December 2008 - Posts

US-CERT is aware of a public report describing how MD5 collisions can be leveraged to generate rogue SSL CA certificates. A rogue CA certificate could be used by an attacker to generate valid SSL certificates for arbitrary web sites. Using these certificates in DNS redirection attacks, an attacker could spoof an SSL protected web site and obtain sensitive information.  

US-CERT will provide additional information as it becomes available.

http://www.us-cert.gov/current/index.html#md5_hashing_algorithm_vulnerability

Posted Wed, Dec 31 2008 9:00 by Don

Issued: December 30, 2008

Security Advisories Updated or Released Today

 * Microsoft Security Advisory (961509)
  - Title: Research proves feasibility of collision
    attacks against MD5
  - http://www.microsoft.com/technet/security/advisory/961509.mspx
  - Revision Note: Advisory published

Websense® Security Labs™ ThreatSeeker™ Network has discovered that the download site under china.com has been compromised. Malicious code has been inserted into the homepage of the site. This code has been changing over the course of the last week, leading to different exploit sites. The exploits target Yahoo! Messenger, Adobe Flash, Real Player, and MS Office.

China.com is one of the largest and highly-reputed portal sites in China, providing broad services including social networking, forums, online TV, news feeds and so on.

At the time of posting this alert, the site is clean. Websense will continue to monitor this threat.

Posted Mon, Dec 29 2008 9:37 by Don

Trend Micro has released a patch to address a vulnerability in HouseCall 6.6. This vulnerability may allow an attacker to execute arbitrary code. Visitors to the publicly available HouseCall application may receive an older, vulnerable version of the control.

US-CERT encourages users to review Hot Fix B1285 and apply any necessary updates.

http://www.us-cert.gov/current/index.html#trend_micro_releases_updates_for

Posted Wed, Dec 24 2008 11:05 by Don

Websense® Security Labs™ ThreatSeeker™ Network has discovered that the Web site of John Sands Greeting Card Company is infected with a mass JavaScript injection that delivers a malicious payload. Multiple pages on the site have been found to contain the said malicious code.

John Sands is the largest greeting card company in Australasia, helping both Australians and New Zealanders to celebrate with a huge variety of cards and gift wrap items under their brand names such as John Sands, The Ink Group, Momentum Greetings and Creative Stationery. Acquired by American Greetings in 1996, the company was founded in 1837 by John Sands, the son of an English engraver. The company is Australia's second oldest registered company.

Posted Wed, Dec 24 2008 11:03 by Don

Issued: December 22, 2008

Security Advisories Updated or Released Today

 * Microsoft Security Advisory (961040)
  - Title: Vulnerability in SQL Server Could Allow
    Remote Code Execution
  - http://www.microsoft.com/technet/security/advisory/961040.mspx
  - Revision Note: Advisory published

Issued: December 18, 2008

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS08-078 - Critical

Bulletin Information:

* MS08-078 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx
  - Reason for Revision: V1.1 (December 18, 2008): Added unaffected
    server core notation for Windows Server 2008 for 32-bit
    Systems and Windows Server 2008 for x64-based Systems.
    Clarified the entry, in Frequently Asked Questions (FAQ)
    Related to This Security Update, about this out-band update
    and cumulative security updates for Internet Explorer.
    Finally, added an undo method for the workaround, Disable XML
    Island functionality. 
  - Originally posted: December 17, 2008
  - Updated: December 18, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.1

Issued: December 17, 2008

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS08-072 - Critical
  * MS08-069 - Critical

Bulletin Information:

* MS08-072 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-072.mspx
  - Reason for Revision: V1.1 (December 17, 2008): Changed the
    Microsoft Baseline Security Analyzer deployment summary to
    "no" for Microsoft Office Word 2000 Service Pack 3 in the
    Detection and Deployment Tools and Guidance section. Also,
    revised the bulletins replaced by this update for Microsoft
    Office Outlook 2007 and Microsoft Office Outlook 2007 Service
    Pack 1 in the Affected Software table. There were no changes
    to the security update binaries. 
  - Originally posted: December 9, 2008
  - Updated: December 17, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.1
   
* MS08-069 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx
  - Reason for Revision: V1.2 (December 17, 2008): Added log file
    entries in the Security Update Deployment section Reference
    table for Microsoft XML Core Services 6.0 when installed on
    Windows Server 2003 Service Pack 1, Windows Server 2003
    Service Pack 2, Windows Server 2003 x64 Edition, and Windows
    Server 2003 x64 Edition Service Pack 2. 
  - Originally posted: November 11, 2008
  - Updated: December 17, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.2

Issued: December 17, 2008

Security Advisories Updated or Released Today

 * Microsoft Security Advisory (961051)
  - Title: Vulnerability in Internet Explorer Could
    Allow Remote Code Execution
  - http://www.microsoft.com/technet/security/advisory/961051.mspx
  - Revision Note: December 17, 2008: Advisory updated to
    reflect publication of security bulletin. 

Published: December 9, 2008 | Updated: December 17, 2008

Note: There may be latency issues due to replication; if the page does not display, keep refreshing.
December 9

Today Microsoft released the following Security Bulletin(s). 

Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

December Bulletin Summary

Critical (7)

MS08-071 - Vulnerabilities in GDI Could Allow Remote Code Execution (956802)
MS08-075 - Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349)
MS08-073 - Cumulative Security Update for Internet Explorer (958215)
MS08-078 - Security Update for Internet Explorer (960714)
MS08-070 - Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349)
MS08-072 - Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (957173)
MS08-074 - Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070)

Important (2)

MS08-077 - Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175)
MS08-076 - Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807)

This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.

Fixed in Firefox 3.0.5

MFSA 2008-69 XSS vulnerabilities in SessionStore
MFSA 2008-68 XSS and JavaScript privilege escalation
MFSA 2008-67 Escaped null characters ignored by CSS parser
MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters
MFSA 2008-65 Cross-domain data theft via script redirect error message
MFSA 2008-64 XMLHttpRequest 302 response disclosure
MFSA 2008-63 User tracking via XUL persist attribute
MFSA 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)

http://www.mozilla.com/en-US/firefox/

Posted Tue, Dec 16 2008 18:53 by Don

Issued: December 16, 2008

This is an advance notification of an out-of-band security bulletin
that Microsoft is intending to release on December 17, 2008.

The full version of the Microsoft Security Bulletin Advance
Notification for December 2008 can be found at
http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx.

This bulletin advance notification will be replaced with the
revised December bulletin summary on December 17, 2008. The revised
bulletin summary will include the out-of-band security bulletin as
well as the security bulletins already released on December 9, 2008.

For more information about the bulletin advance notification service,
see
http://www.microsoft.com/technet/security/Bulletin/advance.mspx.

To receive automatic notifications whenever
Microsoft Security Bulletins are issued, subscribe to Microsoft
Technical Security Notifications on
http://www.microsoft.com/technet/security/bulletin/notify.mspx.

Microsoft will host two webcasts to address customer questions on
this out-of-band security bulletin: on December 17, 2008, at 1:00 PM
Pacific Time (US & Canada) and December 18, 2008, at 11:00 AM
Pacific Time. Register for these out-of-band Security Bulletin
Webcasts at
http://www.microsoft.com/technet/security/bulletin/summary.mspx.

Microsoft also provides information to help customers prioritize
monthly security updates with any non-security, high-priority
updates that are being released on the same day as the monthly
security updates. Please see the section, Other Information.

This advance notification provides the software subject as the
bulletin identifier, because the official Microsoft Security
Bulletin numbers are not issued until release. The bulletin summary
that replaces this advance notification will have the proper
Microsoft Security Bulletin numbers (in the MSyy-xxx format) as the
bulletin identifier. The security bulletins for this month are as
follows, in order of severity:


Critical Security Bulletin

IE Bulletin

  - Affected Software:
    - Internet Explorer 5.01 Service Pack 4 when installed on
      Microsoft Windows 2000 Service Pack 4
    - Internet Explorer 6 Service Pack 1 when installed on
      Microsoft Windows 2000 Service Pack 4
    - Internet Explorer 6 for
      Windows XP Service Pack 2 and
      Windows XP Service Pack 3
    - Internet Explorer 6 for
      Windows XP Professional x64 Edition and
      Windows XP Professional x64 Edition Service Pack 2
    - Internet Explorer 6 for
      Windows Server 2003 Service Pack 1 and
      Windows Server 2003 Service Pack 2
    - Internet Explorer 6 for
      Windows Server 2003 x64 Edition and
      Windows Server 2003 x64 Edition Service Pack 2
    - Internet Explorer 6 for
      Windows Server 2003 with SP1 for Itanium-based Systems and
      Windows Server 2003 with SP2 for Itanium-based Systems
    - Internet Explorer 7 for
      Windows XP Service Pack 2 and
      Windows XP Service Pack 3
    - Internet Explorer 7 for
      Windows XP Professional x64 Edition and
      Windows XP Professional x64 Edition Service Pack 2
    - Internet Explorer 7 for
      Windows Server 2003 Service Pack 1 and
      Windows Server 2003 Service Pack 2
    - Internet Explorer 7 for
      Windows Server 2003 x64 Edition and
      Windows Server 2003 x64 Edition Service Pack 2
    - Internet Explorer 7 for
      Windows Server 2003 with SP1 for Itanium-based Systems and
      Windows Server 2003 with SP2 for Itanium-based Systems
    - Internet Explorer 7 in
      Windows Vista and
      Windows Vista Service Pack 1
    - Internet Explorer 7 in
      Windows Vista x64 Edition and
      Windows Vista x64 Edition Service Pack 1
    - Internet Explorer 7 in
      Windows Server 2008 for 32-bit Systems
    - Internet Explorer 7 in
      Windows Server 2008 for x64-based Systems
    - Internet Explorer 7 in
      Windows Server 2008 for Itanium-based Systems

    - Note for Windows Internet Explorer 8 Beta 2
      This vulnerability was reported after the release of Windows
      Internet Explorer 8 Beta 2. Customers running Windows Internet
      Explorer 8 Beta 2 are encouraged to download and apply the
      update to their systems when the bulletin is published.

    - Impact: Remote Code Execution
    - Version Number: 1.0


Other Information

Non-Security, High-Priority Updates on MU, WU, and WSUS:

For information about non-security releases on Windows Update and Microsoft
update, please see:
* http://support.microsoft.com/kb/894199: Microsoft Knowledge Base
  Article 894199, Description of Software Update Services and
  Windows Server Update Services changes in content for 2008.
  Includes all Windows content.
* http://technet.microsoft.com/en-us/wsus/bb466214.aspx: New,
  Revised, and Released Updates for Microsoft Products Other Than
  Microsoft Windows

Issued: December 15, 2008

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS08-070 - Critical

Bulletin Information:

* MS08-070 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-070.mspx
  - Reason for Revision: V1.1 (December 15, 2008): Added an entry in
    the section, Frequently asked questions (FAQ) related to this
    security update, announcing that Microsoft has released a
    cumulative update for Microsoft Visual Basic 6.0 Service Pack
    6 (KB957924) that includes the update for Microsoft Visual
    Basic 6.0 Runtime Extended Files (KB926857) provided in this
    bulletin. This is an informational change only. There were no
    changes to the security update binaries in this bulletin. 
  - Originally posted: December 9, 2008
  - Updated: December 15, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.1

Issued: December 15, 2008

Security Advisories Updated or Released Today

 * Microsoft Security Advisory (961051)
  - Title: Vulnerability in Internet Explorer Could
    Allow Remote Code Execution
  - http://www.microsoft.com/technet/security/advisory/961051.mspx
  - Revision Note: December 15, 2008: Updated the workarounds,
    Disable XML Island functionality and Disable Row Position
    functionality of OLEDB32.dll.


 * Microsoft Security Advisory (960906)
  - Title: Vulnerability in WordPad Text Converter
    Could Allow Remote Code Execution
  - http://www.microsoft.com/technet/security/advisory/960906.mspx
  - Revision Note: December 15, 2008: Updated the workaround,
    Disable the WordPad Text Converter for Word 97.

Apple has released Security Update 2008-008 and Mac OS X v10.5.6 to address multiple vulnerabilities in Mac OS X and related products. The impacts of these vulnerabilities include arbitrary code execution, privilege escalation, denial of service, or information disclosure.

US-CERT encourages users to review Apple article HT3338 and apply the appropriate updates.

http://www.us-cert.gov/current/index.html#apple_releases_security_updates_for3

Posted Mon, Dec 15 2008 16:49 by Don

Issued: December 12, 2008

Security Advisories Updated or Released Today

 * Microsoft Security Advisory (961051)
  - Title: Vulnerability in Internet Explorer Could
    Allow Remote Code Execution
  - http://www.microsoft.com/technet/security/advisory/961051.mspx
  - Revision Note: December 12, 2008: Revised to correct
    operating systems that support Windows Internet Explorer 8
    Beta 2. Also added more workarounds and a reference to
    Microsoft Security Advisory (954462). 

Issued: December 11, 2008

Security Advisories Updated or Released Today

 * Microsoft Security Advisory (961051)
  - Title: Vulnerability in Internet Explorer Could
    Allow Remote Code Execution
  - http://www.microsoft.com/technet/security/advisory/961051.mspx
  - Revision Note: December 11, 2008: Revised to include
    Microsoft Internet Explorer 5.01 Service Pack 4, Internet
    Explorer 6 Service Pack 1, Internet Explorer 6, and Windows
    Internet Explorer 8 Beta 2 as potentially vulnerable
    software. Also added more workarounds.

Issued: December 10, 2008

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS08-075 - Critical
  * MS08-071 - Critical
  * MS08-069 - Critical
  * MS08-068 - Important

Bulletin Information:

* MS08-075 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-075.mspx
  - Reason for Revision: V1.1 (December 10, 2008): Corrected registry
    key in Workarounds for Windows Search Parsing Vulnerability -
    CVE-2008-4269 section. 
  - Originally posted: December 9, 2008
  - Updated: December 10, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.1
   
* MS08-071 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-071.mspx
  - Reason for Revision: V1.1 (December 10, 2008): Updated the
    Severity Ratings and Vulnerability Identifiers table to list
    the security impact for GDI Heap Overflow Vulnerability -
    CVE-2008-3465 as Remote Code Execution for Microsoft Windows
    2000 Service Pack 4, Windows XP Service Pack 2 and Windows XP
    Service Pack 3, Windows XP Professional x64 Edition and
    Windows XP Professional x64 Edition Service Pack 2, Windows
    Server 2003 Service Pack 1 and Windows Server 2003 Service
    Pack 2, Windows Server 2003 x64 Edition and Windows Server
    2003 x64 Edition Service Pack 2, and Windows Server 2003 with
    SP1 for Itanium-based Systems and Windows Server 2003 with
    SP2 for Itanium-based Systems. 
  - Originally posted: December 9, 2008
  - Updated: December 10, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.1
   
* MS08-069 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx
  - Reason for Revision: V1.1 (December 10, 2008): Removed the kill
    bit workaround from Workarounds for MSXML DTD Cross-Domain
    Scripting Vulnerability - CVE-2008-4029. Also added a note to
    the Supported Security Update Installation Switches tables
    clarifying that the /overwriteoem installation switch is not
    applicable for Microsoft XML Core Services 4.0 or Microsoft
    XML Core Services 6.0 when installed on Microsoft Windows
    2000 Service Pack 4, Windows XP Service Pack 2, Windows XP
    Professional x64 Edition, Windows XP Professional x64 Edition
    Service Pack 2, Windows Server 2003 Service Pack 1, or
    Windows Server 2003 Service Pack 2. 
  - Originally posted: November 11, 2008
  - Updated: December 10, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.1
   
* MS08-068 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms08-068.mspx
  - Reason for Revision: V1.2 (December 10, 2008): Added a link to
    Microsoft Knowledge Base Article 957097 under Known Issues in
    the Executive Summary and added a known issues entry to the
    Frequently Asked Questions (FAQ) Related to this Security
    Update section. 
  - Originally posted: November 11, 2008
  - Updated: December 10, 2008
  - Bulletin Severity Rating: Important
  - Version: 1.2

Google posted on Wednesday a handbook for Web developers that highlights the key security features and quirks of major Web browsers.

The document, dubbed the Browser Security Handbook, has three parts that tackle the security features in browsers and browser-specific issues that could lead to security weaknesses.

"Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities," Michal Zalewski, a developer at Google, stated in the introduction to the handbook. "Although all browsers implement roughly the same set of baseline features, there is relatively little standardization — or conformance to standards — when it comes to many of the less apparent implementation details."

http://www.securityfocus.com/brief/870

Posted Fri, Dec 12 2008 4:23 by Don

US-CERT is aware of public reports of an email scam circulating that is targeting holiday travelers. The email messages related to this scam appear to come from legitimate major airlines and contain a .zip attachment. This .zip attachment appears to contain a purchase invoice and flight ticket. If a user opens this attachment, malicious code may be installed on the system.

US-CERT encourages users to do the following to help mitigate the risks:

http://www.us-cert.gov/current/index.html#airline_ticket_email_scam

Posted Fri, Dec 12 2008 2:25 by Don