MVP Jubo Security Blog

April 2007 - Posts

Microsoft Malware Protection Portal

Just released: Microsoft Malware Protection Center portal. Will officially launch in July with additional features such as malware sample submission. If you think additional features would be useful then your feedback is welcome!

Source: Roger's Security Blog.

 

Webcast: How Microsoft IT Does Information Security

When checking Donna's blog, I noticed that she refers to a podcast at the Microsoft Download site called: Information Security at Microsoft. But while listening to it I realized that it had to be a webcast with slides, audio etc. Did some searching at Microsoft Events and yes, here it is: How Microsoft IT Does Information Security. It was on TechNet in February.

If you're curious about how Microsoft handles IT security then you should watch this webcast. They give you an overview of the Microsoft IT environment by examining the lessons learned and the challenges Microsoft IT faced in managing and securing that environment.

Register for the webcast at: Microsoft Events or download just the audio file at the Download Center.

Presenter is Mark Estberg, Director of Information Security, Microsoft Corporation.

 

Posted: Apr 14 2007, 04:17 PM by jubo | with no comments
Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

Microsoft Security Advisory (935964)

Microsoft is investigating new public reports of a limited attack exploiting a vulnerability in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Microsoft Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected as these versions do not contain the vulnerable code.

Microsoft’s initial investigation reveals that the attempts to exploit this vulnerability could allow an attacker to run code in the security context of the Domain Name System Server Service, which by default runs as Local SYSTEM.

Related Software:

  • Microsoft Windows 2000 Server Service Pack 4
  • Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 Service Pack 2

CVE Reference: CVE-2007-1748.

Microsoft Knowledge Base Article: 935964.

 

 

Posted: Apr 13 2007, 01:34 PM by jubo | with no comments
Microsoft Security Bulletin Summary for April 2007

On April 10th, Microsoft released four "critical" updates and one "important" update. There's also a hotfix to help resolve the known issues related to MS07-017 with applications detailed in Microsoft Knowledge Base Article 925902.

Critical:

  • MS07-018 - Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution (925939)
  • MS07-019 - Vulnerability in Universal Plug and Play Could Allow Remote Code Execution (931261)
  • MS07-020 - Vulnerability in Microsoft Agent Could Allow Remote Code Execution (932168)
  • MS07-021 - Vulnerabilities in CSRSS Could Allow Remote Code Execution (930178)

Important:

  • MS07-022 - Vulnerability in Windows Kernel Could Allow Elevation of Privilege (931784)

A more technical version of the Security Bulletin can be found at TechNet and an end-user version is available at Microsoft's Security At Home site.

Support:

See also: MSRC April 2007 Monthly Bulletin Release.

 

You know the drill... move your mouse over to Microsoft Update.

 

Posted: Apr 10 2007, 08:34 PM by jubo | with no comments
Email with subject: "Israel Just Have Started World War III"

Late last night I found a strange email in my email Inbox, from a person I didn't know. It even had an attachment called "News.exe". I could even save it to my hard drive without any antivirus program jumping up. I decided to submit it to McAfee's Avert Labs and a few minutes later I received the following results:

[Screenshot: Avert Labs scan results]

It shows you that DAT version 5004 didn't detect this "Nuwar" virus, but they already had an "Extra.dat" available, which detects this virus. Hopefully this "Extra.dat" is included in today's DAT update.

Then I also submitted the "News.exe" file to VirusTotal to see if any of the other antivirus vendors would find the virus. See this screen shot for their results:

[Screenshot: VirusTotal scan results]

Even though many of the antivirus vendors found the virus, some of the bigger companies, like Sophos, Microsoft, McAfee and Panda, didn't find the virus.

If you get an email from an unknown person with a subject like:

  • Missle Strike: The USA kills more then 1000 Iranian citizens
  • Missle Strike: The USA kills more then 10000 Iranian citizens
  • Missle Strike: The USA kills more then 20000 Iranian citizens
  • USA Missle Strike: Iran War just have started
  • Israel Just Have Started World War III
  • USA Just Have Started World War III
  • Iran Just Have Started World War III
  • USA Declares War on Iran

and it has an attachment like:

  • More.exe
  • Read More.exe
  • Click Here.exe
  • Click Me.exe
  • Read Me.exe
  • Movie.exe
  • News.exe
  • Video.exe

then delete the email immediately and make sure you have up-to-date antivirus signature files.

And since this is "Patch Tuesday", also make sure your version of Windows is patched and has all the updates. If you don't have automatic updates enabled then check it at Microsoft Update.

For more information about this virus see McAfee's writeup: W32/Nuwar.
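The subject-and-attachment check described in this post, written as a mail triage function; this is an added example, not part of the original post. The function names, the verdict labels and the rule that any `.exe` attachment counts are assumptions, and the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the post above (spelling as it appears in the lures).
SUBJECTS = {s.lower() for s in (
    "Missle Strike: The USA kills more then 1000 Iranian citizens",
    "Missle Strike: The USA kills more then 10000 Iranian citizens",
    "Missle Strike: The USA kills more then 20000 Iranian citizens",
    "USA Missle Strike: Iran War just have started",
    "Israel Just Have Started World War III",
    "USA Just Have Started World War III",
    "Iran Just Have Started World War III",
    "USA Declares War on Iran",
)}
ATTACHMENTS = {"more.exe", "read more.exe", "click here.exe", "click me.exe",
               "read me.exe", "movie.exe", "news.exe", "video.exe"}


def norm(text):
    """Collapse whitespace and case; drop trailing dots/spaces, which Windows ignores."""
    return " ".join(str(text).split()).lower().rstrip(". ")


def triage(raw: bytes) -> dict:
    """Parse one raw message and report which of the post's indicators it matches."""
    # policy.default decodes RFC 2047 subjects and RFC 2231 filenames for us.
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = [norm(n) for n in (p.get_filename() for p in msg.walk()) if n]
    hits = {
        "subject": norm(msg["Subject"] or "") in SUBJECTS,
        "known_attachment": any(n in ATTACHMENTS for n in names),
        # Assumption beyond the post: any .exe attachment counts, whatever its name.
        "exe_attachment": any(n.endswith(".exe") for n in names),
    }
    both = hits["subject"] and hits["exe_attachment"]  # the combination the post describes
    hits["verdict"] = "quarantine" if both else "review" if any(hits.values()) else "pass"
    return hits


def build_sample(subject, filename=None):
    """Constructed message for testing; the attachment is harmless placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("see attachment")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A message matching only one indicator is returned as "review" rather than "quarantine", since the post's advice applies to the subject and the attachment appearing together.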

 

Advance Notification: More updates on Tuesday

Apart from the critical update last week, Microsoft is planning to release five more security updates on April 10th, 2007:

  • Security Updates
    • Four Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates will require a restart.
    • One Microsoft Security Bulletin affecting Microsoft Content Management Server. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.

  •  Microsoft Windows Malicious Software Removal Tool
    • Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.

For more information see:
Microsoft Security Bulletin Advance Notification
Updated: April 5, 2007

See also: MSRC Blog

 

Posted: Apr 08 2007, 05:20 PM by jubo | with no comments
New kid on the blo(g)ck...

McAfee's new CEO, David DeWalt, has written his first blog post, The New Guy, at McAfee's Security Insights Blog. Hope to see more of him there and maybe he'll find some time to visit the McAfee Support Forums one day...

 

Posted: Apr 06 2007, 07:58 AM by jubo | with no comments
Patch released for Windows Animated Cursor Handling (MS07-017)

Microsoft released Microsoft Security Bulletin MS07-017, Vulnerabilities in GDI Could Allow Remote Code Execution (925902).

Please visit the Microsoft Update Web site now.

For technical details see: Microsoft Security Bulletin Summary for April 2007.

Information for end-users: Microsoft security update for April 3, 2007.

See also: MSRC Blog.

 

Posted: Apr 03 2007, 09:15 PM by jubo | with no comments
Patch will be released to address the Windows Animated Cursor Handling

Tomorrow, April 3rd, 2007, Microsoft will release a patch to address the vulnerability in Windows Animated Cursor Handling. The highest Maximum Severity rating for this is Critical. This update will require a restart.

In the meantime keep your antivirus signature files updated. It can help to protect you against attempts to exploit this vulnerability.

For the latest developments regarding this issue see the MSRC Blog.

When the patch becomes available please install it as soon as it is released.

 

Posted: Apr 02 2007, 08:57 PM by jubo | with no comments