SecurityGarden


Friday, July 30, 2010

Out of Band Release Re: Microsoft Security Advisory 2286198

Posted on 3:14 PM by Unknown

On Monday, August 2, 2010, Microsoft is planning to release a security update to address the vulnerability discussed in Security Advisory 2286198.

As indicated by Christopher Budd in the MSRC Blog:
"We are releasing the bulletin as we've completed the required testing and the update has achieved the appropriate quality bar for broad distribution to customers. Additionally, we're able to confirm that, in the past few days, we've seen an increase in attempts to exploit the vulnerability. We firmly believe that releasing the update out of band is the best thing to do to help protect our customers."
Details about the threat are available in the MMPC Blog post "Stuxnet, malicious .LNKs, ...and then there was Sality".

References:
  • MMPC Blog: Stuxnet, malicious .LNKs, ...and then there was Sality
  • MSRC Blog: Out of Band Release to address Microsoft Security Advisory 2286198
  • TechNet: Microsoft Security Bulletin Advance Notification for August 2010

Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Updates, Vulnerabilities, Information,



Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Sunday, July 25, 2010

Tragic News for Amero Family

Posted on 4:30 PM by Unknown
For those of us who spent almost two full years following the story of substitute teacher Julie Amero, the news that her husband, Wes Volle, has been diagnosed with terminal lung cancer is devastating.

Please see Alex Eckelberry's post at Some tragic news and if you are in a position to help, donations can be made here.





Thursday, July 22, 2010

Coordinated Vulnerability Disclosure (CVD)

Posted on 2:40 PM by Unknown
Today Microsoft announced a shift in philosophy on their approach to the topic of vulnerability disclosure. Rather than referring to "Responsible Disclosure" the new framework is "Coordinated Vulnerability Disclosure" or CVD.

The MSRC Blog describes CVD as follows:

"Newly discovered vulnerabilities in hardware, software, and services are disclosed directly to the vendors of the affected product, to a CERT-CC or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor an opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before detailed vulnerability or exploit information is shared publicly. If attacks are underway in the wild, earlier public vulnerability details disclosure can occur with both the finder and vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves.

Responsibility is still imperative, but it is a shared responsibility across the community of security researchers, security product providers and other software vendors. Each member of this community of defenders plays a role in improving the overall security of the computing ecosystem."

Opinion:
In my opinion, it is irresponsible for any researcher to publicly disclose the details of a vulnerability, particularly one that is not in the wild. Regardless of whether the process is called "Responsible Disclosure" or "Coordinated Vulnerability Disclosure" or whether "in the wild" or not, those who expect immediate response when a vulnerability is reported need to keep some things in mind.

The most important aspect of making a software change is to make one change at a time and "test, test, and test again" after each change. Even after stringent tests are conducted, to ensure the change does not "break" something else, it is necessary to translate the changes to the many supported languages -- and test yet again. I would much rather wait the extra time for the testing to be properly conducted than get buggy updates!
Edit Note:
This, from Protection for New Malware Families Using .LNK Vulnerability, is precisely why it is my opinion that it is irresponsible of researchers to release proof-of-concept details to the public.

"What we’re seeing with the use of this new vulnerability by two other malware families is typical when an exploitable vulnerability is made public: initially, details emerge about a proof-of-concept malware or a targeted attack, then someone releases a public exploit, then the exploit gets incorporated into malware crime kits, and then we begin seeing different families using it."
For more detailed information regarding the tenets of CVD, please see Katie Moussouris' Ecostrat blog post, Coordinated Vulnerability Disclosure: Bringing Balance to the Force.


References:
  • MSRC Blog: Announcing Coordinated Vulnerability Disclosure
  • MSRC Ecosystem Strategy Team: Coordinated Vulnerability Disclosure: Bringing Balance to the Force
  • The Register: Microsoft to banish 'responsible' from disclosure debate
  • (Added) MMPC: Protection for New Malware Families Using .LNK Vulnerability

Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Updates, Vulnerabilities, Information,





Tuesday, July 20, 2010

Fix it Released for Security Advisory 2286198

Posted on 6:19 PM by Unknown
Microsoft updated Microsoft Security Advisory 2286198 to provide an automated "Fix It" solution to implement the workaround provided in the original Security Advisory release.

The Fix it automatically disables .LNK and .PIF file functionality on a computer that is running Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

Edit Note:
For applying the workaround to a home computer or even a handful of computers, the Fix it solution is simple to apply. To apply the same workaround to all your domain computers using Group Policy, see the instructions by Microsoft MVP Alan Burchill at How to workaround KB2286198 Shortcut Icon security issues with Group Policy.

Complete details about the Fix it solution to both enable the workaround and disable it after a security update has been released are available in Microsoft KB 2286198.


Enable workaround: Microsoft Fix it 50486

NOTE: Applying the Fix it will require a restart of the machine.

After a security update is released for this vulnerability, you can undo the changes made by the Fix it solution by using Microsoft Fix it 50487:

Disable workaround: Microsoft Fix it 50487


References:
  • KB 2286198: Vulnerability in Windows Shell could allow remote code execution
  • MSRC Blog: Security Advisory 2286198 Updated
  • How to workaround KB2286198 Shortcut Icon security issues with Group Policy

Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Vulnerabilities, Information,




Mozilla Firefox 3.6.7 Security Update

Posted on 1:30 PM by Unknown
Mozilla released Firefox version 3.6.7 which fixes several security and stability issues.

If not prompted to update, existing Firefox users can update via Help > Check for Updates.



References:
  • Release Notes
  • Complete list of Changes

Clubhouse Tags: Clubhouse, Security, Vulnerabilities, Updates, Information







Friday, July 16, 2010

Microsoft Security Advisory (2286198)

Posted on 5:27 PM by Unknown
Microsoft has released Security Advisory 2286198, which addresses a publicly reported vulnerability in Windows Shell. From the Security Advisory:
"The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives."
If AutoPlay is disabled, particularly for USB devices, the vulnerability can be exploited only if the user manually browses to the root folder of the removable disk. AutoPlay for removable disks is automatically disabled on Windows 7. If you have enabled AutoPlay, it is strongly advised that it be disabled.

To disable AutoPlay, the prerequisites in Microsoft KB Article 967715 must first be installed. If your computer is up-to-date, they are already installed. The KB Article also includes instructions on "How to disable the Autorun functionality in Windows".

Note that the MSRC Blog additionally reports that, "In the wild, this vulnerability has been found operating in conjunction with the Stuxnet malware". For more information on Stuxnet, see the MMPC blog post. Of further interest, as the MSRC Blog reports:
"signatures in up-to-date versions of Microsoft Security Essentials, Microsoft Forefront Client Security, Windows Live OneCare, the Forefront Threat Management Gateway, and the Windows Live Safety Platform protect customers against the Stuxnet malware."


References:
  • MMPC: The Stuxnet Sting
  • MSRC: Security Advisory 2286198 Released
  • TechNet: Security Advisory 2286198
  • How to disable the Autorun functionality in Windows

Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Vulnerabilities, Information,




Tuesday, July 13, 2010

July 2010 Security Bulletin Release

Posted on 12:00 PM by Unknown

Microsoft released 4 security bulletins to address 5 vulnerabilities in Windows and Microsoft Office. In-depth information on MS10-024 is available in the Security Research & Defense blog.

Following is the description of the bulletins from the MSRC Blog:
"MS10-042 resolves a publicly disclosed and actively exploited vulnerability discussed in Security Advisory 2219475. The update addresses an issue in the Windows Help and Support Center feature included in Windows XP and Windows Server 2003. Even though this issue affects Server 2003, we have not found an attack vector on that platform so the severity rating is Low. Windows XP customers should install this update as soon as possible.

MS10-043 resolves a publicly disclosed vulnerability in the Canonical Display Driver (cdd.dll). Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause a Denial of Service (DoS). Note that this bulletin affects only 64-bit versions of Windows 7 and Windows Server 2008 R2 with Windows Aero enabled. Aero is not installed by default on Server 2008 R2. We are not aware of any active attacks against this issue.

MS10-044 resolves two privately reported vulnerabilities in Microsoft Office Access ActiveX Controls. This issue could allow remote code execution if a customer with Access installed opened a specially crafted Office file, or viewed a Web page that instantiated Access ActiveX controls. This security update is rated Critical for supported editions of Microsoft Office Access 2003 and Microsoft Office Access 2007.

MS10-045 This security update resolves another privately reported vulnerability that could allow remote code execution if a customer opened an attachment in a specially crafted e-mail message using an affected version of Outlook -- Microsoft Outlook 2002, Microsoft Office Outlook 2003, or Microsoft Office Outlook 2007."




References:
  • MSRC: July 2010 Security Bulletin Release
  • TechNet: Microsoft Security Bulletin Summary for July 2010
  • MS10-042: Vulnerability in Help and Support Center

Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Updates, Vulnerabilities, Information,




Thursday, July 8, 2010

July 2010 Bulletin Release Advance Notification

Posted on 4:16 PM by Unknown

On July 13, 2010 Microsoft is planning to release four (4) new security bulletins addressing 5 vulnerabilities. Two of the bulletins are currently rated as critical. The bulletin summary is below.

In addition, Microsoft is closing out two Security Advisories this month:
  • Security Advisory 2028859 (Vulnerability in Canonical Display Driver Could Allow Remote Code Execution) in the July bulletins.
  • Security Advisory 2219475 (Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution) with a comprehensive update that addresses the issue currently under attack.

=================================
NEW BULLETIN SUMMARY
=================================

Bulletin ID: Bulletin 1
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows XP and Windows Server 2003.

-------------------------------------------
Bulletin ID: Bulletin 2
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows 7 for x64-based systems and Windows Server 2008 R2 for x64-based systems.

-------------------------------------------
Bulletin ID: Bulletin 3
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office Access 2003 and Office Access 2007.

-------------------------------------------
Bulletin ID: Bulletin 4
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office Outlook 2002, Office Outlook 2003, and Office Outlook 2007.



References:
  • MSRC Blog: July 2010 Bulletin Release Advance Notification
  • TechNet: Microsoft Security Bulletin Advance Notification for July 2010


Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Updates, Vulnerabilities, Information,




