March 2010 Bulletin Release Advance Notification
MSRC Blog: Today we are providing advance notification to customers that we will be releasing two bulletins this month affecting Windows and Microsoft Office products. Both bulletins are rated Important and address a total of 8 vulnerabilities.
We recommend that customers review the Advance Notification webpage and prepare to deploy these bulletins as soon as possible. To provide additional guidance for deployment prioritization, customers should note that both bulletins will address issues that would require a user to open a specially crafted file. There are no network based attack vectors.
We’re also continuing to monitor the situation with Security Advisory 981169, the VBScript issue disclosed on Monday. There are no known attacks but we encourage customers to review the advisory and apply the suggested workarounds where possible. Customers that are running Windows 7, Windows Server 2008, Windows Server 2008 R2, and Windows Vista are not affected.
As always, we will be hosting a public webcast where we will go into details about the bulletins for March and where customers can ask questions. We will have a room full of engineers on hand to answer those questions live during the webcast. Here are the details:
Malware might be cause of Restart Issues MS10-015
MSRC blog:
In our continuing investigation into the restart issues related to MS10-015 that a limited number of customers are experiencing, we have determined that malware on the system can cause the behavior. We are not yet ruling out other potential causes at this time and are still investigating. Please review our blog post from yesterday for additional information.
One of the key components when investigating issues like this is obtaining memory dumps from computers experiencing the problem. In order to get the information we need to fully analyze the issue, some of our support engineers have actually driven to customer locations and picked up affected systems so we can get the needed crash data directly and help inform our investigation. For more information about memory dumps, please see: http://support.microsoft.com/kb/254649.
We encourage customers to follow our “Protect Your PC” best practices and always have up to date anti-virus software running on their systems to help prevent malware infections. For customers who do not have anti-virus software, you can either scan your system using our online tool at http://safety.live.com or you can install Microsoft Security Essentials for free.
This can be a difficult issue to solve once a computer is in an un-bootable state so we encourage customers who feel they have been impacted by this to contact our Customer Service and Support group by either going to https://consumersecuritysupport.microsoft.com or by calling 1-866-PCSafety (1-866-727-2338). International customers can find local support contact numbers here: http://support.microsoft.com/common/international.aspx.
The Microsoft Security Response Center (MSRC) Update – Restart Issues After Installing MS10-015
Restart issues after installing MS10-015
MSRC Blog:
I am writing to let you know that we are aware that after installing the February security updates a limited number of users are experiencing issues restarting their computers. Our initial analysis suggests that the issue occurs after installing MS10-015 (KB977165). However, we have not confirmed that the issue is specific to MS10-015 or if it is an interoperability problem with another component or third-party software. Our teams are working to resolve this as quickly as possible. We also stopped offering this update through Windows Update as soon as we discovered the restart issues. However, those using enterprise deployment systems such as SMS or WSUS will still see and be able to deploy these packages.
As you may recall from previous blog posts, MS10-015 is an Elevation of Privilege vulnerability that would require the attacker to have valid credentials in order to be able to leverage the vulnerability in an attack. Several other updates in this release were identified as having a high priority for deployment and we continue to encourage customers to thoroughly test the updates and deploy them immediately. At this time, we are not aware of any issues with the other updates that were released this month and we continue to encourage customers to install them as soon as possible in order to help ensure that they are protected from the vulnerabilities they address.
While we work to address this issue, customers who choose not to install the update can implement the workaround outlined in the bulletin. CVE-2010-0232 was publicly disclosed and we previously issued Security Advisory 979682 in response. Customers can disable the NTVDM subsystem as a workaround and we have provided an automated method of doing that with a Microsoft Fix It that you can find here: http://support.microsoft.com/kb/979682.
Customers who are experiencing issues after installing any of our security updates can get help resolving the issues by either going to https://consumersecuritysupport.microsoft.com or by calling 1-866-PCSafety (1-866-727-2338). International customers can find local support contact numbers here: http://support.microsoft.com/common/international.aspx.
The Microsoft Security Response Center (MSRC)
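The post above describes two states an administrator has to tell apart while the restart reports are being investigated: hosts that have the KB977165 package installed, and hosts that instead rely on the "disable NTVDM" workaround from the bulletin. The following read-only PowerShell audit is an added example, not code from the MSRC post. It assumes the workaround is the "Prevent access to 16-bit applications" policy, which sets the VDMDisallowed value under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat (verify this against the bulletin text before relying on it), and it treats 64-bit Windows as unaffected because it ships no 16-bit subsystem.

```powershell
# Added example (not from the MSRC post): audit MS10-015 patch state and the
# NTVDM workaround on the local host. Run in an elevated Windows PowerShell.

function Get-NtvdmWorkaroundState {
    # Assumption: this is the policy value the bulletin's workaround / Fix It sets.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
    $name = 'VDMDisallowed'
    $value = $null
    if (Test-Path -Path $path) {
        $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    }
    # x64 editions have no NTVDM at all, so the workaround is moot there.
    $is64 = [Environment]::Is64BitOperatingSystem
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Is64BitOS         = $is64
        VDMDisallowed     = $value
        WorkaroundApplied = ($is64 -or ($value -eq 1))
    }
}

function Get-MS10015Status {
    # KB977165 is the package id the post names for MS10-015.
    $hotfix = Get-HotFix -Id 'KB977165' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        KB977165     = [bool]$hotfix
        InstalledOn  = if ($hotfix) { $hotfix.InstalledOn } else { $null }
    }
}

# Hosts that are neither patched nor covered by the workaround are the ones
# still exposed to CVE-2010-0232; hosts that are patched but show the restart
# problem are the ones to pull memory dumps from, as the follow-up post asks.
$patch = Get-MS10015Status
$work  = Get-NtvdmWorkaroundState
[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    Patched             = $patch.KB977165
    WorkaroundApplied   = $work.WorkaroundApplied
    StillExposed        = (-not $patch.KB977165) -and (-not $work.WorkaroundApplied)
}
```

Get-HotFix only reports packages registered with Windows Update; for hosts patched through SMS or WSUS with non-standard packaging, cross-check with the deployment system's own reporting.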
Further Insight into Security Advisory 979352 and the Threat Landscape
We wanted to provide you some insight into the vulnerability reported in Microsoft Security Advisory 979352, which is related to our ongoing investigation into the recently publicized attacks against Google and other large corporate networks. We understand that there is a lot of noise about this topic right now and we know that our customers are receiving a lot of information about this situation from a variety of sources, so we want to provide some additional insight.
First, we will provide an update on the threat landscape – there has been a lot of speculation, so we’ll share detailed information on what Microsoft is seeing in terms of attacks across all of our monitoring systems. Second, we’ll highlight what customers should do to protect themselves. Finally, I will provide an update on the continuing work at Microsoft to respond to this situation and help protect our customers.
In terms of the threat landscape, we are only seeing a very limited number of targeted attacks against a small subset of corporations. The attacks that we have seen to date, including public proof-of-concept exploit code, are only effective against Internet Explorer 6. Based on a rigorous analysis of multiple sources, we are not aware of any successful attacks against IE7 and IE8 at this time. This is likely due to improved security protections provided by newer versions of Internet Explorer and Windows as described in our recent Security Research and Defense Blog. In summary, we are not seeing any widespread attacks by any means, and thus far we are not seeing attacks focused on consumers.
That said, we remain vigilant about this threat evolving and want to be sure our customers take appropriate action to protect themselves. That is why we continue to recommend that customers using IE6 or IE7 upgrade to IE8 as soon as possible to benefit from the improved security protections it offers. Customers who are using Windows XP SP2 should be sure to upgrade to both IE8 and enable Data Execution Protection (DEP), or upgrade to Windows XP SP3 which enables DEP by default, as soon as possible. Additionally customers should consider implementing the workarounds and mitigations provided in the … Continue At Source
Security Advisory 979352 Released for IE
MSRC blog: Based upon our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks. Today, Microsoft issued guidance to help customers mitigate a Remote Code Execution (RCE) vulnerability in Internet Explorer. Additionally, we are cooperating with Google and other companies, as well as authorities and other industry partners.
Microsoft remains committed to taking the appropriate action to help protect our customers. We released Security Advisory 979352 to provide customers with actionable guidance and tools to help with protections against exploitation of this vulnerability. Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time. Our teams are currently working to develop an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out of band.
It is important to note that complex attacks targeting specific corporate networks are becoming more prevalent in the threat landscape, therefore organizations should follow defense-in-depth best practices, and deploy multiple layers of protection to improve their security posture. In addition, Protected Mode in IE 7 on Windows Vista and later significantly reduces the ability of an attacker to impact data on a user’s machine. Customers should also enable Data Execution Prevention (DEP) which helps mitigate online attacks. DEP is enabled by default in IE 8 but must be manually enabled in prior versions.
Customers can also set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones or configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. You can find details on implementing these settings in the advisory.
The Microsoft Security Response Center (MSRC) Security Advisory 979352 Released
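The advisory post above names three host-side mitigations: DEP, and setting ActiveX controls and Active Scripting to prompt or disable in the Internet and Local intranet zones. The PowerShell below is an added audit example, not code from the advisory or from Microsoft, that reports whether a host currently meets that guidance. It assumes the standard IE zone encodings (zone 3 = Internet, zone 1 = Local intranet; value 1200 = run ActiveX controls, 1400 = Active Scripting; 0 = enable, 1 = prompt, 3 = disable) and the Win32_OperatingSystem DEP policy codes (0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut).

```powershell
# Added example (not from the advisory): read-only check of the DEP policy and
# the per-user IE zone actions the advisory asks customers to tighten.

function Get-DepPolicy {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{
        DepAvailable = $os.DataExecutionPrevention_Available
        Policy       = $names[$policy]
        # OptIn only covers Windows system binaries unless a program opts in
        # itself; IE8 does that, IE6/IE7 do not, which is the advisory's point.
        CoversOldIE  = (@(1, 3) -contains $policy)
    }
}

function ConvertTo-ZoneActionName {
    param($Value)
    if ($null -eq $Value) { return 'NotSet' }   # falls back to the zone template default
    switch ([int]$Value) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "Unknown($Value)" } }
}

function Get-IEZoneActions {
    param([int[]]$Zones = @(1, 3))   # 1 = Local intranet, 3 = Internet
    $zoneName = @{ 1 = 'Local intranet'; 3 = 'Internet' }
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    foreach ($z in $Zones) {
        $p = Get-ItemProperty -Path "$base\$z" -ErrorAction SilentlyContinue
        $activex = if ($p) { $p.'1200' } else { $null }
        $script  = if ($p) { $p.'1400' } else { $null }
        [pscustomobject]@{
            Zone            = $zoneName[$z]
            RunActiveX      = ConvertTo-ZoneActionName $activex
            ActiveScripting = ConvertTo-ZoneActionName $script
            # Advisory guidance is met when both actions are Prompt or Disable.
            MeetsAdvisory   = (@(1, 3) -contains [int]$activex) -and (@(1, 3) -contains [int]$script)
        }
    }
}

Get-DepPolicy
Get-IEZoneActions
```

The zone values are read from HKCU, so the result describes the interactive user only; where the "Security Zones: Use only machine settings" policy is in force, read the same value names under HKLM instead. A NotSet entry means the zone is using its template default, not that the action is enabled.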
The Decade’s 10 Most Dastardly Cybercrimes
It was the decade of the mega-heist, when stolen credit card magstripe tracks became the pork bellies of a new underground marketplace, Eastern European hackers turned malware writing into an art, and a nasty new crop of purpose-driven computer worms struck dread in the heart of America.
Now that the zero days are behind us, it’s time to reflect on the most ingenious, destructive or groundbreaking cybercrimes of the first 10 years of the new millennium.
Michael “Mafiaboy” Calce
Once upon a time, “distributed denial of service attacks” were just a way for quarreling hackers to knock each other out of IRC. Then one day in February 2000, a 15-year-old Canadian named Michael “MafiaBoy” Calce experimentally programmed his botnet to hose down the highest traffic websites he could find. CNN, Yahoo, Amazon, eBay, Dell and eTrade all buckled under the deluge, leading to national headlines and an emergency meeting of security experts at the White House.
Compared to modern DDoS attacks, MafiaBoy’s was trivial. But his was the cyberstrike that put the internet’s security issues on a national stage, and inaugurated an era where any pissed off script kiddy could take down part of the web at will.
On April 5, 2002, an unidentified hacker penetrated a California server housing the state government’s payroll database, gaining access to names, Social Security numbers and salary information for 265,000 state workers from the governor on down. The breach itself was small potatoes, but when it emerged that the California Controller’s Office had waited two weeks to warn the victims, angry lawmakers reacted by passing the nation’s first breach disclosure law, SB1386.
The law requires hacked organizations to promptly warn potential identity theft victims. Its passage pulled the rock off the string of major corporate breaches that companies would have preferred to hush up. Today, 45 states have enacted similar laws.
In 2003, fear came in 376 bytes. The lightning-fast Slammer worm targeted a hole in Microsoft’s SQL server, and despite striking six months after a fix was released, the malware cracked an estimated 75,000 unpatched servers in the space of hours. Bank of America and Washington Mutual ATM networks ground to a halt. Continental Airlines delayed and canceled flights when its ticketing system got gummed up. Seattle lost its emergency 911 network, and a nuclear power plant in Ohio lost a safety monitoring system.
Slammer wasn’t the biggest worm ever, but in its aggressive, relentless spread, it exposed the secret interconnections that corporations were foolishly allowing between important private networks and the public internet.
Saad Echouafni
Years before there was a Russian Business Network, a small ISP hosted in a suburban basement in Ohio gained the dubious reputation as the first black-hat hosting company. It was a safe spot for hackers and packet monkeys to attack an unsuspecting internet. Foonet’s hosted clients included Carder Planet — the dedicated “carder forum” for credit card hackers — and its IRC servers were where legendary German hacker Axel “Ago” Gembe controlled his Agobot network of compromised Windows boxes.
After two FBI raids, in 2004, Foonet’s founder and some of the staff were indicted for a DDoS-for-hire scheme that collaterally slammed Amazon.com and the Department of Homeland Security. Foonet’s owner, Saad Echouafni, skipped out on $750,000 to flee the country, and remains on the FBI’s wanted list today.
When Los Angeles traffic engineers went on strike in August 2006, the city decided not to take any chances: They temporarily blocked most access to the computer that controls 3,200 traffic signals throughout the City of Angels. Two of the striking engineers hacked in anyway. From a laptop, Kartik Patel and Gabriel Murillo picked four key intersections and changed the timing on the traffic signals so the most congested approach would hit long red lights.
The timing tweaks wreaked havoc in a city already flirting with gridlock, according to the Los Angeles Times, snarling traffic at the Los Angeles International Airport, backing up the Glendale Freeway and paralyzing Little Tokyo and the streets of the downtown Civic Center. It evidently took several days for managers to figure out what was going on.
In December 2009, the engineers were sentenced to probation.
Max “Iceman” Vision
In 2006, a former computer security researcher turned professional black hat weighed and measured the computer underground, and found it wanting. So in a two-night hackfest from his San Francisco safe house, Max Vision (aka Iceman) trained his guns on the online carder forums where hackers and fraudsters buy and sell stolen data, fake IDs and specialized underground services.
When he was done hacking in and wiping out their databases, he absorbed their content and membership into his own site, CardersMarket, turning it into the largest English-speaking criminal marketplace on the web — 6,000 members strong. The hostile takeover got the attention of the feds who’d thoroughly infiltrated some of the sites he hacked, and a year later FBI and Secret Service tracked Iceman to his hideout. He’s now awaiting sentencing for stealing 2 million credit cards that rang up $86 million in fraudulent charges.
The first time we learned that the payment processor RBS Worldpay had been hacked, it sounded like no big deal: The company announced in December 2008 that it had seen fraud on only 100 of the 1.5 million payroll and gift card accounts compromised in the breach. But it turns out the hackers were able to raise the withdrawal limits on 44 of those cards to as high as $500,000. Then they dispatched a global army of cashers to slam the accounts with repeated rapid-fire withdrawals.
More than 130 ATMs in 49 cities from Moscow to Atlanta were hit simultaneously just after midnight Eastern Time on November 8, 2008, resulting in a one-day haul of $9.5 million in cold, hard cash. In November, the United States indicted four of the alleged ringleaders, who are in Estonia, Russia and Moldova. Good luck with that.
Albert “Segvec” Gonzalez
He called it “Operation Get Rich or Die Tryin’.” For nearly four years ending in 2008, 28-year-old Albert “Segvec” Gonzalez and his accomplices in America and Russia staged the biggest data thefts in history, stealing credit and debit card magstripe data for sale on the black market. Using Wi-Fi hacking and SQL injection, the gang popped companies like 7-Eleven, Dave & Buster’s, Office Max, TJX, and the credit card processor Heartland Payment Systems, which alone gave up 130 million cards.
The intrusions didn’t just make Gonzalez a millionaire — he buried $1.1 million in his parents’ backyard — they exposed slipshod security in America’s card-processing infrastructure, and positioned the former Secret Service informant to break a new record: longest U.S. prison term for hacking. His plea agreements envision a 17- to 25-year sentence. It could be worse. One of Gonzalez’s overseas accomplices got 30 years in a Turkish prison.
Bots were probably the biggest black-hat innovation of the decade, and the biggest and best was Conficker. From the start, the Conficker botnet had trouble managing expectations. But just because the worm didn’t destroy the internet, as predicted by the mainstream press, doesn’t mean it wasn’t an impressive achievement.
Packing state-of-the-art encryption and a sophisticated peer-to-peer update mechanism, Conficker tantalized security researchers and resisted attempts at eradication, inhabiting at its peak as many as 15 million unpatched Windows boxes, mostly in China and Brazil.
Experts think it’s the work of an organized team of coders, and there are hints that it originated in Ukraine. And like most of the hacking out of Eastern Europe, the software has a profit motive: It’s been seen sending spam, and serving victims a fake anti-virus product that offers to remove malware for $49.95. Dude. It used to be about the mayhem.
Another innovation from the former Soviet empire was the so-called “money mule” scam that emerged in 2009. Using specialized Trojan horses like Zeus and URLZone, the perps target small businesses that use online banking, stealing the victim’s credentials and initiating wire transfers from their accounts, usually totaling tens or hundreds of thousands of dollars.
In some cases, the Trojan horse even covers up the crime by rewriting the victim’s online bank statement on the fly; other times, the hacker just wipes the hard drive to keep the target off the internet for a while. The stolen money goes to mules who’ve been recruited through bogus work-at-home offers, and whose job it is to withdraw the cash and send the bulk of it to the scammers via Moneygram. It’s the perfect crime, one the FBI says has racked up $100 million in thefts, and counting.
(Photos: Michael Calce courtesy Arcade Publishing; Max Vision courtesy Santa Clara County Department of Corrections; Albert Gonzalez courtesy law enforcement;
December 2009 Bulletin Release Advance Notification
Advance Notification for the December 2009 Security Bulletin Release
For December we are planning to release six new security bulletins addressing 12 vulnerabilities in Windows, Internet Explorer (IE) and Microsoft Office products. Three of the bulletins have a maximum severity rating of Critical and three have a maximum severity rating of Important. To help customers plan for their deployment of these updates, I want to specifically call out that they touch all supported versions of Windows and IE. On the Office side, the bulletins impact Project, Word and Works 8.5. All of the updates for Windows will require a restart so please plan accordingly.
We want to make customers aware that we will be addressing the vulnerability discussed in Security Advisory 977981 in the IE bulletin on Tuesday. We know that customers are concerned about this issue and we are also aware that Proof of Concept (PoC) code is available publicly.
Here is a preview of the guidance we will be releasing with the bulletins on Tuesday: The IE update maps to bulletin number 4 in the ANS and will be at the top of our deployment priority list. The other critical update affecting Windows (bulletin number 1) will have a lower Exploitability Index rating, so while the impact is higher with a critical severity rating, the lower risk will drop the deployment priority down a little. The final critical update affecting Microsoft Project (bulletin number 3) is only critical for Project 2000. The other affected versions are important. That coupled with a lower Exploitability Index will also drive it down on the deployment priority list. Customers have asked us to map the numbered bulletins in the ANS to the final bulletin IDs after release so we will be doing that in the blog post here on Tuesday.
We are targeting the release of these bulletins for next Tuesday Dec. 8 at 10:00 a.m. PST (UTC -8). We will post more guidance at that time both here on the MSRC blog and on the Security Research & Defense (SRD) blog. Our guidance will include risk and impact information, our deployment priority list and deeper technical information on the bulletins from the SRD team. Until then, please review the ANS page here.
The Microsoft Security Response Center (MSRC) December 2009 Bulletin Release Advance Notification
Black Screen Issue is caused by malware
MSRC blog: We’ve received questions about public reports that customers might be experiencing system issues with the November Security Updates (which some are referring to as “Black Screen” issues). We’ve investigated these reports and found that our November Security Updates are not making changes to the system that these reports say are responsible for these issues.
While these reports weren’t brought to us directly, from our research into them, it appears they’re saying that our security updates are making permission changes in the registry to the value for the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell key.
We’ve conducted a comprehensive review of the November Security Updates, the Windows Malicious Software Removal Tool, and the non-security updates we released through Windows Update in November. That investigation has shown that none of these updates make any changes to the permissions in the registry. Thus, we don’t believe the updates are related to the “black screen” behavior described in these reports.
We’ve also checked with our worldwide Customer Service and Support organization, and they’ve told us they’re not seeing “black screen” behavior as a broad customer issue. Because these reports were not brought to us directly, it’s impossible to know conclusively what might be causing a “black screen” in those limited instances where customers have seen it. However, we do know that “black screen” behavior is associated with some malware families such as Daonol.
This underscores the importance of our guidance to customers to contact our Customer Service and Support group any time they think they’re affected by malware or are experiencing issues with security updates. This enables us to determine what might be happening and take steps to help customers by documenting new malware families in our MMPC malware encyclopedia or documenting known issues in our security bulletins and the supporting Knowledge Base articles.
Reports of Issues with November Security Updates
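The post above turns on one concrete artifact: the Shell value under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and the permissions on that key, which the public reports blamed on the updates and which Microsoft associates with malware such as Daonol. The following PowerShell is an added example, not code from the MSRC post, for a support engineer who wants a quick, read-only snapshot of that key from a machine that is still bootable. It assumes the Windows default Shell value is explorer.exe and also reads the per-user override under HKCU, which malware can use without touching HKLM.

```powershell
# Added example (not from the MSRC post): snapshot the Winlogon Shell value and
# who can write it, so a "black screen" report can be triaged against the
# machine's actual state rather than against speculation about the updates.

function Get-WinlogonShellState {
    $results = foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        if (-not (Test-Path -Path $key)) { continue }
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        $acl   = Get-Acl -Path $key
        # Identities that can set values on the key. Under the default ACL this is
        # SYSTEM and Administrators; anything else is worth explaining.
        $setValue = [System.Security.AccessControl.RegistryRights]::SetValue
        $writers = $acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.RegistryRights -band $setValue) -ne 0) } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
        [pscustomobject]@{
            Hive           = $hive
            Shell          = $shell
            # HKLM default is explorer.exe; HKCU normally has no Shell value at all.
            Expected       = if ($hive -eq 'HKLM') { ($shell -eq 'explorer.exe') } else { ($null -eq $shell) }
            Owner          = $acl.Owner
            CanSetValue    = ($writers -join ', ')
            Inherited      = -not $acl.AreAccessRulesProtected
        }
    }
    $results
}

Get-WinlogonShellState | Format-Table -AutoSize
```

A Shell value that points anywhere but explorer.exe, a populated HKCU Shell, or a SetValue grant to Users or Everyone is the kind of finding to hand to support together with the memory dump requested in the MS10-015 posts; the script changes nothing, so it is safe to run before any remediation decision.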
Microsoft Security Advisory (977981): Vulnerability in IE Could Allow Remote Code Execution
Microsoft is investigating new public reports of a vulnerability in Internet Explorer. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.
Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 and Internet Explorer 8 on all supported versions of Microsoft Windows are not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 are affected.
The vulnerability exists as an invalid pointer reference of Internet Explorer. It is possible under certain conditions for a CSS/Style object to be accessed after the object is deleted. In a specially-crafted attack, Internet Explorer attempting to access a freed object can lead to running attacker-supplied code.
At this time, we are aware of no attacks attempting to use this vulnerability against Internet Explorer 6 Service Pack 1 and Internet Explorer 7. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) programs to provide information that they can use to provide broader protections to customers. In addition, we’re actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability.
Microsoft continues to encourage customers to follow the “Protect Your Computer” guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at Security at home.
Mitigating Factors:
- Internet Explorer 8 is not affected.
- Protected Mode in Internet Explorer 7 in Windows Vista limits the impact of the vulnerability.
- By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
- An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
- By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.
More at source:
Microsoft Security Advisory (977981) Vulnerability in Internet Explorer Could Allow Remote Code