
SANS Internet Storm Center



ISC Feature of the Week: Handler Diaries, (Wed, Feb 22nd)


Overview
The Internet Storm Center publishes daily handler diaries summarizing and analyzing new threats to networks and Internet security events. Diaries range from 0-day vulnerability announcements to the latest software update releases. If it's security related, we'll probably put up a diary about it!
The ISC homepage https://isc.sans.edu always displays the last 24 hours of diaries. The top and bottom of every diary, wherever it is listed, contains a previous/next navigation link that will iterate through all the diaries in order. You can click the title to view the full diary page.
What's in a Diary?
A diary title is always an active link, so you can right-click and copy it to send to a friend or co-worker you think would be interested in the information. Alternatively, there is a Share menu to the right of the title if you want to publicly share on any number of social networking sites.
Under the title you will see the original published date and the last updated date, if any changes have been logged to the diary. Below that you will see the name of the handler who authored the diary and the version number. The "Rate this diary" feature is currently disabled but should be back soon.
The number of comments shows how many comments have been added and is a link that will take you straight to the comments section below the diary. You can leave a comment if you are logged in to your ISC/DShield account. Not logged in? No worries, just click the link, log in and you should be brought right back to leave your comment. The alias will default to what you have set in Your Information https://isc.sans.edu/myinfo.html but you can change it to whatever you want. Every comment is vetted by the handlers and inappropriate comments or blatant ads are removed.
The diary content will vary. It can contain anything from just a few lines of text, sometimes with web links, to a full tutorial with illustrated graphics. A handler will have their own custom signature at the end of every diary posted. If an announcement is short and doesn't require a lot of detail, a handler may post a oneliner which is highlighted with a different background/border and generally just one sentence.
A Keywords list follows the diary content. This is an individually linked list; each keyword takes you to a page displaying a table of all the diaries that contain that same keyword, along with the date published and the author.
How can I find past diaries?
The easiest way to find past diaries is to search for keywords as explained here https://isc.sans.edu/diary/ISC+Feature+of+the+Week+ISC+Search/12496. ALL the diaries can be listed by date on the Diary Archives page https://isc.sans.edu/diaryarchive.html. This is useful if you know the general timeframe or title text of a specific diary or just want to skim titles as an entire month is shown at once.
The site footer always contains some of the most recent Diary Archives in the center as well as a link to all the archives page. The homepage also lists some more of the most recent diaries as well as a link to the Diary Archives page https://isc.sans.edu/diaryarchive.html. There is also a link to the archives after every comment section on the diary page.
How can I get these diaries you speak of?
Well, you can make https://isc.sans.edu your default browser page so you don't miss anything.
You can also receive full or title only diaries by subscribing in your favorite RSS reader. The links can be found here https://isc.sans.edu/xml.html#rss

Let us know in the comments section below if you have suggestions or feedback about our diaries, or send us any questions or comments via the contact form at https://isc.sans.edu/contact.html
--


Adam Swanger, Web Developer (GWEB)


Internet Storm Center (http://isc.sans.edu)

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Apache 2.4 Features, (Wed, Feb 22nd)


The Apache Software Foundation released version 2.4.1 of its popular web server, including a number of interesting changes [1]. Among the features, I would like to highlight some of the security-relevant changes:
- more granular logging. Logging is always tedious and an often overlooked security component. Apache 2.4 allows log levels to be configured per directory.
- various changes to timeouts. We have seen a number of tools over the last few years that attacked web servers by exhausting connections. The new timeout changes may help with that, but overall, I don't think there is a simple fix for this problem.
- changes to the proxy configuration. Some use Apache not just as a web server, but as a proxy to restrict access to resources, or as a load balancer. This can help with security, but in the past, bugs in Apache's implementation of these features have caused problems.
- Apache now includes a mod_session that lets Apache take care of sessions. This includes support for encrypted sessions and for session-based authentication. We will have to see how this all works in more detail. It appears that headers will be used to add data to sessions; this could be a new opportunity to exploit HTTP response splitting. Note that the session information may be stored on the client, not just the server. Unencrypted sessions on the client could pose interesting security issues.
- mod_ssl has been improved to allow it to check client certificates for revocation via OCSP.
Version 2.4.1 is now available for download. I recommend you start testing it, but hold off on using it in production until some of the features have been debugged.
[1] http://httpd.apache.org/docs/2.4/new_features_2_4.html
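The mod_session point above, that session data may live on the client, is illustrated by the following added example. It is not Apache's code and does not use mod_session: it shows a plain client-side session cookie being rewritten by its owner and accepted, next to an HMAC-tagged cookie that rejects the same edit. The cookie layout, the field names, the SERVER_KEY value and the forge() helper are all assumptions made for the demo.

```python
"""Added example: a client-side session that is stored but not protected can be
rewritten by the client.  Illustrative code, not Apache's mod_session; the cookie
layout, field names and SERVER_KEY are assumptions."""
import base64
import binascii
import hashlib
import hmac

SERVER_KEY = b"example-only-secret-kept-on-the-server"  # assumption: never sent to clients


def encode_session_plain(fields: dict) -> str:
    """Naive client-side session: fields serialised straight into the cookie."""
    return "&".join(f"{k}={v}" for k, v in sorted(fields.items()))


def decode_session_plain(cookie: str) -> dict:
    """The server trusts whatever the client sends back."""
    return dict(item.split("=", 1) for item in cookie.split("&") if "=" in item)


def _tag(payload: bytes) -> str:
    """HMAC-SHA256 over the serialised payload, keyed with the server secret."""
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def encode_session_signed(fields: dict) -> str:
    """Authenticated client-side session: base64(payload).tag"""
    payload = encode_session_plain(fields).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _tag(payload)


def decode_session_signed(cookie: str):
    """Return the fields only if the tag verifies; otherwise None (reject, don't guess).
    The tag is checked before the payload is parsed, so unauthenticated data is
    never interpreted."""
    try:
        b64payload, tag = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64payload)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_tag(payload), tag):  # constant-time compare
        return None
    return decode_session_plain(payload.decode(errors="replace"))


def forge(cookie: str, old: str, new: str) -> str:
    """Hypothetical attacker step: edit one value inside a cookie they hold.  For the
    signed format the payload is re-encoded, but the tag cannot be recomputed
    without SERVER_KEY.  (Demo heuristic: a '.' marks the signed format.)"""
    if "." not in cookie:
        return cookie.replace(old, new)
    b64payload, tag = cookie.split(".", 1)
    payload = base64.urlsafe_b64decode(b64payload).decode().replace(old, new)
    return base64.urlsafe_b64encode(payload.encode()).decode() + "." + tag


def demo() -> tuple:
    """(role the server accepts from the forged plain cookie,
        result for the forged signed cookie, result for the untouched signed cookie)"""
    fields = {"user": "alice", "role": "user"}
    forged_plain = forge(encode_session_plain(fields), "role=user", "role=admin")
    accepted_plain = decode_session_plain(forged_plain)["role"]  # server now sees 'admin'

    signed = encode_session_signed(fields)
    forged_signed = forge(signed, "role=user", "role=admin")
    return accepted_plain, decode_session_signed(forged_signed), decode_session_signed(signed)


if __name__ == "__main__":
    print(demo())
```

Confidentiality and integrity are separate properties: encrypting a client-side session hides its contents, but only an authentication tag (or an authenticated encryption mode) stops a modified or bit-flipped cookie from being accepted, so check exactly what a session module's "encrypted sessions" option provides before storing anything authorization-relevant on the client.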
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute


ISC StormCast for Wednesday, February 22nd 2012 http://isc.sans.edu/podcastdetail.html?id=2344, (Wed, Feb 22nd)

Wed, 02/22/2012 - 12:33


How to test OS X Mountain Lion's Gatekeeper in Lion, (Wed, Feb 22nd)

Wed, 02/22/2012 - 12:16

While I was comparing various OS X hardening guides (see the diary from a couple of days ago), Apple announced one important new security feature in OS X 10.8 (Mountain Lion). The new operating system, to be released this summer, will include a whitelisting system modeled on iOS. iOS has received a lot of criticism for its closed nature, but so far, I have to admit, it has worked pretty well. We have heard very little about iOS malware, while Android malware appears to be starting to steal the show from Windows malware (it has a while to go, but all the news lately seems to be about Android malware).
iOS uses a pretty simple and effective security model to fight malware: whitelisting. All software installed on an iOS device has to be digitally signed, and in order to be signed, the software has to be reviewed by Apple. Only software that uses standard, Apple-vetted APIs is considered trustworthy enough to be signed, making it difficult to sneak in malicious code. If malicious software slips through, it can be recalled later.
Over the last few years, the opposite model, blacklisting (anti-malware), has failed spectacularly. Even many desktop users now use third-party whitelisting software, which is usually more granular than what Apple proposes.
Apple's approach allows for essentially three different settings:
- Only allow Apple approved software (pretty much what iOS does)

- allow Apple approved software, but also allow software signed with specific additional certificates (you could use this to sign your own software. Kind of like accepting the certificate from an iOS developer for testing)

- allow all software (pretty much unlocked in iOS terms)
There are some specific limitations to Apple's approach:
- the signatures are only checked at install time. If malicious software gets past the install, it will not be inspected further.

- only executables are checked. A malicious PDF may still cause havoc, even if it can no longer download and install additional malware.

The best part, in my opinion, is that the functionality was already pushed out to systems as part of the last OS X update (10.7.3). So you can already experiment with the feature and see how well it works (or doesn't work). I have been running it off and on for a while and so far haven't experienced any ill effects, aside from it blocking me once or twice from installing software. Each time, I just disabled it temporarily (which could be considered a weakness).
The command line utility spctl can be used to enable or disable the feature: spctl --enable enables it, spctl --disable disables it. You need to be root to run the utility.
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute


ISC StormCast for Tuesday, February 21st 2012 http://isc.sans.edu/podcastdetail.html?id=2341, (Tue, Feb 21st)

Tue, 02/21/2012 - 12:58


DNSChanger resolver shutdown deadline is March 8th, (Mon, Feb 20th)

Tue, 02/21/2012 - 09:05

The ISC has written a number of diaries about DNSChanger in the past, including this excellent diary by a number of ISC Handlers, so I am not going to rehash the history.
With the FBI's March 8th deadline for disabling the DNSChanger resolvers rapidly approaching, the predictable fearmongering is beginning in the blogosphere and the regular press. Rest assured that DNSChanger infected a relatively small number of computers compared to most infections, and turning off the temporary resolvers will barely be a blip on the Internet. There are some suggestions that the FBI may extend this deadline to permit companies to complete their cleanup. Frankly I am on the fence about whether or not an extension is a good idea. I certainly don't want to entertain the possibility that the companies that I do business with, and entrust my personal information to, may take more than 4 months to clean up a known malware infection.
The fact is that DNSChanger has provided us a rare opportunity. DNSChanger itself never reached its full potential because of the FBI's intervention, but analysis of DNSChanger-infected computers has revealed that they are nearly always infected with a range of other malware, including malware that disables automatic updates and antivirus products. Others have been found with credential-stealing Trojans and rootkits. Certainly the detection of this sort of malware should result in immediately taking the computer off the network and rebuilding it.
The symptoms of a DNSChanger infection are relatively easy to detect. From shortly after the FBI's Operation Ghost Click was revealed, the DNSChanger Working Group (DCWG) provided instructions on how to determine if your computer is infected, and shadowserver.org has made reports available which permit anyone who owns their own address space to reliably detect the presence of DNSChanger infections, and by extension associated malware.
In the last month or so another way of detecting DNSChanger-infected computers has been made available. Several countries have launched eyechart sites which will tell you if the machine you are on is infected. For the most part these sites follow the pattern dns-ok.CC, where CC is the country code of the hosting country. Some that are available are dns-ok.us (U.S.), dns-ok.ca (Canada), dns-ok.de (Germany), dns-ok.be (Belgium) and I am sure many others. They all follow a familiar pattern: if the site is a friendly green, your computer is not infected with DNSChanger; a not-so-friendly red requires further investigation.
One caveat: it appears that in relatively rare circumstances, DNSChanger may infect SOHO routers. So although the eyechart may be red, it may not be the computer you are on that is infected. It may be the router. Either way, you know that some investigation is warranted.
Please consider using these available tools to clean up malware infections on your network... before the FBI turns off the resolvers.
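The check the DCWG instructions and the eyechart sites perform, as an added example that is not from the diary, the DCWG or shadowserver: read the resolvers a host is configured to use and classify each one. The rogue ranges are the DNSChanger resolver blocks the FBI/DCWG published for Operation Ghost Click, reproduced from that public list (confirm them against dcwg.org before relying on them); the sample resolv.conf is constructed, and the LOCAL classification covers the SOHO-router caveat above, where the host itself looks clean but points at a router whose upstream DNS has been changed.

```python
"""Added example, not from the ISC diary or the DCWG tools: classify the resolvers a
host is configured to use against the rogue DNSChanger resolver ranges."""
import ipaddress

# Rogue resolver blocks from the FBI/DCWG Operation Ghost Click notice (reproduced
# from that public list; check dcwg.org for the authoritative version).
ROGUE_RESOLVER_NETS = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",   # 85.255.112.0 - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0   - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0 - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0   - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0 - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0  - 64.28.191.255
)]

# Constructed sample, not a real capture: one rogue resolver, one SOHO router
# address (the caveat from the diary) and one public resolver.
SAMPLE_RESOLV_CONF = """\
# constructed /etc/resolv.conf
nameserver 85.255.112.36
nameserver 192.168.1.1
nameserver 8.8.8.8
"""


def parse_resolvers(resolv_conf: str) -> list:
    """Return the addresses from 'nameserver' lines, ignoring comments and junk."""
    found = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                found.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed entry; nothing we can classify
    return found


def classify_resolver(addr: str) -> str:
    """ROGUE: inside a DNSChanger range.  LOCAL: private/loopback/link-local, i.e. the
    host points at a router or local cache whose own upstream must be checked next
    (the SOHO router case).  CLEAN: a public resolver not in the list."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in ROGUE_RESOLVER_NETS):
        return "ROGUE"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "LOCAL"
    return "CLEAN"


def check_resolv_conf(resolv_conf: str) -> dict:
    """Map each configured resolver to its classification."""
    return {str(ip): classify_resolver(str(ip)) for ip in parse_resolvers(resolv_conf)}


def verdict(results: dict) -> str:
    """One-line summary in the spirit of the dns-ok eyecharts."""
    if "ROGUE" in results.values():
        return "RED: host uses a DNSChanger resolver; isolate and rebuild"
    if "LOCAL" in results.values():
        return "AMBER: resolver is a local router/cache; check its upstream DNS settings"
    return "GREEN: no DNSChanger resolver configured on this host"


if __name__ == "__main__":
    res = check_resolv_conf(SAMPLE_RESOLV_CONF)
    for ip, status in res.items():
        print(f"{ip:16} {status}")
    print(verdict(res))
```

A GREEN result from the host alone is only as good as the resolver chain behind it: when the configured resolver is the router, the same classification has to be run against the DNS servers set on the router, which is what the AMBER case is for.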
-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter: namedeplume (Protected)

Simple Malware Research Tools, (Mon, Feb 20th)

Tue, 02/21/2012 - 02:46

A lot of people ask me what kind of tools I use for malware research.
That's definitely a really broad question, because each malware sample may need a different approach. However, there are some simple tools that can help on a first pass and sometimes give you all the answers you need, without going deeper into more complete debuggers and disassemblers such as OllyDbg and IDA Pro, which, by the way, are two great tools!
For this diary I am not considering exploit documents, like PDF or Java exploits, but just plain PE files (EXEs and DLLs).
As part of my first-look kit I use the pescanner Python script from the Malware Analyst's Cookbook, which the authors made available here.
This script gives you some valuable information about the PE file, like the PE sections, version information (if available), and the compilation date. Because there are some known bad indicators, the script will also print the word [SUSPICIOUS] when it finds one of them, such as a strange compilation date or strange entropy values in the PE sections.
Once you are used to the analysis, a quick look at this output will help you identify possibly malicious files. Since it is based on Ero Carrera's pefile Python module, you can modify it and add features if you think it is necessary. One addition I made to mine was to show whether the file contains an overlay. In a few situations a legitimate overlay is expected, but it is very common to find parasitic viruses including their code as an overlay on the PE file.
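The three indicators just described (compile timestamp, section entropy, overlay) in a small pure-Python triage, as an added example. This is not the pescanner script and does not use pefile; it walks the PE headers directly so it runs with nothing but the standard library. The indicator thresholds, the list of common section names and the sample PE (constructed in build_sample_pe, not executable) are assumptions for the demo.

```python
"""Added example, not the pescanner script from the diary: minimal PE triage reporting
section entropy, compile timestamp and overlay.  Thresholds, the common-section list
and the constructed sample are assumptions."""
import math
import struct
import time
from collections import Counter
from datetime import datetime, timezone

COMMON_SECTION_NAMES = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".idata",
                        ".edata", ".bss", ".pdata", ".tls", ".CRT"}  # assumption
EPOCH_1990 = 631152000  # compile stamps before 1990 are treated as bogus (assumption)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: near 8.0 suggests packed/encrypted data, near 0 padding."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> section table; no pefile needed."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size                      # section table follows the optional header
    sections, end = [], 0
    for i in range(nsect):
        name, _vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "raw_offset": rawptr,
                         "raw_size": rawsize, "entropy": round(shannon_entropy(raw), 3)})
        end = max(end, rawptr + rawsize)            # overlay = bytes past the last section
    try:
        compiled = datetime.fromtimestamp(timestamp, timezone.utc).isoformat()
    except (OverflowError, OSError, ValueError):
        compiled = None
    return {"machine": machine, "timestamp": timestamp, "compiled_utc": compiled,
            "sections": sections, "overlay_offset": end,
            "overlay_size": max(0, len(data) - end)}


def triage(data: bytes, now: int = None) -> dict:
    """parse_pe() plus [SUSPICIOUS]-style indicators in the spirit of pescanner."""
    info = parse_pe(data)
    now = int(time.time()) if now is None else now
    flags = []
    if info["timestamp"] > now or info["timestamp"] < EPOCH_1990:
        flags.append("timestamp")
    for s in info["sections"]:
        if s["entropy"] > 7.0:
            flags.append("entropy:" + s["name"])
        if s["name"] not in COMMON_SECTION_NAMES:
            flags.append("section_name:" + s["name"])
    if info["overlay_size"]:
        flags.append("overlay:%d" % info["overlay_size"])
    info["suspicious"] = flags
    return info


def build_sample_pe(timestamp: int, overlay: bytes) -> bytes:
    """Constructed minimal PE (no optional header, no imports); for the demo only."""
    sections = [(b".text", b"\x90" * 512 + b"\xc3" * 512),  # two byte values: entropy 1.0
                (b".xyz", bytes(range(256)) * 4)]           # uniform bytes: entropy 8.0
    e_lfanew, opt_size = 0x40, 0
    header_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_start = (header_len + 0x1FF) & ~0x1FF                # file alignment 0x200
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    table, body, ptr, vaddr = b"", b"", raw_start, 0x1000
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), ptr,
                             0, 0, 0, 0, 0x60000020)
        body, ptr, vaddr = body + raw, ptr + len(raw), vaddr + 0x1000
    return bytes(dos) + b"PE\0\0" + coff + table + b"\0" * (raw_start - header_len) + body + overlay


# Far-future timestamp plus a 100-byte overlay, so every indicator fires.
SAMPLE_PE = build_sample_pe(0xFFFFFFF0, b"OVERLAY!" + b"\0" * 92)

if __name__ == "__main__":
    report = triage(SAMPLE_PE)
    for s in report["sections"]:
        print("%-8s off=0x%x size=%d entropy=%.2f" % (s["name"], s["raw_offset"], s["raw_size"], s["entropy"]))
    print("overlay: %d bytes at 0x%x" % (report["overlay_size"], report["overlay_offset"]))
    print("[SUSPICIOUS]" if report["suspicious"] else "[OK]", report["suspicious"])
```

To run it against a real sample, read the file as bytes and pass it to triage(); the overlay_offset is where to start carving the appended data out for separate hashing and inspection.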
Another great tool that I use is the HIEW (Hacker's View) hex editor. It is a really complete old-style tool; I mean old style because it runs in a DOS window, there is no GUI... :)
It has a lot of features: a complete hex editor, an ASCII view of the file, and a decode view, where you are presented with a disassembler. It also has several shortcuts with pre-defined functions, such as showing the basic PE information, the number of sections, the entry point address and much more.
It also allows you to go straight to the section you want or jump to a specific address in the file, list the imports and exports, and even edit the file.
It is a paid tool available here, but there is a free version (6.50) which does not contain all the features but can definitely give you a feel for it.
There was an open source product called Biew that had almost the same features as HIEW, but it seems it has not been updated since 2009.
Another tool that I've been checking out lately is called HT Editor, which is a promising project. It still doesn't have a lot of features, but I like it. You may check it here.
Enjoy!
------------------------------------------------------------
Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure

ISC StormCast for Monday, February 20th 2012 http://isc.sans.edu/podcastdetail.html?id=2338, (Mon, Feb 20th)

Mon, 02/20/2012 - 12:17


The Ultimate OS X Hardening Guide Collection, (Mon, Feb 20th)

Mon, 02/20/2012 - 12:04

Many security professionals tend to use OS X systems, maybe for the nice and shiny looks, or for the Unix underpinnings that make it a great platform to run current tools. However, the operating system itself isn't exactly secure out of the box and, like all operating systems, can profit from some additional hardening.
I have recently looked over a number of OS X hardening guides and found that not many specifically address the latest version of OS X (Lion, 10.7), nor are they necessarily well maintained. Instead of coming up with another (soon to be outdated) guide, I am trying to come up with a meta guide. If you know of a good hardening guide for OS X, please let me know. Also, if there are any tricks that you find useful (or things that backfired and didn't work at all), let me know too.
Most notably: Apple released a guide for each version of OS X up to Snow Leopard, but I can't find one for Lion. Does it exist?
Here are some of the guides that I have found so far:
Apple: http://www.apple.com/support/security/guides/

NSA Guide:http://www.nsa.gov/ia/_files/factsheets/macosx_hardening_tips.pdf

Mac Shadows:http://www.macshadows.com/kb/index.php?title=Hardening_Mac_OS_X

Univ. Texas:https://wikis.utexas.edu/display/ISO/Mac+OS+X+Server+Hardening+Checklist

Center for Internet Security:http://benchmarks.cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.os.unix.osx


------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute


It is time to update your Web Browser, (Fri, Feb 17th)

Sat, 02/18/2012 - 04:46

Both Firefox and Chrome have released updates this week. Firefox has released 10.0.2 and Chrome is up to 17.0.963.56. Firefox has released a couple of updates in quick succession with an impressive list of bugs being fixed. Check out this list: http://www.mozilla.org/en-US/firefox/10.0/releasenotes/buglist.html Consider updating soon.
Firefox
Download:http://www.firefox.com
Release Notes:http://www.mozilla.org/en-US/firefox/10.0.2/releasenotes/
Chrome
Download:https://www.google.com/chrome
Release Notes: http://googlechromereleases.blogspot.com/2012/02/chrome-stable-update.html

ISC StormCast for Friday, February 17th 2012 http://isc.sans.edu/podcastdetail.html?id=2335, (Fri, Feb 17th)

Fri, 02/17/2012 - 15:31


Interesting Facebook SPAM, (Fri, Feb 17th)

Fri, 02/17/2012 - 11:27

Facebook is, in a way, training its user base that it is OK to click on links in emails, as long as they look like pretty buttons. When there is a friend request, or a comment has been added, in the interest of making sure that you get the message, it is emailed. It was probably only a matter of time before Facebook-like SPAM/PHISH email started arriving.
When I received the following, I must confess I nearly clicked it automatically, before I noticed the actual link.

When I did click the link, I got a second surprise. To be honest I was expecting a Facebook login page, failing that I was expecting malware, but what I ended up with was this: plain old SPAM.

Not terribly exciting, I agree. What caught my eye, however, was that the SPAM email looked darn close to the real thing, the emails Facebook users get every day.
If you have a user base that uses Facebook, you may wish to bring this to their attention. At the moment it is only SPAM, but it doesn't have to be.
If you are into blocking, this particular SPAM run ends up on 115.145.129.35 (South Korea), loads medicalaf.ru (in China) which redirects to cvecpills.com (in Romania). Not a bad method to get some distance between the email and the eventual landing page; it allows them to switch targets easily.
Mark H -Shearwater

Java Update for February, (Thu, Feb 16th)

Fri, 02/17/2012 - 02:04

The February Critical Patch Update for Java SE was recently released by Oracle. February has brought the release of 14 patches from Oracle that are categorized as critical. As stated on the release page, "All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password."

This alone is reason enough to fast-track this package through your change management process and deploy it as quickly as possible.

Tony Carothers
tony d0t carothers at gmail


ISC StormCast for Thursday, February 16th 2012 http://isc.sans.edu/podcastdetail.html?id=2332, (Thu, Feb 16th)

Thu, 02/16/2012 - 15:45


Adobe Flash Player Update, (Thu, Feb 16th)

Thu, 02/16/2012 - 15:40

On Tuesday, Adobe released an update for Shockwave Player (APSB12-02) and RoboHelp for Word (APSB12-04). The odd question on Tuesday was: what happened to APSB12-03? Today, we learned the answer: another bulletin from Adobe, APSB12-03, accompanied by a patch for Adobe's Flash Player.
Sadly, with the odd release date, this bulletin has fallen a bit through the cracks. However, you should apply the patch *QUICKLY*, as at least one of the vulnerabilities has already been exploited in the wild.
http://www.adobe.com/support/security/bulletins/apsb12-03.html
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute


ISC Feature of the Week: XML Feeds, (Wed, Feb 15th)

Thu, 02/16/2012 - 01:47

Overview
You can subscribe to ISC content from our XML Feeds page at isc.sans.edu/xml.html. Here we list feeds available for you to subscribe to in your favorite RSS reader.
Features
RSS Feeds

isc.sans.edu/xml.html#rss

The Handler Diaries are available in summary and full text. There is also a consolidated news feed which includes recent posts from numerous security feeds.
Audio Feeds

isc.sans.edu/xml.html#audio

This section provides RSS as well as iTunes feed links for the ISC Monthly Threat Update podcast and the ISC Daily StormCast.

NOTE: This month restarts the posting of an audio version of the Monthly Threat Update webcast!
Text Feeds

isc.sans.edu/xml.html#text

Lists a subset of ISC content feeds for ports, IPs and the recommended DShield.org blocklist.
E-mail Alerts

isc.sans.edu/xml.html#email

This links to our Pager/E-mail Notifications page, which has additional options to get our content pushed to you.
Let us know in the comments section below of any feeds you think would improve this page, or send us any questions or comments via the contact form at https://isc.sans.edu/contact.html
--

Adam Swanger, Web Developer (GWEB)

Internet Storm Center (http://isc.sans.edu)

ISC StormCast for Wednesday, February 15th 2012 http://isc.sans.edu/podcastdetail.html?id=2329, (Wed, Feb 15th)

Wed, 02/15/2012 - 12:49


Problem with Microsoft Antivirus regarding malware from google website, (Tue, Feb 14th)

Wed, 02/15/2012 - 11:50


In my company, we began experiencing a problem when users tried to access http://www.google.com.co through our Forefront TMG proxy. Every corporate user saw the following message:

This really looked strange, especially coming from Google. I captured some packets and filtered on the HTTP GET operations and got the following:

There were three operations: one for the main query, a second one retrieving a JavaScript file and a third one unknown. The first one looked normal as always, so I started analyzing the second one. The MD5 for the JavaScript file is 886e4780fc0af43a19eb4dcd55b728d7. I looked up the resulting MD5 and got nothing. I uploaded the script to jsunpack and got nothing:

Also tried VirusTotal to scan the URL (http://www.google.com.co) and also got nothing:

I started analysis of HTTP GET number three. Wireshark shows some compressed content, so I took it from the capture and decompressed it:

The compressed file has MD5 1375a0f59d52d862a1297df7566c6894, the uncompressed file has MD5 c4c490a2a55a16492c068ec50827958b and when loaded it starts a download from http://ssl.gstatic.com/gb/js/sem_480d0cc56e70fa5af3dda306c8bc7ce6.js. I analyzed that JavaScript with wepawet and jsunpack and both show nothing abnormal.

This problem has been confirmed on Microsoft's website. I will update the diary when I have more information about it.

UPDATE: As of 20:11 GMT-5 Feb 14 2012, we received confirmation from Microsoft stating that this problem is a false positive and will be corrected in definition update 1.119.1986.0 or higher for the antivirus.

Manuel Humberto Santander Peláez

SANS Internet Storm Center - Handler

Twitter: @manuelsantander

Web:http://manuel.santander.name

e-mail: msantand at isc dot sans dot org

February 2012 Microsoft Black Tuesday, (Tue, Feb 14th)

Wed, 02/15/2012 - 06:41

Overview of the February 2012 Microsoft patches and their status.



Columns: bulletin number and title (with the bulletin it replaces), affected component, CVEs, KB (contra indications), known exploits, Microsoft rating (severity / exploitability)(**), ISC rating(*) for clients / servers.

MS12-008  Code Execution Vulnerabilities in Windows Kernel-Mode Drivers (Replaces MS11-087)
          Affected: win32k.sys
          CVEs: CVE-2011-5046, CVE-2012-0154
          KB: 2660465
          Known exploits: disclosed vuln.
          Microsoft: Severity Critical, Exploitability Likely
          ISC: clients Critical, servers Critical

MS12-009  Elevation of Privilege Vulnerabilities in Ancillary Function Driver (Replaces MS11-046, MS11-080)
          Affected: Ancillary Function Driver
          CVEs: CVE-2012-0148, CVE-2012-0149
          KB: 2645640
          Known exploits: no
          Microsoft: Severity Important, Exploitability Likely
          ISC: clients Important, servers Important

MS12-010  Cumulative Security Update for Internet Explorer (Replaces MS11-099)
          Affected: Internet Explorer
          CVEs: CVE-2012-0010, CVE-2012-0011, CVE-2012-0012, CVE-2012-0155
          KB: 2647516
          Known exploits: no
          Microsoft: Severity Critical, Exploitability Likely
          ISC: clients Critical, servers Important

MS12-011  SharePoint Elevation of Privilege Vulnerabilities
          Affected: SharePoint
          CVEs: CVE-2012-0017, CVE-2012-0144, CVE-2012-0145
          KB: 2663841
          Known exploits: no
          Microsoft: Severity Important, Exploitability -
          ISC: clients N/A, servers Important

MS12-012  Remote Code Execution Vulnerability in Color Control Panel
          Affected: Color Control Panel
          CVEs: CVE-2010-5082
          KB: 2643719
          Known exploits: no
          Microsoft: Severity Important, Exploitability Likely
          ISC: clients Critical, servers Important

MS12-013  Vulnerability in C Run-Time Library Could Allow Remote Code Execution
          Affected: C Run-Time Library
          CVEs: CVE-2012-0150
          KB: 2654428
          Known exploits: no
          Microsoft: Severity Critical, Exploitability Likely
          ISC: clients Critical, servers Critical

MS12-014  Vulnerability in Indeo Codec Could Allow Remote Code Execution
          Affected: Indeo Audio Codec
          CVEs: CVE-2010-3138
          KB: 2661637
          Known exploits: no
          Microsoft: Severity Important, Exploitability Likely
          ISC: clients Important, servers N/A

MS12-015  Vulnerabilities in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (Replaces MS11-089)
          Affected: Microsoft Office Suites and Software
          CVEs: CVE-2012-0019, CVE-2012-0020, CVE-2012-0136, CVE-2012-0137, CVE-2012-0138
          KB: 2663510
          Known exploits: no
          Microsoft: Severity Important, Exploitability Likely
          ISC: clients Important, servers N/A

MS12-016  Vulnerabilities in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (Replaces MS11-069)
          Affected: .NET Framework
          CVEs: CVE-2012-0014, CVE-2012-0015
          KB: 2651026
          Known exploits: no
          Microsoft: Severity Critical, Exploitability Likely
          ISC: clients Critical, servers Critical

We will update issues on this page for about a week or so as they evolve.

We appreciate updates

US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
Important: Things where more testing and other measures can help.
Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.


The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of all the ratings Microsoft assigns to a bulletin, since Microsoft assigns too many individual ratings to some patches to list them all.

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute


Adobe Shockwave Player and RoboHelp for Word Patches, (Tue, Feb 14th)

Wed, 02/15/2012 - 00:21

Adobe released two security bulletins for today's Patch Tuesday kickoff:
APSB12-02 [1]: Security update for Adobe Shockwave Player
This patch fixes a total of 9 vulnerabilities that affect Shockwave Player 11.6.3.633 and earlier on Windows and OS X. After the update is applied, you should be at version 11.6.4.634. Adobe rates these vulnerabilities critical, as some of them allow the execution of arbitrary code.

APSB12-04 [2]: Security update for RoboHelp for Word
RoboHelp is not as commonly installed as other Adobe products. This patch fixes one vulnerability that is considered important. The vulnerability introduces a cross site scripting flaw in output generated by RoboHelp. I am not that familiar with the product, but even though Adobe doesn't specify it, it sounds like it may be necessary to re-create RoboHelp output after the update is applied to avoid the XSS issue in content generated with older versions.

[1]http://www.adobe.com/support/security/bulletins/apsb12-02.html

[2]http://www.adobe.com/support/security/bulletins/apsb12-04.html
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

