Προς το περιεχόμενο

0 day Ενημερωσεις ασφαλειας για τα δικτυα και τους υπολογιστες

Predatorkill

Από τον Predatorkill
στο Powerlines, Access Points και Δίκτυα

Προτεινόμενες αναρτήσεις

Predatorkill Grand Master

Predatorkill

Δημοσ.
Δημοσ.

Οντως κατοχος ενος Firewall της Watchguard μου δινεται η δυνατοτητα να λαμβανω 0(zero) day emails οπου αναλυονται ακριβως τρυπες ασφαλειας λειτουργικων συστηματων και του διαδικτυου γενικοτερα. Αποφασισα σημερα να ποσταρω εδω το email ακριβως οπως μου ερχεται, δινει πολλες πληροφοριες για τις προδιαγραφες των προβληματων ασφαλειας καθως και τροπο αντιμετωπισης.

 

Οποτε λαμβανω τετοια emails θα τα ποσταρω κατευθειαν εδω με τη πρωτη ευκαιρια.

 

Ξεκιναμε λοιπον:

 

 

 

Fourteen Office Vulnerabilities; Most Critical

Severity: High

 

12 August, 2008

 

Summary:

 

* These vulnerabilities affect: Most current versions of Microsoft Office for Windows, and in some cases for Mac (and some other Office-related programs)

* How an attacker exploits them: Multiple vectors of attack, including enticing your users into opening maliciously crafted Office documents, or visiting a malicious web site

* Impact: An attacker can execute code, potentially gaining complete control of your computer

* What to do: Install the appropriate Office or Office-related patches immediately

 

Exposure:

 

Today, Microsoft released five security bulletins describing a fourteen vulnerabilities found in components or programs that ship with Microsoft Office for Windows, and in some cases Office for Mac. Some of the vulnerabilities also affect Microsoft Works, Project, and SharePoint Server. Each vulnerability affects different versions of Office to a different extent.

 

The flaws affect different components and applications within Office, but the result is always the same. Either by enticing one of your users to download and view a specially crafted Office document, or by luring one of your users to a malicious web page, an attacker can exploit these vulnerabilities to execute code on the victim's computer, usually inheriting that user's level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the victim's machine.

 

An attacker can exploit many of these flaws using just about any kind of Office document. While three of Microsoft's bulletins specifically mention Excel (.xls and xlsx), Word (.doc), and PowerPoint (.ppt) files, another bulletin mentions malicious image files that an attacker could embed into many types of Office documents, as well as emails and web sites. So, beware of all unexpected Office documents.

 

If you'd like to learn more about each individual flaw, drill into the "Vulnerability Details" section of the security bulletins listed below:

 

* MS08-041: Access Snapshot Viewer ActiveX control vulnerability. The Snapshot Viewer ActiveX control is an Access component that ships with Office and allows you to view Access report snapshots without having the main Access program installed. The control suffers from an unspecified vulnerability having to do with a synchronization issue when saving files. By enticing one of your users to a malicious web site that leverages the flawed ActiveX control, an attacker could exploit this vulnerability to execute code on that user's machine, and possibly gain control of it. -- Microsoft rating: Critical.

 

* MS08-042: Word record parsing vulnerability. This bulletin describes a vulnerability in how Word parses maliciously crafted documents. By luring one of your users into downloading and opening a malicious Word document, an attacker could exploit this flaw to execute code, potentially gaining complete control of that user's computer. -- Microsoft rating: Important.

 

* MS08-043: Multiple Excel vulnerabilities. This bulletin describes four vulnerabilities involving how Excel handles maliciously crafted Excel documents. By tricking one of your users into downloading and opening an Excel document, an attacker could exploit most of these flaws to execute code, potentially gaining complete control of that user's computer. -- Microsoft rating: Critical.

 

* MS08-044: Multiple Office filter vulnerabilities. This bulletin describes five vulnerabilities involving how the Office filter handles various image files, including BMPs, WPGs, PICTs, and EPS files. By tricking one of your users into downloading a maliciously crafted image and opening it in Office, an attacker could exploit any of these flaws to execute code, potentially gaining complete control of that user's computer. The attacker could also host this sort of malicious image on a web site, or even embed it into an Office document. -- Microsoft rating: Critical.

 

* MS08-051: Multiple PowerPoint vulnerabilities. This bulletin describes three vulnerabilities involving how PowerPoint handles maliciously crafted PowerPoint documents. By enticing one of your users into downloading and opening such a PowerPoint presentation, an attacker could exploit these flaws to execute code, potentially gaining complete control of that user's computer. -- Microsoft rating: Critical.

Predatorkill Grand Master

Predatorkill

Δημοσ.
  • Μέλος
Δημοσ.

Bad Memory Gives Internet Explorer Security Trouble

Severity: High

 

12 August, 2008

 

Summary:

 

* This vulnerability affects: Internet Explorer 7 and earlier versions

* How an attacker exploits it: By enticing one of your users to visit a malicious Web page

* Impact: In the worst case, the attacker can execute code on your user's computer, gaining complete control of it

* What to do: Deploy the appropriate Internet Explorer patches immediately

 

Exposure:

 

In a security bulletin released today as part of its monthly patch update, Microsoft describes five vulnerabilities in Internet Explorer (IE) versions 5.01, 6.0, and 7.0. Though they differ technically, all five vulnerabilities share the same general characteristics: IE doesn't properly handle certain HTML objects or components, which causes memory corruption. By luring one of your users into visiting a maliciously crafted Web page, an attacker can exploit one of these memory corruption vulnerabilities to execute code on that user's computer, inheriting that user's privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could gain complete control of the victim's computer.

 

In addition to fixing these five newly announced flaws, today's Internet Explorer patch also fixes all previously known flaws.

Predatorkill Grand Master

Predatorkill

Δημοσ.
  • Μέλος
Δημοσ.

Five Windows Updates, Only One Critical

Severity: High

 

12 August, 2008

 

Summary:

 

* These vulnerabilities affect: All current versions of Windows

* How an attacker exploits them: Multiple vectors of attack, including enticing your users into downloading and viewing malicious images or sending specially crafted packets

* Impact: Various results; in the worst case, attacker can gain complete control of your Windows computer

* What to do: Install the appropriate Microsoft patches immediately

 

Exposure:

 

Today, Microsoft released five security bulletins describing vulnerabilities that affect Windows and components shipping with it. Each vulnerability affects different versions of Windows to a different extent. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PCs. The summary below lists the vulnerabilities in order from highest to lowest severity.

 

MS08-046: Microsoft Image Color Management (ICM) Buffer Overflow vulnerability

 

Image Color Management (ICM) is a Windows component that uses data in ICC profiles to perform color translation operations. ICM suffers from a buffer overflow vulnerability. By tricking one of your users into opening a maliciously crafted image file, which he could host on a web site, an attacker might exploit this vulnerability to execute code on that user's computer, inheriting that user's privileges. Typically, Windows users have local administrative privileges, in which case the attacker could gain complete control of the victim's computer.

Microsoft rating: Critical.

 

MS08-049: Two Event System Code Execution Vulnerabilities

 

Event System is a Windows service that manages the event logs which different applications send to the Windows operating system (you can view these logs with Event Viewer). The Event System suffers from two vulnerabilities involving its inability to properly parse specially malformed event requests or subscriptions. By creating an application that sends such event requests to the Event System, an attacker could exploit either flaw to gain complete control of Windows PCs. However, the attacker would need valid login credentials and access to a victim's machine in order to run his malicious program.

Microsoft rating: Important.

 

MS08-048: Outlook Express and Windows Mail Cross-Domain Information Disclosure Vulnerability

 

Outlook Express (OE) and Windows Mail are the email clients that ship with different versions of Windows. Both clients suffer from a Cross-Domain information disclosure vulnerability (similar to a Cross-Site Scripting attack) due to the way their protocol handlers interpret MHTML URL redirections. While the vulnerability lies within OE and Mail, an attacker triggers it via Internet Explorer (IE). By luring one of your users to a malicious web page, an attacker could exploit this vulnerability to read data from another Internet Explorer security domain, or even the local computer.

Microsoft rating: Important.

 

MS08-050: Windows Messenger Information Disclosure Vulnerability

 

Windows Messenger is the instant messaging (IM) client that ships with Windows. According to Microsoft, Messenger ships with an ActiveX control that is marked safe for scripting, which means web sites can runs scripts using this control. Unfortunately, this leads to an information disclosure vulnerability. By enticing one of your users into visiting a malicious web page, an attacker could exploit this vulnerability to gain control of that user's Messenger chat client. The attacker could capture your user's Messenger login ID, gain access to all of his or her contacts, and even launch new audio and video chat sessions without your user's knowledge. However, security features in both IE and Windows 2003 mitigate the risk of this sort of attack to some degree.

Microsoft rating: Important.

 

MS08-047: IPSec Information Disclosure Vulnerability

 

IPsec is a security encryption protocol that allows you to make Virtual Private Network tunnels (VPN) to security your communications over a network. Windows ships with IPsec services. If an attacker could sniff your local network traffic, he might be able to modify an IPsec policy when it's transmitted over your local network to other computers. For instance, he could modify the policy so that it doesn't encrypt VPN traffic. However, the IPsec policy in question is typically transmitted over the network with encryption. The attacker could only exploit this issue if he had administrative access to your domain controller, or you unknowingly misconfigured your IPsec rule set to cause information to be transmitted in the clear. In short, many mitigating circumstances around this vulnerability significantly lower its risk.

Microsoft rating: Important.

  • 4 εβδομάδες αργότερα...
Predatorkill Grand Master

Predatorkill

Δημοσ.
  • Μέλος
Δημοσ.

Windows GDI+ Vulnerability Affects Many MS Products

Severity: High

 

9 September, 2008

 

Summary:

 

* These vulnerabilities affect: Recent versions of Windows and many other Microsoft products (see "Exposure" section for full details)

* How an attacker exploits them: By enticing your users into viewing malicious images or graphical content, including content hosted on a malicious Web site

* Impact: Remote attacker can execute code, potentially gaining complete control of your computers

* What to do: Install the appropriate Microsoft patches immediately

 

Exposure:

 

Today, Microsoft released a security bulletin describing five vulnerabilities that affect the Graphical Device Interface (GDI+), one of the core Windows subsystems responsible for outputting graphical objects to your monitor or printer. Since it's such an essential subsystem, the GDI+ component resides in many other Microsoft products as well. For that reason, these vulnerabilities also affect the following products to some extent:

 

* Internet Explorer

* Office

* Visio

* Works

* .NET Framework

* Digital Image Suite

* SQL Server

* Visual Studio

* Report Viewer

* Visual FoxPro

* Forefront Client Security

 

While the five vulnerabilities differ technically, they all involve flaws in the way GDI+ handles different types of images or graphic objects, and all have the same result. By tricking one of your users into viewing a specially crafted image, or malicious web site containing booby-trapped graphical content, an attacker could exploit any of these flaws to execute code on that user's computer, with the user's privileges. If your users have local administrator privileges, an attacker could leverage these flaws to gain complete control of their Windows machines.

 

The primary difference of note between these flaws has to do with which graphic files the attacker can use to exploit them. The potentially dangerous images and graphic objects that could trigger these flaws include:

 

* BMP images (.bmp)

* GIF images (.gif)

* EMF images (.emf)

* WMF images (.wmf)

* VML graphical objects

 

These flaws pose a very serious risk and affect quite a menagerie of Microsoft software. You should apply the patches immediately.

 

Στο επισυναπτομενο αρχειο αφου το αποσυμπιεσετε θα βρειτε το αρχειο links.html και περιλαμβανει απευθειας links για τα patches. Ειναι παρα πολλα για να τα βαλω με το χερι.

links.zip

Predatorkill Grand Master

Predatorkill

Δημοσ.
  • Μέλος
Δημοσ.

Apple's Nine QuickTime Flaws Affect OS X and Windows

Severity: Medium

 

9 September, 2008

 

Summary:

 

* These vulnerabilities affect: OS X 10.4.x (Tiger) and OS X 10.5.x (Leopard), Windows XP, and Windows Vista

* How an attacker exploits them: By getting your user to view a maliciously-crafted movie, PICT, or QuickTime Virtual Reality (QTVR) file

* Impact: Various results; in the worst case, an attacker could execute code on your user's computer, potentially gaining control of it

* What to do: Download, test and deploy QuickTime 7.5.5 for Windows or OS X

 

Exposure:

 

Today, Apple released a security update to fix vulnerabilities in QuickTime, their popular media player for both Windows and Macintosh OS X. The update fixes nine security issues (number based on CVE-IDs) present in how QuickTime processes certain file types. Only some of these nine vulnerabilities exploit file types that are in wide use by typical users, and we are not aware of exploits currently active in the wild, so we rate the severity of this update Medium. Apply it at your earliest convenience. The fixed vulnerabilities include:

 

* Security flaws in how QuickTime handles movie files. By luring one of your users into viewing a maliciously crafted movie file, an attacker can exploit either of two QuickTime flaws to execute code on that user's computer (or, less worrisome, crash QuickTime). Some of the files susceptible to this attack would be formatted as H.264 (typically arrives as a .MOV file), MPEG-4 Part 10 (the format used on Blu-Ray and HD-DVD files), or MPEG-4 AVC files (the format used by many consumer-grade camcorders and on iPod and PlayStation3). These vulnerabilities can be exploited on Windows and OS X computers.

 

* Flaws in how QuickTime handles PICT images. PICT is a graphical image file format that still enjoys some use, but has largely been replaced by PDFs. An attacker can craft a malicious PICT file that is designed to exploit any of three different errors in how QuickTime opens PICT. If a user opened the booby-trapped file, the results could either crash QuickTime or execute the attacker's code on the victim's computer. These flaws affect both Windows and OS X.

 

Apple's alert also describes flaws in handling QuickTime Virtual Reality (QTVR) files. QTVR essentially stitches photos together to give the impression of a 360-degree view. You might see it in use, for example, on a web site that shows what the inside of a hotel room looks like. It is not used by the vast majority of our subscribers, so we'll spare you the details (although you can get them in Apple's advisory). Apple also mentions flaws in QuickTime's handling of a codec called Indeo. Indeo is just another way of creating .MOV files.

 

Solution Path:

 

Apple has released QuickTime 7.5.5 to fix these security issues. Windows and OS X administrators should download, test, and deploy the appropriate update at their earliest convenience. By default, the download bundles iTunes with QuickTime; because iTunes often has security issues of its own, we recommend that you select the option of downloading QuickTime alone.

Predatorkill Grand Master

Predatorkill

Δημοσ.
  • Μέλος
Δημοσ.

Microsoft Office OneNote Vulnerability Allows Code Execution

Severity: High

 

9 September, 2008

 

Summary:

 

* These vulnerabilities affect: Current versions of Microsoft Office for Windows (not for Mac)

* How an attacker exploits them: By enticing one of your users to click a malicious link

* Impact: An attacker can execute code, potentially gaining complete control of your computer

* What to do: Install the appropriate Office patches immediately

 

Exposure:

 

Today, Microsoft released a security bulletin describing a vulnerability in the Office OneNote component that ships with current versions of Microsoft Office. OneNote is a digital notebook that allows you to gather all your notes in one place for easy management, searchability, and corroboration. According to Microsoft, OneNote suffers from an unspecified "validation error" involving the way it handles specially crafted links containing the "onefile://" URI. By enticing one of your users to click on such a link, an attacker can exploit this flaw to execute code on that user's computer, with that user's privileges. Like most Windows flaws, if your user has administrative rights, the attacker can leverage this attack to totally take over that user's machine.

 

Solution Path

 

Microsoft has released patches for Office to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.

 

Κατεβαστε το αρχειο για να παρετε τα απ'ευθειας links για τα patches

links2.zip

  • 11 μήνες μετά...
Predatorkill Grand Master

Predatorkill

Δημοσ.
  • Μέλος
Δημοσ.

ΔΕν γραφω γκρικλις, ετσι ειναι το κειμενο :-)

 

Five Critical Windows Bulletins Fix Serious Security Risks

Flaws Affect TCP/IP, Wireless LAN AutoConfig, DHTML, and More

Severity: High

 

8 September, 2009

Summary:

 

  • These vulnerabilities affect: Components that ship with all current versions of Windows
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted packets, or enticing your users to a malicious website
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately

Exposure:

Today, Microsoft released five security bulletins describing eight vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. Microsoft rates all five vulnerabilities as Critical. The summary below lists the bulletins in numerical order:

 

  • MS09-045: JScript Scripting Engine Memory Corruption Vulnerability

The JScript Scripting Engine allows Windows to handle the
. Unfortunately, this scripting engine suffers from a vulnerability involving the way it parses maliciously crafted JScripts. By enticing one of your users to a web page containing such a script, an attacker could exploit this flaw to execute code on that user's computer, with that user's privileges. If your user has local administrative privileges, the attacker would gain complete control of the user's computer.

Microsoft rating:
Critical.

  • MS09-046: DHTML Editing Component ActiveX Control Code Execution Vulnerability

According to Microsoft, the
"is an
control designed for
HTML editing in Web pages and Windows applications." This ActiveX control ships with all current versions of Windows. The DHTML Editing ActiveX Control suffers from something called an instantiation vulnerability, which could corrupt system memory. By luring one of your users to a web page that uses this ActiveX control, an attacker could exploit this memory corruption flaw to execute code on that user's computer, with that user's privileges. As is typical with Windows vulnerabilities, if your user has local administrative privileges, the attacker gains complete control of that user's computer.

Microsoft rating:
Critical.

  • MS09-047: Two Windows Media Format Code Execution Vulnerabilities

The Windows Media Format Runtime helps Windows handle media files. This Runtime suffers from two vulnerabilities involving the way it handles certain types of media files -- specifically
and .
files. Though the flaws differ technically, both share the same scope and impact. If an attacker can convince one of your users to play a specially crafted media file, he can leverage either flaw to execute code on your user's computer, with that user's privileges. As with most Windows vulnerabilities, if your user has local administrator privileges the attacker gains complete control of their machines.

Microsoft rating:
Critical

  • MS09-048: TCP/IP Code Execution and DoS Vulnerabilities.

The Windows
stack suffers from three security vulnerabilities.The worst of the three flaws has to do with the TCP/IP stack's inability to properly clean up
associated with TCP connections. By sending specially crafted TCP packets to any listening network service, an attacker can leverage this vulnerability to gain complete control of your Windows computers. Since this attack doesn't require user-interaction to succeed, it poses a very serious security risk to Windows users. That said, your firewall prevents unauthorized connections to your computers. Only the computers you allow access to are vulnerable to an Internet-based attack of this nature.

The remaining two flaws are
vulnerabilities, which attackers can trigger by sending an excessive number of specially crafted TCP connections. These DoS vulnerabilities pose less risk than the code execution flaw above. However, attackers could still leverage them to knock out your important servers, like your email or web server. One of these DoS vulnerabilities has to do with the "
" attack researchers at Outpost24 described over a year ago. These "SockStress" attacks could potentially affect many network devices, so expect to hear more about them in the future.

Microsoft rating:
Critical.

  • MS09-049: Wireless LAN AutoConfig Service (wlansvc) Buffer Overflow Vulnerability

is a Windows service that configures wireless security and connectivity settings. Many versions of Windows require this service for wireless networking. However, this vulnerability only affects the service running on Vista and Server 2008 computers. The Wlansvc service suffers from a heap
. By transmitting a maliciously crafted wireless frame, an attacker can leverage this overflow flaw to gain complete control of vulnerable Windows computers. Of course, attackers must be in wireless range for this attack to succeed. That said, hackers have proven they can extend wifi range quite a bit. Since a remote attacker can exploit this flaw over the air, and without any user-interaction, we consider it a very serious risk to any Windows Vista or Server 2008 computers with a wireless networking card. You should patch as soon as possible.

Microsoft rating:
Critical

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.

MS09-045:

Note: The version of JScript needed depends on your Windows Service Pack level and the version of Internet Explorer you use. See
for details, or use auto-update.

 

MS09-046:

 

* This flaw does not affect Windows Vista or Server 2008

MS09-047:

Windows Media Format Runtime updates:

 

Windows Media Services updates:

 

MS09-048:

 

Note: These TCP/IP flaws do not affect Windows XP or Windows 7

MS09-049:

 

Note: These vulnerabilities do not affect any other versions of Windows

 

  • 1 μήνα μετά...
Predatorkill Grand Master

Predatorkill

Δημοσ.
  • Μέλος
Δημοσ.

δεν γραφω greeklish, ετσι ειναι το κειμενο

 

October's Critical IE Cumulative Update Corrects Four Code Execution Flaws

 

Severity: High

 

13 October, 2009

Summary:

 

  • This vulnerability affects: Internet Explorer 8 and earlier versions, running on all current version of Windows
  • How an attacker exploits it: By enticing one of your users to visit a web page or link containing malicious code
  • Impact: In the worst case, the attacker can execute code on your user's computer, gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately

Exposure:

In a security bulletin released today as part of its monthly patch update, Microsoft describes four new vulnerabilities in Internet Explorer (IE) 8.0 and earlier versions, running on all current versions of Windows (including Windows 7 and Windows Server 2008).

Although the four vulnerabilities differ technically, they share the same general scope and impact. Most of them involve memory corruption flaws having to do with how IE handles various HTML objects or data streams. If an attacker can lure one of your users to a web page containing malicious web code, he can exploit these vulnerabilities to execute code on that user's computer, inheriting that user's privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could exploit these flaws to gain complete control of the victim's computer.

Keep in mind, today's attackers commonly hijack legitimate web pages and booby-trap them with malicious code. They do this via hosted web ads or through SQL injection attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way.

If you'd like to know more about the technical differences between these flaws, see the "Vulnerability Information" section of Microsoft's bulletin. Technical differences aside, all of these IE flaws pose significant risk, you should download and install the IE cumulative patch as soon as possible.

Solution Path:

These patches fix serious issues. You should download, test, and deploy the appropriate IE patches as soon as possible.

 

 

 

---------- Το μήνυμα προστέθηκε στις 08:18 ----------

 

δεν γραφω greeklish, ετσι ειναι το κειμενο

 

Three Vulnerable ActiveX Controls Plague Microsoft Office and Visio

Severity: High

 

13 October, 2009

Summary:

 

  • This vulnerability affects: All current versions of Microsoft Office (also affects Visio)
  • How an attacker exploits it: By luring your users to a malicious web page
  • Impact: An attacker can execute code on your user's computer, potentially gaining control of it
  • What to do: Install the appropriate Microsoft Patch as soon as possible, or let Windows Update download your patches automatically

Exposure:

Today, Microsoft released a security bulletin describing three vulnerable ActiveX controls that ship with most versions of Microsoft Office. The flawed controls also come with Visio.

In previous LiveSecurity alerts [ 1 / 2 ], we've described Microsoft's Active Template Library (ATL), which is a collection of programmatic templates that help developers create ActiveX controls. Many Microsoft products, including Office and Visio, ship with ActiveX controls created with the ATL library. Unfortunately, a previous version of ATL suffered from security vulnerabilities that led to the creation of many vulnerable ActiveX controls. Since then, Microsoft has continued to find legacy ActiveX controls that suffer from these vulnerabilities.

Today's Office bulletin essentially fixes three more vulnerabilities associated with ATL issues. The three flaws differ technically, but share the same scope and impact. By enticing one of you users to a specially crafted website, an attacker could exploit any of these vulnerabilities to execute code on that user's computer, with that user's privileges. If your users have local administrative privileges, attackers could leverage this type of flaw to gain full control of their computers.

Solution Path

Microsoft has released patches that correct these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.

 

 

 

---------- Το μήνυμα προστέθηκε στις 08:19 ----------

 

δεν γραφω greeklish, ετσι ειναι το κειμενο

 

Six of Eleven Windows Vulnerabilities Rated Critical

Bulletins Affect SMB2, Windows Media Player, IIS FTP, and More

Severity: High

 

13 October, 2009

Summary:

 

  • These vulnerabilities affect: All current versions of Windows and components that ship with it - also the .NET Framework and Silverlight
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted packets or enticing your users to view malicious media
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or use Windows' automatic update features to download these patches automatically

Exposure:

Today, Microsoft released eleven security bulletins describing 27 vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. Some of the flaws also affect other Microsoft products, such as Silverlight, SQL Server, Office, and Microsoft's Developer Tools. A remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

 

  • MS09-050: SMBv2 Code Execution Vulnerabilities

The
is a newer version of Microsoft's Server Message Block (SMB) protocol service that Windows uses to share files, printers, and other resources. SMBv2 only ships with Windows Vista, Windows 7, and Server 2008. Last Month, a researcher discovered a zero day vulnerability in the SMBv2 service. Other researchers confirmed this flaw, and verified that attackers could exploit it to execute code on Windows machines. By sending specially crafted SMBv2 requests, an attacker could exploit this flaw to gain complete control of your Windows users' computers. That said, most administrators do not allow SMB traffic through their firewall. So this flaw primarily poses an internal threat. Microsoft's bulletin finally fixes this SMBv2 flaw and two others like it. You can read our earlier Wire posts about this zero day SMBv2 flaw
and
. Finally, while SMBv2 does ship with Windows 7, this vulnerability only affects the
version of Windows 7; not the
build that is sold to the public. Windows 7 RTM users are not vulnerable to these SMBv2 flaws.

Microsoft rating:
Critical.

  • MS09-051: Two Windows Media Runtime Code Execution Vulnerabilities

Windows Media Runtime is a component that provides information and tools Windows and other applications need to play or view media content. This component suffers from two vulnerabilities: a memory corruption vulnerability involving how it handles certain compressed audio files, and a code execution vulnerability that has to do with how it handles
files that make use of Window's Media Speech codec. Both vulnerabilities share the same scope and impact. By enticing one of you users to view or play a specially crafted media file, an attacker could leverage either of these vulnerabilities to execute code on that user's computer, with that user's privileges. If you users have local administrator privileges, the attacker gains complete control of their computers.

Microsoft rating:
Critical.

  • MS09-052: Windows Media Player Buffer Overflow Vulnerability

Windows Media Player is the digital media player program that ships with Windows, and plays various audio and video files. It suffers from a
that has to do with how it processes
. If an attacker can convince one of your users to play a specially crafted ASF file, he can leverage this flaw to execute code on your user's computer, with that user's privileges. As with most Windows vulnerabilities, if your user has local administrator privileges the attacker gains complete control of their machines.

Microsoft rating:
Critical

  • MS09-062: Multiple GDI+ Code Execution Vulnerabilities

Windows'
(
) is the core operating system component used to render graphical objects to output devices like your monitor or printer. GDI+ contains eight buffer overflow or memory corruption vulnerabilities that attackers could exploit to execute malicious code. The flaws all differ technically, but share the same scope and impact. If an attacker can entice one of you users to view a malicious image, open a malicious document, or visit a malicious web page, he could exploit one of these vulnerabilities to gain control of that user's computer. Microsoft's bulletin makes it difficult to know whether or not the attacker immediately gains
complete
control of the user's system, or only the victim user's level of control. In some parts of their bulletin they say, "complete control." Yet, in other parts they mention the attacker's level of privilege depends on the victim user. That said, since most Windows users have local administrative privileges anyway, we suspect most attacks leveraging these vulnerabilities would give attackers complete control of your Windows computers.
Note:
Besides affecting Windows, these flaws also affect:

 

  • .NET Framework

  • Internet Explorer

  • Microsoft Office and other Office software

  • SQL Server

  • Developer Tools

  • and Forefront Client Security.

Be sure to patch all the affected Microsoft products.

Microsoft rating:
Critical.

  • MS09-055: Cumulative ActiveX Killbit Update

Microsoft's
is a collection of programmatic templates that help developers create
controls. Windows ships with many different components that have ActiveX controls created with the ATL library. Unfortunately, Microsoft has found another vulnerability in one of the ActiveX controls created with the ATL library. If an attacker can entice one of your users to a malicious web page, he could exploit this vulnerability to execute code on that user's computer, with that user's privileges. As is the case with most Windows flaws, if your user has local administrative privileges, the attacker gains complete control of his machine. This bulletin sets the killbit for this vulnerable ActiveX control, and all past vulnerable ActiveX controls. This new ActiveX vulnerability is very similar to the ones we described in a past, out-of-cycle Microsoft
. While some of these ATL vulnerabilities only affect Windows components, others could also affect third party ActiveX controls created with the vulnerable Microsoft ATLs.

Microsoft rating:
Critical.

  • MS09-061: Three .NET Framework Code Execution Flaws.

The
is
developers can use to create new Windows applications. Unfortunately, the .NET Framework suffers from three complicated remote code execution vulnerabilities that allow attackers to gain inappropriate privileges on your Windows systems. Though the flaws differ technically, they share the same scope and impact. If an attacker can get you to run a maliciously crafted .NET application, he can exploit any of these flaws to execute code on that user's computer, with that user's privileges. If your users have local administrative access, the attacker gains full control of their PCs. The .NET application can run both locally, and over the web, so simply visiting a malicious website could trigger this vulnerability.

Microsoft rating:
Critical

  • MS09-053: IIS FTP Service Remote Code Execution and DoS Vulnerability.

Microsoft's
is one of the most popular web server services used on the Internet. IIS also provides an FTP service as well. All server versions of Windows come with IIS, though some of its services may not start by default. In a previous
, we described a zero day IIS FTP service vulnerability that attackers could leverage to either crash your IIS server, or gain complete control of it. The attacker only had to connect to your FTP server, and send it a specially crafted command to leverage this flaw. Today's IIS FTP bulletin fixes that previously unpatched flaw.

Microsoft rating:
Important.

  • MS09-058: Three Windows Kernel Elevation of Privilege Vulnerabilities
    The Windows kernel suffers from three elevation of privilege (EoP) vulnerabilities. All three of the EoP flaws differ technically, but share a similar scope. By running a specially crafted program on one of your Windows computers, an attacker can gain complete control of that system, regardless of his original user privileges. However, the attacker needs to have local access to one of your computers in order to run his malicious program. So these vulnerabilities primarily pose an internal risk. Microsoft rating: Important.
  • MS09-057: Indexing Service Memory Corruption Vulnerability

The Windows Indexing services catalogs content within your files and directories to speed up the searching process. An ActiveX control that ships with the Indexing services suffers from an unspecified memory corruption vulnerability involving the way it handles specially crafted web content. By luring one of your users to a web page with malicious code, an attacker can exploit this vulnerability to execute code on that user's computer, with that user's privileges. As is the case with most Windows flaws, if your user has local administrative privileges, the attacker gains complete control of his machine.

Microsoft rating:
Important

  • MS09-059: LSASS Denial of Service (DoS) Vulnerability

The
is a Windows component that handles authentication and enforces security policies. LSASS suffers from an integer underflow flaw that results in a Denial of Service (DoS) vulnerability. By sending maliciously crafted packets during the authentication process, an attacker could exploit this flaw to cause your Windows computer to reboot. However, most administrators don't allow authentication traffic to pass beyond their local network. This flaw only poses a marginal internal risk.

Microsoft rating:
Important.

  • MS09-056: CryptoAPI Spoofing Vulnerabilities

CryptoAPI is the component that provides basic
services to Windows, such as
,
, and digital
handling. CryptoAPI suffers from two vulnerabilities which could allow an attacker to create a digital certificate that impersonates another user or system. For instance, the attacker could leverage this flaw to create a certificate that appeared to belong to
, when in reality it belongs to the attacker. By either enticing you to his malicious website, or leveraging some other DNS vulnerability that forwards you to his website, an attacker could leverage this certificate spoofing vulnerability to convince you that his malicious site really belongs to some trusted entity.

Microsoft rating:
Important.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.

MS09-050:

 

MS09-051:

 

MS09-052:

 

Note: These vulnerabilities do not affect any other versions of Windows.

MS09-062:

 

* As mentioned in the Exposure section above, these GDI+ vulnerabilities affect many other Microsoft products, including Office and SQL Server. We highly recommend you visit the "Affected and Non-Affected Software" section of
to find and download any other relevant patches for your organization.

MS09-055:

 

MS09-061:

We recommend you see the "Affected Software" section of this Microsoft bulletin to find all the potential .NET framework patches. With all the different versions of .NET Framework, combined with the different Windows and Framework Service Pack variants, there are actually many confusing possibilities for which patches to apply. If it fits your organization's policy, we highly recommend you use Windows' automatic update feature to download the right patch.

MS09-053:

 

MS09-058:

 

MS09-057:

 

MS09-059:

 

MS09-056:

 

Exposure:

Today, Microsoft released eleven security bulletins describing 27 vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. Some of the flaws also affect other Microsoft products, such as Silverlight, SQL Server, Office, and Microsoft's Developer Tools. A remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

 

  • MS09-050: SMBv2 Code Execution Vulnerabilities

The
is a newer version of Microsoft's Server Message Block (SMB) protocol service that Windows uses to share files, printers, and other resources. SMBv2 only ships with Windows Vista, Windows 7, and Server 2008. Last Month, a researcher discovered a zero day vulnerability in the SMBv2 service. Other researchers confirmed this flaw, and verified that attackers could exploit it to execute code on Windows machines. By sending specially crafted SMBv2 requests, an attacker could exploit this flaw to gain complete control of your Windows users' computers. That said, most administrators do not allow SMB traffic through their firewall. So this flaw primarily poses an internal threat. Microsoft's bulletin finally fixes this SMBv2 flaw and two others like it. You can read our earlier Wire posts about this zero day SMBv2 flaw
and
. Finally, while SMBv2 does ship with Windows 7, this vulnerability only affects the
version of Windows 7; not the
build that is sold to the public. Windows 7 RTM users are not vulnerable to these SMBv2 flaws.

Microsoft rating:
Critical.

  • MS09-051: Two Windows Media Runtime Code Execution Vulnerabilities

Windows Media Runtime is a component that provides information and tools Windows and other applications need to play or view media content. This component suffers from two vulnerabilities: a memory corruption vulnerability involving how it handles certain compressed audio files, and a code execution vulnerability that has to do with how it handles
files that make use of Window's Media Speech codec. Both vulnerabilities share the same scope and impact. By enticing one of you users to view or play a specially crafted media file, an attacker could leverage either of these vulnerabilities to execute code on that user's computer, with that user's privileges. If you users have local administrator privileges, the attacker gains complete control of their computers.

Microsoft rating:
Critical.

  • MS09-052: Windows Media Player Buffer Overflow Vulnerability

Windows Media Player is the digital media player program that ships with Windows, and plays various audio and video files. It suffers from a
that has to do with how it processes
. If an attacker can convince one of your users to play a specially crafted ASF file, he can leverage this flaw to execute code on your user's computer, with that user's privileges. As with most Windows vulnerabilities, if your user has local administrator privileges the attacker gains complete control of their machines.

Microsoft rating:
Critical

  • MS09-062: Multiple GDI+ Code Execution Vulnerabilities

Windows'
(
) is the core operating system component used to render graphical objects to output devices like your monitor or printer. GDI+ contains eight buffer overflow or memory corruption vulnerabilities that attackers could exploit to execute malicious code. The flaws all differ technically, but share the same scope and impact. If an attacker can entice one of you users to view a malicious image, open a malicious document, or visit a malicious web page, he could exploit one of these vulnerabilities to gain control of that user's computer. Microsoft's bulletin makes it difficult to know whether or not the attacker immediately gains
complete
control of the user's system, or only the victim user's level of control. In some parts of their bulletin they say, "complete control." Yet, in other parts they mention the attacker's level of privilege depends on the victim user. That said, since most Windows users have local administrative privileges anyway, we suspect most attacks leveraging these vulnerabilities would give attackers complete control of your Windows computers.
Note:
Besides affecting Windows, these flaws also affect:

 

  • .NET Framework

  • Internet Explorer

  • Microsoft Office and other Office software

  • SQL Server

  • Developer Tools

  • and Forefront Client Security.

Be sure to patch all the affected Microsoft products.

Microsoft rating:
Critical.

  • MS09-055: Cumulative ActiveX Killbit Update

Microsoft's
is a collection of programmatic templates that help developers create
controls. Windows ships with many different components that have ActiveX controls created with the ATL library. Unfortunately, Microsoft has found another vulnerability in one of the ActiveX controls created with the ATL library. If an attacker can entice one of your users to a malicious web page, he could exploit this vulnerability to execute code on that user's computer, with that user's privileges. As is the case with most Windows flaws, if your user has local administrative privileges, the attacker gains complete control of his machine. This bulletin sets the killbit for this vulnerable ActiveX control, and all past vulnerable ActiveX controls. This new ActiveX vulnerability is very similar to the ones we described in a past, out-of-cycle Microsoft
. While some of these ATL vulnerabilities only affect Windows components, others could also affect third party ActiveX controls created with the vulnerable Microsoft ATLs.

Microsoft rating:
Critical.

  • MS09-061: Three .NET Framework Code Execution Flaws.

The
is
developers can use to create new Windows applications. Unfortunately, the .NET Framework suffers from three complicated remote code execution vulnerabilities that allow attackers to gain inappropriate privileges on your Windows systems. Though the flaws differ technically, they share the same scope and impact. If an attacker can get you to run a maliciously crafted .NET application, he can exploit any of these flaws to execute code on that user's computer, with that user's privileges. If your users have local administrative access, the attacker gains full control of their PCs. The .NET application can run both locally, and over the web, so simply visiting a malicious website could trigger this vulnerability.

Microsoft rating:
Critical

  • MS09-053: IIS FTP Service Remote Code Execution and DoS Vulnerability.

Microsoft's
is one of the most popular web server services used on the Internet. IIS also provides an FTP service as well. All server versions of Windows come with IIS, though some of its services may not start by default. In a previous
, we described a zero day IIS FTP service vulnerability that attackers could leverage to either crash your IIS server, or gain complete control of it. The attacker only had to connect to your FTP server, and send it a specially crafted command to leverage this flaw. Today's IIS FTP bulletin fixes that previously unpatched flaw.

Microsoft rating:
Important.

  • MS09-058: Three Windows Kernel Elevation of Privilege Vulnerabilities
    The Windows kernel suffers from three elevation of privilege (EoP) vulnerabilities. All three of the EoP flaws differ technically, but share a similar scope. By running a specially crafted program on one of your Windows computers, an attacker can gain complete control of that system, regardless of his original user privileges. However, the attacker needs to have local access to one of your computers in order to run his malicious program. So these vulnerabilities primarily pose an internal risk. Microsoft rating: Important.
  • MS09-057: Indexing Service Memory Corruption Vulnerability

The Windows Indexing services catalogs content within your files and directories to speed up the searching process. An ActiveX control that ships with the Indexing services suffers from an unspecified memory corruption vulnerability involving the way it handles specially crafted web content. By luring one of your users to a web page with malicious code, an attacker can exploit this vulnerability to execute code on that user's computer, with that user's privileges. As is the case with most Windows flaws, if your user has local administrative privileges, the attacker gains complete control of his machine.

Microsoft rating:
Important

  • MS09-059: LSASS Denial of Service (DoS) Vulnerability

The
is a Windows component that handles authentication and enforces security policies. LSASS suffers from an integer underflow flaw that results in a Denial of Service (DoS) vulnerability. By sending maliciously crafted packets during the authentication process, an attacker could exploit this flaw to cause your Windows computer to reboot. However, most administrators don't allow authentication traffic to pass beyond their local network. This flaw only poses a marginal internal risk.

Microsoft rating:
Important.

  • MS09-056: CryptoAPI Spoofing Vulnerabilities

CryptoAPI is the component that provides basic
services to Windows, such as
,
, and digital
handling. CryptoAPI suffers from two vulnerabilities which could allow an attacker to create a digital certificate that impersonates another user or system. For instance, the attacker could leverage this flaw to create a certificate that appeared to belong to
, when in reality it belongs to the attacker. By either enticing you to his malicious website, or leveraging some other DNS vulnerability that forwards you to his website, an attacker could leverage this certificate spoofing vulnerability to convince you that his malicious site really belongs to some trusted entity.

Microsoft rating:
Important.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.

MS09-050:

 

MS09-051:

 

MS09-052:

 

Note: These vulnerabilities do not affect any other versions of Windows.

MS09-062:

 

* As mentioned in the Exposure section above, these GDI+ vulnerabilities affect many other Microsoft products, including Office and SQL Server. We highly recommend you visit the "Affected and Non-Affected Software" section of
to find and download any other relevant patches for your organization.

MS09-055:

 

MS09-061:

We recommend you see the "Affected Software" section of this Microsoft bulletin to find all the potential .NET framework patches. With all the different versions of .NET Framework, combined with the different Windows and Framework Service Pack variants, there are actually many confusing possibilities for which patches to apply. If it fits your organization's policy, we highly recommend you use Windows' automatic update feature to download the right patch.

MS09-053:

 

MS09-058:

 

MS09-057:

 

MS09-059:

 

MS09-056:

 

cabdik Crazy Insomniac

cabdik

Δημοσ.
Δημοσ.
Οντως κατοχος ενος Firewall της Watchguard μου δινεται η δυνατοτητα να λαμβανω 0(zero) day emails οπου αναλυονται ακριβως τρυπες ασφαλειας λειτουργικων συστηματων και του διαδικτυου γενικοτερα.

 

sorry, αλλα δε καταλαβα το point του θεματος. τι εννοεις με το παραπανω? τι ειναι ο firewall της watchguard? τι σημαινει 0 day emails? για λιανισε το λιγο.....!

nske Mentor

nske

Δημοσ.
Δημοσ.

Απλά ότι η Watchguard (μια εταιρία της οποίας είναι πελάτης για ένα firewall), του στέλνει ενημερωτικά emails με τις πρόσφατες ("0 day") αδυναμίες που βγήκαν για προϊόντα της Microsoft. Το point του θέματος είναι ότι κάποιος που χρησιμοποιεί τα συγκεκριμένα προϊόντα (π.χ. Windows) μπορεί να ενημερώνεται γρήγορα για αδυναμίες και να φροντίζει να τις αντιμετωπίζει. Δεν είναι πάντα πράγματα τα οποία διορθώνονται με κάποιο Patch το οποίο ο διαχειριστής μπορεί να είναι ήσυχος ότι θα κατέβει αυτόματα σαν update, πολλές φορές, έστω και προσωρινά, θα πρέπει να εφαρμόσει κάποιο Workαround αν δε θέλει να είναι ευάλωτος, ή να προσέξει κάτι στην εφαρμογή του patch.

 

Ο χαρακτηρισμός "0 day" από τη Watchguard είναι μάλλον καταχρηστικός: κανονικά το 0-day ορίζεται είτε σε σχέση με την εύρεση κάποιας αδυναμίας και την ανακοίνωσή της σε κάποια "private" κανάλια, είτε έστω σε σχέση με τη δημοσιοποίησή της στο ευρύ κοινό, με οποιοδήποτε τρόπο. Η Watchguard απλά στέλνει ένα summary με τις αδυναμίες που έχουν αναγνωριστεί και ανακοινωθεί από την Microsoft.

Predatorkill Grand Master

Predatorkill

Δημοσ.
  • Μέλος
Δημοσ.

nske ευχαριστω που καλυψες πληρως την ερωτηση του φιλου, το 0 day ειναι οντως καταχρηστικο, μερικες φορες εχει τυχει να λαβω emails ομως που να λεει για προβληματα που λυνονται με workarounds χωρις να εχει βγαλει ακομα το patch η MS.

 

Περα απο την ενημερωση ομως αναλυει και πως γινονται Exploit οι διαφορες τρυπες, πιστευω ειναι αρκετα ενδιαφερον και αρκετα αναλυτικο.

 

Περα απο MS products δεχομαι και αλλα emails για Cisco, Linux, παλι απο την WG αλλα ποσταρω μονο τα Windows καθως ειναι και το πιο διαδεδομενο/ευαλωτο λογισμικο.

nske Mentor

nske

Δημοσ.
Δημοσ.
Περα απο την ενημερωση ομως αναλυει και πως γινονται Exploit οι διαφορες τρυπες, πιστευω ειναι αρκετα ενδιαφερον και αρκετα αναλυτικο.

Σίγουρα, είναι χρήσιμο και ενδιαφέρον, thanks για τα ευανάγνωστα updates :-)

Αρχειοθετημένο

Αυτό το θέμα έχει αρχειοθετηθεί και είναι κλειστό για περαιτέρω απαντήσεις.

Προς την λίστα θεμάτων
  • Δημιουργία νέου...