Tag Archive | "Microsoft"


Microsoft Warns of Windows Script Injection Vulnerability

Microsoft tonight released a security advisory for a publicly disclosed vulnerability in all supported versions of Windows. Security Advisory 2501696 describes a bug in the MHTML protocol handler in Windows that could lead to information disclosure.

MHTML (MIME Encapsulation of Aggregate HTML) packages an HTML page and its related resources into a single MIME structure. MIME (Multipurpose Internet Mail Extensions) is a data format for carrying binary structures in a text-only container. Windows includes a pluggable protocol handler (MHTML:) that lets applications render MHTML documents. Internet Explorer is one of those applications, and the handler can be abused from a web page to cause script to be executed. The user would have to click a link to an MHTML:// document.

The vulnerability is similar to a cross-site scripting bug on a web page, in which HTML and script from another site is executed in the web page's context. In this case the injected script runs on the client, in the context of the web site that was targeted, which is why Microsoft rates the impact as information disclosure rather than code execution.

Microsoft has provided a “Fix it” link to disable the MHTML protocol handler. This is a rather radical move, but it’s probably the only thing Microsoft can do without an actual patch, which they will of course provide—when it’s ready. They are also working with other companies to develop server-side protections to prevent attacks.

The Fix it page also includes what amounts to a proof of concept for the bug, which you can use to test whether you are vulnerable or whether the mitigation has taken effect.



Full story: Security Watch

Posted in Security | Comments Off

Microsoft Security Articles (Sep14-Sep20)

Article Topics & Links:

Microsoft Information Security Tools Team  Website | RSS Feed
Anti-XSS Library v3.1 Released!  – 17-Sep-2009
Introducing the Connected Information Security Framework and Risk Tracker  – 16-Sep-2009
Want to Develop Software Security Tools?  – 16-Sep-2009
Want to Shape Great Security Tools ?  – 15-Sep-2009
CISF Security Portal Architecture  – 15-Sep-2009
Automating Windows Firewall settings with C# (part 2)  – 14-Sep-2009
Microsoft Malware Protection Center  Website | RSS Feed
The modern rogue – a timely subject  – 18-Sep-2009
I can’t go back to yesterday – see you in Geneva  – 16-Sep-2009
September in Geneva  – 15-Sep-2009
MSRC Ecosystem Strategy  Website | RSS Feed
Announcing BlueHat v9: Through the Looking Glass  – 14-Sep-2009
Security Bulletins Advisories  Website | RSS Feed
Microsoft Security Advisory (975497): Vulnerabilities in SMB Could Allow Remote Code Execution – 9/17/2009  – 17-Sep-2009
Security Bulletins Comprehensive  Website | RSS Feed
Microsoft Security Advisory (975497): Vulnerabilities in SMB Could Allow Remote Code Execution  – 17-Sep-2009
MS09-047 – Critical: Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (973812) – Version:1.1  – 16-Sep-2009
Security Vulnerability Research and Defense  Website | RSS Feed
Update on the SMB vulnerability situation  – 18-Sep-2009
OffVis updated, Office file format training video created  – 14-Sep-2009
The Security Development Lifecycle  Website | RSS Feed
Two New Security Tools for your SDL tool belt (Bonus: a “7-easy-steps” whitepaper)  – 16-Sep-2009

Source: Microsoft Blogs

View full post on .:: Malware Info ::.

Posted in Internet Security | Comments (1)

Microsoft warns of new Windows zero-day bug

Microsoft today warned Windows users of a new unpatched vulnerability that attackers could exploit to steal information and dupe people into installing malware.

Full story: Network World on Security

Posted in Security | Comments Off


Time For Microsoft to EMET Their Own Dog Food

Microsoft continues to move on up from industry security laughingstock to role model. Today at BlackHat DC they released a new Attack Surface Analyzer tool, which helps developers scrutinize the parts of their applications that can be attacked. This sort of accounting is required under Microsoft's SDL, the Security Development Lifecycle, a process for developing secure software.

Since they were making SDL-related announcements, I asked them an SDL question.

A recently-revealed unpatched vulnerability in IE “bypasses” both DEP and ASLR, both of which are required by the SDL, by exploiting a DLL on the system not built to use DEP or ASLR. I asked if the SDL would be modified in some way related to this, and got a response from Steve Lipner, Senior Director of Security Engineering Strategy in Microsoft’s Trustworthy Computing Group:

The latest version of the SDL does include compiling with /dynamicbase [ed: which opts the binary into ASLR], however the version of .NET used in this exploit is an older version before this was a mandatory part of SDL. This is a good example of why we released EMET—it is an effective tool at bringing the latest mitigations to even older products. It's important to note, even for applications released since this was a requirement, exceptions may exist even in newer products, but that is determined on a case-by-case basis after extensive technical security review and senior level signoff. These exceptions are very unusual and typically deal with compatibility requirements with older or third party products.

To sum up a few relevant facts, users of up-to-date systems might be running software developed prior to the point when ASLR, and even DEP, were required. Microsoft’s advice in this case said that there was no downside to using EMET to force the affected component to use ASLR. I’m sure the number of similar components in a modern Windows system is very large.

So why should end users have to do the EMETing? And why should we wait until the next unpatched vulnerability to modify that component? This sounds like a job for Microsoft and Windows Update.

If an established component on Windows system, whether in .NET or in Office or some old SQL Server client, doesn’t support ASLR and/or DEP, Microsoft should find out if it can without side-effects. If so, I propose the use of a tool which, like the MSRT (Malicious Software Removal Tool), runs once a month with Patch Tuesday. This tool searches for specific installed programs which Microsoft has determined can be changed and changes them.

The time to reinforce your attack surface is before weaknesses are found in it, not in reaction to them. It must bother Microsoft to go back and fix old code that will "age out" of support before too long, but if the work proceeds backwards in time they will eventually reach a point where the mission is accomplished, and no Microsoft code will be so easily exploitable.



Full story: Security Watch

Posted in Security | Comments Off

Microsoft re-issues Outlook 2007 update after Dec. blunder

Nearly a month after it yanked an Outlook 2007 update over connection and performance problems, Microsoft has re-released the patch to correct its mistakes.

Full story: Computerworld Security News

Posted in Security | Comments Off

Microsoft turns to creative tactic to block IE attacks

Microsoft today turned to a new defensive measure to help users ward off ongoing attacks exploiting a known bug in IE.

Full story: Computerworld Security News

Posted in Security | Comments Off

Microsoft patches critical Windows drive-by bug

Microsoft today patched three vulnerabilities in Windows, one that could be exploited by attackers who dupe users into visiting a malicious Web site.

Full story: Computerworld Security News

Posted in Security | Comments Off

Microsoft Patch Tuesday – January 2011

Hello and welcome to this month's blog on the Microsoft patch release. This is a quiet month: the vendor is releasing two bulletins covering a total of three vulnerabilities. One of the issues is rated ‘Critical’ and affects Microsoft Data Access Components (MDAC). The remaining two issues are rated ‘Important’; one affects MDAC and the other is a previously public issue in Windows Backup Manager.

Attackers can exploit all of these issues to execute arbitrary code. As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.

- Run all software with the least privileges required while still maintaining functionality.

- Avoid handling files from unknown or questionable sources.

- Never visit sites of unknown or questionable integrity.

- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the January releases can be found here: http://www.microsoft.com/technet/security/bulletin/ms11-jan.mspx

The following is a breakdown of the issues being addressed this month:

1. MS11-002 Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution (2451910)

CVE-2011-0026 (BID 45695) Microsoft Data Access Components Data Source Name Buffer Overflow Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Microsoft Data Access Components due to how it validates third-party API usage. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft Data Access Components 2.8 SP1, 2.8 SP2, and 6.0

CVE-2011-0027 (BID 45698) Microsoft Data Access Components ActiveX Data Objects Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Microsoft Data Access Components due to how it validates memory allocation when handling internal data structures. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft Data Access Components 2.8 SP1, 2.8 SP2, and 6.0

2. MS11-001 Vulnerability in Windows Backup Manager Could Allow Remote Code Execution (2478935)

CVE-2010-3145 (BID 42763) Microsoft Windows Backup 'fveapi.dll' DLL Loading Arbitrary Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 8.5/10)

A previously public (Aug 26, 2010) remote code-execution vulnerability affects Microsoft Backup Manager due to how it loads DLL files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a ‘.wbcat’ file from a remote SMB or WebDAV share. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Windows Vista SP1, SP2, x64 Edition SP1, and x64 Edition SP2

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

Full story: Symantec Connect – Security Response – Blog Entries

Posted in Antivirus | Comments Off

Microsoft Patch Day: is that all?

Yesterday Microsoft released 17 security bulletins, finally fixing the last 0day flaw exploited by Stuxnet malware which had been left open up until now. In all, 7 out of 38 flaws fixed by Microsoft were already disclosed publicly and they allowed both remote code execution and elevation of privilege.

Microsoft patched some of its software that was vulnerable to the flaw disclosed last August, the insecure DLL loading issue. We discussed that vulnerability in a dedicated blog post in August, where we already said it shouldn't be considered a vulnerability of the operating system itself but a coding error by the application developers.

Finally, Microsoft patched the long-discussed and well-known Windows Task Scheduler exploit used by the Stuxnet malware to gain administrative privileges. With this update, all of the 0day exploits used by Stuxnet have now been fixed.

The Task Scheduler exploit had been known since September, and a working proof-of-concept exploit was released publicly in November, allowing malware writers to use it in their code to escape limited-account and UAC restrictions.

In a Microsoft blog post written on 9th December 2010, Mike Reavey of the Microsoft Security Response Center wrote that the 0day exploit affecting the Windows Task Scheduler had not been used anywhere other than in the Stuxnet malware. Contrary to this, we have had reports of the infamous TDL4 rootkit exploiting the same flaw since the first days of December 2010, a topic we covered in a previous blog post. In any case, the flaw has now been fixed and TDL4 will need to find other ways to elevate its privileges when dropped on a victim's PC.

With this massive security update Microsoft patched many flaws that could be exploited by malware. Is that all? Actually, no. This update still leaves open a privilege-escalation flaw, the one we discussed in a previous blog post here, relating to the win32k.sys stack overflow.

This is bad, and it becomes even more dangerous because exploit code for this vulnerability has already been disclosed publicly; we should expect malware to start using it for malicious purposes very soon. Now that the Windows Task Scheduler flaw has been closed, this other exploit will probably be in the spotlight until Microsoft releases a patch for it.

Looking at malware like the TDL4 rootkit, its development trend suggests that the authors will adopt this exploit very soon, once again giving the rootkit the ability to elevate its privileges automatically and infect both x86 and x64 versions of the Microsoft Windows operating system.

Prevx customers are already protected against this Windows 0day exploit, as are users of the free Prevx version. So, while waiting for the Microsoft patch, why not give Prevx a try and stay protected from this exploit?


View the original article at Prevx Blog

Posted in Prevx | Comments Off

New year, new exploits: 0-day found in Microsoft Graphical Rendering Engine

A new, potentially critical vulnerability in Microsoft Windows has come to our attention at Websense Security Labs. A specially-crafted Microsoft Office document can cause the GRE (Graphical Rendering Engine) to crash simply by opening a folder containing the file with Windows Explorer, or clicking on a Word or PowerPoint document email attachment. A compromised Web site can contain a link to an online WebDAV folder holding a malicious document which then opens automatically with Explorer when user clicks on the link.

…(read more)

Full story: Security Labs

Posted in Antivirus | Comments Off

IE zero-day bug leads to squabble between Microsoft, researcher



[Editor's Note: The original version of this story was published before receiving proper vetting, and many of you rightly chastised us for it. We apologize and present the following coverage, which more completely examines the issue.]

Microsoft is at odds with a researcher employed by Google who published a zero-day Internet Explorer vulnerability on New Year’s Day. The vulnerability was discovered using cross_fuzz, a browser fuzzing tool created by Google researcher Michal Zalewski, who says he gave Microsoft more than six months of warning before going public with the flaw. That hasn’t stopped Microsoft from sharply disagreeing, however, with the company arguing that Zalewski has now put thousands of IE users at risk.

According to Zalewski’s published timeline of events, he first told Microsoft about the vulnerability in July of last year and provided the company with copies of cross_fuzz for independent verification. Zalewski informed the company that he planned to release the tool in January, and Microsoft acknowledged the report at that time—confirmed on Tuesday by Microsoft spokesperson Jerry Bryant.

Microsoft said it was unable to reproduce any problems using the cross_fuzz tool upon being informed of the issue in July, despite Zalewski’s insistence that he saw “multiple crashes and GDI corruption issues” in IE. The company claims it was only notified on December 21 of a new version of cross_fuzz that could cause a potentially exploitable crash.

Microsoft immediately issued Security Advisory (2488013), confirming that the vulnerability impacted all supported versions of IE. Microsoft explained that the vulnerability exists due to the creation of uninitialized memory during a CSS function within the browser, making it possible for the memory to be leveraged by an attacker with a specially crafted webpage.

“We immediately worked to reproduce the issue with the updated and original tool and are currently investigating it further to determine if it is actually exploitable,” Bryant told Ars.

This is when the stories diverge, however. Zalewski says he heard virtually nothing from Microsoft until mid-December, at which point others were able to reproduce the problem, including by means of the original cross_fuzz version used last July. According to Zalewski, Microsoft was suddenly concerned about the potential PR fallout and claimed the IE problems only surfaced after he had updated his code. Zalewski said he confirmed that the problem was unchanged by running both the new and old versions of the fuzzer and told Microsoft again that he planned to release the tool in January.

“Response from [Microsoft Security Research Center] confirms that these crashes are reproducible with the July 29 fuzzer; unclear why they were unable to replicate them earlier, or follow up on the case,” Zalewski wrote on December 29. As promised, he released the fuzzer on January 1.

Now, Microsoft is accusing Zalewski of increasing the risk to IE users—the company says attackers may find a way to exploit the flaw before a patch can be tested and distributed. Zalewski insists that Microsoft knew about the flaw and his plan to release in January for more than six months, however, and did nothing until it was almost too late.

Whichever way this he-said, she-said fight ends up, Microsoft says it’s actively monitoring the situation and plans to issue a patch soon.




Full story: Security

Posted in Security | Comments Off

Microsoft, Googler tussle over bug timeline

Microsoft and a Google security engineer are sparring over a bug the researcher reported to Microsoft last July.

Full story: Computerworld Security News

Posted in Security | Comments Off

Zero-day Windows exploit – Microsoft issues advisory

Microsoft has just published an advisory about a remotely-exploitable vulnerability in the Windows graphics rendering engine. A patch isn’t available yet, but with Patch Tuesday just a week away, we can hope that it will be knocked on the head then.

The bug was presented as a sort of "hacker case study" at a recent hacking convention in Korea, and a working exploit was recently added to the freely available Metasploit Framework by a developer named jduck.

Fortunately, the Metasploit exploit code is rather limited, officially targeting only Windows 2000 and Windows XP SP3, but it does serve as a documented proof-of-concept for anyone who cares to study it.

According to jduck (no relation to me – his real name is Joshua Drake, geddit?), the vulnerability exists in code which processes a DIB (device-independent bitmap), allowing a “stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents.”

This isn’t the first time that Microsoft has been hit by security problems processing graphical objects.

A calculation flaw in handling JPEG files led to a remotely exploitable hole in September 2004, a long-forgotten feature-turned-bug in WMF (Windows Metafile) handling forced an out-of-band security fix in January 2006, and in August 2010, bitmap-handling code was the culprit in a kernel vulnerability which allowed unprivileged users to crash Windows computers at will.

Sadly, our increasing insistence that everything we see on the internet be served up in a sea of graphical gewgaws comes with considerable risk: greatly increased code complexity, the unrelenting enemy of computer security.

Full story: Naked Security – Sophos

Posted in Antivirus | Comments Off

Microsoft Windows vulnerable to new type of attack (Reuters)

Reuters – Some versions of Microsoft Corp’s Windows operating system are vulnerable to attack from hackers exploiting a flaw in the software that could allow them to remotely take control of a personal computer.

Full story: Yahoo! News: Security News

Posted in Security | Comments Off

Targeted attacks against recently addressed Microsoft Office vulnerability (CVE-2010-3333/MS10-087)

Last November, Microsoft released security bulletin MS10-087, which addresses a number of critical vulnerabilities in how Microsoft Office parses various office file formats. One of them is CVE-2010-3333, “RTF Stack Buffer Overflow Vulnerability,” which could lead to remote code execution via specially crafted RTF data. A few days before Christmas, we received a new sample (sha1: cc47a73118c51b0d32fd88d48863afb1af7b2578) that reliably exploits this vulnerability and is able to execute malicious shellcode which downloads other malware.

The vulnerability is triggered by a specially crafted RTF file carrying a size parameter larger than expected. The flaw is in Microsoft Word, which copies the RTF data into a stack buffer without validating that size, so the copy runs past the buffer and overwrites the stack.


Figure 1.10 

After the code in figure 1.10 executes, the stack has been overwritten with the first part of the shellcode. The challenge for the exploit writer here is to make sure that the shellcode gets control. In this sample, one of the saved return addresses is overwritten with an address inside a DLL that is loaded at a predictable location in memory. That address holds a single instruction, JMP ESP, which transfers control to the stack memory containing the first shellcode.

Let’s take a look at the first shellcode: 


Figure 1.20 

The code above uses a brute-force method to find the entry point of the second shellcode by searching for the string "pingping", starting from the hardcoded address 0x500000. To avoid raising exceptions while walking these memory pages, it first checks whether each page is accessible by calling NtAccessCheckAndAuditAlarm() via Int 2Eh, passing EAX = 2h (the NtAccessCheckAndAuditAlarm system call ordinal) and the page address in EDX. The call returns STATUS_ACCESS_VIOLATION in EAX if the page is not accessible, in which case the hunter moves on to the next page.

The second shellcode starts by decrypting the rest of its code and strings with an XOR operation using constant keys. It then resolves the addresses of the APIs it needs, downloads the malware from a remote location, and executes it. In our sample, it attempts to download a file named svchost.exe and saves it as <system folder>\a.exe (detected as Trojan:Win32/Turkojan.C).
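The two stages just described, replayed in Python on a constructed memory image. This is an added example, not MMPC's analysis code and not the malware's own code: the process layout, the unmapped page, the single-byte XOR key 0x5A, the known-plaintext "svchost" used to recover it and the URL under example.invalid are all assumptions made for illustration (the sample uses constant keys of unstated width, and its real download location is not given above). Stage 1 walks memory from 0x500000 looking for "pingping" and skips pages the probe reports as inaccessible, standing in for the NtAccessCheckAndAuditAlarm trick; stage 2 XOR-decodes the bytes after the marker and pulls out the strings an analyst would want, such as the download URL and drop path.

```python
"""Replay of the two-stage shellcode behaviour (egg hunt, then XOR decode).

Added example on a constructed memory image; not the MMPC analysis code or the malware.
Assumptions: single-byte XOR key, "svchost" as known plaintext, hypothetical URL.
"""

PAGE = 0x1000
TAG = b"pingping"          # marker the first shellcode searches for
HUNT_START = 0x500000      # hardcoded start address used by the first shellcode


class MemoryImage:
    """Flat slice of a process address space; some pages are marked unmapped."""

    def __init__(self, base, data, unmapped_pages=()):
        self.base = base
        self.data = data
        self.unmapped = set(unmapped_pages)

    def page_accessible(self, addr):
        # Stand-in for the NtAccessCheckAndAuditAlarm probe: False means STATUS_ACCESS_VIOLATION.
        page = addr & ~(PAGE - 1)
        return self.base <= page < self.base + len(self.data) and page not in self.unmapped

    def read(self, addr, n):
        off = addr - self.base
        return self.data[off:off + n]


def egg_hunt(mem, start=HUNT_START):
    """Stage 1: scan forward from `start`; return the address just past TAG, or None."""
    addr = start
    end = mem.base + len(mem.data)
    while addr < end:
        if not mem.page_accessible(addr):
            addr = (addr & ~(PAGE - 1)) + PAGE   # skip the whole page, as the shellcode does
            continue
        if mem.read(addr, len(TAG)) == TAG:
            return addr + len(TAG)
        addr += 1
    return None


def xor_decode(blob, key):
    """Stage 2 primitive: XOR every byte with one constant key (assumed single-byte)."""
    return bytes(b ^ key for b in blob)


def recover_key(blob, known_plaintext):
    """Brute-force the single-byte key using a string expected in the decoded payload."""
    for key in range(256):
        if known_plaintext in xor_decode(blob, key):
            return key
    return None


def extract_strings(data, min_len=6):
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    out, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            out.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


def run_stages(mem, known=b"svchost", window=256):
    """Egg hunt, then key recovery and decoding of the bytes following the marker."""
    stage2 = egg_hunt(mem)
    if stage2 is None:
        return None
    blob = mem.read(stage2, window)
    key = recover_key(blob, known)
    if key is None:
        return {"stage2_addr": stage2, "key": None, "strings": []}
    return {"stage2_addr": stage2, "key": key, "strings": extract_strings(xor_decode(blob, key))}


def build_sample(key=0x5A):
    """Constructed process image: two empty pages, one unmapped page, then filler + TAG + stage 2."""
    # Hypothetical download URL, plus the drop name described above (<system folder>\a.exe).
    stage2_plain = b"\x90" * 16 + b"http://example.invalid/svchost.exe\0" + b"\\a.exe\0" + b"\xCC" * 8
    data = bytearray(b"\x00" * (3 * PAGE))
    data += b"A" * 0x200 + TAG + xor_decode(stage2_plain, key)
    data += b"\x00" * (PAGE - len(data) % PAGE)
    return MemoryImage(HUNT_START, bytes(data), unmapped_pages={HUNT_START + 2 * PAGE})


if __name__ == "__main__":
    print(run_stages(build_sample()))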

Microsoft detects this exploit as Exploit:Win32/CVE-2010-3333.

We recommend customers that have not yet installed the security update MS10-087 to do so at their earliest convenience.

For reference, here’s a list of some SHA1s we’ve seen related to these targeted attacks:

  • 00d9af54c5465c28b8c7a917c9a1b1c797b284ab
  • 24ee459425020ea61a10080f867529ea241c51dc
  • 2e6abd663337c76379ae26b8aa6cf4db98137b64
  • 77637eccf9011d420cccc520bcb3ed0cf907dc00
  • CC47A73118C51B0D32FD88D48863AFB1AF7B2578

– Rodel Finones

Full story: Microsoft Malware Protection Center

Posted in Antivirus | Comments (1)


Malicious .RTF Files Exploit Microsoft Office Vulnerability

A stack-based buffer overflow vulnerability in Microsoft Office was recently discovered to have been actively exploited in the wild. Trend Micro now detects the exploit .RTF files as TROJ_ARTIEF.SM.

The malicious .RTF files carry shellcode and overflow a stack buffer in Microsoft Word. At minimum the corrupted stack crashes Word; with a chosen return address, the overflow lets an attacker execute arbitrary code on the affected system.


From the screenshot above, we can see that the malware used a NOP sled in the overflowed buffer so that execution lands reliably in its code, which then runs in the context of Microsoft Word. The malware we encountered dropped another malicious file, detected as TROJ_INJECT.ART.

One of the more serious concerns is that a malicious user could send an RTF email to target users. Since Microsoft Outlook uses Word to handle email messages, the mere act of opening or viewing specially crafted messages in the reading pane may cause the exploit code to execute.

Microsoft already released an update to address the said vulnerability. Users are strongly advised to download and install the patch, which can be found in the official bulletin MS10-087. This was issued as part of November’s Patch Tuesday.


– Karl Dominguez (Threat Response Engineer) on TrendLabs | Malware Blog – by Trend Micro

Posted in Antivirus | Comments Off

Microsoft BPOS configuration screw up causes data disclosure



Customers of Microsoft’s Business Productivity Online Suite—a cloud-based suite including Exchange, SharePoint, LiveMeeting, and Office Communicator—may have had certain data leaked after a configuration error left their contact information exposed.

The configuration problem left information in customers’ Offline Address Books exposed to other customers. The Offline Address Book is an Exchange feature that allows Outlook users to download a copy of all the e-mail addresses and mailing list aliases that an organization uses, so that they can be used even when disconnected from Exchange. It’s e-mail addresses on those lists that could have been made available.

Microsoft says that it fixed the configuration problem within two hours of discovering the problem, and that only a small number of illegitimate downloads occurred. However, the company didn’t say when the faulty configuration was pushed to its servers, so it’s not known how long the problem has existed. The company says it has notified all affected customers.

As data breaches go, this one was quite limited. No e-mails or documents were disclosed, nor were any personal contacts. Still, the disclosure of corporate address books is something of an unfortunate black eye for the company as it strives to expand its cloud services market. Microsoft is positioning the next version of BPOS, named Office 365, as a complete package to compete with the likes of Google Apps.

This setback is unlikely to impede the growth of cloud services, but it does highlight one of the risks they bring. A similar configuration problem on a private Exchange server would expose the address book only to that organization's own users; sharing infrastructure across tenants brings risks that do not exist on private installations.

As the use of cloud services proliferates, this kind of issue is likely to be a regular occurrence. Cloud services bring many conveniences—freedom from having to administer an Exchange server is no small thing—but those upsides will have to be balanced against the unique downsides that cloud systems bring.




– on Security

Posted in Security | Comments Off

Microsoft confirms critical IE bug, works on fix

Microsoft late Wednesday confirmed that all versions of Internet Explorer (IE) contain a critical vulnerability that attackers can exploit by persuading users to visit a rigged Web site. – on Computerworld Security News

Posted in Security | Comments Off


IE 0-Day Shows Microsoft Developer Error

After blogging about the new unpatched vulnerability in Internet Explorer I became curious about something: Why wasn’t mscorie.dll linked with the /DYNAMICBASE option? This option enables ASLR (Address Space Layout Randomization), the absence of which is the door through which the exploit walks into remote code execution land.

mscorie.dll is identified as the "Microsoft .NET IE MIME Filter." A knowledge base article describing the interactions between IE and .NET explains its function:

The .NET Framework includes two components that handle the .NET Framework components in Internet Explorer. The first component, Mscorie.dll, contains a Multipurpose Internet Mail Extensions (MIME) Type Filter. This filter hooks into Internet Explorer and monitors all incoming data streams with the MIME type application/octet-stream. A primary role of this startup shim is to examine the incoming stream to see whether or not the stream is managed code. If the filter determines that the incoming data is not managed code, the filter allows Internet Explorer to handle the data the way that it did formerly.

As a workaround, Microsoft recommended that users "rebase" all DLLs used by Internet Explorer with their EMET tool, which forces ASLR on modules that did not opt in. This has much the same effect on the DLL as if the developers had used /DYNAMICBASE at link time. But if there was a good reason why they didn't use it, there may be side effects of the change that we should know about. And if there is no reason why, why not?

I asked Microsoft about this and the response from Dave Forstrom, Director, Trustworthy Computing, was:

Microsoft’s analysis does not indicate any potential problems by rebasing mscorie.dll.

So why didn’t they do it to begin with? It turns out that /DYNAMICBASE is only recommended and not required by the Microsoft SDL (Security Development Lifecycle). That, in and of itself, is not a reason not to do it, but it’s a reason why it might pass inspection.

Still, a DLL loaded at a fixed base is one of only a few ways around the combination of DEP+ASLR, and a single non-randomized module is all an exploit needs. I would expect Microsoft to start flushing out cases like these and rebasing the files where possible. One caveat: forcing ASLR from outside, as EMET does, works by relocating the image at load time, so it only helps for modules that still carry relocation data; a module whose relocations were stripped cannot be moved and has to be relinked. If there's no reason why you shouldn't run EMET for this, then there's no reason Microsoft shouldn't have used /DYNAMICBASE.
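A checker for exactly the question raised in this post and in the EMET piece above (whether an installed module was linked with /DYNAMICBASE and /NXCOMPAT), written as an added example in Python using only the standard library; it is not Microsoft's, EMET's or the SDL's code. It reads the DllCharacteristics word of the PE optional header, where the linker records both opt-ins, and also checks whether relocations were stripped, since that decides whether an EMET-style mandatory ASLR can relocate the module at all. The sample images are constructed header-only stubs, not real DLLs; the flag values and header offsets are the documented PE ones, and passing real file paths on the command line checks your own modules.

```python
"""Report ASLR (/DYNAMICBASE) and DEP (/NXCOMPAT) opt-ins recorded in a PE image's headers.

Added example, standard library only; the inline images are constructed stubs, not real DLLs.
"""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # linked with /DYNAMICBASE: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # linked with /NXCOMPAT: DEP opt-in
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # FileHeader.Characteristics: no relocations
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigations(image: bytes) -> dict:
    """Walk DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header.

    DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, _nsec, _ts, _symtab, _nsyms, _optsize, characteristics = struct.unpack_from(
        "<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    aslr = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr": aslr,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # Mandatory ASLR (EMET-style) can only move a module that still has relocation data.
        "forceable_by_emet": (not aslr) and (not relocs_stripped),
    }


def modules_without_aslr(modules: dict) -> list:
    """Given {name: image bytes}, list the modules a monthly sweep would flag for rebasing."""
    return sorted(name for name, img in modules.items() if not pe_mitigations(img)["aslr"])


def build_stub_image(dll_characteristics: int, file_characteristics: int = 0x2102,
                     pe32plus: bool = False) -> bytes:
    """Constructed stand-in for a DLL: only the header fields this checker reads are filled in.

    0x2102 = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL. Not a loadable binary.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size,
                       file_characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # real modules: python pe_mitigations.py C:\path\to\x.dll
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, pe_mitigations(f.read()))
    else:                                       # constructed stubs standing in for installed modules
        sample = {
            "aslr_and_dep.dll": build_stub_image(0x0140),
            "legacy_no_aslr.dll": build_stub_image(0x0100),
            "stripped_relocs.dll": build_stub_image(0x0000, file_characteristics=0x2103),
        }
        for name, img in sample.items():
            print(name, pe_mitigations(img))
        print("needs rebasing:", modules_without_aslr(sample))
```

Run without arguments it reports on the three stubs; run against real DLLs it tells you which ones a mandatory-ASLR policy could actually fix and which would need a relink.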



– on Security Watch

Posted in Security | Comments Off


Microsoft Quietly Retires Office Genuine Advantage

Microsoft has retired the Office Genuine Advantage program, according to KB Article 917999:

The Office Genuine Advantage (“OGA”) program has been retired.


Under OGA if you wanted to install certain updates, such as templates, you had to pass a software test to show that your copy of Office was not counterfeit. This is what doesn’t happen anymore. The downloads are unimpeded.

Microsoft still touts the advantages of genuine, non-pirated copies of Office for all the same reasons they always have, but the notifications program appears not to be worth the effort.

Hat tip to Ed Bott on ZDNet.

Ed shows that the news of OGA’s retirement hasn’t reached all areas of microsoft.com. The Windows Genuine Advantage program to validate Windows for certain updates and products is still alive and well.



– on Security Watch

Posted in Security | Comments Off

Microsoft Patch Tuesday – December 2010

Hello and welcome to this month's blog on the Microsoft patch release. This is another large release: the vendor is releasing 17 bulletins covering a total of 40 vulnerabilities.

Eight of the issues are rated ‘Critical’ and they affect Internet Explorer and the OpenType Font (OTF) format driver. The remainder of the issues are rated ‘Important’ or ‘Moderate’ and affect Publisher, Office, SharePoint, Windows, Windows kernel, Exchange, and Hyper-V. Included in this patch release is a fix for the last of the vulnerabilities Stuxnet was exploiting, the Windows Task Scheduler issue.

 As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.

- Run all software with the least privileges required while still maintaining functionality.

- Avoid handling files from unknown or questionable sources.

- Never visit sites of unknown or questionable integrity.

- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the December releases can be found here:

http://www.microsoft.com/technet/security/bulletin/ms10-dec.mspx

The following is a breakdown of the ‘Critical’ bulletins being addressed this month:

1. MS10-090 Cumulative Security Update for Internet Explorer (2416400)

CVE-2010-3340 (BID 45255) Microsoft Internet Explorer Uninitialized Object CVE-2010-3340 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Internet Explorer when it handles an object that has not been properly initialized or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user. Affects: Internet Explorer 6 and 7

CVE-2010-3342 (BID 45256) Microsoft Internet Explorer CVE-2010-3342 Cross Domain Information Disclosure Vulnerability (MS Rating: Moderate / Symantec Rating: 5.7/10)

A cross-domain information-disclosure vulnerability affects Internet Explorer because it incorrectly allows cached content to be rendered as HTML across domains. An attacker can exploit this issue by tricking an unsuspecting victim into visiting a Web page containing malicious content. A successful exploit will result in the disclosure of potentially sensitive information. Information obtained may aid in further attacks. Affects: Internet Explorer 6, 7, and 8

CVE-2010-3343 (BID 45259) Microsoft Internet Explorer Uninitialized Object CVE-2010-3343 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Internet Explorer when it handles an object that has not been properly initialized or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user. Affects: Internet Explorer 6

CVE-2010-3345 (BID 45260) Microsoft Internet Explorer Uninitialized HTML Element CVE-2010-3345 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Internet Explorer when it handles an object that has not been properly initialized or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user. Affects: Internet Explorer 8

CVE-2010-3346 (BID 45261) Microsoft Internet Explorer Uninitialized HTML Element CVE-2010-3346 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Internet Explorer when it handles an object that has not been properly initialized or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user. Affects: Internet Explorer 6, 7, and 8

CVE-2010-3348 (BID 45263) Microsoft Internet Explorer CVE-2010-3348 Cross Domain Information Disclosure Vulnerability (MS Rating: Moderate / Symantec Rating: 5.7/10)

A cross-domain information-disclosure vulnerability affects Internet Explorer because it incorrectly allows cached content to be rendered as HTML across domains. An attacker can exploit this issue by tricking an unsuspecting victim into visiting a Web page containing malicious content. A successful exploit will result in the disclosure of potentially sensitive information. Information obtained may aid in further attacks. Affects: Internet Explorer 6, 7, and 8

CVE-2010-3962 (BID 44536) Microsoft Internet Explorer CSS Tags Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.3/10)

A previously public (Nov 3, 2010), remote code-execution vulnerability affects Internet Explorer when storing a certain combination of Cascading Style Sheet (CSS) tags, resulting in a use-after-free condition. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user. Affects: Internet Explorer 6, 7, and 8

2. MS10-091 Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Remote Code Execution (2296199)

CVE-2010-3956 (BID 45311) Microsoft Windows OpenType Font (OTF) Driver Invalid Array Index Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.2/10)

A remote code-execution vulnerability affects the Windows OpenType Font (OTF) format driver when handling specially crafted OpenType fonts. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page, previewing an email, or opening a file containing malicious fonts. A successful exploit will result in the execution of arbitrary attacker-supplied code in kernel-mode; this may facilitate a complete compromise of an affected computer. Affects: Windows XP SP3, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP2 for Itanium-based systems, Windows Vista SP1, Windows Vista SP2, Windows Vista x64 Edition SP1, Windows Vista x64 Edition SP2, Windows Server 2008 for 32-bit systems, Windows Server 2008 for 32-bit systems SP2, Windows Server 2008 for x64-based systems, Windows Server 2008 for x64-based systems SP2, Windows Server 2008 for Itanium-based systems, Windows Server 2008 for Itanium-based systems SP2, Windows 7 for 32-bit systems, Windows 7 for x64-based systems, Windows Server 2008 R2 for x64-based systems, Windows Server 2008 R2 for Itanium-based systems

CVE-2010-3957 (BID 45315) Microsoft Windows OpenType Font (OTF) Driver Double-Free Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.2/10)

A remote code-execution vulnerability affects the Windows OpenType Font (OTF) format driver when handling specially crafted OpenType fonts. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page, previewing an email, or opening a file containing malicious fonts. A successful exploit will result in the execution of arbitrary attacker-supplied code in kernel-mode; this may facilitate a complete compromise of an affected computer. Affects: Windows XP SP3, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP2 for Itanium-based systems, Windows Vista SP1, Windows Vista SP2, Windows Vista x64 Edition SP1, Windows Vista x64 Edition SP2, Windows Server 2008 for 32-bit systems, Windows Server 2008 for 32-bit systems SP2, Windows Server 2008 for x64-based systems, Windows Server 2008 for x64-based systems SP2, Windows Server 2008 for Itanium-based systems, Windows Server 2008 for Itanium-based systems SP2, Windows 7 for 32-bit systems, Windows 7 for x64-based systems, Windows Server 2008 R2 for x64-based systems, Windows Server 2008 R2 for Itanium-based systems

CVE-2010-3959 (BID 45316) Microsoft Windows OpenType Font (OTF) Driver CMAP Table Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.2/10)

A remote code-execution vulnerability affects the Windows OpenType Font (OTF) format driver when handling specially crafted OpenType fonts. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page, previewing an email, or opening a file containing malicious fonts. A successful exploit will result in the execution of arbitrary attacker-supplied code in kernel-mode; this may facilitate a complete compromise of an affected computer. Affects: Windows XP SP3, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP2 for Itanium-based systems, Windows Vista SP1, Windows Vista SP2, Windows Vista x64 Edition SP1, Windows Vista x64 Edition SP2, Windows Server 2008 for 32-bit systems, Windows Server 2008 for 32-bit systems SP2, Windows Server 2008 for x64-based systems, Windows Server 2008 for x64-based systems SP2, Windows Server 2008 for Itanium-based systems, Windows Server 2008 for Itanium-based systems SP2, Windows 7 for 32-bit systems, Windows 7 for x64-based systems, Windows Server 2008 R2 for x64-based systems, Windows Server 2008 R2 for Itanium-based systems

More information on these and the other vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

– Robert Keith on Symantec Connect – Security Response – Blog Entries


Google, Microsoft distribute malware after domain name trickery



Ads served by DoubleClick (Google) and MSN (Microsoft) were distributing drive-by malware last week after attackers were able to trick the networks using a ploy from the phishers’ playbook: they masqueraded as a legitimate advertising provider by using a domain name that looked the same as the provider’s.

AdShuffle.com is a legitimate company selling ads to various ad networks, including DoubleClick and MSN. AdShufffle.com—three fs—is not, but it looks close enough to AdShuffle.com that the networks were tricked. These banner ads attempted to use a range of exploits (two Internet Explorer, one Java, and four Adobe Reader flaws, all of which are currently patched) to install the HDD Plus malware. HDD Plus is bogus disk diagnostic software; it warns of impending failures and says that to avoid trouble you should buy the full version.

Analysis of the attacks suggests that various obfuscation techniques were used to disguise the exploitation, and that as a result, antivirus software was having a hard time detecting and trapping the attacks. The offending ads have been pulled by the networks in question, but the people behind the attack have registered more domains and similar attempts are likely to occur in the future.

Phishing attacks aimed directly at end-users have long used this kind of look-alike URL to trick users into trusting content that they shouldn’t, and typo-squatting, relying on users misspelling URLs when they type them into their browser, is a long-standing phenomenon. Clearly these techniques work, but it’s a little disappointing that the gatekeepers at both DoubleClick and MSN fell for the same trick. The broad reach of these advertising networks means that exposure to the bad ads may have been significant, though neither network has disclosed exactly how many people were exposed to the ads in question.

In addition to exposing human flaws, the attacks show that the automated procedures used by the networks aren’t good enough; though the networks do claim to have malware filtering that detected the malware in question, this was not sufficient to prevent real-world exploitation.
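One automated check that would have caught a provider name one letter off from a vetted one is a near-miss comparison against an allowlist. The following is an added example, not code from the original article or from either ad network; the allowlist entries and the threshold of two edits are assumptions chosen for illustration.

```python
# Constructed allowlist of ad providers an ad-ops team has already vetted (example names only).
TRUSTED_PROVIDERS = {"adshuffle.com", "doubleclick.net"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum number of single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case and strip a trailing dot and leading 'www.' so they never mask a near-miss."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def classify_domain(domain: str, trusted=TRUSTED_PROVIDERS, max_distance: int = 2) -> dict:
    """'trusted' for an exact allowlist match, 'lookalike' when within max_distance edits of
    a trusted name without being equal to it, 'unknown' otherwise. A 'lookalike' verdict is
    the case to hold for human review rather than auto-approve."""
    d = normalize(domain)
    if d in trusted:
        return {"domain": d, "verdict": "trusted", "closest": d, "distance": 0}
    closest, dist = min(((t, levenshtein(d, t)) for t in trusted), key=lambda x: x[1])
    verdict = "lookalike" if dist <= max_distance else "unknown"
    return {"domain": d, "verdict": verdict, "closest": closest, "distance": dist}


if __name__ == "__main__":
    # Constructed submissions: the real provider, the three-f imposter, and an unrelated domain.
    for submitted in ("www.AdShuffle.com", "AdShufffle.com", "example.org"):
        print(classify_domain(submitted))
```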

This is not the first time that a company has been tricked into running malicious ads; last year, the New York Times’ Digital Advertising department ran Vonage ads that included drive-by malware. Tricking an advertising network such as DoubleClick or MSN allows for even more widespread distribution, making it likely that other networks will be similarly targeted; indeed, they may have been targeted already.


– on Security



Microsoft Pulls Problem Office Patch

Microsoft has pulled one of the updates from this past Patch Tuesday. Problems have been observed with Microsoft Outlook 2007 on certain configurations. I have personally observed some of them.

  1. Outlook may fail to connect if SPA (Secure Password Authentication) is configured for an account and the server doesn’t support SPA. Outlook connected to Google Apps is such a configuration.
  2. Performance problems may be observed switching between folders if the account is not connected to a Microsoft Exchange server. I have seen this with my Google Apps account.
  3. AutoArchive cannot be configured for IMAP, POP3, or Outlook Live Connector accounts unless there is also an Exchange account in the same profile.

If you are experiencing any of these problems, follow the instructions in the blog to remove the update. It’s a simple process.

Hat tip to the Internet Storm Center.

– on Security Watch


Microsoft Security updates for December

Our top 10 security stories of 2010

What computer security topics do our readers care about most? Take a look at our most popular articles and blog posts from the past year.

  1. Download free antivirus and antispyware software
  2. Safer surfing with SmartScreen filter
  3. How to recognize phishing email messages and links
  4. Avoid scams that use the Microsoft name fraudulently
  5. Microsoft Security Essentials vs. Windows Defender
  6. Hey! Did MSN hijack my browser?
  7. Watch out for fake virus alerts
  8. "I’ve been mugged. Send money!"
  9. Got a virus? Get free help fast
  10. Speed up your PC

Security updates for December 14, 2010
The bulletin for December includes 17 security updates, including updates for the Windows operating system, Microsoft Office, and the Windows Internet Explorer browser.

Microsoft security news

Watch out for fake "Security Essentials 2011"

Fake security software that claims to protect your PC from malicious software, but instead infects your PC with it, is on the rise. Watch out for fake "Microsoft Security Essentials 2011."

Preview the new Internet Explorer 9 privacy feature

With "Tracking Protection" in the next version of Internet Explorer, you can prevent companies from tracking your behavior online. Learn more about the new feature in this interview with two Microsoft security executives.

See the results of a recent Microsoft survey on cyberbullying

New research by Microsoft shows that parents and educators are concerned about cyberbullying, but it’s still not a top priority for schools. Read the complete findings.

Check out the Microsoft Safer Online team on Facebook

If you’re on Facebook and want to keep up with the latest security news, check out our Safer Online page. It’s full of great tips to help you and your family be safer online.

Protect your computer

Using the family PC to shop for a gift?

Cover your tracks with InPrivate Browsing in Internet Explorer 8, which removes all evidence of your browsing and search history.

Windows XP users: Avoid "Free Public Wifi" rogue software

If you use Windows XP and have tried to connect to a public wireless network, you might have seen a "Free Public Wifi" network available. Don’t connect – this is malicious software that will infect Windows XP-based computers without the latest security updates.

How to create strong passwords

Get the secrets to creating passwords that cybercriminals can’t crack – and you can remember. Plus, learn common password pitfalls to avoid.

Protect yourself and your family

6 rules for safer financial transactions online

Finishing up your holiday shopping online? Remember to follow these six basic rules to minimize the risks and help protect your credit card information.

Keep an eye on your kids’ Internet use

Your kids are online and you’re busy. Windows Live Family Safety can help. This free download lets you monitor your kids’ online activities, choose which websites they can visit, and even set time periods when they can use the computer.

Xbox 360 and Kinect: Your questions answered

Is your child using the new Kinect sensor to control the Xbox 360 entertainment system? Are you wondering about your child’s privacy and online safety when using the technology? This list of frequently asked questions and answers can address your concerns.

Security resources

About this Microsoft newsletter
Microsoft Security for Home Computer Users is a monthly newsletter bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive more technical security information, see the Microsoft Security Newsletter.

– on MalwareInfo.Org Blog
