September 2010 - Posts

MS10-070 Released Out-of-Band Today

MSRCTEAM

28 Sep 2010 9:12 AM

  • Comments 0

Hello,

As we announced yesterday, today we released Security Bulletin MS10-070 out-of-band to address a vulnerability in ASP.NET. The bulletin and the blog post by Scott Guthrie, corporate vice president of Microsoft's .NET Developer Platform, are available for more information.

This security update addresses a vulnerability affecting all versions of the .NET Framework when used on a Windows Server operating system. While desktop systems are listed as affected, consumers are not vulnerable unless they are running a web server on their computer.

The update will be made available initially only through the Microsoft Download Center and then released through Windows Update and Windows Server Update Services within the next few days. This allows customers the option to deploy it manually now without delaying for broader distribution.

For customers who use Automatic Updates, the update will be applied automatically once it is released broadly. Once the security update is applied, customers are protected against the known attacks related to Security Advisory 2416728.

If you can, please join me and Dustin Childs today for a live webcast where we will cover the details of this bulletin and take customer questions live. Here is the registration information:

Date: Tuesday September 28, 2010
Time: 1:00 p.m. PDT
Click Here to Register

Thanks,

Dave Forstrom

Director, Trustworthy Computing

MS10-070 OOB Patch for ASP.NET vulnerability

Published: 2010-09-28,
Last Updated: 2010-09-28 17:21:25 UTC
by Daniel Wesemann (Version: 2)

3 comment(s)

Microsoft Bulletin MS10-070 has been released. An update is now available that addresses the ASP.NET "information disclosure" vulnerability (CVE-2010-3332) that we reported on earlier.

The core pieces of the advisory are probably the sections that read:

"In Microsoft .NET Framework 3.5 Service Pack 1 and above, this vulnerability can be used by an attacker to retrieve the contents of any file within the ASP.NET application, including web.config" and "This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server."

Translated, this means that the vulnerability undermines basic web application security. I suspect that online shops and such might rate the risk that "an attacker can read any file" on their web application server a bit higher than just "important".

According to the bulletin, MSFT are aware of "active attacks".

In combination, this sure sounds like PATCH NOW! to me.


Update:  Please note:

Frequently Asked Questions (FAQ) Related to This Security Update

Why are the updates only available from the Microsoft Download Center? 
Due to the active attacks currently exploiting this vulnerability and the severity of potential loss of data, we are releasing these updates to the Microsoft Download Center so that customers can begin updating their systems as soon as possible. These updates will also be provided through our other standard distribution methods once testing has been completed to ensure distribution will be successful through these channels.

This means the update is currently available only after you download and install it manually; it is not yet offered through Windows Update or deployable via ConfigMgr.


Update 1800UTC: If you're wondering what a "Padding Oracle" is, the original attack is described very well in this research paper.

Update 1830UTC: Changing InfoCon to YELLOW, to raise awareness for this problem and patch. We'll go back to GREEN in 24hrs unless significant new information develops.

MS OOB patch tomorrow for Security Advisory 2416728


Published: 2010-09-27,
Last Updated: 2010-09-27 23:51:06 UTC
by Adrien de Beaupre (Version: 1)

0 comment(s)

Microsoft is going to release an out-of-band security bulletin tomorrow, 28 September 2010, which will address a security vulnerability in ASP.NET affecting all current versions of Windows.

References:

http://www.microsoft.com/technet/security/advisory/2416728.mspx

http://blogs.msdn.com/b/sharepoint/archive/2010/09/21/security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint.aspx

http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnerability.aspx

Keep an eye on this one, folks! More information is sure to follow.

Cheers,
Adrien de Beaupré
EWA-Canada.com

Microsoft Security Advisory for ASP.NET


Published: 2010-09-18,
Last Updated: 2010-09-18 23:52:41 UTC
by Rick Wanner (Version: 2)

0 comment(s)

Microsoft has released a security advisory for ASP.NET (CVE-2010-3332). It looks like there are no known attacks for this vulnerability at this time, and no update has been released.

To quote the release...

"Microsoft is investigating a new public report of a vulnerability in ASP.NET. An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config. This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time."

More details are available at Scott Guthrie's Blog. As reader Jacob pointed out, Scott also details a configuration change that can be used for a workaround until the update is released.

-- Rick Wanner - rwanner at isc dot sans dot org - http://rwanner.blogspot.com/

Keywords: aspnet Microsoft security advisory

Zero-Day Flaw in Adobe Flash Player

(September 13, 2010)

Adobe is warning of a second zero-day vulnerability (see story below), this one in Adobe Flash Player. The critical flaw affects Flash Player 10.1.82.76 for Windows, Mac OS X, Linux, Solaris and Android, and is being actively exploited on Windows. As with the previously disclosed flaw in Reader, this vulnerability can be exploited to crash systems and possibly take control of them. Users can protect themselves from attacks by using Firefox with the NoScript add-on, which blocks Flash content but lets users provide a list of trusted websites that will be allowed to run Flash. Adobe plans to release a patch for the Flash vulnerability in two weeks, and to issue a fix for the zero-day flaw in Reader in three weeks.

Internet Storm Center: https://isc.sans.edu/diary.html?storyid=9544

http://www.theregister.co.uk/2010/09/13/adobe_flash_0day_vuln/

http://www.computerworld.com/s/article/9185218/Adobe_sounds_alarm_on_Flash_zero_day_attacks?taxonomyId=17

http://www.adobe.com/support/security/advisories/apsa10-03.html

Published: 2010-09-14,
Last Updated: 2010-09-14 18:00:03 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)

Overview of the September 2010 Microsoft Patches and their status.

| # | Affected | Contra Indications | Known Exploits | Microsoft rating | ISC rating(*) clients | ISC rating(*) servers |
|---|---|---|---|---|---|---|
| MS10-061 Vulnerability in Print Spooler Service Could Allow Remote Code Execution | Microsoft Windows, CVE-2010-2729 | KB 2347290 | This vulnerability is currently being exploited. | Severity: Critical, Exploitability: 1 | Critical | PATCH NOW! |
| MS10-062 Vulnerability in MPEG-4 Codec Could Allow Remote Code Execution | Microsoft Windows, CVE-2010-0818 | KB 975558 | No known exploits. | Severity: Critical, Exploitability: 1 | Critical | Important |
| MS10-063 Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution | Microsoft Windows, Microsoft Office, CVE-2010-2738 | KB 2320113 | No known exploits. | Severity: Critical, Exploitability: 2 | Critical | Important |
| MS10-064 Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (Replaces MS06-012, MS10-045) | Microsoft Office, CVE-2010-2728 | KB 2315011 | No known exploits. | Severity: Critical, Exploitability: 2 | Critical | Important |
| MS10-065 Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (Replaces MS08-006) | Microsoft Windows, IIS, CVE-2010-2730, CVE-2010-2731, CVE-2010-1899 | KB 2267960 | CVE-2010-2731 has been disclosed publicly. | Severity: Important, Exploitability: 1, 1, 3 | Critical | PATCH NOW! |
| MS10-066 Vulnerability in Remote Procedure Call Could Allow Remote Code Execution (Replaces MS09-026) | Internet Explorer, CVE-2010-2567 | KB 982802 | No known exploits. | Severity: Important, Exploitability: 1 | Critical | Important |
| MS10-067 Vulnerability in WordPad Text Converters Could Allow Remote Code Execution | Microsoft Windows, CVE-2010-2563 | KB 2259922 | No known exploits. | Severity: Important, Exploitability: 1 | Critical | Important |
| MS10-068 LSASS Heap Overflow Vulnerability (Replaces MS09-066) | Active Directory, CVE-2010-0820 | KB 983539 | No known exploits. | Severity: Important, Exploitability: 1 | Important | Important |
| MS10-069 Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege (Replaces MS07-021) | Microsoft Windows, CVE-2010-1891 | KB 2121546 | No known exploits. | Severity: Important, Exploitability: 1 | Important | Important |
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look at if you use the affected systems. There is little incentive for vendors to publicize patches that do not carry some form of risk.

Cheers,
Adrien de Beaupré
EWA-Canada.com


Adobe Flash v10.1.82.76 and earlier vulnerability in-the-wild


Published: 2010-09-14,
Last Updated: 2010-09-14 00:59:32 UTC
by Adrien de Beaupre (Version: 1)

3 comment(s)

Adobe has released an advisory for Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.1.92.10 for Android, as well as Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. CVE-2010-2884 has been assigned to the issue, which can crash Flash or lead to arbitrary code execution on some affected platforms. There is currently no patch; Adobe has indicated that it should be released in late September and/or early October. There are indications that this previously unknown vulnerability is currently being exploited in the wild by malicious web sites attacking browsers. YYAAAV: Yes, Yet Again Another Adobe Vulnerability. Sigh.

Keep an eye out for this one, folks. It will take a bit for the anti-virus, IDS/IPS and other vendors to catch up and detect the malware that exploits the vulnerability, and by that point the affected box may well be compromised, as most products detect only after the exploit has already taken place. Since the vendor released the advisory after being notified that exploits are already occurring against Windows boxes, it is recommended to explore workarounds for mitigation, detection of already compromised hosts, and cleanup.

Adobe PSIRT blog: http://blogs.adobe.com/psirt/2010/09/security-advisory-for-adobe-flash-player-apsa10-03.html

Adobe advisory: http://www.adobe.com/support/security/advisories/apsa10-03.html

Cheers,
Adrien de Beaupré
EWA-Canada.com

'Here You Have' Email


Published: 2010-09-09,
Last Updated: 2010-09-09 21:49:06 UTC
by Marcus Sachs (Version: 2)

7 comment(s)

We are aware of the "Here you have" malware that is spreading via email. As we find out more, we'll update this diary.

Update: 2010-09-09 21:28 UTC (JAC) There are several good writeups on the behavior of this malware; see some of the references below. The spam contains a link to a document; the link looks like it points to a PDF but in fact points to a .SCR file, served from a different domain from the one the link appears to point to. The original file seems to have been removed, so further infections from the initial variant should not occur, but new variants may well follow. The .SCR, when executed, downloads a number of additional tools, one of which appears to attempt to check in with a potential controller. The name associated with the controller has been sink-holed. The malware attempts to deactivate most anti-virus packages and uses the infected user's Outlook to send out its spam.

References:
http://www.virustotal.com/file-scan/report.html?id=fedb7b404754cf85737fb7e50f33324b84eb4c0b98024c7d3302039a901b04b7-1284058335#
http://www.threatexpert.com/report.aspx?md5=2bde56d8fb2df4438192fb46cd0cc9c9
http://www.threatexpert.com/report.aspx?md5=bd9208edf44d0ee32b974a2d9da7bc61
http://www.avertlabs.com/research/blog/index.php/2010/09/09/widespread-reporting-of-here-you-have-virus/

---------------
Marcus H. Sachs
Director, SANS Internet Storm Center

Jim Clausing
FOR408 coming to central OH in Sept, see http://www.sans.org/mentor/details.php?nid=22353
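The lure described in the update above (link text that promises a PDF on one site, an href that actually fetches a .SCR from another) is easy to flag on the mail gateway or in a triage script. The following is an added example, not code from the diary or from any of the referenced writeups; the sample message body and its hostnames are constructed placeholders.

```javascript
// Added example (not from the ISC diary): flag e-mail links whose visible text
// promises a PDF on one host while the href actually points to a screensaver
// (.scr) or other executable, possibly on a different host.
// The sample message body below is constructed for the demo.

const EXEC_EXT = new Set(['.scr', '.exe', '.pif', '.com', '.bat', '.cmd', '.vbs']);

function extOf(pathname) {
  const m = /\.[a-z0-9]+$/i.exec(pathname);
  return m ? m[0].toLowerCase() : '';
}

// Read the visible anchor text as a URL if it looks like one; otherwise null.
function parseShownUrl(text) {
  const t = text.trim();
  if (!/^(https?:\/\/|www\.)/i.test(t)) return null;
  try { return new URL(t.startsWith('http') ? t : 'http://' + t); } catch (e) { return null; }
}

// Scan an HTML body for <a href="...">text</a> and report links where the
// target is an executable or where the shown URL disagrees with the real one.
function findDeceptiveLinks(html) {
  const findings = [];
  const re = /<a\s+[^>]*href=["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const shownText = m[2].replace(/<[^>]+>/g, '');
    let target;
    try { target = new URL(m[1]); } catch (e) { continue; } // relative links skipped
    const reasons = [];
    const targetExt = extOf(target.pathname);
    if (EXEC_EXT.has(targetExt)) reasons.push('executable target ' + targetExt);
    const shown = parseShownUrl(shownText);
    if (shown) {
      if (shown.hostname !== target.hostname) reasons.push('host mismatch');
      if (extOf(shown.pathname) === '.pdf' && targetExt !== '.pdf') {
        reasons.push('pdf shown, ' + (targetExt || 'no extension') + ' served');
      }
    }
    if (reasons.length) findings.push({ href: m[1], shownText, reasons });
  }
  return findings;
}

// Constructed sample message (placeholder hosts, not the real campaign's).
const SAMPLE_BODY = `
<p>Hello,</p>
<p>Here is the document we discussed:
<a href="http://files.example.net/docs/report-2010-09.scr">http://www.example.com/docs/report-2010-09.pdf</a></p>
<p>Please review and reply.</p>
<p><a href="https://www.example.org/unsubscribe">Unsubscribe</a></p>
`;

// Returns the findings for the constructed sample: one link, three reasons.
function demo() { return findDeceptiveLinks(SAMPLE_BODY); }
```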


September 2010 Bulletin Release Advance Notification

MSRCTEAM

9 Sep 2010 9:45 AM

  • Comments 0

Hello - Today we're releasing our Advance Notification Service (ANS) for the September Security Bulletins, which are scheduled for release Tuesday, September 14, 2010. This is a service we provide to help enterprises plan and prepare for the upcoming security bulletin release.

This month we will be releasing 9 bulletins addressing 13 vulnerabilities affecting Windows, Internet Information Services (IIS), and Microsoft Office. Four of those bulletins carry a Critical rating, with the rest rated Important.

We recommend as always that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.

Next Wednesday, September 15th, Adrian Stone and Jerry Bryant will host a public webcast during which they'll go into details about the bulletins, and answer questions live on the air. To register for this webcast in advance:

Date: Wednesday, September 15, 2010
Time: 11:00 a.m. PDT (UTC -7)
Registration: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032454433

We highly recommend that customers register for our comprehensive alerts if you have not done so already. Sign up here: http://technet.microsoft.com/en-us/security/dd252948.aspx

Thanks,

Carlene Chmaj

Security Response Communications Manager

Adobe Reader 0-day vulnerability (CVE-2010-2883)

Posted: 09 Sep 2010 02:07 PM

A new critical vulnerability has been discovered in Adobe Reader that can be exploited by malicious content. The vulnerability can crash the reader due to a stack buffer overflow bug, which then potentially allows an attacker to run malicious code on the user's computer. This vulnerability is reported to be widely exploited and the exploit has been added to Metasploit, so the severity is critical:

http://twitter.com/hdmoore/status/23982529312

Adobe Reader 9.3.4 and all earlier versions are affected, on Windows, Macintosh and Unix alike. The vulnerability stems from a missing buffer boundary check in the font parsing code in cooltype.dll. Adobe is currently evaluating the schedule for an update.

The sample has been detected by many antivirus products:

http://www.virustotal.com/file-scan/report.html?id=d55aa45223606db795d29ab9e341c1c703e5a2e26bd98402779f52b6c2e9da2b-1284031469

This sample checks the version of Adobe Reader and sprays different shellcodes for different versions. If it is not satisfied with the version number, it displays an alert: "Please update your PDF viewer software."

The exploit code in the vulnerable PDF file:

The shellcode then downloads a fake antivirus onto the user's computer:

http://www.virustotal.com/file-scan/report.html?id=d6d089fcbd886363cfbc23c237cab8d99d5033eff9f6a4a3eeb95e32f5b80113-1283836305

The security advisory from Adobe:

http://www.adobe.com/support/security/advisories/apsa10-02.html

We have verified that ACE protects against the samples we have seen so far.

Adobe PDF Zero-Day Exploit Discovered in the Wild

Wednesday September 8, 2010 at 1:55 pm CST
Posted by Xiao Chen


Just after Adobe released its out-of-band patch for CVE-2010-2862, we discovered malware exploiting a new 0-day vulnerability in the wild. Similar to the iOS PDF jailbreak vulnerability and CVE-2010-2862, this 0-day vulnerability also occurs while Adobe Reader is parsing TrueType fonts. We have analyzed and confirmed that the vulnerability affects the latest Adobe Reader (v9.3.4).

This 0-day vulnerability is a typical stack buffer overflow, and exploitation of this issue is expected to be relatively easy. Although the latest version of Adobe Reader has been compiled with stack protection (/GS), the exploit uses a return-oriented programming (ROP) technique to bypass /GS protection and DEP.

We saw a similar technique used to exploit an older Adobe TIFF parsing vulnerability. All this seems to point to the fact that ROP is gaining wider acceptance by malware writers to bypass DEP and existing stack protections.

McAfee Labs is coordinating with Adobe PSIRT currently and we’ve provided them with additional details on the bug. The Adobe team is actively working on this issue. There is no patch available at the time of writing this blog. Adobe Acrobat users are urged to update their security definitions for the various products.

McAfee protection to date:

  • McAfee Network Security Platform: Coverage provided under the signature 0x40293c00, UDS-HTTP: Adobe Reader Unspecified Buffer Overflow
  • DAT files: Coverage for known exploits provided in the 6099 DAT release under the signature Exploit-PDF.ps.gen
  • Host IPS: Generic Buffer Overflow protection provides partial coverage
  • FoundStone: The FSL package of September 8 includes a vulnerability check to assess if your systems are at risk

New Zero-Day Adobe Acrobat Vulnerability Exploited

Sep 9, 1:43 am (UTC-7) | by Jonathan Leopando (Technical Communications)

Adobe has issued a new security advisory concerning Adobe Acrobat, its line of PDF software. All current versions of Reader and Acrobat are known to be vulnerable, across all supported platforms: Windows and Mac for Acrobat, and Windows, Mac, and Unix for Reader. According to the advisory, an attacker could use the vulnerability "to take control of the affected system", meaning arbitrary code could be executed on user systems.

Trend Micro has already found malicious files that exploit this vulnerability. These are detected as TROJ_PIDIEF.WM. In turn, this file drops a downloader (TROJ_DLOADR.WM) which leads to another downloader, TROJ_CHIFRAX.BU. More PIDIEF variants that exploit this vulnerability are sure to be spotted in the next few days.

The URLs where TROJ_CHIFRAX.BU is located and downloads malware from are currently unavailable. Curiously, even though the website was registered under the .US top-level domain, WHOIS records indicate the registrant is in Hong Kong. In addition, the servers that actually host the site are located in Germany and the United States. This indicates that some effort was put into hiding the actual persons responsible for this attack.

In addition, the dropped malicious file is signed, much like the earlier Stuxnet malware. This time, the certificate of a legitimate American credit union was used:

Adobe has not stated when security updates will be made available, saying only that they are “evaluating the schedule” for a potential fix. They have advised their users to keep their anti-virus software updated to protect themselves until a fix is made available.

This is the second major zero-day vulnerability that Adobe has had to deal with in 2010. The first one, which affected both Acrobat and Flash, was discussed in the Malware Blog in the post Zero-Day Flash/Acrobat Exploit Seen in the Wild. The timeline of that particular incident–where a flaw revealed early in the month was fixed by the end of the month–suggests a fix will come in the next few weeks.

Trend Micro protects users from this attack via its Trend Micro Smart Protection Network™, which detects the malicious files currently exploiting this vulnerability and blocks the URLs related to this threat.

Read more: http://blog.trendmicro.com/new-zero-day-adobe-acrobat-vulnerability-exploited/#ixzz0z2nStpZK

Adobe Acrobat/Reader 0-day in Wild, Adobe Issues Advisory


Published: 2010-09-08,
Last Updated: 2010-09-08 18:03:06 UTC
by John Bambenek (Version: 1)

1 comment(s)

We just received word that there is a report of a 0-day exploit for Adobe Acrobat/Reader being exploited in the wild. Secunia has a brief write-up, and here is the link to the original advisory. The exploit was discovered in a phishing attempt with the subject "David Leadbetter's One Point Lesson". Adobe has issued an advisory and references CVE-2010-2883 (which just shows as reserved at this point with no details). It does affect the latest version of Acrobat/Reader, and Adobe is investigating a patch. More to come on that.

The exploit in the wild I'm aware of causes a crash in Acrobat/Reader and then tries to open a decoy file. So the good news is that, as of right now, it's a "loud exploit". Early VirusTotal scans also had partial coverage under various forms of "Suspicious PDF" categories. At this point, standard precautions apply (don't open PDFs from strangers), and this can probably only really be used in a phishing-style scenario. Will update this diary as needed with developments.

--
John Bambenek
bambenek at gmail /dot/ com

Microsoft EMETv2 released


Published: 2010-09-02,
Last Updated: 2010-09-02 19:00:45 UTC
by Daniel Wesemann (Version: 1)

0 comment(s)

Today, Microsoft released a new version of their "Enhanced Mitigation Experience Toolkit". A rather unwieldy name, but quite interesting technology: with EMET, legacy applications on OS versions as far back as Windows XP can now also be protected with Data Execution Prevention (DEP), Exception Handler Overwrite Protection (SEHOP) and more, and the application doesn't even have to be DEP-aware. If you have vulnerable legacy apps on Windows that you need to keep alive for a little while longer, I suggest taking a look at EMETv2.

Keywords: Microsoft
