Wednesday, June 10, 2009

Around The Horn vol.1,118

Microsoft Security Bulletin Summary for June 2009

By Robert A.

Patch Tuesday is here again. Here's the rundown of what was fixed.

MS09-018 Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055)

This security update resolves two privately reported vulnerabilities in implementations of Active Directory on Microsoft Windows 2000 Server and Windows Server 2003, and Active Directory Application Mode (ADAM)...

New paper by Amit Klein (Trusteer) - Temporary user tracking in major browsers and Cross-domain information leakage and attacks

By Robert A. on Vulns

Amit Klein posted the following to the web security mailing list yesterday. "User tracking across domains, processes (in some cases) and windows/tabs is demonstrated by exploiting several vulnerabilities in major browsers (Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, and to a limited extent Google Chrome). Additionally, new cross-domain information leakage, and...

100,000 sites deleted in hack, software company boss commits suicide

By Robert A. on IndustryNews

"The boss of Indian software firm LxLabs was found dead in a suspected suicide on Monday. Reports of the death of K T Ligesh, 32, come in the wake of the exploitation of a critical vulnerability in HyperVM, a virtualization application made by LXLabs, to wipe out data on 100,000 sites...

T-Mobile confirms hackers' info is legit

By Robert A. on IndustryNews

"The information posted over the weekend by hackers who claimed to have hacked T-Mobile is legit, T-Mobile now says. But, it's not clear that the hackers have the full access to T-Mobile systems they claim. On Saturday, hackers posted what appear to be logfiles taken from T-Mobile's networks to the Full...

T-Mobile says network was not hacked or breached

By Elinor Mills

A T-Mobile spokesman said on Tuesday that data someone posted to a security e-mail list over the weekend was legitimate T-Mobile data but not customer information, and that the phone company's network was not hacked or breached as the poster claimed.

The statement raises more questions than it answers. ...

Microsoft issues patches, including one for IE exploit

By Elinor Mills

Updated at 2:20 p.m. PDT with Adobe update released; at 12:25 p.m. PDT with Microsoft saying this is a record number of vulnerabilities addressed in Patch Tuesday; and at 11:45 a.m. PDT with comment.

Microsoft has released 10 ...

Report: Spam reduced following Pricewert shutdown

By Dong Ngo

Cutwail's spam activities on Thursday as Pricewert got shut down.

(Credit: MessageLabs)

It's been almost a week since the Federal Trade Commission had the allegedly rogue Pricewert ISP shut down, and it seems like the Internet has indeed been a safer, or I should say slightly less ...

Apple Struggling With Security & Malware

By Darknet on mac-virus

It’s inevitable as Apple products become more and more popular they will get targeted by the bad guys. Count on more viruses, malware, exploits and rootkits for Apple Operating Systems. They are a bit behind in the curve as they don’t have a formal security program and it’s unknown if they use secure development practices (they [...]

Researcher: Popular Internal IP Addressing Scheme Could Leave Enterprises Vulnerable

Flaws in popular IP addressing scheme could allow hackers to penetrate corporate networks, researcher says

Adobe Launches Its Own 'Patch Tuesday'

First quarterly patch fixes 13 "critical" bugs in Reader and Acrobat

Downloaders Changing Their Spots

In Virus and Spyware

Researchers continue to find new forms of design innovation on display in emerging Trojan downloader attacks.

Gates: Cybersecurity is a high priority for DOD

Cybersecurity threats are a growing problem for the Defense Department, say Defense Secretary Gates and Joint Chiefs Chairman Mullen.

DNI: Public trust important for cybersecurity

The Director of National Intelligence said the public needs to be convinced that cybersecurity programs will protect civil liberties.

Cybersecurity, E-Verify are big winners in DHS budget

A House subcommittee has approved a $42.6 billion spending bill for the Homeland Security Department that increases the amount allocated to cybersecurity efforts.

Microsoft Fixes Record Number Of Vulnerabilities

The company's June Patch Day included 10 security bulletins to fix 31 threats in Microsoft products.

Is Apple's iPhone 3GS Enterprise Ready?

The 3.0 software and iPhone 3GS offer incremental improvements for corporate deployments, but experts note some key elements are still missing.

T-Mobile: Stolen network data genuine, but fear not

T-Mobile confirmed on Tuesday that internal information posted on the Internet by hackers was stolen from its systems, but said it does not appear customer data is in jeopardy.

Information Commissioner offers businesses privacy advice

The Information Commissioner has published a guide advising businesses how to protect customer and employee privacy.

NASA hacker launches new extradition appeal

NASA hacker Gary McKinnon is launching another legal battle in a bid to avoid extradition to the US.

70% of Brits targeted by phishing scams

Over 70 percent of Brits have been targeted by phishing scams in the last year, says CPP.

Cybercrime costs business $600m: report

Cybercrime is taking its toll on Australian businesses, costing them more than A$600 million according to the latest report from the Australian Institute of Criminology (AIC).

Microsoft patches record number of security bugs
Adobe crashes monster patch batch

Microsoft on Tuesday patched a record number of security vulnerabilities, plugging 31 holes in its Windows operating systems, Internet Explorer browser, and other products.…

Webhost denies poor passwords led to catastrophic hack
VAServ contradicts purported attackers

The director of an internet service provider has denied public allegations that poor password management and server configurations were responsible for an attack that wiped out data for more than 100,000 websites.…

McAfee downplays service pack fail
Virus update leaves PCs unbootable

A recent McAfee service pack led to systems being rendered unbootable, according to posts on the security giant's support forums.…

McKinnon launches second extradition challenge
Belt and braces strategy

A judicial review of former Home Secretary Jacqui Smith's handling of the Gary McKinnon extradition proceedings began in London today.…

T-Mobile hack data is genuine
How deep does the rabbit hole go?

T-Mobile has confirmed that files posted on a full disclosure mailing list are genuine - but the company fails to explain whether or not cybercriminals really got full access to its systems, IDG reports.…

Millions opted into UK mobile phone directory
Are you one of them?

A public mobile phone directory for the UK will launch later this month, loaded with millions of private numbers bought from marketing departments.…

ContactPoint offers tokens for access
Restricted to three government departments, 100 local authorities

The Department for Children Schools and Families has begun to roll out the authentication process for access to the ContactPoint database.…

Effective Time and Communication Management

Category: Management & Leadership

Paper Added: June 9, 2009

Java 6 update 14 released, (Wed, Jun 10th)

Sun has updated Java to 6u14. Details can be found here: http://java ...(more)...

SysInternals Survey, (Wed, Jun 10th)

Hands-down the best tools for determining what is going on on a Windows system are Mark Russinovich' ...(more)...

Microsoft June Black Tuesday Overview, (Tue, Jun 9th)

Overview of the June 2009 Microsoft patches and their status. # ...(more)...

Adobe June Black Tuesday upgrades, (Tue, Jun 9th)

In the past it was by accident, but from now on it'll be by policy: Adobe will add to the work ...(more)...

Safari 4.0 released - contains security fixes, (Tue, Jun 9th)

Apple released yesterday an update to Safari 4.0 (which had been in beta for quite some time) The r ...(more)...

Adobe issues first quarterly patch release fixing 13 flaws

By Michael S. Mimoso

Adobe's first quarterly security patch release includes fixes for critical vulnerabilities in Adobe Reader and Adobe Acrobat.

Microsoft patches WebDAV security vulnerability in bevy of updates

By Robert Westervelt

Zero-day flaws in Microsoft Internet Information Services (IIS) Web server and Internet Explorer were among 31 vulnerabilities repaired Tuesday.

RSA council addresses growing security risks in the cloud

By Robert Westervelt

Security professionals are being pushed to quickly adopt cloud-based services, social networking and virtualization without a security strategy to address the risks.

Adobe Plugs 13 Security Holes in Critical Update

Adobe Systems embarks on a new schedule for security updates with 13 critical fixes in tow for Reader and Acrobat. In response to controversy, Adobe had pledged to issue quarterly updates and tighten its coding process during application development.
- Adobe Systems promised it was making changes to its security process, and June 9 it made good. The company issued the first of what will now be quarterly security updates for Adobe Acrobat and Reader, this time plugging 13 "critical" vulnerabilities in Windows and Macintosh versions ...

Microsoft Patches 31 Vulnerabilities from IE to Windows

Microsoft releases its June Patch Tuesday update with 10 security bulletins. The bulletins fix 31 vulnerabilities across a number of Microsoft products.
- Microsoft plugged 31 vulnerabilities June 9 in a hefty Patch Tuesday update. In all, Microsoft released 10 security bulletins. Six of them are critical and address problems in Microsoft Word, Excel, Windows, Internet Explorer and Microsoft Works converters. One of the most serious of the bul...

T-Mobile Confirms Breach, but Says Customers Safe

T-Mobile confirmed the information posted on the Full Disclosure mailing list is genuine, but says customers are not at risk. A T-Mobile spokesperson added the company is continuing to investigate.
- UPDATED: T-Mobile has confirmed it was breached, but said the attackers did not steal any data that could endanger customers. In a statement released late June 8, company officials released little in the way of details regarding how the breach took place, but reaffirmed its commitment to continu...

Winning the Malware Battle

In this eWEEK podcast hosted by Mike Vizard, the chief strategy officer for Bit9, Tom Murphy, talks about how reputation-based security services are the industry's best bet for next-generation security solutions.

Microsoft Issues Record Number of Security Updates

In New Patches

Microsoft Corp. issued a record-breaking number of software security updates today, shipping patches that plug at least 31 different security flaws in its Windows operating systems and other software. More than half of the security holes Microsoft plugged with June's patch batch earned a "critical," severity rating, meaning Redmond believes attackers could exploit the flaws to break into vulnerable systems without any help from the victims. What's more, Microsoft is warning that it expects to see publicly available reliable exploit code for most of the vulnerabilities it has issued patches for today. According to Symantec Corp., this is the largest number of vulnerabilities Microsoft has ever addressed in a single patch release (the previous record was set in Dec. 2008, when Microsoft issued 28 security updates in one go). Probably the most important of today's updates is a critical patch that addresses at least eight security holes in various versions

The Fallout from the 3FN Takedown

In Cyber Justice

The Federal Trade Commission's unprecedented recent takedown against troubled Web hosting provider 3FN.net has had an immediate -- if little noticed -- impact on the level of spam sent worldwide, and the number of infected PCs doing the spamming, according to multiple sources. Experts say the drop in spam probably is not visible to most Internet users or even operators of large networks, as the decrease is within the upper ranges of daily fluctuations in spam volumes. Still, the preliminary results indicate that a large number of spam-spewing zombie PCs were being coordinated out of servers hosted at 3FN. According to botnet expert Joe Stewart, director of malware research at Atlanta-based SecureWorks, 3FN was home to a large number of command-and-control servers for the Cutwail spam botnet, one of the world's largest. As of last week, Stewart said he was tracking upwards of 400,000 spam zombies infected with Cutwail

Microsoft Update Removes Rogue Antivirus Program (PC World)

In technology

PC World - Microsoft has taken aim at a rogue antivirus program called Internet Antivirus Pro.

Microsoft, Adobe warn of critical security flaws (Reuters)

In technology

Reuters - Microsoft Corp issued software to fix a record 31 security flaws in its programs, and Adobe Systems Inc warned that glitches in its products could let hackers take control of a user's PC.

British hacker too ill for U.S. trial: lawyer (Reuters)

In us

Reuters - A British computer expert wanted by the United States for "the biggest military hack of all time" begins a final attempt on Tuesday to avoid extradition.

SB09-159: Vulnerability Summary for the Week of June 1, 2009

Microsoft security updates for June 2009

Learn about and download the latest computer security updates for June 2009. Read tips on protecting your computer by using anti-spyware and anti-spam programs.

June 2009 Bulletin Release

By MSRCTEAM on Security Update

Summary of Microsoft’s monthly security bulletin release for June 2009.

Today we released 10 new security bulletins. 6 of those affect Windows with two rated as critical, three rated as important and one as moderate. The remaining four all have an aggregate rating of critical and affect Internet Explorer, Microsoft Office Word, Microsoft Office Excel and Microsoft Works Converters.

In addition to these new bulletins, we are releasing the remaining updates for MS09-017 which now includes updates for Microsoft Office for Mac (versions 2004 and 2008) and Microsoft Works 8.5 and 9.0. You may recall that we released this bulletin last month with updates only for versions of PowerPoint that run on Windows. Please refer to last month’s bulletin blog post for more information.

This month we are also releasing two security advisories. The first advisory, 969898, is for a new set of ActiveX kill bits. The list of kill bits in this rollup includes an update for Microsoft Visual Basic 6.0 SP6, and ActiveX controls developed by Derivco, eBay, and HP (click the company names to view their security release for these kill bits).

The second advisory, 971888, is providing a non-security update for DNS devolution. While this is a non-security update, it changes the security configuration of systems it is applied to and that is why we are releasing it with an advisory. This advisory is also related to the WPAD issue for which we originally released Security Advisory 945731 and subsequently Security Bulletin MS09-008. With the release of this new advisory, we are closing out Security Advisory 945731. Security Advisory 971888 and the associated KB article go into detail on DNS devolution and how the update changes the configuration. If you have any follow up questions, our live webcast tomorrow would be a great place to ask them.

Concerning open advisories going in to this month, with the release of MS09-020, Security Advisory 971492, which discusses an issue with Internet Information Services, specifically in WebDAV, is now closed. And, as we noted in our Advance Notification (ANS) blog post last week, we do not yet have an update ready for the DirectShow vulnerability discussed in Security Advisory 971778. Our security teams are working hard on this issue but the update has to meet the right quality bar before we can release it. We continue to monitor the threat landscape through our Software Security Incident Response Process (SSIRP), and will provide updates to the advisory if needed. We continue to encourage customers to review the mitigations and workarounds in the advisory and check out the “Fix It For Me” solution in Knowledgebase Article 971778. Additionally, please refer to these blog posts for more information on this issue:

On the Anti-Malware front, the Microsoft Malware Protection Center (MMPC) has added one new malware family: Win32/InternetAntivirus which is a fake online scanner that leads to a rogue downloader. For details, please refer to the MMPC Blog.

In the video below, Adrian Stone from the Microsoft Security Response Center (MSRC) and I go into a little more detail on issues customers should be thinking about when considering the deployment of this month’s updates.

This month’s release addresses 31 total vulnerabilities with 15 rated as “1” on our Exploitability Index, meaning there is a high likelihood that reliable exploit code may be developed in the next 30 days.

Some of these vulnerabilities are already publicly known. For example, CVE-2009-1532 addresses the first IE 8 vulnerability. This vulnerability in a pre-release version of IE 8 was first revealed in March 2009 at CanSecWest in the Pwn2Own contest. In the final release, a mitigation was put into place to protect against ASLR+DEP .NET bypass used in the contest, so right now, there is no known way to attack this issue in the default configuration of IE 8 on Windows Vista (see the write up in our Security Research & Defense blog for details). Regardless, MS09-019 addresses the underlying vulnerability which is rated as Critical on Windows XP and Windows Vista but due to IE 8’s built in mitigations, it only rates as a “3” for Windows Vista on the Exploitability Index while Windows XP is rated as “1”.

The IE 8 vulnerability does not affect Windows 7 RC (build 7100) but does affect Windows 7 Beta. Updates for beta versions of Windows 7 will be available via KB969897.

Customers running Windows 2000 domains should pay particular attention to MS09-018 as CVE-2009-1138 affects Windows 2000 domain controllers and LDAP server. This is a remote code execution vulnerability that is reachable over the network. While this vulnerability was privately disclosed, we give it a “1” on the Exploitability Index.

Finally, the three Office related updates (Excel, Word and Works Converters) all have an aggregate severity rating of Critical due to the Office 2000 platform. All other affected platforms are rated as Important. If you are still on the Office 2000 platform, please note that it reaches the end of its product lifecycle on July 14, 2009. That is the last day we would release security updates for Office 2000 if there are any to release at that time.

As always, check the Security Research and Defense blog for additional technical information on these updates.  If you have questions or would like more information about this month’s release, please plan to attend our regularly scheduled security bulletin webcast tomorrow, Wednesday, June 10, 2009, at 11:00 a.m. PDT (UTC –7). Click HERE to register

Thanks!

Jerry Bryant

FBI Arrests Man for Online Threat Against BART Cop

By Kim Zetter

FBI agents raid the home of a man suspected of posting online messages threatening the life of a California transit cop involved in a controversial shooting earlier this year.

Apple's iPhone Security Gets Better, But Still Not BlackBerry Strong

By Brian X. Chen

Apple is making a big push to net more business users with the newest iteration of the iPhone. The company touts beefed up security and more data encryption. But Cupertino's wonder device still pales in comparison to the BlackBerry.
