October 2008 - Posts

Websense® Security Labs™ ThreatSeeker™ Network has discovered that numerous Halloween-themed Web sites have been compromised as Halloween approaches and users are more likely to visit.

One particular example is a Web site selling Halloween costumes. The deobfuscation returned by ThreatSeeker shows that the JavaScript has multiple layers of obfuscation. The script contacts a malicious server in the .biz TLD. Within the ThreatSeeker network, we have seen almost ten thousand sites infected with the same obfuscation technique.

Details

Posted Fri, Oct 31 2008 13:20 by Don

OpenOffice.org has released bulletins to address two vulnerabilities. These bulletins address heap-based buffer overflow vulnerabilities in the processing of WMF and EMF files. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review the following OpenOffice.org security bulletins and apply the resolutions provided by the vendor:

http://www.us-cert.gov/current/index.html#openoffice_releases_two_security_bulletins

Microsoft has released Security Advisory 958963 to alert users that exploit code is publicly available for the Windows Server Service vulnerability addressed in Microsoft Security Bulletin MS08-067. The advisory states that this exploit code has demonstrated arbitrary code execution on Windows 2000, XP and Server 2003.

US-CERT encourages users and administrators to review Microsoft Security Advisory 958963 and apply the update or workarounds listed in Microsoft Security Bulletin MS08-067 to help mitigate the risks.

Additional information regarding the Windows Server Service vulnerability is available in:

http://www.us-cert.gov/current/index.html#microsoft_releases_security_advisory_958963

Published: October 14, 2008 | Updated: October 23, 2008 to add 1 Critical

MS08-067 - Vulnerability in Server Service Could Allow Remote Code Execution (958644)

Note: There may be latency issues due to replication; if the page does not display, keep refreshing.
October 23

Today Microsoft released the following Security Bulletin(s). 

Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

October Bulletin Summary

Critical (5)

MS08-067 - Vulnerability in Server Service Could Allow Remote Code Execution (958644)
MS08-060 - Vulnerability in Active Directory Could Allow Remote Code Execution (957280)
MS08-058 - Cumulative Security Update for Internet Explorer (956390)
MS08-059 - Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695)
MS08-057 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)

Important (6)

MS08-066 - Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803)
MS08-061 - Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)
MS08-062 - Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155)
MS08-063 - Vulnerability in SMB Could Allow Remote Code Execution (957095)
MS08-064 - Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841)
MS08-065 - Vulnerability in Message Queuing Could Allow Remote Code Execution (951071)

Moderate (1)

MS08-056 - Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)

This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin, you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.

Issued: October 22, 2008


This is an advance notification of an out-of-band security bulletin
that Microsoft is intending to release on October 23, 2008.

The full version of the Microsoft Security Bulletin Advance
Notification for October 2008 can be found at
http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx.

This bulletin advance notification will be replaced with the
revised October bulletin summary on October 23, 2008. The revised
bulletin summary will include the out-of-band security bulletin as
well as the security bulletins already released on October 14, 2008.

For more information about the bulletin advance notification service,
see
http://www.microsoft.com/technet/security/Bulletin/advance.mspx.

To receive automatic notifications whenever
Microsoft Security Bulletins are issued, subscribe to Microsoft
Technical Security Notifications on
http://www.microsoft.com/technet/security/bulletin/notify.mspx.

Microsoft will host a webcast to address customer questions on
this out-of-band security bulletin on October 23, 2008, at 1:00 PM
Pacific Time (US & Canada). Register for this out-of-band Security
Bulletin Webcast at
http://www.microsoft.com/technet/security/bulletin/summary.mspx.

Microsoft also provides information to help customers prioritize
monthly security updates with any non-security, high-priority
updates that are being released on the same day as the monthly
security updates. Please see the section, Other Information.

This advance notification provides the software subject as the
bulletin identifier, because the official Microsoft Security
Bulletin numbers are not issued until release. The bulletin summary
that replaces this advance notification will have the proper
Microsoft Security Bulletin numbers (in the MSyy-xxx format) as the
bulletin identifier. The security bulletins for this month are as
follows, in order of severity:


Critical Security Bulletin

Windows Bulletin

  - Affected Software:
    - Microsoft Windows 2000 Service Pack 4
    - Windows XP Service Pack 2 and
      Windows XP Service Pack 3
    - Windows XP Professional x64 Edition and
      Windows XP Professional x64 Edition Service Pack 2
    - Windows Server 2003 Service Pack 1 and
      Windows Server 2003 Service Pack 2
    - Windows Server 2003 x64 Edition and
      Windows Server 2003 x64 Edition Service Pack 2
    - Windows Server 2003 with SP1 for Itanium-based Systems and
      Windows Server 2003 with SP2 for Itanium based Systems
    - Windows Vista and
      Windows Vista Service Pack 1
    - Windows Vista x64 Edition and
      Windows Vista x64 Edition Service Pack 1
    - Windows Server 2008 for 32-bit Systems
      (Windows Server 2008 Server Core installation affected)
    - Windows Server 2008 for x64-based Systems
      (Windows Server 2008 Server Core installation affected)
    - Windows Server 2008 for Itanium-based Systems

    - Impact: Remote Code Execution
    - Version Number: 1.0


Other Information

Non-Security, High-Priority Updates on MU, WU, and WSUS:

For information about non-security releases on Windows Update and Microsoft
update, please see:
* http://support.microsoft.com/kb/894199: Microsoft Knowledge Base
  Article 894199, Description of Software Update Services and
  Windows Server Update Services changes in content for 2008.
  Includes all Windows content.
* http://technet.microsoft.com/en-us/wsus/bb466214.aspx: New,
  Revised, and Released Updates for Microsoft Products Other Than
  Microsoft Windows

SanDisk Corp. has stepped up its efforts to convince corporate users that USB sticks are a secure medium, adding built-in antivirus capability to its latest Cruzer drive.

Any files copied or saved to the latest Cruzer Enterprise USB drive will automatically be scanned by a McAfee heuristics algorithm and antivirus engine that loads every time the drive is used. If it detects infected files being copied from a PC, all further transfers will be disallowed from that machine, stopping their spread.

The feature addresses the oft-made accusation that USB sticks can act like the floppy drives of old, allowing malware to circumvent firewalls and gateways if an infected drive is brought back into the network.

Story at computerworld.com

Posted Wed, Oct 22 2008 12:49 by Don

Trend Micro has released a Critical Patch to address a vulnerability in OfficeScan. This vulnerability is due to a stack-based buffer overflow condition. By sending a specially crafted HTTP request containing form data to the server CGI module, an attacker may be able to execute arbitrary code on the affected system.

US-CERT encourages users and administrators to review Trend Micro Critical Patch Release overview for Build 1374 and Build 3110 and apply any necessary updates to help mitigate the risks.

http://www.us-cert.gov/current/index.html#trend_micro_officescan_critical_patch

F-Secure has released a Security Bulletin to address a vulnerability that affects a number of their products. This vulnerability is due to improper RPM parsing. Exploitation of this vulnerability may allow an attacker to execute arbitrary code.

US-CERT encourages users to review F-Secure Security Bulletin FSC-2008-3 and apply any necessary updates to help mitigate the risks.

http://www.us-cert.gov/current/index.html#f_secure_releases_security_bulletin

AVG Technologies, the first European software developer to provide free real-time protection against the stealthiest threats to today’s Internet users, today announces the availability of the first French language version of its popular and widely-used AVG Free 8.0 security software.

Full Press Release

Posted Tue, Oct 21 2008 14:16 by Don

Two researchers at the Swiss Federal Institute of Technology (EPFL) in Lausanne, Switzerland have surveyed 11 different wired computer keyboards and found that all leaked keystroke information.

The researchers, Martin Vuagnoux and Sylvain Pasini, used four different attacks to gather information at a distance of up to 20 meters via the electrical signals emitted from the keyboards. The antenna used by the researchers could read the data even through walls, Vuagnoux said.

Story continues at securityfocus.com

Posted Tue, Oct 21 2008 14:06 by Don

Issued: October 16, 2008

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS08-062 - Important

Bulletin Information:

* MS08-062 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms08-062.mspx
  - Reason for Revision: V2.1 (October 16, 2008): Added entry to the
    section, Frequently Asked Questions (FAQ) Related to This
    Security Update, to clarify that the Windows Internet
    Printing service runs in the context of the Spooler service,
    which runs under system privileges. Also, removed references
    to user rights in the Executive Summary and FAQ for Integer
    Overflow in IPP Service Vulnerability - CVE-2008-1446 sections. 
  - Originally posted: October 14, 2008
  - Updated: October 16, 2008
  - Bulletin Severity Rating: Important
  - Version: 2.1

Issued: October 15, 2008

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS08-062 - Important

Bulletin Information:

* MS08-062 - Important

 - http://www.microsoft.com/technet/security/bulletin/ms08-062.mspx
 - Reason for Revision: V2.0 (October 15, 2008): Removed the
    severity rating for Windows Server 2008 for Itanium-based
    Systems. Added Frequently Asked Questions (FAQ) Related to
    This Security Update entries to explain the reason for the
    rating change and to clarify that the update for Windows
    Server 2008 for Itanium-based Systems is available through
    the Microsoft Download Center. Also, changed the Microsoft
    Baseline Security Analyzer and Systems Management Server
    deployment summaries to "no" for Windows Server 2008 for
    Itanium-based Systems in the Detection and Deployment Tools
    and Guidance section. There were no changes to the security
    update binaries. 
 - Originally posted: October 14, 2008
 - Updated: October 15, 2008
 - Bulletin Severity Rating: Important
 - Version: 2.0

Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform. Due to the possibility that these security enhancements and changes may impact existing content, customers are advised to review this Adobe Developer Center article to determine if their content will be impacted, and to begin implementing necessary changes immediately to help ensure a seamless transition.

This update addresses the issue previously reported in Security Bulletin APSA08-08.

http://www.adobe.com/support/security/bulletins/apsb08-18.html

Issued: October 15, 2008

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS08-065 - Important
  * MS08-064 - Important
  * MS08-063 - Important
  * MS08-060 - Critical
  * MS08-059 - Critical
  * MS08-058 - Critical
  * MS08-057 - Critical
  * MS08-041 - Critical

Bulletin Information:

* MS08-065 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms08-065.mspx
  - Reason for Revision: V1.1 (October 15, 2008): Added a link in the
    Affected Software table to MS07-065, the bulletin replaced by
    this update. 
  - Originally posted: October 14, 2008
  - Updated: October 15, 2008
  - Bulletin Severity Rating: Important
  - Version: 1.1
   
* MS08-064 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms08-064.mspx
  - Reason for Revision: V1.1 (October 15, 2008): Corrected the link
    to a reference MSDN article in FAQ for Virtual Address
    Descriptor Elevation of Privilege Vulnerability - CVE-2008-4036. 
  - Originally posted: October 14, 2008
  - Updated: October 15, 2008
  - Bulletin Severity Rating: Important
  - Version: 1.1
   
* MS08-063 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms08-063.mspx
  - Reason for Revision: V1.1 (October 15, 2008): Bulletin updated to
    clarify that the updates for Windows Vista and Windows 2008
    do not require a restart, and to correct the registry key
    verification entry for Windows XP. 
  - Originally posted: October 14, 2008
  - Updated: October 15, 2008
  - Bulletin Severity Rating: Important
  - Version: 1.1
   
* MS08-060 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-060.mspx
  - Reason for Revision: V1.1 (October 15, 2008): Updated the
    Non-Affected Software table. 
  - Originally posted: October 14, 2008
  - Updated: October 15, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.1
   
* MS08-059 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-059.mspx
  - Reason for Revision: V1.1 (October 15, 2008): Added reference to
    Microsoft Knowledge Base Article 956695 to Known Issues in
    the Executive Summary section. Also, corrected the title of
    the HIS Command Execution Vulnerability (CVE-2008-3466) in
    the Acknowledgments section. 
  - Originally posted: October 14, 2008
  - Updated: October 15, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.1
   
* MS08-058 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-058.mspx
  - Reason for Revision: V1.1 (October 15, 2008): Corrected a
    registry key verification entry for Windows 2003, and
    corrected File Information links. 
  - Originally posted: October 14, 2008
  - Updated: October 15, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.1
   
* MS08-057 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-057.mspx
  - Reason for Revision: V1.1 (October 15, 2008): Changed the Systems
    Management Server detection and deployment summary to "yes"
    for all supported versions of Microsoft Office Excel Viewer
    2003 in the Detection and Deployment Tools and Guidance
    section. This is an informational change only. There were no
    changes to the security update binaries or detection logic. 
  - Originally posted: October 14, 2008
  - Updated: October 15, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.1
   
* MS08-041 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-041.mspx
  - Reason for Revision: V2.1 (October 15, 2008): Added reference to
    Microsoft Knowledge Base Article (KB957198) for SnapShot
    Viewer for Microsoft Access. Also, clarified that users who
    have successfully installed the update for Microsoft Office
    2000 Service Pack 3, Office XP Service Pack 2, or Office 2003
    Service Pack 2 or Office 2003 Service Pack 3 do not need to
    reinstall the update for the standalone Snapshot Viewer for
    Microsoft Access.  
  - Originally posted: August 12, 2008
  - Updated: October 15, 2008
  - Bulletin Severity Rating: Critical
  - Version: 2.1

Oracle has released their Critical Patch Update for October 2008 to address 36 vulnerabilities across several products. This update contains the following security fixes:

  • 15 updates for Oracle Database Suite
  • 6 updates for Oracle Application Server
  • 4 updates for Oracle E-Business Suite and Applications
  • 5 updates for Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne
  • 6 Updates for BEA Product Suite

US-CERT encourages users and administrators to review the Critical Patch Update for October 2008 and apply any necessary updates.

http://www.us-cert.gov/current/index.html#oracle_releases_critical_patch_update4

Issued: October 14, 2008

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS08-041 - Critical

Bulletin Information:

* MS08-041 - Critical

 - http://www.microsoft.com/technet/security/bulletin/ms08-041.mspx
 - Reason for Revision: V2.0 (October 14, 2008): Bulletin revised to
    include the update for Standalone Snapshot Viewer for
    Microsoft Access. 
 - Originally posted: August 12, 2008
 - Updated: October 14, 2008
 - Bulletin Severity Rating: Critical
 - Version: 2.0

Issued: October 14, 2008

Security Advisories Updated or Released Today

 * Microsoft Security Advisory (956391)
  - Title: Cumulative Security Update of ActiveX Kill Bits
  - http://www.microsoft.com/technet/security/advisory/956391.mspx
  - Revision Note: Advisory Published. 

Note: There may be latency issues due to replication; if the page does not display, keep refreshing.
October 14

Today Microsoft released the following Security Bulletin(s). 

Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

October Bulletin Summary

Critical (4)

MS08-060 - Vulnerability in Active Directory Could Allow Remote Code Execution (957280)
MS08-058 - Cumulative Security Update for Internet Explorer (956390)
MS08-059 - Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695)
MS08-057 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)

Important (6)

MS08-066 - Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803)
MS08-061 - Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)
MS08-062 - Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155)
MS08-063 - Vulnerability in SMB Could Allow Remote Code Execution (957095)
MS08-064 - Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841)
MS08-065 - Vulnerability in Message Queuing Could Allow Remote Code Execution (951071)

Moderate (1)

MS08-056 - Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)

This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin, you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.

Websense® Security Labs™ ThreatSeeker™ Network has discovered a new malicious spam lure that uses the threat of a virus to encourage users to download a malicious Trojan.

The email explains that by downloading the application linked within the email, users can protect themselves against a virus that spams messages to a user's contacts. The email offers an update to Live Messenger Plus - this is actually a Trojan (md5: 5F1D2521F6949F8B71B9FF93C17A8BE2). Antivirus detection rate is low.

Details ...

Posted Tue, Oct 14 2008 12:09 by Don

Apple has released Security Update 2008-007 to address multiple vulnerabilities in a number of applications. These vulnerabilities may allow an attacker to execute arbitrary code, conduct cross-site request forgery or cross-site scripting attacks, cause a denial-of-service condition, or operate with escalated privileges.

US-CERT encourages users and administrators to review Apple Article HT3216 and apply any necessary updates to help mitigate the risks.

http://www.us-cert.gov/current/index.html#apple_releases_security_update_20082
