Archive: ‘updates’ Category

Security Advisory 979682 Released

January 21st, 2010

Today we released Security Advisory 979682 to address an Elevation of Privilege (EoP) vulnerability in the Windows kernel, affecting all currently supported versions of 32-bit Windows. 64-bit versions of Windows, including Windows Server 2008 R2, are not affected. The advisory provides customers with actionable guidance to help with protections against exploit of this vulnerability.

To exploit this vulnerability, an attacker must already have valid logon credentials and be able to log on to a system locally, meaning they must already have an account on the system. An attacker could then elevate their privileges to the administrative level and run programs of their choice on the system.

To help mitigate exploit of this vulnerability, customers who do not require NT Virtual DOS Mode (NTVDM) or support for 16-bit applications can disable the NTVDM subsystem. Information on this workaround can be found in the Advisory.

We are not currently aware of any active attacks against this vulnerability and believe risk to customers, at this time, is limited. We continue to recommend customers review the mitigations and workarounds detailed in the Security Advisory.

We are also working with our Microsoft Active Protections Program (MAPP) partners to help provide broader protections for customers.

Our teams are continuing to work on an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out-of-band.

The Security Advisory will be updated with any new developments so if you are not already subscribed to our comprehensive alerts, please do so in order to be alerted by email when new information is added.

We will also keep customers apprised of any additional details and updates through the MSRC Blog.

Thanks,

Jerry Bryant

via http://blogs.technet.com/msrc/archive/2010/01/20/security-advisory-979682-released.aspx

Adobe Issues Critical Updates To Flash, AIR – Security Watch

December 10th, 2009

Adobe released new versions of Flash and AIR today to address vulnerabilities in both products. Applying these updates as soon as practicable is a good idea, as Flash vulnerabilities are popular exploit vehicles in the wild.

Click here to install Flash 10.0.42.34.

Click here to install AIR 1.5.3.

The expanded security advisory explains that critical vulnerabilities could provoke crashes or remote code execution. Adobe Flash Player 10.0.32.18 and earlier versions and Adobe AIR 1.5.2 and earlier versions on all platforms are vulnerable.

7 new vulnerabilities are described cursorily. A patch to an eighth and older vulnerability is also updated. Adobe issues thanks to 6 different researchers for the help they provided with the vulnerabilities.

The advisory also adds that Flash Player version 10.1, which Adobe expects to release in the first half of 2010, will be the last to support PowerPC-based G3 Macs. They are discontinuing support, including security updates, past that version because they are implementing performance enhancements not supported in those processors.

Sun Java Runtime Environment Multiple Vulnerabilities

November 6th, 2009

Affected:
JDK and JRE 6 Update 16 and earlier
JDK and JRE 5.0 Update 21 and earlier
SDK and JRE 1.4.2_23 and earlier
SDK and JRE 1.3.1_26 and earlier

Description: Sun’s implementation of the Java Runtime Environment (JRE) and Java Web Start contains multiple vulnerabilities. A specially crafted Java application, an audio or image file or an applet could trigger one of these vulnerabilities, with consequences ranging from arbitrary code execution with the privileges of the current user to denial of service and security restriction bypass. Note that, depending upon configuration, Java applets embedded in web pages may be opened automatically upon the loading of the page. One of the errors is that the update mechanism does not update JRE to the new version when running on non-English Windows versions. There are errors in decoding DER-encoded data and in the parsing of HTTP headers which might lead to memory exhaustion. There is an authentication bypass vulnerability in JRE while verifying HMAC digests. Multiple buffer overflow and integer overflow vulnerabilities have been reported in JRE while processing specially crafted audio and image files. There is a command execution vulnerability in JRE which could be triggered by a specially crafted web page. There is a flaw in the implementation of security model permissions in the Java Web Start Installer. Some technical details for some of these vulnerabilities are publicly available.

Status: Vendor not confirmed, no updates available. [edit] Updates are available

References:
Zero Day Initiative Advisories
http://www.zerodayinitiative.com/advisories/ZDI-09-076
http://www.zerodayinitiative.com/advisories/ZDI-09-077
http://www.zerodayinitiative.com/advisories/ZDI-09-078
http://www.zerodayinitiative.com/advisories/ZDI-09-079
http://www.zerodayinitiative.com/advisories/ZDI-09-080
Sun Security Advisories
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270476-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270475-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270474-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269870-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269869-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269868-1
Product Home Page
http://java.sun.com
SecurityFocus BID
http://www.securityfocus.com/bid/36881

For this, do NOT rely on the check for updates in the Java control panel; instead go to http://java.com/en/download/ie_manual.jsp?locale=en&host=java.com:80

If you have a 64-bit version of Windows, you need to install the standard 32-bit version AND the 64-bit version: http://java.com/en/download/manual.jsp

Adobe Shockwave Player Multiple Vulnerabilities

November 6th, 2009

Affected: Adobe Shockwave Player versions 11.x

Description: Adobe Shockwave Player, with over 450 million users, is a multimedia player that allows Adobe Director applications to be published and viewed by a browser that is installed with a Shockwave plug-in.

Multiple vulnerabilities have been reported in Adobe Shockwave Player, which can be triggered by specially crafted Shockwave content. There is an error in the way an invalid index is used. There are also a couple of issues caused by the inappropriate use of an invalid pointer. The last issue is a memory corruption error when processing string lengths.

In all cases, successful exploitation might allow an attacker to execute arbitrary code in the context of the logged-on user.

There is not enough public information about these vulnerabilities.

Status: Vendor confirmed, updates available.

References:
Adobe Security Bulletin (APSB09-16)
http://www.adobe.com/support/security/bulletins/apsb09-16.html
Wikipedia Article on Adobe Shockwave
http://en.wikipedia.org/wiki/Adobe_Shockwave
Product Home Page
http://www.adobe.com/products/shockwaveplayer/
SecurityFocus BID
http://www.securityfocus.com/bid/36905

Adobe recommends Shockwave Player users install Shockwave Player version 11.5.2.602, available here: http://get.adobe.com/shockwave/
Remember: you need to install Shockwave separately in every browser in which you wish to use it.

Mozilla fixes 16 flaws with Firefox 3.5.4:

October 29th, 2009

http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.4

http://www.computerworld.com/s/article/9140008/Mozilla_fixes_16_flaws_with_Firefox_3.5.4

Mozilla today patched 16 vulnerabilities in Firefox, 11 of them critical, as it updated the open-source browser to version 3.5.4.

The 11 critical Firefox 3.5 vulnerabilities were located in a variety of components, including Web worker calls, the GIF color map parser, the string-to-number converter, a trio of third-party media libraries, and both the JavaScript and browser engines.

Microsoft Malware Protection Center : Microsoft Security Essentials

October 16th, 2009

Microsoft Malware Protection Center : Microsoft Security Essentials –
Week One:
http://blogs.technet.com/mmpc/archive/2009/10/15/microsoft-security-essentials-week-one.aspx

The Windows 7 numbers are spectacular for an operating system that
hasn’t yet released for global availability. Even better, about 1/3rd
of Windows 7 Microsoft Security Essentials machines are 64-bit, which is
even more resistant to malware than 32-bit due to PatchGuard.

By looking at detections divided by active Microsoft Security Essentials
machines over the whole population, we see far more detections per XP
machine, with the fewest from Win7. This follows our usual observed
trend of seeing less malware on newer OSes and service packs.

Microsoft Patch Registration Cleanup Tool

October 15th, 2009

Brief Description:
On a computer that has a Windows Installer-based product installed, you may receive an error while installing an update for the product, and the installation of the update may fail.

Windows Installer uses the registry to record information about updates installed for each Windows Installer-based product. These registry keys help identify the state of each update: registered, applied, superseded, or obsoleted. Information about installed updates is stored across several registry keys and values. To allow for the product to be in a serviceable state in which it can be repaired, updated, or uninstalled, it is critical for the data in these registry keys to be synchronized. When the data in these registry keys is no longer synchronized, maintenance mode operations cannot be performed on the product .msi file.

The Patch Registration Cleanup Tool helps resolve some issues that are related to invalid or corrupted update registration. This tool lets you bring the product back to a known state so that you can reinstall updates.

http://support.microsoft.com/?kbid=976220

direct download for the Patch Registration Cleanup Tool

Applies to all currently supported Windows versions from XP SP2 up to Windows 7, including all versions of Vista (SP1 and higher), Server 2003 (SP2) and Server 2008.

Microsoft Security Bulletin Summary for October 2009

October 14th, 2009

Microsoft has issued its biggest ever security update on 13 October.

The update includes 13 bulletins that between them tackle 34 vulnerabilities.

Microsoft said that eight of the bulletins were rated as critical – the most serious sort of vulnerability.

The security patches close loopholes in many different programs including different editions of Windows, Internet Explorer and some elements of Office.

One update, rated as critical, tackles a loophole in Internet Explorer 8 running under Windows 7. The next version of Microsoft’s operating system is due to be released on 22 October.

For home users the best way is to use Microsoft update on your computer.

These updates are vital and need to be installed immediately.

Adobe Releases Security Bulletin for Critical Vulnerability

October 10th, 2009

Adobe has released security bulletin APSB09-15 to alert users of a critical vulnerability in Adobe Reader and Acrobat.

Adobe indicates that it has received reports of active exploitation of this vulnerability.

Release of an update for this vulnerability is scheduled for Tuesday, October 13.

The Microsoft Security Response Center (MSRC) : October 2009 Bulletin Release Advance Notification

October 8th, 2009

Advance Notification for the October 2009 Security Bulletin Release

For October we are releasing 13 bulletins (eight critical and five important), addressing 34 vulnerabilities, affecting Windows, Internet Explorer, Office, Silverlight, Forefront, Developer Tools, and SQL Server. Most of these updates require a restart so please factor that into your deployment planning.