February 2009 - Posts

Cisco has released a Security Advisory to address multiple vulnerabilities in the ACE Application Control Engine Module, ACE 4710 Application Control Engine. These vulnerabilities may allow an attacker to obtain administrative level access, operate with escalated privileges, or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Cisco Security Advisory cisco-sa-20090225-ace and apply any necessary workarounds or updates to help mitigate the risks.

http://www.us-cert.gov/current/index.html#cisco_releases_security_advisory_for8

Issued: February 25, 2009

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS09-003 - Critical
  * MS08-076 - Important

Bulletin Information:

* MS09-003 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms09-003.mspx
  - Reason for Revision: V2.1 (February 25, 2009): Added a footnote
    in the Affected Software table, and modified two entries in
    the section, Frequently Asked Questions (FAQ) Related to This
    Security Update, relating to the Exchange System Management
    Tools for Exchange Server 2003. This is an informational
    change only. There were no changes to the security update
    files in this bulletin.
  - Originally posted: February 10, 2009
  - Updated: February 25, 2009
  - Bulletin Severity Rating: Critical
  - Version: 2.1

* MS08-076 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms08-076.mspx
  - Reason for Revision: V3.1 (February 25, 2009): Corrected registry
    key verification in the reference tables of this bulletin.
  - Originally posted: December 9, 2008
  - Updated: February 25, 2009
  - Bulletin Severity Rating: Important
  - Version: 3.1

Issued: February 25, 2009

Security Advisories Updated or Released Today

 * Microsoft Security Advisory (968272)
  - Title: Vulnerability in Microsoft Office Excel
    Could Allow Remote Code Execution
  - http://www.microsoft.com/technet/security/advisory/968272.mspx
  - Revision Note: February 25, 2009: Added Open XML File
    Format Converter for Mac to the affected software listed in
    the Overview section. Also, corrected the mitigating factors
    for the Web-based attack scenario.

Apple announced on Tuesday the public availability of its next browser, Safari 4, seemingly adding a host of new security features to the program along with speedier JavaScript processing and additional eye candy, such as Cover Flow.

The security features are not new, however. The company quietly added anti-malware and phishing protection, as well as support for extended validation certificates with its Safari 3.2 update last November. The quiet release of the security features in the previous version of Apple's browser explains why the company did not mark any of its list of 19 security features as new.


http://www.securityfocus.com/brief/915

Posted Wed, Feb 25 2009 17:01 by Don | with no comments

Release date: February 24, 2009

Summary

A potential vulnerability has been identified in Adobe Flash Player 10.0.12.36 and earlier that could allow an attacker who successfully exploits this potential vulnerability to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit this potential vulnerability. Additional vulnerabilities have been addressed in this update. Adobe recommends users update to the most current version of Flash Player available for their platform.

Affected software versions

Adobe Flash Player 10.0.12.36 and earlier (Adobe Flash Player 10.0.15.3 and earlier for Linux)

To verify the Adobe Flash Player version number, access the About Flash Player page, or right-click on Flash content and select “About Adobe (or Macromedia) Flash Player” from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Solution

Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87 by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted.

For users who cannot update to Flash Player 10, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.159.0, which can be downloaded from the following link.

Full Details

Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution

Published: February 24, 2009

Microsoft is investigating new public reports of a vulnerability in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability.

http://www.microsoft.com/technet/security/advisory/968272.mspx

Update for Windows Autorun
Published: February 24, 2009

Microsoft is announcing the availability of an update that corrects a functionality feature that can help customers in keeping their systems protected. The update corrects an issue that prevents the NoDriveTypeAutoRun registry key from functioning as expected.

When functioning as expected, the NoDriveTypeAutoRun registry key can be used to selectively disable Autorun functionality (e.g. AutoPlay, double click, and contextual menu features associated with Autorun) for drives on a user's system and network. Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file.

We encourage Windows customers to review and install this update. This update is available through automatic updating and from the download center. For more information about this issue, including download links for this non-security update, see Microsoft Knowledge Base Article 967715.

http://www.microsoft.com/technet/security/advisory/967940.mspx

US-CERT is aware of public reports concerning a new variant of the Conficker/Downadup worm, named Conficker B++. This variant propagates itself via multiple methods, including exploitation of the previously patched vulnerability addressed in MS08-067, password guessing, and the infection of removable media. Most significantly, Conficker B++ implements a new backdoor with "auto-update" functionality, allowing machines compromised by the new variant to have additional malicious code installed on them. According to Microsoft, there is no indication that systems infected with previous variants of Conficker can automatically be re-infected with the B++ variant.

US-CERT strongly encourages users to review Microsoft Security Bulletin MS08-067 and update unpatched systems as soon as possible.

Additionally, US-CERT recommends that users take the following preventative measures to help mitigate the security risks:

  • Install antivirus software, and keep the virus signatures up to date.
  • Review the Microsoft Malware Protection Center blog entry for details regarding the worm.
  • Review the Using Caution with USB Drives Cyber Security Tip for more information on protecting removable media.

http://www.us-cert.gov/current/index.html#new_variant_of_conficker_downadup

Posted Mon, Feb 23 2009 17:49 by Don | with no comments

Websense Security Labs™ ThreatSeeker™ Network has discovered that the official Web site of The American Society of Sydney, Australia has been compromised and is infecting site visitors with malicious code. The malicious code found on the main page of the site leads to an Adobe Reader PDF exploit such as CVE-2007-5659.

The American Society of Sydney (AMSOC) was founded in 1922 as a place for Americans living in Sydney to gather, meet, acclimate to life in and around Sydney and celebrate American culture from afar. It aims to help and support all Americans who have relocated to live and work in Sydney.

Full Alert

Posted Fri, Feb 20 2009 13:23 by Don | with no comments

A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited.

Adobe is planning to release updates to Adobe Reader and Acrobat to resolve the relevant security issue. Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009. Updates for Adobe Reader 8 and Acrobat 8 will follow soon after, with Adobe Reader 7 and Acrobat 7 updates to follow. In the meantime, Adobe is in contact with anti-virus vendors, including McAfee and Symantec, on this issue in order to ensure the security of our mutual customers. A security bulletin will be published on http://www.adobe.com/support/security as soon as product updates are available.

Full Bulletin

A new rogue anti-malware attack adds entries to your HOSTS file so that when you try to go to tech sites like PCMag.com, you are instead brought to its site and are shown its content.

Thanks to bleepingcomputer.com for pointing out a new rogue anti-malware attack with a twist: They add entries to your HOSTS file so that if you go to any of a number of technology sites, including pcmag.com, you are instead brought to their site and are shown their content. This content includes a PCMag review of their fake anti-malware product.

Full Story and Details
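
A defender-side check for the HOSTS-file redirection described above, as an added example that is not part of the original post or the linked story. The watchlist (only pcmag.com is named on this page), the sample file contents and the 203.0.113.x documentation addresses are constructed for illustration.

```python
import ipaddress

# Assumption: domains to protect. pcmag.com is named in the post;
# techsite.example is a constructed placeholder for "other tech sites".
WATCHLIST = {"pcmag.com", "techsite.example"}

# Constructed sample of a tampered HOSTS file (not taken from a real infection).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net      # local blocklist entry
203.0.113.45    www.pcmag.com pcmag.com
203.0.113.45    forum.techsite.example # trailing comment
not-an-ip       broken.example
"""

def audit_hosts(text, watchlist=WATCHLIST):
    """Return (line_no, hostname, address) for every watched name that the
    HOSTS file maps to something other than a loopback/unspecified address."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                          # blank or malformed line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first field is not an IP
        if addr.is_loopback or addr.is_unspecified:
            continue                          # sinkhole/blocklist style entries
        for name in fields[1:]:               # one line may carry several names
            host = name.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in watchlist):
                findings.append((lineno, host, str(addr)))
    return findings

if __name__ == "__main__":
    for lineno, host, addr in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} is pinned to {addr}")
```

On Windows the file to feed in is normally `%SystemRoot%\System32\drivers\etc\hosts`; any finding for a public site is worth investigating, since legitimate software rarely pins such names.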

Posted Thu, Feb 19 2009 14:06 by Don | with no comments

Issued: February 18, 2009

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS08-024 - Critical

Bulletin Information:

* MS08-024 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-024.mspx
  - Reason for Revision: V2.2 (February 18, 2009): Added unaffected
    server core notation for Windows Server 2008 for 32-bit
    Systems and Windows Server 2008 for x64-based Systems. 
  - Originally posted: April 8, 2008
  - Updated: February 18, 2009
  - Bulletin Severity Rating: Critical
  - Version: 2.2

US-CERT is aware of a public report indicating active exploitation of a previously patched vulnerability in Microsoft Internet Explorer 7. This vulnerability was addressed in Microsoft Security Advisory MS09-002. Additional information is available in US-CERT Technical Cyber Security Alert TA09-041A.

US-CERT encourages users to apply the update or workarounds as specified in Microsoft Security Advisory MS09-002. Additional information can be found in Microsoft Knowledge Base Article 961260.

Source: US-CERT

Posted Wed, Feb 18 2009 8:32 by Don | with no comments

Issued: February 16, 2009

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS09-003 - Critical

Bulletin Information:

* MS09-003 - Critical

 - http://www.microsoft.com/technet/security/bulletin/ms09-003.mspx
 - Reason for Revision: V2.0 (February 16, 2009): Added the
    Microsoft Exchange Server MAPI Client as affected software.
    Also, added several entries to the section, Frequently Asked
    Questions (FAQ) Related to This Security Update, relating to
    updating the MAPI Client and the Exchange System Management
    tools. No other update packages are affected by this
    re-release. Customers running all other supported and
    affected versions of Microsoft Exchange Server who have
    already successfully applied the original security update
    packages do not need to take any further action. 
 - Originally posted: February 10, 2009
 - Updated: February 16, 2009
 - Bulletin Severity Rating: Critical
 - Version: 2.0

Issued: February 16, 2009

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS09-002 - Critical

Bulletin Information:

* MS09-002 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms09-002.mspx
  - Reason for Revision: V1.1 (February 16, 2009): Added a link to
    Microsoft Knowledge Base Article 961260 under Known Issues in
    the Executive Summary. 
  - Originally posted: February 10, 2009
  - Updated: February 16, 2009
  - Bulletin Severity Rating: Critical
  - Version: 1.1

Apple has released the following security updates:

  • Security Update 2009-001
  • Java for Mac OS X 10.5 Update 3
  • Java for Mac OS X 10.4 Release 8
  • Safari 3.2.2 for Windows   

These security updates address vulnerabilities in multiple Apple products. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, access the system with escalated privileges, or obtain sensitive information.

US-CERT encourages users and administrators to review the following Apple Security Articles and apply any necessary updates:

http://www.us-cert.gov/current/index.html#apple_releases_security_updates2

Research In Motion has released a Security Advisory to address a vulnerability in the BlackBerry Application Web Loader ActiveX control. By convincing a user to view a specially crafted HTML document, an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer to crash.

US-CERT encourages users to review BlackBerry Security Advisory KB16248 and apply the resolution or implement the workaround listed in the document to help mitigate the risk.

http://www.us-cert.gov/current/index.html#blackberry_security_advisory1

Microsoft this morning announced a $250,000 reward and an industry alliance in an effort to stop the spread of the Conficker worm, which targets a Windows Server service vulnerability that the company patched last October. The worm, also known as Downadup, has continued to spread by infecting unpatched systems.

The reward is being offered for information leading to the people who released the worm. The vulnerability targeted by the worm lets an attacker take full control of an unpatched system over a network. The Redmond company has used reward money in the past to track down people who release high-profile worms, with some success.

Full Story

Posted Fri, Feb 13 2009 4:39 by Don | with no comments

Issued: February 11, 2009

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS08-070 - Critical
  * MS08-040 - Important

Bulletin Information:

* MS08-070 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-070.mspx
  - Reason for Revision: V1.2 (February 11, 2009): Clarified the
    class IDs for two ActiveX controls. First, listed a second
    class ID in the workaround, "Prevent Windows Common AVI
    ActiveX Control from running in Internet Explorer," for
    CVE-2008-4255. Second, listed in the section, Frequently
    asked questions (FAQ) related to this security update, the
    class ID for the Winsock Control for which the kill bit is
    being set as a security-related change to functionality in
    this update. This is an informational change only. There were
    no changes to the security update files in this bulletin. 
  - Originally posted: December 9, 2008
  - Updated: February 11, 2009
  - Bulletin Severity Rating: Critical
  - Version: 1.2
   
* MS08-040 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms08-040.mspx
  - Reason for Revision: V1.8 (February 11, 2009): Removed erroneous
    reference to Microsoft SQL Server 2000 Desktop Engine (WMSDE)
    on Microsoft Windows 2000 Service Pack 4 from the Affected
    Software table for Windows Components. Also changed the log
    file entry in the Reference table for Windows Internal
    Database (WYukon) in the Security Update Deployment section. 
  - Originally posted: July 8, 2008
  - Updated: February 11, 2009
  - Bulletin Severity Rating: Important
  - Version: 1.8

Issued: February 10, 2009

Security Advisories Updated or Released Today

 * Microsoft Security Advisory (961040)
  - Title: Vulnerability in SQL Server Could Allow
    Remote Code Execution
  - http://www.microsoft.com/technet/security/advisory/961040.mspx
  - Revision Note: V2.0 (February 10, 2009): Advisory updated
    to reflect publication of security bulletin.

 * Microsoft Security Advisory (960715)
  - Title: Update Rollup for ActiveX Kill Bits
  - http://www.microsoft.com/technet/security/advisory/960715.mspx
  - Revision Note: Advisory published.  
