DP's Security Bits

Microsoft Security Bulletin Advance Notification for May 2008
Issued: May 8, 2008

This is an advance notification of security bulletins that
Microsoft is intending to release on May 13, 2008.

The full version of the Microsoft Security Bulletin Advance
Notification for May 2008 can be found at
http://www.microsoft.com/technet/security/bulletin/ms08-may.mspx.

This bulletin advance notification will be replaced with the
May bulletin summary on May 13, 2008. For more information
about the bulletin advance notification service, see
http://www.microsoft.com/technet/security/Bulletin/advance.mspx.

To receive automatic notifications whenever
Microsoft Security Bulletins are issued, subscribe to Microsoft
Technical Security Notifications on
http://www.microsoft.com/technet/security/bulletin/notify.mspx.

Microsoft will host a webcast to address customer questions on
these bulletins on Wednesday, May 14, 2008,
at 11:00 AM Pacific Time (US & Canada). Register for the May
Security Bulletin Webcast at
http://www.microsoft.com/technet/security/bulletin/summary.mspx.

Microsoft also provides information to help customers prioritize
monthly security updates with any non-security, high-priority
updates that are being released on the same day as the monthly
security updates. Please see the section, Other Information.

This advance notification provides the software subject as the
bulletin identifier, because the official Microsoft Security
Bulletin numbers are not issued until release. The bulletin summary
that replaces this advance notification will have the proper
Microsoft Security Bulletin numbers (in the MSyy-xxx format) as the
bulletin identifier. The security bulletins for this month are as
follows, in order of severity:

Critical Security Bulletins

Word Bulletin

  - Affected Software:
    - Microsoft Word 2000 Service Pack 3
    - Microsoft Word 2002 Service Pack 3
    - Microsoft Word 2003 Service Pack 2
    - Microsoft Word 2003 Service Pack 3
    - Microsoft Word 2007
    - Microsoft Outlook 2007
    - Microsoft Word 2007 Service Pack 1
    - Microsoft Outlook 2007 Service Pack 1
    - Microsoft Office 2004 for Mac
    - Microsoft Office 2008 for Mac
    - Microsoft Word Viewer 2003
    - Microsoft Word Viewer 2003 Service Pack 3
    - Microsoft Office Compatibility Pack for Word, Excel, and
      PowerPoint 2007 File Formats
    - Microsoft Office Compatibility Pack for Word, Excel, and
      PowerPoint 2007 File Formats Service Pack 1

    - Impact: Remote Code Execution
    - Version Number: 1.0

Publisher Bulletin

  - Affected Software:
    - Microsoft Publisher 2000 Service Pack 3
    - Microsoft Publisher 2002 Service Pack 3
    - Microsoft Publisher 2003 Service Pack 2
    - Microsoft Publisher 2003 Service Pack 3
    - Microsoft Publisher 2007
    - Microsoft Publisher 2007 Service Pack 1

    - Impact: Remote Code Execution
    - Version Number: 1.0

Jet Bulletin

  - Affected Software:
    - Microsoft Windows 2000 Service Pack 4
    - Microsoft Windows XP Service Pack 2
    - Windows XP Professional x64 Edition
    - Windows Server 2003 Service Pack 1
    - Windows Server 2003 x64 Edition
    - Windows Server 2003 with SP1 for Itanium-based Systems

    - Impact: Remote Code Execution
    - Version Number: 1.0


Moderate Security Bulletins

Security Software Bulletin

  - Affected Software:
    - Windows Live OneCare
    - Microsoft Antigen for Exchange
    - Microsoft Antigen for SMTP Gateway
    - Microsoft Windows Defender
    - Microsoft Forefront Client Security
    - Microsoft Forefront Security for Exchange Server
    - Microsoft Forefront Security for SharePoint
    - Standalone System Sweeper located in Diagnostics and Recovery
      Toolset 6.0

    - Impact: Denial of Service
    - Version Number: 1.0


Other Information

Microsoft Windows Malicious Software Removal Tool:

Microsoft will release an updated version of the Microsoft Windows
Malicious Software Removal Tool on Windows Update, Microsoft Update,
Windows Server Update Services, and the Download Center.

Non-Security, High-Priority Updates on MU, WU, and WSUS:

Please see:
* http://support.microsoft.com/kb/894199: Microsoft Knowledge Base
  Article 894199, Description of Software Update Services and
  Windows Server Update Services changes in content for 2008.
  Includes all Windows content.
* http://technet.microsoft.com/en-us/wsus/bb466214.aspx: New,
  Revised, and Released Updates for Microsoft Products Other Than
  Microsoft Windows

Microsoft Security Bulletin Minor Revisions
Issued: May 7, 2008

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-040 - Critical

Bulletin Information:

* MS07-040 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-040.mspx
  - Reason for Revision: V3.2 (May 7, 2008): Bulletin updated:
    Removed erroneous references to .NET Framework 1.0 as a
    component of Windows Server 2008 x64 Edition and Windows
    Server 2008 for Itanium-based Systems. 
  - Originally posted: July 10, 2007
  - Updated: May 7, 2008
  - Bulletin Severity Rating: Critical
  - Version: 3.2
 

Q&A Natalya Kaspersky set up antivirus company Kaspersky Lab with then-husband Eugene Kaspersky in 1997.

She graduated from the Moscow Institute of Electronic Engineering in 1989 with a degree in applied mathematics and then worked as a research assistant at the Russian Central Scientific Design Office.

In 1994, she commenced employment at the KAMI Information Technologies Center, where she managed the antivirus software development group set up by Eugene. When the two established Kaspersky Lab three years later, Eugene provided the technical expertise, while Natalya, as chief executive, supplied the business acumen.

Continues at news.com 

In a continuation of its series of posts on Internet security, Google on Tuesday warned its users about phishing attacks.

Google engineer Ian Fette in a blog post explains that phishing is pretty simple: "Someone masquerades as someone else in an effort to fool you into sharing personal or other sensitive information with them," he says. "Phishers can masquerade as just about anyone, including banks, e-mail and application providers, online merchants, online payment services, and even governments."

Fette acknowledges that while some phishing attacks are obvious, many are not. "That fake e-mail from 'your bank' can look very real; the bogus 'login page' you're redirected to can seem completely legitimate," he cautions.

Story continues at informationweek.com 

Microsoft Security Bulletin Minor Revisions
Issued: April 30, 2008

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS08-016 - Critical
  * MS07-025

Bulletin Information:

* MS08-016 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-016.mspx
  - Reason for Revision: V2.1 (April 30, 2008): Bulletin updated.
    Added a new entry to the Update FAQ describing additional
    security features included in the update for Microsoft Office
    2003 Service Pack 2. 
  - Originally posted: March 11, 2008
  - Updated: April 30, 2008
  - Bulletin Severity Rating: Critical
  - Version: 2.1
   
* MS07-025

  - http://www.microsoft.com/technet/security/bulletin/ms07-025.mspx
  - Reason for Revision: V2.1 (April 30, 2008): This Bulletin has
    been revised to move Microsoft Office Compatibility Pack for
    Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
    from the Affected Software list to the Non-Affected Software
list. 
  - Originally posted: May 8, 2007
  - Updated: April 30, 2008
  - Bulletin Severity Rating: Critical
  - Version: 2.1
 

Attackers are increasingly exploiting common database vulnerabilities to leave behind code on thousands of sites, redirecting visitors to servers that host malicious downloads, security experts warned last week.

The attacks, which apparently started at the beginning of April, attempt to use any field on a Web site that accepts user input to execute commands on the database that stores the site's information. Since most databases use some variant of the structured query language (SQL), the attack is known as SQL injection.

http://www.securityfocus.com/brief/729 

US-CERT is aware of a public report indicating that a phishing scam is circulating. This scam is related to the U.S. Internal Revenue Service economic stimulus rebate and arrives via email messages that appear to be from the IRS. The messages include text that attempts to convince users to follow a link to a website before a deadline to expedite the rebate process. This website requests that the user provide bank account information.

US-CERT encourages users to do the following to help mitigate the risks:

• Do not follow unsolicited web links received in email messages.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks (pdf) document for more information on social engineering attacks.
• Refer to the Internal Revenue Service Service Suspicious e-Mails and Identity Theft website for more information on current scams.

http://www.us-cert.gov/current/index.html#irs_rebate_phishing_scam

Microsoft Security Bulletin Minor Revisions
Issued: April 23, 2008

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS08-024 - Critical
  * MS08-023 - Critical
  * MS08-019 - Important
  * MS07-040 - Critical
  * MS07-015

Bulletin Information:

* MS08-024 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-024.mspx
  - Reason for Revision: V2.1 (April 23, 2008): Bulletin updated:
    Removed erroneous references to Windows XP Professional x64
    Edition Service Pack 3. 
  - Originally posted: April 8, 2008
  - Updated: April 23, 2008
  - Bulletin Severity Rating: Critical
  - Version: 2.1
   
* MS08-023 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-023.mspx
  - Reason for Revision: Corrected the Registry Key Verification for
    all supported x64-based editions of Windows Server 2003 
  - Originally posted: April 8, 2008
  - Updated: April 23, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.2
   
* MS08-019 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms08-019.mspx
  - Reason for Revision: V1.5 (April 23, 2008): Clarified the Update
    FAQ entry about the last revision, dated April 18. That
    change was a detection change only that does not affect the
    files contained in the initial update. 
  - Originally posted: April 8, 2008
  - Updated: April 23, 2008
  - Bulletin Severity Rating: Important
  - Version: 1.5
   
* MS07-040 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-040.mspx
  - Reason for Revision: V3.1 (April 23, 2008): Bulletin updated:
    Removed erroneous references to Windows XP Professional x64
    Edition Service Pack 3. 
  - Originally posted: July 10, 2007
  - Updated: April 23, 2008
  - Bulletin Severity Rating: Critical
  - Version: 3.1
   
* MS07-015

  - http://www.microsoft.com/technet/security/bulletin/ms07-015.mspx
  - Reason for Revision: V1.2 (April 23, 2008) Bulletin updated:
    Microsoft Visio 2002 removed from Microsoft Office XP Service
    Pack 3 section of Affected Software table. Microsoft Visio
    2002 Service Pack 2 is listed separately in the Affected
    Software table. 
  - Originally posted: February 13, 2007
  - Updated: April 23, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.2

Microsoft Security Advisory Notification
Issued: April 23, 2008

Security Advisories Updated or Released Today

 * Microsoft Security Advisory (951306)
  - Title: Vulnerability in Windows Could Allow
    Elevation of Privilege
  - http://www.microsoft.com/technet/security/advisory/951306.mspx
  - Revision Note: April 23, 2008: Added clarification to
    impact of workaround for IIS 6.0

* Microsoft Security Advisory (932596)
  - Title: Update to Improve Kernel Patch Protection
  - http://www.microsoft.com/technet/security/advisory/932596.mspx
  - Revision Note: April 23, 2008: Added an FAQ entry about
    known issues in installing the kernel update   

US-CERT is aware of public reports of a vulnerability in Apple QuickTime. By convincing a user to open a specially crafted QuickTime file, an attacker may be able to execute arbitrary code. This vulnerability may have several attack vectors, such as visiting a malicious or compromised website.

US-CERT encourages users to use caution when opening QuickTime files, and apply the best security practices described in the Securing Your Web Browser document, to help mitigate the risks.

US-CERT will provide additional information as it becomes available.

http://www.us-cert.gov/current/index.html#apple_quicktime_vulnerability 

IT security and control firm Sophos has published its latest Security Threat Report, which looks at worldwide cybercrime during the first quarter of 2008. The findings show a dramatic increase in web-based threats compared to 2007 – the first three months of 2008 showed Sophos finding and blocking a new infected webpage every five seconds, compared with one every 14 seconds last year.

http://www.sophos.com/pressoffice/news/articles/2008/04/secrep08q1.html 

AVG Technologies, a leading provider of Internet security software, will tomorrow release AVG Anti-Virus Free 8.0, the latest version of the company’s popular and widely-used free security software, which now incorporates protection against spyware through a new combined anti-virus and anti-spyware engine.

AVG Free provides basic protection against viruses and spyware, together with the safe-searching component of the company’s patent-pending LinkScanner® technology, incorporated into the new AVG Security Toolbar. The Free product does not include the proactive safe-surfing (“drive-by download” protection) of the full LinkScanner module that is included in the commercial AVG products, nor the protection against hackers, keyloggers, spam, phishing attacks, and malicious file downloads that can come through instant messaging and attachments from seemingly friendly sources. The free product also does not include the round-the-clock email support provided with the commercial products.

Press Release