August 2010 - Posts - Chris Mosby at myITforum.com

DLL hijacking vulnerabilities – SANS Internet Storm Center

Share |

Published: 2010-08-23,
Last Updated: 2010-08-24 08:22:58 UTC
by Bojan Zdrnja (Version: 2)

For the last couple of days there have been a lot of discussions about a vulnerability published by a Slovenian security company ACROS. HD Moore (of Metasploit fame) also independently found hundreds of vulnerable applications and, as he said, the cat is now really out of the bag.

In order to see what is going here we first have to understand how modern applications are built. Modern applications come modularized with multiple DLLs (Dynamic Link Libraries). This allows the programmer to use functions available in other DLLs on the system – Windows has hundreds of them. Now, if a DLL is not available on the system, the developer can decide to pack it with the main application’s executable and store it, for example, in the applications directory.

The most important DLLs are specified in the KnownDLLs registry key (HKLM/System/CurrentControlSet/Control/Session Manager/KnownDLLs). These are easy – if an application needs to load it, the system knows that they have to be in the directory specified by the DllDirectory registry key, which is usually %SystemRoot%/system32.

However, when another DLL is being loaded, the system dynamically tries to find the DLL. Historically, Microsoft made a mistake by putting the current directory in the first place (some of you Unix oldies might remember when “.” was at the first place in the PATH variable). This has been fixed by Microsoft by introducing the SafeDllSearchMode setting (registry value). This setting specifies the order in which a DLL will be searched for. For example, as specified in http://msdn.microsoft.com/en-us/library/ms682586%28v=VS.85%29.aspx this is the search order with the SafeDllSearchMode setting enabled:

   1. The directory from which the application loaded.
   2. The system directory. Use the GetSystemDirectory function to get the path of this directory.
   3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
   4. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
   5. The current directory.
   6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.

If multiple directories hold a DLL with the same name, the first match wins. This setting is enabled by default on Windows XP SP2.

Now, the problem happens when, for example, the application tries to load a DLL that does not exist on the system. You can see one such example in the picture below, where I found out that one of my favorite applications is very much vulnerable. See how it tries to find the DLL in all those directories before if gets to the one on the share? Both names of the application and DLL have been blacked out – no point in serving this on a silver plated dish :(

DLL hijacking

Ok, so what about attack vectors. Any place where the attacker can put both the file to be opened by an application and a malicious DLL can be used as the attack vector. Obviously, as in the example above, the most obvious attack place are Windows shares so I guess we are looking at another vulnerability that uses similar attack vectors such as the LNK vulnerability last month – the difference here is that by just browsing to the directory nothing will happen since the user has to open the file.

In order to protect your networks/system be sure to audit permissions on shares to prevent unauthorized users from putting files where they shouldn’t be. Of course, I expect that by now you already blocked SMB and WebDAV on the perimeter so an external share cannot be used.

What about a fix? This will be a difficult one, especially since we can look at SafeDllSearchMode as a fix. So in most cases, developers of vulnerable applications will have to fix them and judging by the numbers I’ve seen around we are looking at a very difficult period. Hopefully those popular applications (such as the one I successfully exploited above) will get patched quickly so the final risk will be reduced.

We will keep an eye on this and update the diary as we get more information.

UPDATE

Microsoft released several articles describing details about this vulnerability as well as offering some workarounds. The main security advisory is available here (2269637). Recommendations are basically similar to those I wrote above, however, Microsoft also released a tool that allows blacklisting certain directories (locations) from being used for library loading. You can find more information about the tool here, and the tool itself here. The tool adds a new registry setting called CWDIllegailInDllSearch. This allows you to block loading of DLLs from shared network disks or through WebDAV clients. Of course, if you plan on deploying it, I recommend thoroughly testing it before push it somewhere as it might break loads of things - that is probably why Microsoft doesn't push this as a security update. To be fair, this is not Microsoft's fault, but bad programming since this vulnerability has been known for years and years (although some new attack vectors have been published recently). Microsoft also released a nice document about searching DLLs that you can find on the second link above (I especially like how they used Process Monitor to demonstrate the vulnerability and removed the vulnerable application's name and the DLL it's loading - same as I did in the picture above :).

Finally, I would like to say thanks to readers who wrote in, especially to Stefan Kanthak who shared a whole list of possible attack vectors. After spending some time going through this and locating even more, this looks extremely bad, but it is questionable if we will see wide exploitation of this vulnerability.

Let us know about your experiences with this and especially if you see someone/something exploiting this.

Posted Tuesday, August 24, 2010 8:58 AM by cmosby | with no comments

Filed under: Patch Management, Microsoft Windows, Security, Software Vulnerabilites

Microsoft Security Advisory Notification - Issued: August 23, 2010 - Title: Insecure Library Loading Could Allow Remote Code Execution

Read up, this looks important

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: August 23, 2010

********************************************************************

Security Advisories Updated or Released Today ==============================================

* Microsoft Security Advisory (2269637)

- Title: Insecure Library Loading Could Allow Remote

Code Execution

- http://www.microsoft.com/technet/security/advisory/2269637.mspx

- Revision Note: V1.0 (August 23, 2010) Advisory published.

Posted Tuesday, August 24, 2010 8:24 AM by cmosby | with no comments

Filed under: SMS, Patch Management, Microsoft Windows, Security, Configuration Management, ConfigMgr, Software Vulnerabilites

Intel to buy McAfee for $7.68 billion – MSNBC.com

This should be interesting….

Intel to buy McAfee for $7.68 billion

Chip maker: Security now a fundamental component of online computing

updated 2 hours 7 minutes ago

The per-share price represents a 60 percent premium over McAfee's Wednesday close of $29.93. McAfee shares surged 58 percent after the deal was announced Thursday to hit $47.42 in premarket trading. Intel shares slipped 2.5 percent to $19.11.

Intel, which is based in Santa Clara, Calif., said the deal highlights "that security is now a fundamental component of online computing."

Intel said the deal with hurt earnings slightly in the first year the companies are combined. Excluding costs and other one-time items related to the acquisition, Intel predicts the deal will slightly boost earnings next year and improve after that.

Both boards of directors have unanimously approved the deal. The deal still requires McAfee shareholder approval and regulatory clearances.

McAfee, also based in Santa Clara, is one of the world
Intel has made a series of recent software acquisitions including companies that specialize in gaming, visual computing, embedded device and machine software.

Last month, Intel Corp. reported its largest quarterly net income in a decade as the chipmaker benefited from a stronger computer market and more sophisticated factories.

Posted Thursday, August 19, 2010 8:10 AM by cmosby | with no comments

Filed under: Security and Anti-Virus, Internet News, AntiVirus Information

August 2010 Microsoft Black Tuesday Summary – SANS Internet Storm Center

August 2010 Micrsoft Black Tuesday Summary

Share |

Published: 2010-08-10,
Last Updated: 2010-08-10 21:03:44 UTC
by Jim Clausing (Version: 4)

1 comment(s)

Overview of the Aug 2010 Microsoft Patches and their status.

Update: Microsoft also released an advisory for an unpatched privilege escalation vulnerability

Update 2: Exploit code apparently exists for MS10-048, but it is not being seen in the wild at present.

#	Affected	Contra Indications	Known Exploits	Microsoft rating	ISC rating(*)
clients	servers
MS10-047	Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (Replaces MS10-021 )
Windows Kernel CVE-2010-1888 CVE-2010-1889 CVE-2010-1890	KB 981852	no known exploits.	Severity:Important Exploitability: 1,2,?	Important	Important
MS10-048	Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (Replaces MS10-032 )
Windows Kernel CVE-2010-1887 CVE-2010-1894 CVE-2010-1895 CVE-2010-1896 CVE-2010-1897	KB 2160329	PoC code apparently exists	Severity:Important Exploitability: ?,1,1,1,1	Important	Impoortant
MS10-049	Vulnerabilities in SChannel could allow Remote Code Execution
IIS and SChannel CVE-2009-3555 CVE-2010-2566	KB 980436	no known exploits.	Severity:Important Exploitability: 3,2	Important	Critical
MS10-050	Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (Replaces MS10-016 )
Windows Movie Maker CVE-2010-2564	KB 981997	no known exploits.	Severity:Important Exploitability: 1	Critical	Important
MS10-051	Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (Replaces MS08-069 )
Microsoft XML core services CVE-2010-2561	KB 2079403	no known exploits.	Severity:Critical Exploitability: 2	Critical	Critical
MS10-052	Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution
Microsoft MPEG Layer-3 Codecs CVE-2010-1882	KB 2115168	no known exploits.	Severity:Critical Exploitability: 1	Critical	Important
MS10-053	Cumulative Security Update for Internet Explorer (Replaces MS10-035 )
Internet Explorer CVE-2010-1258 CVE-2010-2556 CVE-2010-2557 CVE-2010-2558 CVE-2010-2559 CVE-2010-2560	KB 2183461	no known exploits.	Severity:Critical Exploitability: 3,2,1,2,2,1	Critical	Important
MS10-054	Vulnerabilities in SMB Server Could Allow Remote Code Execution
SMB server CVE-2010-2550 CVE-2010-2551 CVE-2010-2552	KB 982214	no known exploits.	Severity:Critical Exploitability: 2,3,3	Critical	Critical
MS10-055	Vulnerability in Cinepak Codec Could Allow Remote Code Execution
Cinepak codec CVE-2010-2553	KB 982665	no known exploits.	Severity:Critical Exploitability: 1	Critical	Important
MS10-056	Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (Replaces MS09-068 M009-027 MS10-036 )
Word CVE-2010-1900 CVE-2010-1901 CVE-2010-1902 CVE-2010-1903	KB 2269707	no known exploits.	Severity:Important Exploitability: 1,1,2,2	Critical	Important
MS10-057	Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (Replaces MS10-036 MS10-038 )
Excel CVE-2010-2562	KB 2269707	no known exploits.	Severity:Important Exploitability: 1	Critical	Important
MS10-058	Vulnerabilities in TCP/IP Could Allow Elevation of Privilege
Windows Networking (TCP/IP) CVE-2010-1892 CVE-2010-1893	KB 978886	no known exploits.	Severity:Important Exploitability: 3,1	Important	Important
MS10-059	Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege
Tracing Facility for Services CVE-2010-2554 CVE-2010-2555	KB 982799	no known exploits.	Severity:Important Exploitability: ?,1	Important	Important
MS10-060	Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (Replaces MS09-061 )
.NET and Silverlight CVE-2010-0019 CVE-2010-1898	KB 2265906	no known exploits.	Severity:Critical Exploitability: 1,1	Critical	Critical

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them

Posted Tuesday, August 10, 2010 1:35 PM by cmosby | with no comments

Filed under: Patch Management, Microsoft Windows, Internet Explorer, Microsoft Office, Security, Configuration Management, ConfigMgr, Software Vulnerabilites, Spyware\Malware, WSUS

Microsoft Security Bulletin Advance Notification for August 2010

Well here is a new record, 14 patches out next week. With the emergency one that was released Monday, that makes 15 total out for the month of August 2010.

Job security my friends, job security…

********************************************************************

Microsoft Security Bulletin Advance Notification for August 2010

Issued: August 5, 2010

********************************************************************

This is an advance notification of security bulletins that Microsoft is intending to release on August 10, 2010.

The full version of the Microsoft Security Bulletin Advance Notification for August 2010 can be found at http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx.

This bulletin advance notification will be replaced with the August bulletin summary on August 10, 2010. For more information about the bulletin advance notification service, see http://www.microsoft.com/technet/security/Bulletin/advance.mspx.

To receive automatic notifications whenever Microsoft Security Bulletins are issued, subscribe to Microsoft Technical Security Notifications on http://www.microsoft.com/technet/security/bulletin/notify.mspx.

Microsoft will host a webcast to address customer questions on these bulletins on August 11, 2010, at 11:00 AM Pacific Time (US & Canada). Register for the Security Bulletin Webcast at http://www.microsoft.com/technet/security/bulletin/summary.mspx.

Microsoft also provides information to help customers prioritize monthly security updates with any non-security, high-priority updates that are being released on the same day as the monthly security updates. Please see the section, Other Information.

This advance notification provides a number as the bulletin identifier, because the official Microsoft Security Bulletin numbers are not issued until release. The bulletin summary that replaces this advance notification will have the proper Microsoft Security Bulletin numbers (in the MSyy-xxx format) as the bulletin identifier. The security bulletins for this month are as follows, in order of severity:

Critical Security Bulletins

===========================

Bulletin 1

- Affected Software:

- Windows XP Service Pack 3

- Windows XP Professional x64 Edition Service Pack 2

- Windows Server 2003 Service Pack 2

- Windows Server 2003 x64 Edition Service Pack 2

- Windows Server 2003 with SP2 for Itanium-based Systems

- Windows Vista Service Pack 1

- Windows Vista Service Pack 2

- Windows Vista x64 Edition Service Pack 1

- Windows Vista x64 Edition Service Pack 2

- Windows Server 2008 for 32-bit Systems and

Windows Server 2008 for 32-bit Systems Service Pack 2

(Windows Server 2008 Server Core installation affected)

- Windows Server 2008 for x64-based Systems and

Windows Server 2008 for x64-based Systems Service Pack 2

(Windows Server 2008 Server Core installation affected)

- Windows Server 2008 for Itanium-based Systems and

Windows Server 2008 for Itanium-based Systems Service Pack 2

- Windows 7 for 32-bit Systems

- Windows 7 for x64-based Systems

- Windows Server 2008 R2 for x64-based Systems

(Windows Server 2008 R2 Server Core installation affected)

- Windows Server 2008 R2 for Itanium-based Systems

- Impact: Remote Code Execution

- Version Number: 1.0

Bulletin 2

- Affected Software:

- Windows XP Service Pack 3

- Windows XP Professional x64 Edition Service Pack 2

- Windows Server 2003 Service Pack 2

- Windows Server 2003 x64 Edition Service Pack 2

- Windows Server 2003 with SP2 for Itanium-based Systems

- Windows Vista Service Pack 1

- Windows Vista Service Pack 2

- Windows Vista x64 Edition Service Pack 1

- Windows Vista x64 Edition Service Pack 2

- Windows Server 2008 for 32-bit Systems and

Windows Server 2008 for 32-bit Systems Service Pack 2

(Windows Server 2008 Server Core installation affected)

- Windows Server 2008 for x64-based Systems and

Windows Server 2008 for x64-based Systems Service Pack 2

(Windows Server 2008 Server Core installation affected)

- Windows Server 2008 for Itanium-based Systems and

Windows Server 2008 for Itanium-based Systems Service Pack 2

- Windows 7 for 32-bit Systems

- Windows 7 for x64-based Systems

- Windows Server 2008 R2 for x64-based Systems

(Windows Server 2008 R2 Server Core installation affected)

- Windows Server 2008 R2 for Itanium-based Systems

- Impact: Remote Code Execution

- Version Number: 1.0

Bulletin 3

- Affected Software:

- Windows XP Service Pack 3

- Windows XP Professional x64 Edition Service Pack 2

- Windows Server 2003 Service Pack 2

- Windows Server 2003 x64 Edition Service Pack 2

- Impact: Remote Code Execution

- Version Number: 1.0

Bulletin 4

- Affected Software:

- Internet Explorer 6 for

Windows XP Service Pack 3

- Internet Explorer 6 for

Windows XP Professional x64 Edition Service Pack 2

- Internet Explorer 6 for

Windows Server 2003 Service Pack 2

- Internet Explorer 6 for

Windows Server 2003 x64 Edition Service Pack 2

- Internet Explorer 6 for

Windows Server 2003 with SP2 for Itanium-based Systems

- Internet Explorer 7 for

Windows XP Service Pack 3

- Internet Explorer 7 for

Windows XP Professional x64 Edition Service Pack 2

- Internet Explorer 7 for

Windows Server 2003 Service Pack 2

- Internet Explorer 7 for

Windows Server 2003 x64 Edition Service Pack 2

- Internet Explorer 7 for

Windows Server 2003 with SP2 for Itanium-based Systems

- Internet Explorer 7 in

Windows Vista Service Pack 1 and

Windows Vista Service Pack 2

- Internet Explorer 7 in

Windows Vista x64 Edition Service Pack 1 and

Windows Vista x64 Edition Service Pack 2

- Internet Explorer 7 in

Windows Server 2008 for 32-bit Systems and

Windows Server 2008 for 32-bit Systems Service Pack 2

(Windows Server 2008 Server Core installation not affected)

- Internet Explorer 7 in

Windows Server 2008 for x64-based Systems and

Windows Server 2008 for x64-based Systems Service Pack 2

(Windows Server 2008 Server Core installation not affected)

- Internet Explorer 7 in

Windows Server 2008 for Itanium-based Systems and

Windows Server 2008 for Itanium-based Systems Service Pack 2

- Internet Explorer 8 for

Windows XP Service Pack 3

- Internet Explorer 8 for

Windows XP Professional x64 Edition Service Pack 2

- Internet Explorer 8 for

Windows Server 2003 Service Pack 2

- Internet Explorer 8 for

Windows Server 2003 x64 Edition Service Pack 2

- Internet Explorer 8 in

Windows Vista Service Pack 1 and

Windows Vista Service Pack 2

- Internet Explorer 8 in

Windows Vista x64 Edition Service Pack 1 and

Windows Vista x64 Edition Service Pack 2

- Internet Explorer 8 in

Windows Server 2008 for 32-bit Systems and

Windows Server 2008 for 32-bit Systems Service Pack 2

(Windows Server 2008 Server Core installation not affected)

- Internet Explorer 8 in

Windows Server 2008 for x64-based Systems and

Windows Server 2008 for x64-based Systems Service Pack 2

(Windows Server 2008 Server Core installation not affected)

- Internet Explorer 8 in

Windows 7 for 32-bit Systems

- Internet Explorer 8 in

Windows 7 for x64-based Systems

- Internet Explorer 8 in

Windows Server 2008 R2 for x64-based Systems

(Windows Server 2008 Server Core installation not affected)

- Internet Explorer 8 in

Windows Server 2008 R2 for Itanium-based Systems

- Impact: Remote Code Execution

- Version Number: 1.0

Bulletin 5

- Affected Software:

- Windows XP Service Pack 3

- Windows XP Professional x64 Edition Service Pack 2

- Windows Server 2003 Service Pack 2

- Windows Server 2003 x64 Edition Service Pack 2

- Windows Server 2003 with SP2 for Itanium-based Systems

- Windows Vista Service Pack 1

- Windows Vista Service Pack 2

- Windows Vista x64 Edition Service Pack 1

- Windows Vista x64 Edition Service Pack 2

- Windows Server 2008 for 32-bit Systems and

Windows Server 2008 for 32-bit Systems Service Pack 2

(Windows Server 2008 Server Core installation affected)

- Windows Server 2008 for x64-based Systems and

Windows Server 2008 for x64-based Systems Service Pack 2

(Windows Server 2008 Server Core installation affected)

- Windows Server 2008 for Itanium-based Systems and

Windows Server 2008 for Itanium-based Systems Service Pack 2

- Windows 7 for 32-bit Systems

- Windows 7 for x64-based Systems

- Windows Server 2008 R2 for x64-based Systems

(Windows Server 2008 R2 Server Core installation affected)

- Windows Server 2008 R2 for Itanium-based Systems

- Impact: Remote Code Execution

- Version Number: 1.0

Bulletin 6

- Affected Software:

- Windows XP Service Pack 3

- Windows XP Professional x64 Edition Service Pack 2

- Windows Vista Service Pack 1

- Windows Vista Service Pack 2

- Windows Vista x64 Edition Service Pack 1

- Windows Vista x64 Edition Service Pack 2

- Windows 7 for 32-bit Systems

- Windows 7 for x64-based Systems

- Impact: Remote Code Execution

- Version Number: 1.0

Bulletin 7

- Affected Software:

- Microsoft Office Word 2002 Service Pack 3

- Microsoft Office Word 2003 Service Pack 3

- Microsoft Office Word 2007 Service Pack 2

- Microsoft Office 2004 for Mac

- Microsoft Office 2008 for Mac

- Open XML File Format Converter for Mac

- Microsoft Office Word Viewer

- Microsoft Office Compatibility Pack for Word, Excel, and

PowerPoint 2007 File Formats Service Pack 2

- Microsoft Works 9

- Impact: Remote Code Execution

- Version Number: 1.0

Bulletin 8

- Affected Software:

- Windows XP Service Pack 3

- Windows XP Professional x64 Edition Service Pack 2

- Windows Server 2003 Service Pack 2

- Windows Server 2003 x64 Edition Service Pack 2

- Windows Server 2003 with SP2 for Itanium-based Systems

- Windows Vista Service Pack 1

- Windows Vista Service Pack 2

- Windows Vista x64 Edition Service Pack 1

- Windows Vista x64 Edition Service Pack 2

- Windows Server 2008 for 32-bit Systems and

Windows Server 2008 for 32-bit Systems Service Pack 2

(Windows Server 2008 Server Core installation not affected)

- Windows Server 2008 for x64-based Systems and

Windows Server 2008 for x64-based Systems Service Pack 2

(Windows Server 2008 Server Core installation not affected)

- Windows Server 2008 for Itanium-based Systems and

Windows Server 2008 for Itanium-based Systems Service Pack 2

- Windows 7 for 32-bit Systems

- Windows 7 for x64-based Systems

- Windows Server 2008 R2 for x64-based Systems

(Windows Server 2008 R2 Server Core installation affected)

- Windows Server 2008 R2 for Itanium-based Systems

- Microsoft Silverlight 2

- Microsoft Silverlight 3

- Impact: Remote Code Execution

- Version Number: 1.0

Important Security Bulletins

============================

Bulletin 9

- Affected Software:

- Windows XP Service Pack 3

- Windows Vista Service Pack 1

- Windows Vista Service Pack 2

- Windows Vista x64 Edition Service Pack 1

- Windows Vista x64 Edition Service Pack 2

- Windows Server 2008 for 32-bit Systems and

Windows Server 2008 for 32-bit Systems Service Pack 2

(Windows Server 2008 Server Core installation affected)

- Windows Server 2008 for x64-based Systems and

Windows Server 2008 for x64-based Systems Service Pack 2

(Windows Server 2008 Server Core installation affected)

- Windows Server 2008 for Itanium-based Systems and

Windows Server 2008 for Itanium-based Systems Service Pack 2

- Windows 7 for 32-bit Systems

- Windows 7 for x64-based Systems

- Windows Server 2008 R2 for x64-based Systems

(Windows Server 2008 R2 Server Core installation affected)

- Windows Server 2008 R2 for Itanium-based Systems

- Impact: Elevation of Privilege

- Version Number: 1.0

Bulletin 10

- Affected Software:

- Windows XP Service Pack 3

- Windows XP Professional x64 Edition Service Pack 2

- Windows Server 2003 Service Pack 2

- Windows Server 2003 x64 Edition Service Pack 2

- Windows Server 2003 with SP2 for Itanium-based Systems

- Windows Vista Service Pack 1

- Windows Vista Service Pack 2

- Windows Vista x64 Edition Service Pack 1

- Windows Vista x64 Edition Service Pack 2

- Windows Server 2008 for 32-bit Systems and

Windows Server 2008 for 32-bit Systems Service Pack 2

(Windows Server 2008 Server Core installation affected)

- Windows Server 2008 for x64-based Systems and

Windows Server 2008 for x64-based Systems Service Pack 2

(Windows Server 2008 Server Core installation affected)

- Windows Server 2008 for Itanium-based Systems and

Windows Server 2008 for Itanium-based Systems Service Pack 2

- Windows 7 for 32-bit Systems

- Windows 7 for x64-based Systems

- Windows Server 2008 R2 for x64-based Systems

(Windows Server 2008 R2 Server Core installation affected)

- Windows Server 2008 R2 for Itanium-based Systems

- Impact: Elevation of Privilege

- Version Number: 1.0

Bulletin 11

- Affected Software:

- Windows XP Service Pack 3

- Windows XP Professional x64 Edition Service Pack 2

- Windows Vista Service Pack 1

- Windows Vista Service Pack 2

- Windows Vista x64 Edition Service Pack 1

- Windows Vista x64 Edition Service Pack 2

- Impact: Remote Code Execution

- Version Number: 1.0

Bulletin 12

- Affected Software:

- Microsoft Office Excel 2002 Service Pack 3

- Microsoft Office Excel 2003 Service Pack 3

- Microsoft Office 2004 for Mac

- Microsoft Office 2008 for Mac

- Open XML File Format Converter for Mac

- Impact: Remote Code Execution

- Version Number: 1.0

Bulletin 13

- Affected Software:

- Windows Vista Service Pack 1

- Windows Vista Service Pack 2

- Windows Vista x64 Edition Service Pack 1

- Windows Vista x64 Edition Service Pack 2

- Windows Server 2008 for 32-bit Systems and

Windows Server 2008 for 32-bit Systems Service Pack 2

(Windows Server 2008 Server Core installation affected)

- Windows Server 2008 for x64-based Systems and

Windows Server 2008 for x64-based Systems Service Pack 2

(Windows Server 2008 Server Core installation affected)

- Windows Server 2008 for Itanium-based Systems and

Windows Server 2008 for Itanium-based Systems Service Pack 2

- Windows 7 for 32-bit Systems

- Windows 7 for x64-based Systems

- Windows Server 2008 R2 for x64-based Systems

(Windows Server 2008 R2 Server Core installation affected)

- Windows Server 2008 R2 for Itanium-based Systems

- Impact: Elevation of Privilege

- Version Number: 1.0

Bulletin 14

- Affected Software:

- Windows Vista Service Pack 1

- Windows Vista Service Pack 2

- Windows Vista x64 Edition Service Pack 1

- Windows Vista x64 Edition Service Pack 2

- Windows Server 2008 for 32-bit Systems and

Windows Server 2008 for 32-bit Systems Service Pack 2

(Windows Server 2008 Server Core installation affected)

- Windows Server 2008 for x64-based Systems and

Windows Server 2008 for x64-based Systems Service Pack 2

(Windows Server 2008 Server Core installation affected)

- Windows Server 2008 for Itanium-based Systems and

Windows Server 2008 for Itanium-based Systems Service Pack 2

- Windows 7 for 32-bit Systems

- Windows 7 for x64-based Systems

- Windows Server 2008 R2 for x64-based Systems

(Windows Server 2008 R2 Server Core installation affected)

- Windows Server 2008 R2 for Itanium-based Systems

- Impact: Elevation of Privilege

- Version Number: 1.0

Other Information

=================

Follow us on Twitter for the latest information and updates:

http://twitter.com/msftsecresponse

Microsoft Windows Malicious Software Removal Tool:

==================================================

Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

Non-Security, High-Priority Updates on MU, WU, and WSUS:

========================================================

For information about non-security releases on Windows Update and Microsoft update, please see:

* http://support.microsoft.com/kb/894199: Microsoft Knowledge Base

Article 894199, Description of Software Update Services and

Windows Server Update Services changes in content.

Includes all Windows content.

* http://technet.microsoft.com/en-us/wsus/bb456965.aspx: Updates

from Past Months for Windows Server Update Services. Displays all

new, revised, and rereleased updates for Microsoft products other

than Microsoft Windows.

Posted Thursday, August 05, 2010 12:46 PM by cmosby | with no comments

Filed under: Patch Management, Microsoft Windows, Internet Explorer, Microsoft Office, Security, Configuration Management, ConfigMgr, Software Vulnerabilites

Microsoft Out-of-Band bulletin addresses LNK/Shortcut vulnerability - SANS Internet Storm Center

Microsoft Out-of-Band bulletin addresses LNK/Shortcut vulnerability

Share |

Published: 2010-08-02,
Last Updated: 2010-08-02 17:22:33 UTC
by Johannes Ullrich (Version: 1)

2 comment(s)

As announced on Friday, Microsoft released an out-of-band bulletin to address the recent Shortcut/LNK exploits. As confirmed in Microsoft's announcement, various malware is now attempting to exploit this vulnerability. The vulnerability is rather easy to exploit in particular given the tools available to craft necessary shortcuts.

Clients are the main target but servers are as vulnerable and should be patched as soon as possible. Please report any issues you have with the patch !

#	Affected	Contra Indications	Known Exploits	Microsoft rating	ISC rating(*)
clients	servers
MS10-046	Vulnerability in Windows Shell (LNK/Shortcut)
Windows Shell CVE-2010-2568	KB 2286198	actively exploited.	Severity:Critical Exploitability: 1	PATCH NOW!	PATCH NOW!

-----
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Posted Monday, August 02, 2010 1:02 PM by cmosby | with no comments

Filed under: Security and Anti-Virus, Patch Management, Microsoft Windows, Microsoft Office, Configuration Management, ConfigMgr, Software Vulnerabilites

Chris Mosby at myITforum.com

Search

Tags

News

Unique Visitors

Navigation

Archives

Microsoft Links

SMS Links

Great Blogs

My Links

Security Links

Anti-Virus Links

Things I Have Done or I Am Involved In

Published Works