by certifiedbug on November 18, 2008
in Microsoft
According to the press release, “Morro” will have a smaller footprint and be lighter on computing resources than OneCare.
A big difference for users is that it will be a free stand-alone download, no charge to consumers.
Windows Live OneCare will continue to be sold for Windows XP and Windows Vista at retail through June 30, 2009. Direct sales of OneCare will be gradually phased out when “Morro” becomes available. Regardless of their method of purchase, Microsoft will ensure that all current customers remain protected through the life of their subscriptions.
PressPass:
Microsoft Announces Plans for No-Cost Consumer Security Offering
by certifiedbug on November 6, 2008
in Microsoft
Scheduled November bulletin release day, Tuesday, Nov. 11, 2008.
The Microsoft Security Response Center (MSRC)
Preliminary information, subject to change.
As part of our regularly scheduled bulletin release, we’re currently planning to release two security bulletins:
- One Microsoft Security Bulletin affecting Microsoft Windows/Microsoft Office rated as Critical, and one affecting Windows rated as Important. These updates may require a restart and will be detectable using the Microsoft Baseline Security Analyzer.
As we do each month, the Microsoft Windows Malicious Software Removal Tool will be updated.
We are also planning to release high-priority, non-security updates on Windows Update and Windows Server Update Services (WSUS) as well as high-priority, non-security updates on Microsoft Update and Windows Server Update Services (WSUS). For additional information, please see the Other Information section of the Advanced Notification.
The November edition of the monthly security bulletin webcast will be held on Wednesday, Nov. 12, 2008 at 11 a.m., Pacific Standard Time.
Register for the webcast here: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032374642&Culture=en-US
by certifiedbug on November 4, 2008
in Microsoft
The Microsoft Security Intelligence Report has been released.
Microsoft Malware Protection Center
The Microsoft Security Intelligence Report (SIR) provides an in-depth perspective on the changing threat landscape including software vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software. Using data derived from hundreds of millions of Windows users, and some of the busiest online services on the Internet, this report also provides a detailed analysis of the threat landscape and the changing face of threats and countermeasures and includes updated data on privacy and breach notifications.
Not surprisingly, a high percentage of users chose to ignore potentially unwanted software (PUPS) they had installed themselves: 90.1% for Bearshare. We see a lot of P2P file sharing programs on infected computers in the forums.
The full report contains 150 pages.
SIR Volume 5 (January through June 2008) and Key Findings Summary
Key Findings Summary 18 pages.
Microsoft Security Intelligence Report volume 5 Executive Summary
by certifiedbug on October 28, 2008
in Microsoft
The Microsoft Security Response Center (MSRC)
It’s been almost five days since we originally released MS08-067, and our tracking shows that security deployments remain strong. We’re also still unaware of any application compatibility issues with this update.
Like we’ve said, we’re continuing to watch the threat environment. Yesterday, we said that our analysis of public exploit code that was available showed it would always result in a denial of service. Today, we’ve identified the public availability of exploit code that now shows code execution for the vulnerability addressed by MS08-067. This exploit code has been shown to result in remote code execution on Windows Server 2003, Windows XP, and Windows 2000 systems. Our investigation has shown that it does not affect customers who have installed the update. We’ve just published Microsoft Security Advisory 958963 to let customers know about this new development.
http://blogs.technet.com/msrc/archive/2008/10/27/microsoft-security-advisory-958963.aspx
Certifiedbug. October 24, 2008.
Microsoft Security Bulletin MS08-067 Critical Update
by certifiedbug on October 25, 2008
in Microsoft
Microsoft Professional Developers Conference, October 27-29.
http://www.microsoftpdc.com/
http://www.microsoftpdc.com/Agenda/
“All-star bloggers” group liveblogging at PDC 2008.
http://www.istartedsomething.com/20081020/all-star-bloggers-group-liveblogging-at-pdc-2008/
Bill Pytlovany is attending, “The first 20 people who ask will receive a free 1 GB WinPatrol Flash wristband.”
http://billpstudios.blogspot.com/2008/10/meet-me-in-los-angeles-at-pdc.html
by certifiedbug on October 24, 2008
in Microsoft
Vulnerability in Server Service Could Allow Remote Code Execution (958644)
Executive Summary
This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.
This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, and rated Important for all supported editions of Windows Vista and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.
Out-of-band update; it is extremely urgent to patch ASAP.
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
Edit
Get Protected, Now!
http://blogs.technet.com/mmpc/archive/2008/10/23/get-protected-now.aspx
MS08-067 and the SDL
http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx
Note:
Threat Expert’s Blog called Gimmiv.A a worm. A worm may follow, but at this stage the attack is a trojan, as shown in their own reports.
Sunbelt Blog: the trojan itself isn’t a worm, but a DLL dropped by Gimmiv is.
by certifiedbug on October 20, 2008
in Microsoft
Microsoft releases an updated version of the Windows Malicious Software Removal Tool on the second Tuesday of each month, and as needed in response to security threats.
The free tool searches for specific infections and is available through Microsoft Update, Windows Update and the Microsoft Download Center. Operating systems covered are Windows Vista, Windows XP, Windows 2000, and Windows Server 2003.
KB890830 64 bit version for Vista x64, Windows XP x64 and Windows 2003 x64 computers.
“Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment”.
http://support.microsoft.com/kb/891716
MSRT is not a replacement for an anti-virus program; make sure you have one installed.
Microsoft® Malware Protection Center article by Oleg Petrovsky, Uprooting Win32/Rustock
Edit:
How to troubleshoot an error when you run the Microsoft Windows Malicious Software Removal Tool
http://support.microsoft.com/kb/891717
Rustock is a challenge to remove. If you experience difficulties, try running MSRT in ‘Safe Mode’.
How to Start Vista in Safe Mode
Windowshelp-Microsoft
A description of the Safe Mode Boot options in Windows XP
http://support.microsoft.com/kb/315222
by certifiedbug on October 17, 2008
in Microsoft
IE Blog.
Design criteria such as standard compliance, performance, reliability and security framed the design of IE8 as a whole, for new as well as existing features. As a result, CSS expressions are no longer supported in IE8 standards mode. This change was announced previously on the IE blog, however, this post will provide a few more details about that decision. The following FAQ will give a quick overview of the feature, the rationale behind our design decision and what it may mean for your own site.
http://blogs.msdn.com/ie/archive/2008/10/16/ending-expressions.aspx
by certifiedbug on October 14, 2008
in Microsoft
Email spoofing is when someone forges the header information, making the email appear to have originated from somewhere other than the real source.
One such spoof is doing the rounds falsely claiming to be from Steve Lipner at Microsoft urging recipients to install an attached update.
The email is not from Microsoft. The malicious attachment contains Backdoor:Win32/Haxdoor, and of course you should not open it.
The Microsoft Security Response Center (MSRC)
First and foremost, we never, ever, ever send attachments with our security notification e-mails. And, as a matter of company policy, Microsoft will never send you an executable attachment. If you get an e-mail that claims to be a security notification with an attachment, delete it. It is always a spoof. You can think of our security notification e-mails as a notification for you to go to the security bulletin to get the updates from the link in the bulletin to the Microsoft Download Center http://www.microsoft.com/downloads. You should always get our security updates from the links in the bulletins or through our deployment tools such as Microsoft Update or Windows Update, Windows Software Update Services (WSUS) or Systems Center Configuration Manager.
Article: Microsoft Security E-mail Spoofs with Malware
by certifiedbug on October 9, 2008
in Microsoft
Scheduled October bulletin release day, Tuesday, Oct. 14, 2008.
The Microsoft Security Response Center (MSRC)
Preliminary information, subject to change.
As part of our regularly scheduled bulletin release, we’re currently planning to release:
- Four Microsoft Security Bulletins rated as Critical, six rated Important, and one rated Moderate. These updates may require a restart and will be detectable using the Microsoft Baseline Security Analyzer.
As we do each month, the Microsoft Windows Malicious Software Removal Tool will be updated.
We are also planning to release high-priority, non-security updates on Windows Update and Windows Server Update Services (WSUS) as well as high-priority, non-security updates on Microsoft Update and Windows Server Update Services (WSUS). For additional information, please see the Other Information section of the Advanced Notification.
We also want to announce the availability of the Exploitability Index in upcoming security bulletin summaries and the official release of Microsoft Active Protections Program, which were both announced at Black Hat in August. The Exploitability Index provides additional information to help customers prioritize deployment of monthly security bulletins while the Microsoft Active Protections Program provides vulnerability information to security software providers in advance of Microsoft’s monthly security bulletin releases. Both the Exploitability Index and Microsoft Active Protection Program provide additional support to customers and partners to defend against emerging online threats.
As always, we’ll be holding the October edition of the monthly security bulletin webcast on Wednesday, Oct. 15, 2008 at 11 a.m., Pacific Standard Time. We will review this month’s release and take your questions live on-air with answers from our panel of experts. As a friendly reminder, if you can’t make the live webcast, you can listen to it on-demand as well at the same URL. In addition, we’ll also be posting the text of the questions and answers from each month’s webcast. You can see a full listing of the posted questions and answers on this page.
You can register for the webcast here: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032374639&Culture=en-US
Update 1: Microsoft Security Advisory 951306