Search results matching tags 'Internet Explorer' and 'Enterprise Applications'

Microsoft Security Bulletin Advance Notification for January 2010 - Issued: January 20, 2010

cmosby — Wed, 20 Jan 2010 05:00:00 GMT

********************************************************************

Microsoft Security Bulletin Advance Notification for January 2010

Issued: January 20, 2010

********************************************************************

This is an advance notification of one out-of-band security bulletin that Microsoft is intending to release on January 21, 2010.

The full version of the Microsoft Security Bulletin Advance Notification for January 2010 can be found at http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx.

This bulletin advance notification will be replaced with the January bulletin summary on January 21, 2010. The revised bulletin summary will include the out-of-band security bulletin, as well as the security bulletins already released on January 12, 2010.

For more information about the bulletin advance notification service, see http://www.microsoft.com/technet/security/Bulletin/advance.mspx.

To receive automatic notifications whenever Microsoft Security Bulletins are issued, subscribe to Microsoft Technical Security Notifications on http://www.microsoft.com/technet/security/bulletin/notify.mspx.

Microsoft will host a webcast to address customer questions on the out-of-band bulletin on January 21, 2010, at 1:00 PM Pacific Time (US & Canada). Register for the Security Bulletin Webcast at http://www.microsoft.com/technet/security/bulletin/summary.mspx.

Microsoft also provides information to help customers prioritize monthly security updates with any non-security, high-priority updates that are being released on the same day as the monthly security updates. Please see the section, Other Information.

This advance notification provides a number as the bulletin identifier, because the official Microsoft Security Bulletin numbers are not issued until release. The bulletin summary that replaces this advance notification will have the proper Microsoft Security Bulletin numbers (in the MSyy-xxx format) as the bulletin identifier. The security bulletins for this month are as follows, in order of severity:

Critical Security Bulletins

===========================

IE Bulletin

- Affected Software:

- Internet Explorer 5.01 Service Pack 4 when installed on

Microsoft Windows 2000 Service Pack 4

- Internet Explorer 6 Service Pack 1 when installed on

Microsoft Windows 2000 Service Pack 4

- Internet Explorer 6 for

Windows XP Service Pack 2 and

Windows XP Service Pack 3

- Internet Explorer 6 for

Windows XP Professional x64 Edition Service Pack 2

- Internet Explorer 6 for

Windows Server 2003 Service Pack 2

- Internet Explorer 6 for

Windows Server 2003 x64 Edition Service Pack 2

- Internet Explorer 6 for

Windows Server 2003 with SP2 for Itanium-based Systems

- Internet Explorer 7 for

Windows XP Service Pack 2 and

Windows XP Service Pack 3

- Internet Explorer 7 for

Windows XP Professional x64 Edition Service Pack 2

- Internet Explorer 7 for

Windows Server 2003 Service Pack 2

- Internet Explorer 7 for

Windows Server 2003 x64 Edition Service Pack 2

- Internet Explorer 7 for

Windows Server 2003 with SP2 for Itanium-based Systems

- Internet Explorer 7 in

Windows Vista,

Windows Vista Service Pack 1, and

Windows Vista Service Pack 2

- Internet Explorer 7 in

Windows Vista x64 Edition,

Windows Vista x64 Edition Service Pack 1, and

Windows Vista x64 Edition Service Pack 2

- Internet Explorer 7 in

Windows Server 2008 for 32-bit Systems and

Windows Server 2008 for 32-bit Systems Service Pack 2

(Windows Server 2008 Server Core installation not affected)

- Internet Explorer 7 in

Windows Server 2008 for x64-based Systems and

Windows Server 2008 for x64-based Systems Service Pack 2

(Windows Server 2008 Server Core installation not affected)

- Internet Explorer 7 in

Windows Server 2008 for Itanium-based Systems and

Windows Server 2008 for Itanium-based Systems Service Pack 2

- Internet Explorer 8 for

Windows XP Service Pack 2 and

Windows XP Service Pack 3

- Internet Explorer 8 for

Windows XP Professional x64 Edition Service Pack 2

- Internet Explorer 8 for

Windows Server 2003 Service Pack 2

- Internet Explorer 8 for

Windows Server 2003 x64 Edition Service Pack 2

- Internet Explorer 8 in

Windows Vista,

Windows Vista Service Pack 1, and

Windows Vista Service Pack 2

- Internet Explorer 8 in

Windows Vista x64 Edition,

Windows Vista x64 Edition Service Pack 1, and

Windows Vista x64 Edition Service Pack 2

- Internet Explorer 8 in

Windows Server 2008 for 32-bit Systems and

Windows Server 2008 for 32-bit Systems Service Pack 2

(Windows Server 2008 Server Core installation not affected)

- Internet Explorer 8 in

Windows Server 2008 for x64-based Systems and

Windows Server 2008 for x64-based Systems Service Pack 2

(Windows Server 2008 Server Core installation not affected)

- Internet Explorer 8 in

Windows Server 2008 for Itanium-based Systems and

Windows Server 2008 for Itanium-based Systems Service Pack 2

- Internet Explorer 8 in

Windows 7 for 32-bit Systems

- Internet Explorer 8 in

Windows 7 for x64-based Systems

- Internet Explorer 8 in

Windows Server 2008 R2 for x64-based Systems

(Windows Server 2008 Server Core installation not affected)

- Internet Explorer 8 in

Windows Server 2008 R2 for Itanium-based Systems

- Impact: Remote Code Execution

- Version Number: 1.0

Microsoft Announces Out-of-Band Security Bulletin for the IE Vulnerability – SANS Internet Storm Center

cmosby — Wed, 20 Jan 2010 05:00:00 GMT

Microsoft Announces Out-of-Band Security Bulletin for the IE Vulnerability

Share |

Published: 2010-01-20,
Last Updated: 2010-01-20 22:03:06 UTC
by Lenny Zeltser (Version: 2)

0 comment(s)

Microsoft posted "an advance notification of one out-of-band security bulletin that Microsoft is intending to release on January 21, 2010. The bulletin will be for Internet Explorer to address limited attacks against customers of Internet Explorer 6, as well as fixes for vulnerabilities rated Critical that are not currently under active attack."

For details, see:

http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx

Update:

Microsoft also posted a comprehensive overview of the exploits that target this vulnerability. See:

http://blogs.technet.com/srd/archive/2010/01/20/reports-of-dep-being-bypassed.aspx

-- Lenny

Lenny Zeltser - Security Consulting

Reports of DEP being bypassed – Microsoft Security Research & Defense

cmosby — Wed, 20 Jan 2010 05:00:00 GMT

Reports of DEP being bypassed

Yesterday we heard reports of a commercially available exploit that bypasses DEP. This exploit was made available to a limited number of major security vendors (Antivirus, IDS, and IPS vendors) and government CERT agencies. We wanted to use this opportunity to give an overview of current customer risk related to this DEP bypass.

Real-world attacks so far still only effective against Internet Explorer 6

We have seen an increase in attacks attempting to exploit the vulnerability detailed in Security Advisory 979352. However, all attacks we have seen so far still target Internet Explorer 6 - this is also confirmed by the attack samples our Microsoft Active Protections Program (MAPP) partners have sent in.

While we have not seen real-world attacks for any other platform, we have seen researchers poking at other platforms and have seen the following:

Private proof-of-concept code exploiting IE7 on Windows XP for arbitrary code execution
Private proof-of-concept code exploiting IE7 on Windows Vista without DEP enabled for code execution within the Protected Mode sandbox. We are not aware of any proof-of-concept code exploiting Windows Vista with DEP enabled.
Commercial, limited distribution proof-of-concept code exploiting IE8 on Windows XP with DEP enabled for arbitrary code execution.

State-of-the-art of attacker research on various platforms

Here’s the current state-of-the-art on each platform:

	Windows XP	Windows Vista	Windows 7
IE 6	Public exploit code consistently reliable for arbitrary code execution	N/A	N/A
IE 7	Private proof-of-concept is likely consistently reliable for arbitrary code execution	Private proof-of-concept is likely consistently reliable for limited code execution within the Protected Mode sandbox.	N/A
IE 8	In our testing, the commercially-available, limited distribution exploit results in code execution about one in three attempts. For two in three attempts, it results in an Internet Explorer crash.	No known proof-of-concept code. Current exploits modified for use on Windows Vista would likely be effective for limited code execution within the Protected Mode sandbox on less than 1% (1/256 + 1/255 + 1/254) of exploit attempts. It would result in an Internet Explorer crash for 99% of exploit attempts. Exploits are substantially less reliable due to the presence of ASLR on Windows Vista.	No known proof-of-concept code. Current exploits modified for use on Windows 7 would likely be effectively for limited code execution within the Protected Mode sandbox on less than 1% (1/256 + 1/255 + 1/254) of exploit attempts. It would result in an Internet Explorer crash for 99% of exploit attempts. Exploits are substantially less reliable due to the presence of ASLR on Windows 7.

Other mitigations (besides DEP)

We have discussed DEP at length in this blog. As you can see in the table above, two other mitigations help prevent or limit the impact of attacks on later platforms.

Internet Explorer Protected Mode limits the impact of Windows Vista and Windows 7 exploits. Attackers who are able to successfully exploit Internet Explorer on those platforms are stuck in a “sandbox”, potentially able to read data but unable to install programs or change system configuration.
Address Space Layout Randomization (ASLR) makes exploiting vulnerabilities more difficult by relocating normally-predictable code locations pseudo-randomly in memory. ASLR re-bases DLL’s to random locations in memory, making ret2libc type attacks unreliable. Due to ASLR we believe exploits for Internet Explorer 8 on Windows Vista or Windows 7 could result in limited code execution for less than 1% of attempts.

Out-of-band update coming tomorrow

We’ll be releasing a comprehensive, well-tested security update tomorrow morning PST to address this vulnerability. In the meantime, we hope this information helps you assess risk and protect your environment.

Acknowledgements

Thanks Matt Miller and John Lambert for help with the ASLR arithmetic and other feedback.

- Jonathan Ness, MSRC Engineering

*Posting is provided "AS IS" with no warranties, and confers no rights.*

Reports of DEP being bypassed – Microsoft Security Research & Defense

cmosby — Wed, 20 Jan 2010 05:00:00 GMT

Reports of DEP being bypassed

Real-world attacks so far still only effective against Internet Explorer 6

While we have not seen real-world attacks for any other platform, we have seen researchers poking at other platforms and have seen the following:

Private proof-of-concept code exploiting IE7 on Windows XP for arbitrary code execution
Private proof-of-concept code exploiting IE7 on Windows Vista without DEP enabled for code execution within the Protected Mode sandbox. We are not aware of any proof-of-concept code exploiting Windows Vista with DEP enabled.
Commercial, limited distribution proof-of-concept code exploiting IE8 on Windows XP with DEP enabled for arbitrary code execution.

State-of-the-art of attacker research on various platforms

Here’s the current state-of-the-art on each platform:

	Windows XP	Windows Vista	Windows 7
IE 6	Public exploit code consistently reliable for arbitrary code execution	N/A	N/A
IE 7	Private proof-of-concept is likely consistently reliable for arbitrary code execution	Private proof-of-concept is likely consistently reliable for limited code execution within the Protected Mode sandbox.	N/A
IE 8	In our testing, the commercially-available, limited distribution exploit results in code execution about one in three attempts. For two in three attempts, it results in an Internet Explorer crash.	No known proof-of-concept code. Current exploits modified for use on Windows Vista would likely be effective for limited code execution within the Protected Mode sandbox on less than 1% (1/256 + 1/255 + 1/254) of exploit attempts. It would result in an Internet Explorer crash for 99% of exploit attempts. Exploits are substantially less reliable due to the presence of ASLR on Windows Vista.	No known proof-of-concept code. Current exploits modified for use on Windows 7 would likely be effectively for limited code execution within the Protected Mode sandbox on less than 1% (1/256 + 1/255 + 1/254) of exploit attempts. It would result in an Internet Explorer crash for 99% of exploit attempts. Exploits are substantially less reliable due to the presence of ASLR on Windows 7.

Other mitigations (besides DEP)

We have discussed DEP at length in this blog. As you can see in the table above, two other mitigations help prevent or limit the impact of attacks on later platforms.

Internet Explorer Protected Mode limits the impact of Windows Vista and Windows 7 exploits. Attackers who are able to successfully exploit Internet Explorer on those platforms are stuck in a “sandbox”, potentially able to read data but unable to install programs or change system configuration.
Address Space Layout Randomization (ASLR) makes exploiting vulnerabilities more difficult by relocating normally-predictable code locations pseudo-randomly in memory. ASLR re-bases DLL’s to random locations in memory, making ret2libc type attacks unreliable. Due to ASLR we believe exploits for Internet Explorer 8 on Windows Vista or Windows 7 could result in limited code execution for less than 1% of attempts.

Out-of-band update coming tomorrow

Acknowledgements

Thanks Matt Miller and John Lambert for help with the ASLR arithmetic and other feedback.

- Jonathan Ness, MSRC Engineering

*Posting is provided "AS IS" with no warranties, and confers no rights.*

Microsoft Announces Out-of-Band Security Bulletin for the IE Vulnerability – SANS Internet Storm Center

cmosby — Wed, 20 Jan 2010 05:00:00 GMT

Microsoft Announces Out-of-Band Security Bulletin for the IE Vulnerability

Share |

Published: 2010-01-20,
Last Updated: 2010-01-20 22:03:06 UTC
by Lenny Zeltser (Version: 2)

0 comment(s)

For details, see:

http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx

Update:

Microsoft also posted a comprehensive overview of the exploits that target this vulnerability. See:

http://blogs.technet.com/srd/archive/2010/01/20/reports-of-dep-being-bypassed.aspx

-- Lenny

Lenny Zeltser - Security Consulting

Microsoft Security Bulletin Advance Notification for January 2010 - Issued: January 20, 2010

cmosby — Wed, 20 Jan 2010 05:00:00 GMT

********************************************************************

Microsoft Security Bulletin Advance Notification for January 2010

Issued: January 20, 2010

********************************************************************

This is an advance notification of one out-of-band security bulletin that Microsoft is intending to release on January 21, 2010.

The full version of the Microsoft Security Bulletin Advance Notification for January 2010 can be found at http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx.

For more information about the bulletin advance notification service, see http://www.microsoft.com/technet/security/Bulletin/advance.mspx.

Critical Security Bulletins

===========================

IE Bulletin

- Affected Software:

- Internet Explorer 5.01 Service Pack 4 when installed on

Microsoft Windows 2000 Service Pack 4

- Internet Explorer 6 Service Pack 1 when installed on

Microsoft Windows 2000 Service Pack 4

- Internet Explorer 6 for

Windows XP Service Pack 2 and

Windows XP Service Pack 3

- Internet Explorer 6 for

Windows XP Professional x64 Edition Service Pack 2

- Internet Explorer 6 for

Windows Server 2003 Service Pack 2

- Internet Explorer 6 for

Windows Server 2003 x64 Edition Service Pack 2

- Internet Explorer 6 for

Windows Server 2003 with SP2 for Itanium-based Systems

- Internet Explorer 7 for

Windows XP Service Pack 2 and

Windows XP Service Pack 3

- Internet Explorer 7 for

Windows XP Professional x64 Edition Service Pack 2

- Internet Explorer 7 for

Windows Server 2003 Service Pack 2

- Internet Explorer 7 for

Windows Server 2003 x64 Edition Service Pack 2

- Internet Explorer 7 for

Windows Server 2003 with SP2 for Itanium-based Systems

- Internet Explorer 7 in

Windows Vista,

Windows Vista Service Pack 1, and

Windows Vista Service Pack 2

- Internet Explorer 7 in

Windows Vista x64 Edition,

Windows Vista x64 Edition Service Pack 1, and

Windows Vista x64 Edition Service Pack 2

- Internet Explorer 7 in

Windows Server 2008 for 32-bit Systems and

Windows Server 2008 for 32-bit Systems Service Pack 2

(Windows Server 2008 Server Core installation not affected)

- Internet Explorer 7 in

Windows Server 2008 for x64-based Systems and

Windows Server 2008 for x64-based Systems Service Pack 2

(Windows Server 2008 Server Core installation not affected)

- Internet Explorer 7 in

Windows Server 2008 for Itanium-based Systems and

Windows Server 2008 for Itanium-based Systems Service Pack 2

- Internet Explorer 8 for

Windows XP Service Pack 2 and

Windows XP Service Pack 3

- Internet Explorer 8 for

Windows XP Professional x64 Edition Service Pack 2

- Internet Explorer 8 for

Windows Server 2003 Service Pack 2

- Internet Explorer 8 for

Windows Server 2003 x64 Edition Service Pack 2

- Internet Explorer 8 in

Windows Vista,

Windows Vista Service Pack 1, and

Windows Vista Service Pack 2

- Internet Explorer 8 in

Windows Vista x64 Edition,

Windows Vista x64 Edition Service Pack 1, and

Windows Vista x64 Edition Service Pack 2

- Internet Explorer 8 in

Windows Server 2008 for 32-bit Systems and

Windows Server 2008 for 32-bit Systems Service Pack 2

(Windows Server 2008 Server Core installation not affected)

- Internet Explorer 8 in

Windows Server 2008 for x64-based Systems and

Windows Server 2008 for x64-based Systems Service Pack 2

(Windows Server 2008 Server Core installation not affected)

- Internet Explorer 8 in

Windows Server 2008 for Itanium-based Systems and

Windows Server 2008 for Itanium-based Systems Service Pack 2

- Internet Explorer 8 in

Windows 7 for 32-bit Systems

- Internet Explorer 8 in

Windows 7 for x64-based Systems

- Internet Explorer 8 in

Windows Server 2008 R2 for x64-based Systems

(Windows Server 2008 Server Core installation not affected)

- Internet Explorer 8 in

Windows Server 2008 R2 for Itanium-based Systems

- Impact: Remote Code Execution

- Version Number: 1.0

Microsoft Security Advisory Notification - Issued: January 14, 2010

cmosby — Fri, 15 Jan 2010 05:00:00 GMT

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: January 14, 2010

********************************************************************

Security Advisory Released Today

==============================================

* Microsoft Security Advisory (979352)

- Title: Vulnerability in Internet Explorer Could

Allow Remote Code Execution

- http://www.microsoft.com/technet/security/advisory/979352.mspx

- Revision Note: Advisory published.

0-day vulnerability in Internet Explorer 6, 7 and 8 - SANS Internet Storm Center

cmosby — Fri, 15 Jan 2010 05:00:00 GMT

0-day vulnerability in Internet Explorer 6, 7 and 8

Published: 2010-01-14,
Last Updated: 2010-01-14 22:19:56 UTC
by Bojan Zdrnja (Version: 1)

1 comment(s)

Microsoft just published an advisory about a critical security vulnerability in all versions of Internet Explorer (apart from 5 – but no one has that around anymore, right?).

While all versions of Internet Explorer are affected, the risk for everyone running Internet Explorer 8 is lower since it has DEP (Data Execution Prevention) enabled by default. DEP makes exploitation of this vulnerability more difficult so as a temporary workaround you might want to enable it for older IEs (keep in mind that it might break some add-ons).

Microsoft says that so far they only saw exploits against Internet Explorer 6. In a related post (here) McAfee said that this vulnerability was (one of those) used to compromise Google. So, it appears that it was maybe even a cocktail of 0-day exploits used (IE + Adobe).

0-day vulnerability in Internet Explorer 6, 7 and 8 - SANS Internet Storm Center

cmosby — Fri, 15 Jan 2010 05:00:00 GMT

0-day vulnerability in Internet Explorer 6, 7 and 8

Published: 2010-01-14,
Last Updated: 2010-01-14 22:19:56 UTC
by Bojan Zdrnja (Version: 1)

1 comment(s)

Microsoft Security Advisory Notification - Issued: January 14, 2010

cmosby — Fri, 15 Jan 2010 05:00:00 GMT

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: January 14, 2010

********************************************************************

Security Advisory Released Today

==============================================

* Microsoft Security Advisory (979352)

- Title: Vulnerability in Internet Explorer Could

Allow Remote Code Execution

- http://www.microsoft.com/technet/security/advisory/979352.mspx

- Revision Note: Advisory published.