Information Security
Archives of FSP Alerts and other remote exploits
If you are returning from vacation, please review and test the security patches issued by Microsoft on Feb 12th. Microsoft labels them as 6 critical and 5 important. SANS and a number of security professionals in EDUCAUSE believe that MS08-005 (KB942831) and MS08-006 (KB942830) are both critical for servers running IIS. In addition, exploits have been made public for MS08-006, MS08-007 (WebDAV), and MS08-011 (Microsoft Works). So please review, test and deploy as soon as possible.
January's Microsoft Security Update included one critical patch (MS08-001) for multiple vulnerabilities in the TCP/IP stack affecting all Microsoft platforms, and a second important patch (MS08-002) for a local vulnerability and privilege escalation in LSASS. No problems have been identified with either patch.
Microsoft's December Security Update includes 4 critical patches and 3 important fixes. Three of the vulnerabilities have active exploits, so please review what is relevant to your group, test and patch as soon as feasible.
Apple issued upgrades November 29th which include multiple security updates for Mac OS X and Safari. The upgrade (10.4.11) for Tiger includes 37 security patches. It's an all-or-nothing bundle, so I recommend loading it on a secondary computer and testing for a week. Leopard's update (1.5.1) includes three security fixes. If you've already installed Leopard, please get this upgrade as well.
August 30, 2007: Microsoft August Security Patches Update. By now most of you have probably pushed the 9 critical and important security patches from Microsoft. Yesterday and today there have been multiple updates.
- MS07-046 was re-released yesterday with updated code to prevent exploit code posted this week. SANS originally rated this as critical, and Microsoft has since changed its rating from important to critical as well.
- Five new patches were also released for Vista, some of which resolve graphics/video issues and one of which addresses a problem with the August patch set.
Please test and deploy at your earliest convenience. -Network Engineering Security
Microsoft KB 938829
Vulnerability in GDI Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/bulletin/ms07-046.mspx
SANS August Patch Tuesday Summaries
http://isc.sans.org/diary.html?storyid=3264
SANS Vista Patches
http://isc.sans.org/diary.html?storyid=3334
August 27, 2007: On August 21st, multiple vulnerabilities were disclosed for Trend ServerProtect v5.58 build 1176 for Windows and prior. On the evening of August 22/23, attacks began against hosts at Tufts. Discussions on various internet security sites disagreed on whether the attacks were exploiting a vulnerability from Feb 2007 or the August vulnerability, but all vulnerabilities should be patched.
Vendor patches: Trend released security patch 4 to close the vulnerability. Please make sure all security patches have been applied to any instance of ServerProtect. The list of patches is available at: http://www.trendmicro.com/download/product.asp?productid=17
Firewall protection: Local ServerProtect hosts pull updates using port 80; no other ServerProtect ports need to be open to the internet. The Trend ServerProtect service (SpntSvc.exe) handles RPC requests on TCP port 5168, and this should only be open within Tufts between clients and the information server.
July 15, 2007: Apple QuickTime vulnerability could allow remote attacker to run arbitrary code or cause a DoS. Please update to QuickTime v7.2.
July 13, 2007: Microsoft July Security Update includes 6 patches, all rated critical. MS07-036 fixes a vulnerability in Office, but there are no known exploits. MS07-037 secures Publisher 2007 and is rated critical if it is installed. MS07-038 is critical for Vista, and MS07-041 is critical if IIS 5.1 is in use. None of these patches have any reported problems. The .NET patch, MS07-040, also rated critical, has reported issues, and Microsoft has posted KB 931212 to address them.
May 9, 2007: Apple has released patches for the QuickTime remote compromise that was discovered at CanSecWest during the "pwn-2-own" contest. Any browser on a Windows 2000, Windows XP or Mac OS X computer may be compromised by visiting a website with malicious embedded code.
Apple's patches are available for Mac OS X v10.3.9, Mac OS X v10.4.9, Windows XP SP2 and Windows 2000 SP4 at http://docs.info.apple.com/article.html?artnum=305446.
If iTunes is installed on a computer, so is QuickTime. Please advise any students you know about the need to update.
Cybercriminals are already exploiting the Virginia Tech tragedy. Over 450 new domain names related to the shootings have been registered, which may be used as phishing sites to steal charitable donations. In addition, an email is circulating which claims its attachment is a camera video of the event; it really contains a malicious screensaver called "Terror_em_Virginia.SCR." -- April 19th
Mac OS X users should download and apply Apple Security Update 2007-004, which includes 25 important patches. -- April 19th
Microsoft released five new security patches on April 10th; three are rated critical and two are important. So far no problems have been reported with these patches, and it is very important to apply MS07-021, which fixes a problem that can cause "remote Code execution, privilege escalation and DoS" attacks.
Internet Explorer Code Execution and Privilege Escalation: seven vulnerabilities that can lead to remote compromise; apply MS07-017.
Winamp remotely exploitable
VMware ESX update fixes multiple security vulnerabilities
April 4, 2007 Windows Animated Cursor vulnerability may lead to remote compromise
Microsoft released a security advisory (935423) yesterday warning users of fully patched Windows 2000, Windows XP, Windows Server 2003 and Vista computers that they may be at risk when surfing the Internet with Internet Explorer or reading HTML email with Outlook Express. Due to a vulnerability in the way cursor animation is handled, a malicious attacker can gain control of the computer.
At Tufts, we are protected by Trend, which includes the signature in pattern file 4.375.
If you run as a standard user, your computer is not vulnerable to this attack.
If you use Mozilla Firefox to surf the Internet your computer is not vulnerable.
If you use Mozilla Thunderbird to read email, your computer is not vulnerable.
For more information please visit:
Trend Troj_Anicmoo.AV
Trend Troj_Anicmoo.AX
SANS, which lists web sites hosting the malware code.
Microsoft Advisory 935423
Sept. 29 - Apple issued Security Update 2006-06 to fix the remote exploit issue with playing Flash content.
Sept. 28 - Microsoft acknowledged another remote exploit in Internet Explorer. "So, it's still not safe to surf with IE."
Sept. 28 - Microsoft confirmed another vulnerability in PowerPoint.
Microsoft issued a security patch for the VML vulnerability in Internet Explorer on Sept. 26th. CERT and Microsoft recommend that the patch be tested and implemented as soon as possible.
Apple announced Security Update 2006-05 on Sept. 21, which secures remotely exploitable vulnerabilities in AirPort.
Sunbelt announced an exploit found "in the wild" which is already being used to compromise Windows computers through JavaScript in Internet Explorer.
Apple QuickTime version 7.1.2 and prior for Mac OS X and Microsoft Windows XP/2000 has multiple vulnerabilities. Please update to version 7.1.3.
Microsoft's August security patch set includes 12 patches fixing a total of 23 vulnerabilities (of which 9 are critical). One vulnerability, MS06-040, already has two botnets spreading through IM, network shares and email attachments. The worm is identified by Trend as worm.ircbot.jk and worm.ircbot.jl. The worm is a variant of the mocbot pattern, but the payload is not cleanable once a host is infected.
Apple's Security Update 2006-004 includes fixes for vulnerabilities in Bluetooth, Apple Server, TIFF image viewing, and DHCP.
For those of you waiting for analysis of Microsoft's July 2005 Security Update, the set includes 2 moderate and 5 critical patches as well as updates for the Malicious Software Removal tool and Outlook 2003 Junk Email Filter. So please plan on testing and installing next week.
Apple iTunes Security Update was released just in time for the long weekend. The update fixes a vulnerability that can lead to remote code execution. If you use iTunes on either Windows or Mac OS X, install the update, because exploits have been released in the past.
RealNetworks Helix DNA Server contains two remotely exploitable buffer overflows. Versions 11.0.x and 10.0.x are affected. Real released fixes in Helix DNA Server version 11.1, which can be downloaded at: https://helix-server.helixcommunity.org/2005/devdocs/builds
Nullsoft Winamp contains a buffer overflow vulnerability which allows an attacker to execute code with the permissions of the current user (another reason not to run as Admin). Winamp has fixed the problem in version 5.24.
Microsoft's June security patch set is the largest to date, with 12 patches fixing a total of 21 vulnerabilities (of which 12 are critical). One patch, MS06-011, which affects Windows XP and Windows 2003, is being re-released. The following resources include information on exploits and patch problems. Please identify patches relevant to your desktops and servers, then test and apply critical patches as soon as possible.
- Microsoft Summary List
- Microsoft Security Bulletin, Technet
- eEye Analysis
- SANS listing of exploits
- SANS analysis of MS06-011
Two "critical" bulletins and one "moderate" bulletin regarding vulnerabilities and available patches were announced by Microsoft today: MS06-019 describes vulnerabilities with MS Exchange Server and will be of little interest to *most* of the Tufts support groups. MS06-020 pertains to Macromedia Flash Player and MS06-018 pertains to the MSDTC service; these issues will presumably affect a larger number of users with Windows desktops as well as many servers.
Secunia released information on another zero-day vulnerability in Internet Explorer. Secunia reported this to Microsoft in August 2006 and apparently has become impatient with their patching schedule.
Exploit code for one of the flaws addressed in Oracle's quarterly update has been released on the Internet.
Multiple vulnerabilities have been reported in Ethereal, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. The vulnerabilities affect versions 0.8.5 through 0.10.14. Update to version 0.99 at Ethereal's website.
Apple Computer is looking into reports of seven unpatched flaws in its Mac OS X operating system. The most serious of the flaws lies in the Safari web browser and could be used to remotely compromise a computer. Tom Ferris at Security Protocols discovered the flaws.
Mozilla rolled out security fixes for Firefox (1.5.0.2) two weeks ago, and for Thunderbird (1.5.0.2) and the Mozilla browser suite (1.7.13) this week. This will be the last version of the browser suite.
-----------------
Critical vulnerabilities in Apple Java Virtual Machine. Apple has released the Java 2 Standard Edition 5.0 Release 4 update, which addresses five flaws in the Java Virtual Machine. "The most serious flaw could be exploited to gain access to vulnerable systems. The flaws addressed in the update affect Mac OS X version 10.4.5 and the corresponding server edition."