Microsoft Announces out of cycle Security Update schedule
Microsoft issued their Advanced Notification Service (ANS) notification to inform customers of the impending release of MS10-002 on January 21st, 2010. The update will be cumulative, in advance of the normal February release Cycle, and is intended to protect customers from the known, widely publicized attacks associated with Security Advisory 979352. Customers should apply this update as soon as possible. The update will also be sent through the Automatic update mechanism.
http://blogs.technet.com/msrc/archive/2010/01/20/advance-notification-for-out-of-band-bulletin-release.aspx
http://blogs.technet.com/msrc/archive/2010/01/19/security-advisory-979352-going-out-of-band.aspx
Additional Technical Detail
Data Execution Prevention (DEP) Bypass
There is a report of a new exploit that bypasses Data Execution Prevention (DEP). We have analyzed the Proof-of-Concept (POC) exploit code and have found that Windows Vista and later versions of Windows offer more effective protections in blocking the exploit due to the improved security protection offered by Address Space Layout Randomization (ASLR). Windows XP does not currently benefit from ASLR and will be more susceptible.
Additional details on the DEP bypass exploit are provided in a Security Research and Defense Blog published today.
http://blogs.technet.com/srd/archive/2010/01/20/reports-of-dep-being-bypassed.aspx
Microsoft E-Mail Products That Render using mshtml.dll Protected by Default
There have been reports that supported versions of Outlook, Outlook Express and Windows Live Mail are affected by the vulnerability in Security Advisory 979352.
For customers using the default configuration of all supported versions of Outlook, Outlook Express and Windows Live Mail the risk of exploit using Outlook as an attack vector is low. We are unaware of active exploit against supported versions of Outlook, Outlook Express or Windows Live. If customers have modified their default configuration to not run in Restricted sites zone, their environments will be in a less secure, more vulnerable, state.
Please review the announcement described above for more detail.
Office Applications with Active Scripting Enabled Potentially Vulnerable
Microsoft indicates that an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file is a potentially exploitable vulnerability. Customers would have to open a malicious file to be at risk of exploitation, and Microsoft recommends disabling ActiveX Controls in Microsoft Office.
Live Briefing
On Thursday, January 21 at 1:00 p.m. PST (UTC – 8) Microsoft will host a public webcast where information on the bulletin will be presented.
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032440627
Original . . .
Yesterday we updated the assessment to reflect an impending out of cycle security update from Microsoft which will address the 0-day Microsoft Internet Explorer vulnerability highlighted in recent assessments. The update is announced in an MSRC blog posting, and timing for the release is expected to be explained today. The threat level remains at AlertCon 2 while we continue to encurage review of Microsoft Security Advisory for workaround information and X-Force Protection Alert for associated IBM product coverage.
http://blogs.technet.com/msrc/archive/2010/01/19/security-advisory-979352-going-out-of-band.aspx
https://portal.mss.iss.net/mss/xftas/alertAdvisory/details.mss?alertAdvisoryId=3382
http://www.microsoft.com/technet/security/advisory/979352.mspx
Shortly after the blog posting from MSRC appeared, a new posting on Neohapsis [Full Disclosure] began to be discussed. The posting explains how a restricted Windows user can exploit the Virtual DOS Machine (VDM) to gain command access in the system context (Ring 0). Microsoft was notified of the flaw in June 2009, but there currently is no patch. Exploit code that functions under Windows XP, 2003 Server, 2008 Server, Vista, and Windows 7 has been made available, and has been confirmed to function as described.
Mitigation steps requiring the Group Policy Editor for Windows 2003 Server systems are included in the Neohapsis article. For those systems that do not include the GPE the heise security team has provided instructions for a registry hack that should work until a patch is available.
http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html
http://www.h-online.com/security/news/item/Windows-hole-discovered-after-17-years-Update-908917.html
Apple Computer released their Security Update 2010-001 yesterday. The update addresses several multi-media applications, as well as printer handling, and a patch to suppress renegotiation in OpenSSL while the IETF works out final changes to the renegotiation protocol. The multi-media flaws relate to MP4, TIFF, and RAW(DNG) files, as well as multiple patches to the Adobe Flash player plug-in.
http://support.apple.com/kb/HT4004
Adobe has released an update for critical vulnerabilities in Adobe Shockwave Player 11.5.2.602 and earlier versions, on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits the vulnerabilities, to run malicious code on the affected system. Adobe has provided a solution for the reported vulnerabilities. It is recommended that users update their installations to the latest version.
http://www.adobe.com/support/security/bulletins/apsb10-03.html
Additionally, the Internet Systems Consortium (ISC) announced the release of the BIND 9.6.1-P3 security patch to address two cache poisoning vulnerabilities, both of which could allow a validating recursive nameserver to cache data which had not been authenticated or was invalid. This patch targets nameservers that have DNSSEC validation enabled, which could potentially provide responses from unauthenticated records within the cache.
http://isc.sans.org/diary.html?storyid=8029
0 Comments.