 8th. The bulletins are rated as follows: 3 “Critical” and 7 “Important”. The affected software includes: Windows, Microsoft Office, and Internet Explorer. Additionally, Microsoft plans to address the issues highlighted in Security Advisories 983438 and 980088. We encourage our customers to review the vendor’s Advance Notification and associated blog post.
http://www.microsoft.com/technet/security/bulletin/ms10-jun.mspx
http://blogs.technet.com/b/msrc/archive/2010/06/03/june-2010-security-bulletin-advance-notification.aspx

Mobile Malware
Reports have surfaced this week indicating that Samsung’s S8500 Wave handsets were shipped with a malware-infected microSD card. Reportedly, some German models of this device are affected. Once the device is connected to the computer, it automatically installs a Trojan using a file called “slmvsrv.exe.”

While this is an example of a mobile device being shipped with malware, there are ways that attackers can utilize different functionality to distribute their malware. For instance, the Multimedia Message Service (MMS) can be used as a vector for sending malware to unsuspecting victims. Many mobile phones and PDAs available today are capable of communicating via Bluetooth, a protocol designed for short range communication between electronic devices. Simple social engineering attacks have effectively convinced Bluetooth users to pair their devices with complete strangers, giving them unrestricted access to data on the victim’s phone. Additionally, many modern mobile phones and PDAs now run robust, feature-rich operating systems and offer the same or similar applications as PCs. Individuals increasingly use them to store personal data and conduct financial transactions which gives attackers more incentive to find and exploit vulnerabilities in the software.

Several major security vendors now provide security applications and anti-virus software for mobile users. Cellular service providers also offer some protection to their customers automatically by scanning for specific types of malicious code as data traverses the network. Bluetooth should be disabled while not in use and should never respond to unsolicited connection attempts. Although the level of mobile attacks is currently relatively low, it is still important for organizations to be aware of the potential threat.
http://www.engadget.com/2010/06/02/samsung-wave-shipping-with-infected-microsd-card/
http://www.f-secure.com/weblog/archives/00001959.html

April Patches and Updates

root — Wed, 14 Apr 2010 16:07:39 +0000

1. Denial of Service Conditions in Microsoft Exchange and Microsoft SMTP Service (MS10-024 CVE-2010-0024)
Microsoft Windows SMTP Service and Microsoft Exchange are vulnerable to a denial of service, caused by the improper handling of DNS Mail Exchanger (MX) resource records by the Simple Mail Transfer Protocol component. As SMTP services are often exposed to the Internet and email is usually considered a business critical function, the business impact of this vulnerability is more significant than for typical Denial of Service issues.

http://www.microsoft.com/technet/security/bulletin/MS10-024.mspx

2. Microsoft DirectShow Remote Code Execution (MS10-026 CVE-2010-0480)
Microsoft Windows is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the MPEG Layer-3 audio codecs when handling malicious files. The vulnerable MPEG Layer-3 audio codecs are the MPEG Layer-3 Audio Codec for Microsoft DirectShow. Successful exploitation of this issue would provide an attacker with complete control over the endpoint target. The use of malicious media files like images and movies has been prevalent in the past years.

http://www.microsoft.com/technet/security/bulletin/MS10-026.mspx

Adobe Reader and Acrobat Security Update
Adobe has addressed multiple critical vulnerabilities affecting Adobe Reader 9.3.1 (and earlier versions) for Windows, Macintosh, and UNIX, Adobe Acrobat 9.3.1 (and earlier versions) for Windows and Macintosh, and Adobe Reader 8.2.1 (and earlier versions) and Adobe Acrobat 8.2.1 (and earlier versions) for Windows and Macintosh. The most severe of these issues could allow a remote attacker to execute arbitrary code on a vulnerable system. Refer to the “Solution” section of the Adobe Security Bulletin for information on remediating these issues.
http://www.adobe.com/support/security/bulletins/apsb10-09.html

Microsoft April 2010 Security Release
Microsoft released eleven security bulletins today. There are five rated Critical, five rated Important and one rated Moderate. We encourage our customers to apply the patches and IBM product coverage where applicable. Please, review the break-down below.
http://www.microsoft.com/technet/security/bulletin/ms10-apr.mspx

Microsoft Maximum Severity Rating: Critical
Microsoft Security Bulletin MS10-019: Vulnerabilities in Windows Could Allow Remote Code Execution (981210)
Vulnerabilities in Windows Authenticode Verification could allow a remote attacker execute arbitrary code on a vulnerable system.
CVE-2010-0486
CVE-2010-0487
http://www.microsoft.com/technet/security/bulletin/ms10-019.mspx

Microsoft Security Bulletin MS10-020: Vulnerabilities in SMB Client Could Allow Remote Code Execution (980232)
Multiple vulnerabilities affecting Microsoft Windows could allow remote code execution. Successful exploitation can occur if an attacker can convince a user to initiate an SMB connection to a specially crafted SMB server.
CVE-2009-3676
CVE-2010-0269
CVE-2010-0270
CVE-2010-0476
CVE-2010-0477
http://www.microsoft.com/technet/security/bulletin/ms10-020.mspx

Microsoft Security Bulletin MS10-025: Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution (980858)
A remote code execution vulnerability affects Windows Media Services running on Microsoft Windows 2000 Server. The Windows Media Unicast Service fails to properly handle specially crafted transport information packets. On Microsoft Windows 2000 Server Service Pack 4, Windows Media Services is an optional component and is not installed by default.
CVE-2010-0478
http://www.microsoft.com/technet/security/bulletin/ms10-025.mspx

Microsoft Security Bulletin MS10-026: Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (977816)
2. Microsoft DirectShow Remote Code Execution (MS10-026 CVE-2010-0480)
http://www.microsoft.com/technet/security/bulletin/ms10-026.mspx

Microsoft Security Bulletin MS10-027: Vulnerability in Windows Media Player Could Allow Remote Code Execution (979402)
The Windows Media Player ActiveX control is affected by a remote code execution vulnerability.
CVE-2010-0268
http://www.microsoft.com/technet/security/bulletin/ms10-027.mspx

Microsoft Maximum Severity Rating: Important
Microsoft Security Bulletin MS10-021: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (979683)
This bulletin addresses two vulnerabilities in Microsoft Windows, the most severe of which could allow elevation of privilege. In order to exploit these vulnerabilities, an attacker must have valid logon credentials and be able to log on locally.
CVE-2010-0236
CVE-2010-0237
http://www.microsoft.com/technet/security/bulletin/ms10-021.mspx

Microsoft Security Bulletin MS10-022: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (981169)
A vulnerability affecting VBScript on Microsoft Windows could allow remote code execution. This vulnerability requires user interaction and cannot be exploited on Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.
CVE-2010-0483
http://www.microsoft.com/technet/security/bulletin/ms10-022.mspx

Microsoft Security Bulletin MS10-023: Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (981160)
Microsoft Office Publisher is vulnerable to a remote code execution issue. An attacker could exploit this issue by creating a specially crafted Publisher file and sending it in an email or hosting it on a Web site.
CVE-2010-0479; IBM Product Coverage: CompoundFile_Shellcode_Detected
http://www.microsoft.com/technet/security/bulletin/ms10-023.mspx

Microsoft Security Bulletin MS10-024: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832)
1. Denial of Service Conditions in Microsoft Exchange and Microsoft SMTP Service
http://www.microsoft.com/technet/security/bulletin/ms10-024.mspx

Microsoft Security Bulletin MS10-028: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (980094)
Vulnerabilities in Microsoft Office Visio could allow remote code execution if a user opens a specially crafted Visio file.
CVE-2010-0254; IBM Product Coverage: CompoundFile_Shellcode_Detected
CVE-2010-0256; IBM Product Coverage: CompoundFile_Shellcode_Detected
http://www.microsoft.com/technet/security/bulletin/ms10-028.mspx

Microsoft Maximum Severity Rating: Moderate
Microsoft Security Bulletin MS10-029: Vulnerability in Windows ISATAP Component Could Allow Spoofing (978338)
A spoofing vulnerability exists in the Microsoft Windows IPv6 stack which could allow an attacker to impersonate an address to bypass edge or host firewalls. CVE-2010-0812
http://www.microsoft.com/technet/security/bulletin/ms10-029.mspx

Microsoft

root — Tue, 09 Mar 2010 22:16:26 +0000

As a reminder, Microsoft is planning to release two security bulletins today, March 9, 2010. Both bulletins carry a maximum severity rating of important and the issues addressed could lead to remote code execution. The first bulletin applies to various versions of Windows XP, Vista and Windows 7 and is rated as important for all affected versions. The second bulletin applies to various Office releases and components for Windows and Mac and is also rated as important for all affected versions.
http://www.microsoft.com/technet/security/bulletin/ms10-mar.mspx

Microsoft MS10-015 BSOD Issue

root — Tue, 16 Feb 2010 16:19:28 +0000

Microsoft has acknowledged that there is an issue when applying the update related to advisory MS10-015 on systems that are infected with certain malware strains including one called “Tidserv”. These infected systems have a high likelihood of becoming unbootable displaying a PAGE_FAULT “Blue Screen of Death” (BSOD) error. Microsoft has issued directions on how to resolve this issue and has temporarily removed this update from the Windows Update Service until a complete investigation can be done.
http://www.symantec.com/connect/blogs/tidserv-and-ms10-015
http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/73cea559-ebbd-4274-96bc-e292b69f2fd1
http://blogs.zdnet.com/microsoft/?p=5250
http://blogs.technet.com/msrc/archive/2010/02/12/update-restart-issues-after-installing-ms10-015.aspx

February

root — Tue, 09 Feb 2010 20:03:17 +0000

Microsoft Advance Notification for February
The assessment was updated yesterday to note that Microsoft has released their Advance Notification for February Security Bulletins. On Tuesday, February 9, Microsoft plans on releasing a total of thirteen Security Bulletins: five “critical”, seven “important”, and one “moderate”. These bulletins will address a total of twenty-six vulnerabilities across Windows and Office. As usual, this information is subject to change until the actual release. For more details, please review the Advance Notification and associated MSRC blog post.
http://blogs.technet.com/msrc/archive/2010/02/04/february-2010-bulletin-release-advance-notification.aspx
http://www.microsoft.com/technet/security/bulletin/ms10-feb.mspx%20

Information Disclosure Vulnerability in Samba
Samba is an open source SMB/CIFS implementation. Details have been made public for a directory traversal vulnerability in Samba that allows a remote attacker to retrieve and/or modify certain files on Samba servers. It appears that symlinks can be used to allow a client to gain access to files on the server that they would not otherwise be authorized to access. The access is limited to the permissions of the process, which generally does not run as a superuser. A patch is not currently available for this vulnerability. We will provide more information as it becomes available.
http://www.youtube.com/watch?v=NN50RtZ2N74

MS10-002

root — Fri, 22 Jan 2010 15:38:00 +0000

Microsoft has released MS10-002 today. The update addresses 7 privately reported and 1 publicly reported vulnerability which is associated with the widely publicized attacks associated with Security Advisory 979352. There are four (4) Uninitialized Memory Corruption Vulnerabilities, two (2) HTML Object Memory Corruption Vulnerabilities, one (1) XSS Filter Script Handling Vulnerability, and one (1) URL Validation Vulnerability. This single patch is considered Critical by Microsoft and covers the following CVE entries:

CVE-2009-4074

CVE-2010-0027

CVE-2010-0244

CVE-2010-0245

CVE-2010-0246

CVE-2010-0247

CVE-2010-0248

CVE-2010-0249

Customers should apply this update as soon as possible. The update will also be sent through the Automatic update mechanism.

http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx

http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx