From alertmailinglist at skiifwrald.com Sun Apr 18 16:37:19 2010
From: alertmailinglist at skiifwrald.com (Security and IT News Alerts)
Date: Sun, 18 Apr 2010 16:07:19 +0930
Subject: [Sunnet Alert] Advisory #277 - Microsoft (Multiple), Multiple News
Message-ID: <6081E368-31DF-425C-A7D2-A8059637036A@beskerming.com>

Sûnnet Beskerming Alert List Advisory #277

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info at beskerming.com to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Once you've had a chance to read through this advisory, come back and answer the following question. Did you like the timeliness of the advisory? Our premium subscribers get this sort of service on every advisory - same day coverage of security discoveries and full details on all external tracking data that we have discovered, to help keep you informed and form a well-rounded opinion and assessment of the risk to you, your systems, and your data.

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 5 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network, or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 New Public Vulnerability Affects Internet Explorer 6 and 7 Users
2.2 Microsoft Releases Out-of-Cycle Security Patch
2.3 Google Takes the Tiger by the Tail
2.4 SecurityFocus No Longer Publishing InfoSec News
=====================================

1. SECURITY

1.1 Microsoft Windows - Remote Hacker Automatic Control

-- Products Affected --
Windows, Office, Exchange

-- Technical Description --
MS10-019 - Windows. Authenticode. Remote code execution. Critical.
MS10-020 - Windows. SMB Client. Remote code execution. Replaces MS10-006. Critical.
MS10-021 - Windows. Kernel. Privilege elevation. Replaces MS10-015. Important.
MS10-022 - Windows. VBScript Engine. Remote code execution. Important.
MS10-023 - Microsoft Office Publisher. Remote code execution. Replaces MS08-027, MS09-030. Important.
MS10-024 - Microsoft Exchange and SMTP Service. Denial of service. Important.
MS10-025 - Windows Media Services. Remote code execution. Critical.
MS10-026 - Windows. MPEG Layer 3 Codec. Remote code execution. Critical.
MS10-027 - Windows Media Player. Remote code execution. Replaces MS07-047. Critical.
MS10-028 - Microsoft Visio. Remote code execution. Replaces MS09-005, MS09-062. Important.
MS10-029 - Microsoft Windows. Spoofing. Moderate.

-- Description --
Microsoft have released two advisories as part of the March Security Bulletin release, in line with what they identified in the Advance Notification last week. Both advisories are for remote code execution vulnerabilities, one with Windows and the other with Office. Despite both being for remote code execution vulnerabilities, they are only listed as Important, since they require user interaction for any exploit to work.
-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms10-apr.mspx
http://www.beskerming.com/services/176/Patch_Briefing
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms10-019.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-020.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-021.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-022.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-023.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-024.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-025.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-026.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-027.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-028.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-029.mspx

-- External Tracking Data --
CVE-ID: CVE-2010-0486 (MS10-019)
CVE-ID: CVE-2010-0487 (MS10-019)
CVE-ID: CVE-2009-3676 (MS10-020)
CVE-ID: CVE-2010-0269 (MS10-020)
CVE-ID: CVE-2010-0270 (MS10-020)
CVE-ID: CVE-2010-0476 (MS10-020)
CVE-ID: CVE-2010-0477 (MS10-020)
CVE-ID: CVE-2010-0234 (MS10-021)
CVE-ID: CVE-2010-0235 (MS10-021)
CVE-ID: CVE-2010-0236 (MS10-021)
CVE-ID: CVE-2010-0237 (MS10-021)
CVE-ID: CVE-2010-0238 (MS10-021)
CVE-ID: CVE-2010-0481 (MS10-021)
CVE-ID: CVE-2010-0482 (MS10-021)
CVE-ID: CVE-2010-0810 (MS10-021)
CVE-ID: CVE-2010-0483 (MS10-022)
CVE-ID: CVE-2010-0479 (MS10-023)
CVE-ID: CVE-2010-0024 (MS10-024)
CVE-ID: CVE-2010-0025 (MS10-024)
CVE-ID: CVE-2010-0478 (MS10-025)
CVE-ID: CVE-2010-0480 (MS10-026)
CVE-ID: CVE-2010-0268 (MS10-027)
CVE-ID: CVE-2010-0254 (MS10-028)
CVE-ID: CVE-2010-0256 (MS10-028)
CVE-ID: CVE-2010-0812 (MS10-029)

-- Threat Matrix --
             U    O
Home User   10   10  (Highly Critical)
Corporate   10   10  (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 New Public Vulnerability Affects Internet Explorer 6 and 7 Users

Last week Microsoft announced that a new threat faces Internet Explorer 6 and 7 users. This publicly disclosed vulnerability, now with readily available exploit samples, allows for remote code execution within the rights of the current user. The vulnerability lies within the iepeers.dll library, and the currently recommended workarounds from Microsoft (disabling support for iepeers.dll or using ACLs to limit access) have significant usability issues for end users, including affecting printing, web folders and other MSHTML functionality. There may be an out-of-cycle patch released for this issue, at least according to the most recent update from the Microsoft Security Response Center.

The other significant public issue facing Internet Explorer users at the moment, the remote code execution vulnerability linked to help files, is still without a patch or an expected patch date.

2.2 Microsoft Releases Out-of-Cycle Security Patch

It didn't take long for Microsoft to release an Out-of-Cycle security bulletin for the Internet Explorer 6 and 7 Critical vulnerability that was publicly disclosed in early March. With a Critical Bulletin being released, Microsoft is addressing not only the vulnerability being publicly exploited, but also a number of privately reported, non-exploited vulnerabilities. This extends the application of the bulletin to all versions of Internet Explorer, and not just 6 & 7. The ten vulnerabilities being patched were scheduled for patching on April 13, with the April Security Bulletin release, but all are being brought forward with this patch.
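As an added example (our own script, not code from the advisory and not Microsoft's published workaround commands), the following applies the iepeers.dll ACL workaround mentioned in 2.1 above in a reversible way, with a check for whether it is already in place, so it can be lifted once the cumulative update lands. It assumes the library sits at %windir%\system32\iepeers.dll (the advisory names only the file), an elevated session, and an English "Everyone" principal name.

```powershell
# Added example: reversible Deny-ACL mitigation for iepeers.dll.
# Assumptions: path below is standard but not stated in the advisory;
# the session is elevated (Administrator).
$Dll    = Join-Path $env:windir 'system32\iepeers.dll'
$Backup = Join-Path $env:TEMP 'iepeers_acl_backup.sddl'

function Test-IEPeersRestricted {
    # $true when an explicit (non-inherited) Deny ACE for Everyone exists,
    # i.e. the workaround is currently in place on this host.
    $acl = Get-Acl -Path $Dll
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $ace.IdentityReference.Value -eq 'Everyone' -and
            -not $ace.IsInherited) { return $true }
    }
    return $false
}

function Restrict-IEPeers {
    if (Test-IEPeersRestricted) { Write-Host 'Already restricted'; return }
    # Save the original descriptor first so the change can be undone.
    $orig = Get-Acl -Path $Dll
    Set-Content -Path $Backup -Encoding ASCII `
        -Value $orig.GetSecurityDescriptorSddlForm('All')
    # System32 files are owned by TrustedInstaller; take ownership so the
    # DACL can be written. Ownership is NOT given back by Restore-IEPeers.
    takeown.exe /f $Dll | Out-Null
    # Re-read after takeown so Set-Acl does not try to reset the owner.
    $acl  = Get-Acl -Path $Dll
    # An explicit Deny wins over every Allow, so IE can no longer load it.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList 'Everyone', 'FullControl', 'Deny'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Dll -AclObject $acl
}

function Restore-IEPeers {
    # Lift the workaround (e.g. after patching) to get printing, web folders
    # and the other affected MSHTML functionality back.
    if (-not (Test-Path $Backup)) { throw "No ACL backup at $Backup" }
    $sddl = (Get-Content -Path $Backup) -join ''
    $acl  = Get-Acl -Path $Dll
    # Apply only the DACL section from the backup; the owner is left as-is.
    $acl.SetSecurityDescriptorSddlForm($sddl, 'Access')
    Set-Acl -Path $Dll -AclObject $acl
}
```

Run Restrict-IEPeers as the interim mitigation and Restore-IEPeers after the out-of-cycle bulletin is installed; Test-IEPeersRestricted is the audit check for whether a host still carries the workaround.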
Microsoft is to release the bulletin in the next 18 hours, with the March Advance Notification (March Bulletin summary) being replaced with pre-release information for this particular patch. As with most Internet Explorer updates, this will be a cumulative update and considered urgent for all users to apply. When it is released, more detailed information on MS10-018 can be found direct from Microsoft, here.

2.3 Google Takes the Tiger by the Tail

Google's stoush with China has taken another dramatic turn, with Google redirecting Chinese search users to the Hong Kong Google page. Critically, the Hong Kong page is not censored, or at least it is not censored to the extent the Chinese search page and results were. To highlight the level of blocking of various Google services, a new Google page, updated daily, describes exactly which services are blocked within China and to what extent.

Despite the appearances in the last few weeks that the disagreement between the two parties had at least settled to a mutual disagreement, this sudden, significant move by Google is bound to cause flow-on effects across the wider Internet. Critics might argue that it is the first sign of Google pulling out of the Chinese market altogether, given the dominance of local search giant, Baidu. Google's own argument is that it is a viable compromise between their desire to provide the least level of censorship possible (preferably none, but sites get removed from all versions of Google's searches) whilst still allowing mainland Chinese users access to Google search results.

Going further, Google acknowledge that this action may lead to their services being blocked by China. They also point out that the decision was made by Google's American executives and not by any Chinese employee - an apparent effort to avoid any repercussions for Google's Chinese workforce. Google may very well have trapped the tiger by the tail with this move.
A line has been crossed and it will be a matter of waiting to see China's response, if any.

2.4 SecurityFocus No Longer Publishing InfoSec News

Over time sites grow and shrink in popularity and usefulness; either the userbase moves on to something else, or the site changes what it offers. In the last couple of weeks, the news section of Information Security stalwart SecurityFocus was shut down as site owners, Symantec, made a move to consolidate their online news and service offerings. Most of the products that SecurityFocus is best known for (such as the BugTraq mailing list) will continue to be maintained and offered via the SecurityFocus site; what has disappeared is the analysis and news reporting that the site used to offer, or at least it is disappearing from the SecurityFocus site.

With the increasing number of sites to have appeared over recent years, along with numerous Security blogs (what SecurityFocus essentially started out as), will the loss of this voice have much of an effect on the reporting and dissemination of Information Security news and analysis? It is doubtful that there will be a wide-ranging effect, especially given that the same information will be available from Symantec sources, via Symantec Connect. Rather than a complete loss of information, perhaps considering it a consolidation and rebranding would be a better point of view.

=======================================

Sincerely,
Sûnnet Beskerming Team
info at beskerming.com

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.