DP's Security Bits

v.3.5.5, released November 5th, 2009

Fixes in this version

Microsoft Security Bulletin Advance Notification issued: November 5, 2009

Microsoft Security Bulletins to be issued: November 10, 2009

This is an advance notification of security bulletins that Microsoft is intending to release on November 10, 2009

3 rated Critical and 3 rated Important.

http://www.microsoft.com/technet/security/bulletin/ms09-nov.mspx

Issued: November 4, 2009

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS09-062 - Critical
* MS09-061 - Critical
* MS09-060 - Critical
* MS09-055 - Critical
* MS09-044 - Critical

Bulletin Information:

* MS09-062 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx
- Reason for Revision: V2.1 (November 4, 2009): Removed erroneous
references to Microsoft Office Visio Viewer 2007 as affected
software; corrected the setup switches for Microsoft .NET
Framework 1.1 and Microsoft .NET Framework 2.0; clarified the
entry, "If I have an installation of SQL Server, how am I
affected?" in the FAQ section; and corrected the removal
information for Microsoft Windows 2000.
- Originally posted: October 13, 2009
- Updated: November 4, 2009
- Bulletin Severity Rating: Critical
- Version: 2.1

* MS09-061 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-061.mspx
- Reason for Revision: V1.2 (November 4, 2009): Added an entry to
the Frequently Asked Questions (FAQ) Related to This Security
Update section to explain this revision. Customers who have
successfully installed this update do not need to reinstall.
- Originally posted: October 13, 2009
- Updated: November 4, 2009
- Bulletin Severity Rating: Critical
- Version: 1.2

* MS09-060 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-060.mspx
- Reason for Revision: V1.2 (November 4, 2009): Removed erroneous
references to Microsoft Office Visio Viewer 2007 as affected software.
- Originally posted: October 13, 2009
- Updated: November 4, 2009
- Bulletin Severity Rating: Critical
- Version: 1.2

* MS09-055 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-055.mspx
- Reason for Revision: V1.2 (November 4, 2009): Added three entries
in Frequently Asked Questions (FAQ) Related to This Security
Update to explain user options for Visio Viewer 2007 and
MS09-060. Also corrected the dll name for Visio Viewer in the
FAQ for CVE-2009-2493.
- Originally posted: October 13, 2009
- Updated: November 4, 2009
- Bulletin Severity Rating: Critical
- Version: 1.2

* MS09-044 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-044.mspx
- Reason for Revision: V2.1 (November 4, 2009): Added a new known
issues entry to the Frequently Asked Questions (FAQ) Related
to This Security Update section.
- Originally posted: August 11, 2009
- Updated: November 4, 2009
- Bulletin Severity Rating: Critical
- Version: 2.1

Available at: »java.sun.com/javase/downloads/index.jsp

Release notes: »java.sun.com/javase/6/webnotes/R···tes.html

Issued: November 2, 2009

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-054 - Critical

Bulletin Information:

* MS09-054 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx
- Reason for Revision: V2.0 (November 2, 2009): Revised to announce
the availability of a hotfix to address application
compatibility issues. Customers who have already applied this
update may install the hotfix from Microsoft Knowledge Base
Article 976749. Also corrected the log file names, spuninst
folder names, and registry key values for Microsoft Windows 2000.
- Originally posted: October 13, 2009
- Updated: November 2, 2009
- Bulletin Severity Rating: Critical
- Version: 2.0

The Microsoft Security Intelligence Report (SIR) provides an in-depth perspective on the changing threat landscape including software vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software. Using data derived from hundreds of millions of Windows computers, and some of the busiest online services on the Internet, this report also provides a detailed analysis of the threat landscape and the changing face of threats and countermeasures and includes updated data on privacy and breach notifications. The seventh volume of the report is now available:

http://www.microsoft.com/security/portal/Threat/SIR.aspx

On November 3, 2009, Sun will release the following security updates:

• JDK and JRE 6 Update 17
• JDK and JRE 5.0 Update 22
• SDK and JRE 1.4.2_24
• SDK and JRE 1.3.1_27

http://blogs.sun.com/security/entry/advance_notification_of_security_updates6

Issued: October 29, 2009

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS09-052 - Critical

Bulletin Information:

* MS09-052 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-052.mspx
- Reason for Revision: V1.1 (October 29, 2009): Removed a
workaround. Also added an entry in the section, Frequently
Asked Questions (FAQ) Related to This Security Update, to
clarify why some customers without Windows Media Player 6.4
on their systems may be offered this update.
- Originally posted: October 13, 2009
- Updated: October 29, 2009
- Bulletin Severity Rating: Critical
- Version: 1.1

Issued: October 28, 2009

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-062 - Critical

Bulletin Information:

* MS09-062 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx
- Reason for Revision: V2.0 (October 28, 2009): Added Microsoft
Office Visio Viewer 2007, Microsoft Office Visio Viewer 2007
Service Pack 1, and Microsoft Office Visio Viewer 2007
Service Pack 2 as affected software, and added SQL Server
2008 and SQL Server 2008 Service Pack 1 to the Non-Affected
Software table. Also added notes to the Affected Software
table for SQL Server 2005 customers with a Reporting Services
SharePoint dependency; corrected the MBSA detection entries
for Microsoft Report Viewer; and corrected the log file and
registry key verification information for Microsoft Internet
Explorer 6 Service Pack 1 when installed on Microsoft Windows
2000 Service Pack 4.
- Originally posted: October 13, 2009
- Updated: October 28, 2009
- Bulletin Severity Rating: Critical
- Version: 2.0

The Federal Deposit Insurance Corporation (FDIC) has released information warning the public about fraudulent email messages purporting to come from the FDIC. These email messages provides a link to a fraudulent FDIC website. Users are then instructed to download their "personal FDIC Insurance File."

More information regarding these messages can be found in the Federal Deposit Insurance Corporation's Consumer Alerts website.

Users are encouraged to take the following measures to protect themselves from this type of phishing scam:

Source: US-CERT

Firefox 3.5.4 is available for download.

Fixed in Firefox 3.5.4:

MFSA 2009-64 Crashes with evidence of memory corruption (rv:1.9.1.4/ 1.9.0.15)
MFSA 2009-63 Upgrade media libraries to fix memory safety bugs
MFSA 2009-62 Download filename spoofing with RTL override
MFSA 2009-61 Cross-origin data theft through document.getSelection()
MFSA 2009-59 Heap buffer overflow in string to number conversion
MFSA 2009-57 Chrome privilege escalation in XPCVariant::VariantDataToJS()
MFSA 2009-56 Heap buffer overflow in GIF color map parser
MFSA 2009-55 Crash in proxy auto-configuration regexp parsing
MFSA 2009-54 Crash with recursive web-worker calls
MFSA 2009-53 Local downloaded file tampering
MFSA 2009-52 Form history vulnerable to stealing

Issued: October 27, 2009

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-043 - Critical

Bulletin Information:

* MS09-043 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-043.mspx
- Reason for Revision: V2.0 (October 27, 2009): Bulletin revised to
communicate the rerelease of the update for Microsoft Office
2003 Service Pack 3 and Microsoft Office 2003 Web Components
Service Pack 3 to fix a detection issue. This is a detection
change only; there were no changes to the binaries. Customers
who have successfully updated their systems do not need to
reinstall this update.
- Originally posted: August 11, 2009
- Updated: October 27, 2009
- Bulletin Severity Rating: Critical
- Version: 2.0

Websense® Security Labs™ ThreatSeeker™ Network has discovered a new wave of malicious email attacks claiming to be a password reset confirmation from Facebook. The From: address on the messages is spoofed using support@facebook.com to make the messages believable to recipients. The messages contain a .zip file attachment with an .exe file inside. The .exe file currently has a detection rate of about 30 percent on VirusTotal. Our ThreatSeeker™ Network has seen up to 90,000 of these messages sent out so far today.

Alert Details

Issued: October 21, 2009

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS09-061 - Critical
* MS09-060 - Critical

Bulletin Information:

* MS09-061 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-061.mspx
- Reason for Revision: V1.1 (October 21, 2009): Corrected the
deployment information for Microsoft .NET Framework on all
supported releases of Microsoft Windows. This is an
informational change only. Customers who have successfully
installed this update do not need to reinstall.
- Originally posted: October 13, 2009
- Updated: October 21, 2009
- Bulletin Severity Rating: Critical
- Version: 1.1

* MS09-060 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-060.mspx
- Reason for Revision: V1.1 (October 21, 2009): Added entries to
the section, Frequently Asked Questions (FAQ) Related to This
Security Update, to describe the known issue update available
from KB974554, KB974556, or KB974234.
- Originally posted: October 13, 2009
- Updated: October 21, 2009
- Bulletin Severity Rating: Critical
- Version: 1.1

Oracle has released its Critical Patch Update for October 2009 to address 38 vulnerabilities across several products. This update contains the following security fixes:

• 16 for the Oracle Database
• 3 for the Oracle Application Server
• 8 for the Oracle E-Business Suite and Applications
• 4 for the Oracle PeopleSoft and JD Edwards Suite
• 6 for the Oracle BEA Products Suite
• 1 for the Oracle Industry Applications Products Suite

US-CERT encourages users and administrators to review the October Critical Patch Update and apply any necessary updates.

Source: US-CERT

Issued: October 19, 2009

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS09-054 - Critical
* MS09-053 - Important

Bulletin Information:

* MS09-054 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx
- Reason for Revision: V1.2 (October 19, 2009): Added a link to
Microsoft Knowledge Base Article 974455 under Known Issues in
the Executive Summary.
- Originally posted: October 13, 2009
- Updated: October 19, 2009
- Bulletin Severity Rating: Critical
- Version: 1.2

* MS09-053 - Important

- http://www.microsoft.com/technet/security/bulletin/ms09-053.mspx
- Reason for Revision: V1.1 (October 19, 2009): Removed the
acknowledgments section. Corrected the affected software and
severity tables to reclassify Windows XP Professional x64
Edition Service Pack 2 as running IIS 6.0.
- Originally posted: October 13, 2009
- Updated: October 19, 2009
- Bulletin Severity Rating: Important
- Version: 1.1

Issued: October 19, 2009

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS09-053 - Important

Bulletin Information:

* MS09-053 - Important

- http://www.microsoft.com/technet/security/bulletin/ms09-053.mspx
- Reason for Revision: V1.1 (October 19, 2009): Removed the
acknowledgments section. Corrected the affected software and
severity tables to reclassify Windows XP Professional x64
Edition Service Pack 2 as running IIS 6.0.
- Originally posted: October 13, 2009
- Updated: October 19, 2009
- Bulletin Severity Rating: Important
- Version: 1.1

Issued: October 18, 2009

Summary

The following bulletin has undergone a minor revision increment.

* MS09-054 - Critical

Bulletin Information:

* MS09-054 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx
- Reason for Revision: V1.1 (October 18, 2009): Revised the
Executive Summary and added FAQ entries for CVE-2009-2529 to
provide direction for Firefox users.
- Originally posted: October 13, 2009
- Updated: October 18, 2009
- Bulletin Severity Rating: Critical
- Version: 1.1

Websense® Security Labs™ ThreatSeeker™ Network has discovered a new wave of malicious attacks claiming to be an update for Microsoft Outlook Web Access (OWA). Victims receive a message leading to a site to apply mailbox settings which were supposedly changed due to a "security upgrade." The especially dangerous thing about these messages is that they are very deceiving. The messages and attack pages are personalized for the To: email address to imply the message is being sent from tech support of the domain. The URL in the email looks like it leads to the company's own OWA system. We have seen upwards of 30,000 of these messages per hour and they have low AV detection.

Alert Details

Issued: October 14, 2009

Security Advisory Updated or Released Today

* Microsoft Security Advisory (973811)
- Title: Extended Protection for Authentication
- http://www.microsoft.com/technet/security/advisory/973811.mspx
- Revision Note: V1.1 (October 14, 2009): Updated the FAQ
with information about a non-security update included in
MS09-054 relating to WinINET.