DP's Security Bits

Issued: February 9, 2010

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS10-002 - Critical
* MS09-060 - Critical

Bulletin Information:

* MS10-002 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx
- Reason for Revision: V1.2 (February 9, 2010): Added entry to the
Update FAQ to clarify how the URL Validation Vulnerability
(CVE-2010-0027) is addressed by both this update (MS10-002)
and the MS10-007 update. Also, corrected the severity rating
for Internet Explorer 6 Service Pack 1 when installed on
Microsoft Windows 2000 Service Pack 4 for CVE-2010-0027.
- Originally posted: January 21, 2010
- Updated: February 9, 2010
- Bulletin Severity Rating: Critical
- Version: 1.2

* MS09-060 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-060.mspx
- Reason for Revision: V1.4 (February 9, 2010): Revised this
bulletin to announce a detection logic change to fix the
issue where the July 8, 2008 update for Outlook 2003
(KB953432) was incorrectly being offered in addition to the
update package for Microsoft Office Outlook 2003 (KB973705).
This is a deployment change only that does not affect the
files contained in the initial update. Customers who have
successfully updated their systems do not need to reinstall
this update.
- Originally posted: October 13, 2009
- Updated: February 9, 2010
- Bulletin Severity Rating: Critical
- Version: 1.4

Issued: February 9, 2010

Security Advisories Updated or Released Today

* Microsoft Security Advisory (979682)
- Title: Vulnerability in Windows Kernel Could Allow
Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/979682.mspx
- Revision Note: V2.0 (February 9, 2010): Advisory updated to
reflect publication of security bulletin.
* Microsoft Security Advisory (977377)
- Title: Vulnerability in TLS/SSL Could Allow Spoofing
- http://www.microsoft.com/technet/security/advisory/977377.mspx
- Revision Note: V1.0 (February 9, 2010): Advisory published.

Note: There may be latency issues due to replication, if the page does not display keep refreshing

Today Microsoft released the following Security Bulletin(s).

Note: »www.microsoft.com/technet/security and »www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

Bulletin Summary:

»www.microsoft.com/technet/securi···feb.mspx

Critical (5)

Microsoft Security Bulletin MS10-006
Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251)
»www.microsoft.com/technet/securi···006.mspx

Microsoft Security Bulletin MS10-007
Vulnerability in Windows Shell Handler Could Allow Remote Code Execution (975713)
»www.microsoft.com/technet/securi···007.mspx

Microsoft Security Bulletin MS10-008
Cumulative Security Update of ActiveX Kill Bits (978262)
»www.microsoft.com/technet/securi···008.mspx

Microsoft Security Bulletin MS10-009
Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145)
»www.microsoft.com/technet/securi···009.mspx

Microsoft Security Bulletin MS10-013
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (977935)
»www.microsoft.com/technet/securi···013.mspx

Important (7)

Microsoft Security Bulletin MS10-003
Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution
»www.microsoft.com/technet/securi···003.mspx

Microsoft Security Bulletin MS10-004
Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (975416)
»www.microsoft.com/technet/securi···004.mspx

Microsoft Security Bulletin MS10-010
Vulnerability in Windows Server 2008 Hyper-V Could Allow Denial of Service (977894)
»www.microsoft.com/technet/securi···010.mspx

Microsoft Security Bulletin MS10-011
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (978037)
»www.microsoft.com/technet/securi···011.mspx

Microsoft Security Bulletin MS10-012
Vulnerabilities in SMB Server Could Allow Remote Code Execution (971468)
»www.microsoft.com/technet/securi···012.mspx

Microsoft Security Bulletin MS10-014
Vulnerability in Kerberos Could Allow Denial of Service (977290)
»www.microsoft.com/technet/securi···014.mspx

Microsoft Security Bulletin MS10-015
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)
»www.microsoft.com/technet/securi···015.mspx

Moderate (1)

Microsoft Security Bulletin MS10-005
Vulnerability in Microsoft Paint Could Allow Remote Code Execution (978706)
»www.microsoft.com/technet/securi···005.mspx

Please note that Microsoft may release bulletins out side of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety 1-866-727-2338. International customers should contact their local subsidiary.

As always, download the updates only from the vendors website - visit Windows Update and Office Update or Microsoft Update websites. You may also get the updates thru Automatic Updates functionality in Windows system.

Security Tool
Find out if you are missing important Microsoft product updates by using MBSA

Microsoft Security Bulletin Advance Notification issued: February 4, 2010
Microsoft Security Bulletins to be issued: February 9, 2010

This is an advance notification of security bulletins that Microsoft is intending to release on February 9, 2010.

5 rated Critical
7 rated Important
1 rated Moderate

http://www.microsoft.com/technet/security/bulletin/ms10-feb.mspx

Issued: February 3, 2010

Security Advisory Released Today

* Microsoft Security Advisory (980088)
- Title: Vulnerability in Internet Explorer Could
Allow Information Disclosure
- http://www.microsoft.com/technet/security/advisory/980088.mspx
- Revision Note: V1.0 (February 3, 2010): Advisory published.

Websense Security Labs™ ThreatSeeker™ Network has discovered a new malicious spam campaign that spoofs Google job application responses. The messages look very well written and are so believable that they are probably scrapes from actual Google job application responses. Typically, spam has grammatical errors or spelling mistakes that make the messages obviously unofficial and act as red flags. The text of these messages, however, has no such mistakes, making them much more believable--especially if the target really has applied for a job with Google.

Alert Details

Issued: January 27, 2010

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS10-002 - Critical
* MS09-073 - Important


Bulletin Information:

* MS10-002 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx
- Reason for Revision: V1.1 (January 27, 2010): Corrected a log
file entry in the Reference table for Internet Explorer 5.01
Service Pack 4 on all supported editions of Windows 2000.
- Originally posted: January 21, 2010
- Updated: January 27, 2010
- Bulletin Severity Rating: Critical
- Version: 1.1

* MS09-073 - Important

- http://www.microsoft.com/technet/security/bulletin/ms09-073.mspx
- Reason for Revision: V2.1 (January 27, 2010): Corrected erroneous
entries in the Executive Summary, Update FAQ, and
Vulnerability FAQ to clarify that the Microsoft Office XP
Service Pack 3 (KB975008) and Microsoft Office 2003 Service
Pack 3 (KB975051) update packages do not apply to Microsoft
Office Word but only to text converters used by other
Microsoft Office applications in order to read Word files.
This is an informational change only.
- Originally posted: December 8, 2009
- Updated: January 27, 2010
- Bulletin Severity Rating: Important
- Version: 2.1

Google has released Chrome 4.0.249.78 for Windows to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, bypass security restrictions, or cause a denial-of-service condition.

See Google Chrome Release for additional information

Issued: January 22, 2010

Security Advisories Updated or Released Today

* Microsoft Security Advisory (979682)
- Title: Vulnerability in Windows Kernel Could Allow
Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/979682.mspx
- Revision Note: V1.1 (January 22, 2010): Added links to
Microsoft Knowledge Base Article 979682 in the Issue
References table and Additional Suggestion Actions section.
Added a link to Microsoft Knowledge Base Article 979682 to
provide an automated Microsoft Fix it solution for the
workaround, Disable the NTVDM subsystem.

Register Online

Published: January 12, 2010 | Updated: January 21, 2010

Note: There may be latency issues due to replication, if the page does not display keep refreshing

Today Microsoft released the following Security Bulletin(s).

Note: »www.microsoft.com/technet/security and »www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

Bulletin Summary:

»www.microsoft.com/technet/securi···jan.mspx

Critical (2)

Microsoft Security Bulletin MS10-001
Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (972270)
»www.microsoft.com/technet/securi···001.mspx

Microsoft Security Bulletin MS10-002
Cumulative Security Update for Internet Explorer (978207)
»www.microsoft.com/technet/securi···002.mspx

Please note that Microsoft may release bulletins out side of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety 1-866-727-2338. International customers should contact their local subsidiary.

As always, download the updates only from the vendors website - visit Windows Update and Office Update or Microsoft Update websites. You may also get the updates thru Automatic Updates functionality in Windows system.

Security Tool
Find out if you are missing important Microsoft product updates by using MBSA

.

Issued: January 20, 2010

Security Advisories Updated or Released Today

* Microsoft Security Advisory (979682)
- Title: Vulnerability in Windows Kernel Could Allow
Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/979682.mspx
- Revision Note: V1.0 (January 20, 2010): Advisory published.

* Microsoft Security Advisory (979352)
- Title: Vulnerability in Internet Explorer Could
Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/979352.mspx
- Revision Note: V1.2 (January 20, 2010): Revised Executive
Summary to reflect the changing nature of attacks attempting
to exploit the vulnerability. Clarified information in the
Mitigating Factors section for Data Execution Prevention
(DEP) and Microsoft Outlook, Outlook Express, and Windows
Mail. Clarified several Frequently Asked Questions to provide
further details about the vulnerability and ways to limit the
possibility of exploitation. Added "Enable or disable
ActiveX controls in Office 2007" and "Do not open unexpected
files" to the Workarounds section.

Today we issued our Advanced Notification Service (ANS) to advise customers that we will be releasing MS10-002 tomorrow, January 21^st, 2010. We are planning to release the update as close to 10:00 a.m. PST (UTC -8) as possible.  This is a standard cumulative update, accelerated from our regularly scheduled February release, for Internet Explorer with an aggregate severity rating of Critical. It addresses the vulnerability related to recent attacks against Google and small subset of corporations, as well as several other vulnerabilities. Once applied, customers are protected against the known attacks that have been widely publicized. We recommend that customers install the update as soon as it is available.  For customers using automatic updates, this update will automatically be applied once it is released.

Today we also updated Security Advisory 979352 to include technical details addressing additional customer questions.

The updated Security Advisory includes guidance in relation to reports of proof of concept (POC) code that bypasses Data Encryption Prevention (DEP) and additional information on the exploitability of, and mitigations and workarounds for, Microsoft products that use mshtml.dll.

Based on our comprehensive monitoring of the threat landscape, we continue to see only limited attacks. To date, the only successful attacks that we are aware of have been against Internet Explorer 6.

We continue to recommend that customers update to Internet Explorer 8 to benefit from the improved security protection it offers.

Full Advance Notification

We wanted to provide a quick update on the threat landscape and announce that we will release a security update out-of-band to help protect customers from this vulnerability.

Based on our comprehensive monitoring of the threat landscape we continue to see very limited, and in some cases, targeted attacks.  To date, the only successful attacks that we are aware of have been against Internet Explorer 6.  We continue to recommend customers upgrade to Internet Explorer 8 to benefit from the improved security protection it offers.  We also recommend customers consider deploying the workarounds and mitigations provided in  Security Advisory 979352.

Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment Microsoft will release a security update out-of-band for this vulnerability.

We take the decision to go out-of-band very seriously given the impact to customers, but we believe releasing an update out-of-band update is the right decision at this time.  We will provide the specific timing of the release tomorrow.

As always, we’re continuing to investigate this situation, so customers should look for the latest updates here on the Microsoft Security Response Center blog.

Thank you,

George Stathakopoulos
General Manager
Trustworthy Computing Security

*This posting is provided "AS IS" with no warranties, and confers no rights*

http://blogs.technet.com/msrc/archive/2010/01/19/security-advisory-979352-going-out-of-band.aspx

Issued: January 13, 2010

Summary

The following bulletin has undergone a major revision increment.

* MS09-073 - Important

Bulletin Information:

* MS09-073 - Important

- http://www.microsoft.com/technet/security/bulletin/ms09-073.mspx
- Reason for Revision: V2.0 (January 13, 2010): Renamed the update
packages formerly listed as Microsoft Office Word 2002
Service Pack 3 (KB975008) and Microsoft Office Word 2003
Service Pack 3 (KB975051) to Microsoft Office XP Service Pack
3 (KB975008) and Microsoft Office 2003 Service Pack 3
(KB975051), respectively. Added an Update FAQ to explain this
bulletin-only change. There were no changes to the detection
logic or the update files. Customers who have already
successfully updated their systems do not need to take any action.
- Originally posted: December 8, 2009
- Updated: January 13, 2010
- Bulletin Severity Rating: Important
- Version: 2.0

Oracle has released its Critical Patch Update for January 2010 to address 24 vulnerabilities across several products. This update contains the following security fixes:

• 10 for Oracle Database
• 3 for Oracle Application Server
• 3 for the Oracle Applications Suite
• 1 for PeopleSoft and JD Edwards Suite
• 5 for the BEA Products Suite
• 2 for the Oracle Primavera Products Suite

US-CERT encourages users and administrators to review the January 2010 Critical Patch Update and apply any necessary updates to help mitigate the risks. Additional information can be found in US-CERT Technical Cyber Security Alert TA10-012A

Microsoft is aware of reports of vulnerabilities in Adobe Flash Player 6 provided in Windows XP. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time but recommend that users install the latest version of Flash Player provided by Adobe.

The Adobe Flash Player 6 was provided with Windows XP and contains multiple vulnerabilities that could allow remote code execution if a user views a specially crafted Web page. Adobe has addressed these vulnerabilities in newer versions of Adobe Flash Player. Microsoft recommends that users of Windows XP with Adobe Flash Player 6 installed update to the most current version of Flash Player available from Adobe.

Microsoft Security Advisory (979267)

Issued: January 12, 2010

Summary

The following bulletin has undergone a major revision increment.

* MS09-035 - Moderate

Bulletin Information:

* MS09-035 - Moderate

- http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx
- Reason for Revision: V3.0 (January 12, 2010): Rereleased this
bulletin to add Windows Embedded CE 6.0 to affected software.
The new update for Windows Embedded CE 6.0 (KB974616) is
available from the Microsoft Download Center only. Customers
using the Windows Embedded CE 6.0 platform should consider
applying the update. No other update packages are affected by
this rerelease.
- Originally posted: July 28, 2009
- Updated: January 12, 2010
- Bulletin Severity Rating: Moderate
- Version: 3.0

Register Online