[Sunnet Alert] Advisory #275 - Microsoft (Multiple), Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Sun Feb 14 14:23:09 EST 2010
Sûnnet Beskerming Alert List Advisory #275
You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info at beskerming.com to resolve the error.
Why not upgrade to get same day notification on security threats? Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Once you've had a chance to read through this advisory, come back and answer the following question.
Did you like the timeliness of the advisory?
Our premium subscribers get this sort of service on every advisory - same day coverage of security discoveries and full details on all external tracking data that we have discovered, to help keep you informed and form a well-rounded opinion and assessment of the risk to you, your systems, and your data.
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 5 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 All Good Things Come to an End for Windows Versions
2.2 Google Taking on China is One Giant Taking on Another
2.3 Microsoft Takes Four Months to Patch Critical Exploit
=====================================
1. SECURITY
1.1 Microsoft Windows - Remote Hacker Automatic Control
-- Products Affected --
Windows, Office
-- Technical Description --
MS10-003 - Office. Remote code execution. Replaces MS09-062. Important
MS10-004 - Office. Remote code execution. Replaces MS09-017. Important
MS10-005 - Paint. Remote code execution. Critical
MS10-006 - SMB Client. Remote code execution. Replaces MS06-030, MS08-068. Moderate
MS10-007 - Windows Shell. Remote code execution. Critical
MS10-008 - ActiveX. Remote code execution. Replaces MS09-055. Critical
MS10-009 - TCP/IP. Remote code execution. Critical
MS10-010 - Hyper-V. Information disclosure. Important
MS10-011 - Windows. Elevation of Privilege. Important
MS10-012 - SMB Server. Remote code execution. Replaces MS09-001. Important
MS10-013 - DirectShow. Remote code execution. Replaces MS09-038, MS09-028. Critical
MS10-014 - Kerberos. Denial of Service. Important
MS10-015 - Windows. Elevation of Privilege. Important
-- Description --
Following the single security Bulletin released in January, Microsoft have released thirteen Bulletins for February, addressing a broad range of vulnerabilities within Windows and Office. Windows XP users are advised to delay installing MS10-015 as it can cause their systems to Blue-Screen on restart. Unfortunately, this is the only Bulletin for which there was public exploit code and vulnerability data available ahead of the patch release.
-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms10-feb.mspx
http://www.beskerming.com/services/176/Patch_Briefing
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms10-003.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-004.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-005.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-006.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-008.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-009.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-010.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-013.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-014.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-015.mspx
-- External Tracking Data --
CVE-ID: CVE-2010-0243 (MS10-003)
CVE-ID: CVE-2010-0029 (MS10-004)
CVE-ID: CVE-2010-0030 (MS10-004)
CVE-ID: CVE-2010-0031 (MS10-004)
CVE-ID: CVE-2010-0032 (MS10-004)
CVE-ID: CVE-2010-0033 (MS10-004)
CVE-ID: CVE-2010-0034 (MS10-004)
CVE-ID: CVE-2010-0028 (MS10-005)
CVE-ID: CVE-2010-0016 (MS10-006)
CVE-ID: CVE-2010-0017 (MS10-006)
CVE-ID: CVE-2010-0027 (MS10-007)
CVE-ID: CVE-2010-0252 (MS10-008)
CVE-ID: CVE-2010-0239 (MS10-009)
CVE-ID: CVE-2010-0240 (MS10-009)
CVE-ID: CVE-2010-0241 (MS10-009)
CVE-ID: CVE-2010-0242 (MS10-009)
CVE-ID: CVE-2010-0026 (MS10-010)
CVE-ID: CVE-2010-0023 (MS10-011)
CVE-ID: CVE-2010-0020 (MS10-012)
CVE-ID: CVE-2010-0021 (MS10-012)
CVE-ID: CVE-2010-0022 (MS10-012)
CVE-ID: CVE-2010-0231 (MS10-012)
CVE-ID: CVE-2010-0250 (MS10-013)
CVE-ID: CVE-2010-0035 (MS10-014)
CVE-ID: CVE-2010-0232 (MS10-015)
CVE-ID: CVE-2010-0233 (MS10-015)
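To turn the bulletin table and tracking data above into a prioritised patch list, the following added Python example (written for this briefing, not code from the advisory or from Microsoft) parses lines in the advisory's own format, normalises the inconsistently written CVE identifiers, joins each CVE to its bulletin and orders the bulletins by Microsoft's severity rating. The sample lines are a subset copied from this advisory.

```python
import re
# Constructed sample: bulletin and tracking lines copied from this advisory's
# "Technical Description" and "External Tracking Data" blocks (a subset).
BULLETINS = """\
MS10-005 - Paint. Remote code execution. Critical
MS10-006 - SMB Client. Remote code execution. Replaces MS06-030, MS08-068. Moderate
MS10-015 - Windows. Elevation of Privilege. Important
"""
TRACKING = """\
CVE-ID: CVE 2010-0028 (MS10-005)
CVE-ID: CVE 2010-0016 (MS10-006)
CVE-ID: CVE 2010-0017 (MS10-006)
CVE-ID: CVE 2010-0232 (MS10-015)
"""
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}  # most urgent first
BULLETIN_RE = re.compile(
    r"^(?P<id>MS\d{2}-\d{3}) - (?P<component>[^.]+)\. (?P<impact>[^.]+)\."
    r"(?: Replaces (?P<replaces>[^.]+)\.)? (?P<severity>Critical|Important|Moderate|Low)\.?$"
)
# Accepts both "CVE-2010-0243" and the advisory's "CVE 2010-0029" spelling.
TRACKING_RE = re.compile(r"^CVE-ID:\s*CVE[- ](?P<num>\d{4}-\d{4,})\s*\((?P<id>MS\d{2}-\d{3})\)$")

def parse_bulletins(text):
    """Map bulletin id -> record; a line that does not fit the format is an error, not a skip."""
    rows = {}
    for line in text.splitlines():
        m = BULLETIN_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised bulletin line: {line!r}")
        replaces = m.group("replaces")
        rows[m.group("id")] = {
            "component": m.group("component"), "impact": m.group("impact"),
            "replaces": [r.strip() for r in replaces.split(",")] if replaces else [],
            "severity": m.group("severity"), "cves": [],
        }
    return rows

def attach_cves(rows, text):
    """Normalise each CVE id to CVE-YYYY-NNNN and attach it to its bulletin."""
    for line in text.splitlines():
        m = TRACKING_RE.match(line.strip())
        if not m or m.group("id") not in rows:
            raise ValueError(f"tracking line does not match a known bulletin: {line!r}")
        rows[m.group("id")]["cves"].append("CVE-" + m.group("num"))
    return rows

def patch_order(rows):
    """Bulletin ids ordered Critical first, then by bulletin number."""
    return sorted(rows, key=lambda i: (SEVERITY_RANK[rows[i]["severity"]], i))
```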
-- Threat Matrix --
             U    O
Home User   10   10 (Highly Critical)
Corporate   10   10 (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 All Good Things Come to an End for Windows Versions
It was a footnote to a short bulletin release last month, but Microsoft's Security Response Center has reminded readers that support for some of the still commonly used versions of Windows will be ceasing in the next few months.
The venerable Windows 2000, regarded by many as the first real modern Windows version and the real move away from the Windows 9x line of code (barring the short-lived Windows Me), will have extended support cease on July 13 of this year. This means that there will no longer be any Security bulletins or any other updates released for the platform.
It isn't only Windows 2000 that is finding official support ceasing, with Windows XP SP2, arguably one of the most significant Windows versions of all time, also having extended support cease on July 13 this year. Users who are still happy with what SP2 has provided them can always apply Service Pack 3 if they wish to stay on Windows XP and continue to receive updates from Microsoft.
With two ageing versions of Windows being put out to pasture in July, it is somewhat surprising to see the RTM (effectively SP0) version of Windows Vista no longer being supported as of April 13 this year, and SP1 no longer supported as of July 12, 2011.
2.2 Google Taking on China is One Giant Taking on Another
At a time when the Australian Defence Force is marking the formal establishment of their Cyber Security Operations Centre, state level Information Security attacks are all over the news.
Google recently stunned the world when it suddenly published details of an attack against it and some of the GMail accounts that it manages for Chinese human rights supporters, and took the surprise tactic of threatening to pull out of China completely in protest of what was widely seen as state-sponsored attacks against the company. A change in the censorship applied to Google searches within China was just part of the posturing that began immediately and is sure to be a sticking point for the Chinese government representatives when the two sides sit down to negotiate a peaceful way forward.
Competing China-based search engine, Baidu, claimed that the move was financially driven - a claim that looks reasonable on the surface, given that Google has only around a third of the Chinese search market, compared to Baidu's share of over 60%.
Attacks were targeted against Chinese human rights activists and their online mail accounts held with Google, though the attack apparently was not successful at gaining access to the content of emails (subject lines were accessible). Other supporters of Chinese human rights, based outside of China, apparently had their accounts accessed as well, though through vulnerabilities on the user's systems and not through compromised Google systems.
The attack against Google has been linked to other companies, including networking equipment manufacturer Juniper, and search competitor Yahoo!. Adobe have also reported a major attack against their systems and those of their clients. There have been recent claims that the attack was the result of an insider in Google's own China offices.
From vulnerabilities in Adobe Reader and Acrobat, to vulnerabilities in Internet Explorer, there is a lot of information, claims, counter-claims, rumour and general speculation flying around the Internet about the attacks. Microsoft issued an advisory about the 0-day vulnerability in Internet Explorer that led to the initial attacks, and has since followed it up with more information about the nature of the attacks and vulnerability, including the general availability of exploit code that reliably works against Internet Explorer 6.
It has been speculated that the whole set of attacks could have been funded from a budget of less than $50,000 USD, including the cost of purchasing the vulnerabilities and exploit frameworks on the black market. Blended attacks, with a combination of threats and approaches, seem to have been what succeeded in the end.
With companies and their networks under almost constant assault, why does the partial breach of two email accounts lead to such a massive incident? Baidu's claims that Google is just being opportunistic with this particular attack do seem to be reasonable, though Google claims otherwise. Watching a company that started out as just another search engine have the clout to take on a major nation-state so openly is simply amazing and the results are going to have widespread effects for government-business relationships not only in China, but also globally. Trade disputes, when large enough, have involved governments arguing it out, but rarely has it been a sole company taking on a government directly.
Lines are being drawn in the sand between companies and governments and all manner of parties. Yahoo and Alibaba can't seem to keep out of the fight and as each day passes, more parties seem to be drawn into the dispute and taking sides.
The widespread publicity that this set of cases is receiving is eye-opening and it has seen governments start to issue advice against using Internet Explorer.
It doesn't really matter who wins in the end, it has shown that it is possible for a company to become so powerful as a result of the Internet and managing information that it can quite feasibly stand up to a government for something it has taken offence to.
2.3 Microsoft Takes Four Months to Patch Critical Exploit
Saying that Microsoft released a single Security Bulletin for January 2010 is no longer accurate: a hurriedly released out-of-cycle patch (MS10-002) addresses a number of issues with Internet Explorer. Due to the criticality of the vulnerabilities, the fact that some have been used in active attacks (most notably the Google compromise), and the free availability of exploit code, it is Critical that the bulletin is applied as soon as possible.
As part of the patching process, weaknesses in the mshtml.dll library are fixed, protecting other software that relies upon it for processing and displaying content. Just because a concerned user stopped using Internet Explorer doesn't mean that they are safe from these vulnerabilities.
From Microsoft's own Security Team, the vulnerability being used in active attacks was privately reported in September last year and Microsoft were planning to release a cumulative Internet Explorer update in February, anyway.
The cumulative patch, MS10-002, has now been released and it addresses eight separate vulnerabilities that range from Information Disclosure to Remote code execution. Not all eight vulnerabilities are equally applicable to each supported version of Internet Explorer, but the presence of at least one Remote Code Execution vulnerability for each version means that the rating of Critical is applicable for all the versions.
For all of Microsoft's significant advancements in handling and managing security, planning on taking five months to release a security bulletin for such a Critical vulnerability seems risky, especially in light of the fact that three months after the vulnerability was initially reported (but still two months prior to patch release) the vulnerability was being targeted via exploits, with at least one highly visible successful attack as a result.
Further complicating matters is the release of information that suggests the Data Execution Prevention (DEP) system used in Windows can be bypassed. Microsoft's investigation identifies that Windows XP is vulnerable to the current DEP avoidance method, but later Windows versions, which utilise Address Space Layout Randomisation (ASLR), have more effective protection against exploitation.
Microsoft continues to attract public attention on security issues, with details of a privilege elevation vulnerability that affects all 32-bit versions of Windows being made public. To successfully attack this vulnerability, the attacker needs to have valid login credentials to the target system. With this level of access, the attacker can exploit a weakness in the NT Virtual DOS Machine and gain higher levels of privilege across the system, leading to complete control over the target system. Despite only being made public now, the vulnerability has been around for at least 17 years.
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.