March 2010 - Posts

Note: There may be latency issues due to replication; if the page does not display, keep refreshing.

Today Microsoft released the following Out-of-Band Security Bulletin(s).

Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

Full Bulletin Summary:

www.microsoft.com/technet/securi···mar.mspx

Critical (1)

Microsoft Security Bulletin MS10-018
Cumulative Security Update for Internet Explorer (980182)
www.microsoft.com/technet/securi···018.mspx

Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above-listed bulletin, you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.

As always, download the updates only from the vendor's website - visit the Windows Update, Office Update or Microsoft Update websites. You may also get the updates through the Automatic Updates functionality in Windows.

Security Tool
Find out if you are missing important Microsoft product updates by using MBSA

Published: March 29, 2010

Microsoft Security Bulletin Advance Notification issued: March 29, 2010
Microsoft Security Bulletins to be issued: March 30, 2010

This is an advance notification of an out-of-band security bulletin that Microsoft is intending to release on March 30, 2010. The bulletin is being released to address attacks against customers of Internet Explorer 6 and Internet Explorer 7. Users of Internet Explorer 8 and Windows 7 are not vulnerable to these attacks. The vulnerability used in these attacks, along with workarounds, is described in Microsoft Security Advisory 981374. The out-of-band security bulletin is a cumulative security update for Internet Explorer and will also contain fixes for privately reported vulnerabilities rated Critical on all versions of Internet Explorer that are not related to this attack.

http://www.microsoft.com/technet/security/bulletin/ms10-mar.mspx

Firefox 3.6.2 available for download.

What's new in Firefox 3.6.2

Firefox 3.6.2 fixes the following issues found in previous versions of Firefox 3.6:

• Fixed a critical security issue that could potentially allow remote code execution (see bug 552216).
• Fixed several additional security issues.
• Fixed several stability issues.

Please see the complete list of changes in this version. You may also be interested in the Firefox 3.6 release notes for a list of changes in the previous version.

Posted Tue, Mar 23 2010 8:31 by Don

US-CERT is aware of public reports of malicious code circulating via spam email messages impersonating the Department of Homeland Security (DHS). The attacks arrive via unsolicited email messages that may contain subject lines related to DHS or other government activity. These messages may contain a link or attachment. If users click on this link or open the attachment, they may be infected with malicious code, including the Zeus Trojan.

US-CERT encourages users and administrators to take the following measures to protect themselves:

  • Do not follow unsolicited web links or attachments in email messages.
  • Maintain up-to-date antivirus software.
  • Refer to Cyber Security Tip ST04-014 - Avoiding Social Engineering and Phishing Attacks
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.

http://www.us-cert.gov/current/index.html#us_cert_warns_against_zeus

Posted Thu, Mar 18 2010 16:09 by Don

Issued: March 17, 2010

Summary


The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS10-016 - Important
* MS10-015 - Important

Bulletin Information:

* MS10-016 - Important

- http://www.microsoft.com/technet/security/bulletin/ms10-016.mspx
- Reason for Revision: V1.1 (March 17, 2010): Corrected the
registry keys in the workaround, Remove the Microsoft
Producer 2003 .MSProducer, .MSProducerZ, and .MSProducerBF
file associations.
- Originally posted: March 9, 2010
- Updated: March 17, 2010
- Bulletin Severity Rating: Important
- Version: 1.1

* MS10-015 - Important

- http://www.microsoft.com/technet/security/bulletin/ms10-015.mspx
- Reason for Revision: V1.3 (March 17, 2010): Added verification
registry keys for the revised packages released March 2, 2010
for Microsoft Windows 2000, Windows XP, and Windows Server
2003. This is an informational change only.
- Originally posted: February 9, 2010
- Updated: March 17, 2010
- Bulletin Severity Rating: Important
- Version: 1.2

Apple has released Safari 4.0.5 to address multiple vulnerabilities in ColorSync, ImageIO, PubSub, Safari, and WebKit. These vulnerabilities may allow a remote attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or bypass security restrictions.

US-CERT encourages users and administrators to review Apple article HT4070 and upgrade to Safari 4.0.5 to help mitigate the risks.

http://www.us-cert.gov/current/index.html#apple_releases_safari_4_04

Posted Fri, Mar 12 2010 13:27 by Don

Issued: March 9, 2010

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-033 - Important

Bulletin Information:

* MS09-033 - Important

- http://www.microsoft.com/technet/security/bulletin/ms09-033.mspx
- Reason for Revision: V2.0 (March 9, 2010): Rereleased this
bulletin to add Microsoft Virtual Server 2005 to affected
software. No other update packages are affected by this rerelease.
- Originally posted: July 14, 2009
- Updated: March 9, 2010
- Bulletin Severity Rating: Important
- Version: 2.0

Issued: March 9, 2010

Security Advisories Updated or Released Today

* Microsoft Security Advisory (981374)
- Title: Vulnerability in Internet Explorer Could
Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/981374.mspx
- Revision Note: V1.0 (March 9, 2010): Advisory published.

* Microsoft Security Advisory (973811)
- Title: Extended Protection for Authentication
- http://www.microsoft.com/technet/security/advisory/973811.mspx
- Revision Note: V1.3 (March 9, 2010): Updated the FAQ to
announce the rerelease of the update that enables Internet
Information Services to opt in to Extended Protection for
Authentication. For more information, see Known issues in
Microsoft Knowledge Base Article 973917.

Language(s): English.
Product(s): Security.
Audience(s): IT Generalist.
Duration: 90 Minutes
Start Date:
Wednesday, March 10, 2010 11:00 AM Pacific Time (US & Canada)
 

Event Overview

Join us for a brief overview of the technical details of the March security bulletins. We intend to address your concerns in this webcast; therefore, most of the webcast is devoted to attendees asking questions about the bulletins and getting answers from Microsoft security experts.

Presenters: Jerry Bryant, Senior Security Program Manager Lead, Microsoft Corporation and Adrian Stone, Senior Security Program Manager Lead, Microsoft Corporation

Posted Tue, Mar 9 2010 13:06 by Don
Today Microsoft released the following Security Bulletin(s).

Bulletin Summary:

www.microsoft.com/technet/securi···mar.mspx

Important (2)

Microsoft Security Bulletin MS10-016
Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (975561)
www.microsoft.com/technet/securi···016.mspx

Microsoft Security Bulletin MS10-017
Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (980150)
www.microsoft.com/technet/securi···017.mspx

Microsoft Security Bulletin Advance Notification issued: March 4, 2010

Microsoft Security Bulletins to be issued: March 9, 2010

This is an advance notification of security bulletins that Microsoft is intending to release on March 9, 2010.

2 rated Important

http://www.microsoft.com/technet/security/bulletin/ms10-mar.mspx

Microsoft Security Advisory (981169)
Vulnerability in VBScript Could Allow Remote Code Execution
Published: March 01, 2010


Microsoft is investigating new public reports of a vulnerability in VBScript that is exposed on supported versions of Microsoft Windows 2000, Windows XP, and Windows Server 2003 through the use of Internet Explorer. Our investigation has shown that the vulnerability cannot be exploited on Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008. The main impact of the vulnerability is remote code execution. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.

http://www.microsoft.com/technet/security/advisory/981169.mspx