Archive for the ‘Microsoft’ Category
Computer worm linked to rise in scanning for RDP
A computer worm codenamed Morto has been reported to be spreading rapidly in the wild, targeting Microsoft Windows servers and workstations that have Remote Desktop Protocol (RDP) enabled. It has been linked to the general increase in scanning activity seen across the internet for port 3389/tcp, the port used by RDP.
The worm appears to scan for machines with open RDP ports and attempts to brute-force the administrator account with a dictionary-type attack. It is reportedly also able to propagate over the network through shared drives on the infected machine.
A few tips to be on the lookout for this infection:
=====================================
1. Ensure public-facing Windows servers that do not require remote administration have RDP disabled.
2. It is unclear at the moment whether the worm is designed to exploit the recently reported RDP vulnerability, MS11-065, so ensuring servers and workstations have this patch applied is crucial.
3. If you have NetFlow monitoring capabilities, look for large numbers of outgoing RDP connections (assuming incoming connections for this protocol are denied by default and allowed on a case-by-case basis); infected machines have shown numerous bursts of RDP connections generated by the system service svchost.exe.
4. If you have identified an infected machine, you can confirm these connection bursts by issuing the netstat -an command. As suggested in the report highlighted above, you can also look for the file names a.dll and sens32.dll.
5. Most antivirus products are expected to release signatures able to detect this; ensure all machines have the latest signature updates.
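The netstat -an check from tip 4, as an added example that is not part of the original post: a Python filter over constructed netstat output that counts outbound connections to 3389/tcp per remote host and flags a burst, while ignoring inbound sessions to the machine's own RDP listener. The sample output and the five-host threshold are constructed assumptions, not values from the report.

```python
import re
from collections import Counter

RDP_PORT = 3389

# Constructed netstat -an sample (IPv4 only): a listener, one normal SMB
# session, an inbound admin RDP session, and a burst of outbound RDP
# attempts to sequential hosts, the pattern an infected scanner shows.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49210         10.0.0.9:445           ESTABLISHED
  TCP    10.0.0.5:49311         192.0.2.10:3389        SYN_SENT
  TCP    10.0.0.5:49312         192.0.2.11:3389        SYN_SENT
  TCP    10.0.0.5:49313         192.0.2.12:3389        ESTABLISHED
  TCP    10.0.0.5:49314         192.0.2.13:3389        SYN_SENT
  TCP    10.0.0.5:49315         192.0.2.14:3389        SYN_SENT
  TCP    10.0.0.5:49316         192.0.2.15:3389        TIME_WAIT
  TCP    10.0.0.5:3389          10.0.0.20:52001        ESTABLISHED
"""

# Groups: local ip, local port, foreign ip, foreign port, state.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def outbound_rdp(netstat_text):
    """Count connections per remote host where this machine is the RDP client.

    Listeners and inbound sessions (local port 3389) are skipped, so a server
    that is legitimately being administered over RDP is not flagged.
    """
    targets = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _local_ip, local_port, remote_ip, remote_port, state = m.groups()
        if (int(remote_port) == RDP_PORT and int(local_port) != RDP_PORT
                and state != "LISTENING"):
            targets[remote_ip] += 1
    return targets


def is_scan_burst(netstat_text, threshold=5):
    """True when outbound RDP reaches `threshold` distinct hosts (assumed
    cut-off): a scanning/brute-force pattern, not a user with a session or two."""
    return len(outbound_rdp(netstat_text)) >= threshold
```

On a live host, feed it the captured output of netstat -an and compare the flagged remote hosts against your NetFlow view of the same machine.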
Microsoft Security Updates Summary – August 2011
A summary of Microsoft’s security patches released on 09-Aug-2011.
| Bulletin Number | Products Affected | Description | Exploits | Platforms Affected |
| --- | --- | --- | --- | --- |
| MS11-057 | Internet Explorer | A vulnerability exists in the way session rights are managed for a logged-in user, which could allow remote code execution. | Publicly available exploit. | Client - Critical; Server - Important |
| MS11-058 | Microsoft DNS | A vulnerability exists in the way NAPTR (Naming Authority Pointer) queries are handled, which could allow remote code execution. | No Known Exploits | Client - N/A; Server - Critical |
| MS11-059 | Windows DAC | The DAC (Data Access Components) used by products such as Excel could be exploited to execute arbitrary code, due to a flaw in the way it assigns permissions to loaded libraries. This could be exploited when a specially crafted file is opened, for example via a network share. | No Known Exploits | Client - Important; Server - Low |
| MS11-060 | Microsoft Visio | Multiple vulnerabilities exist which could allow a remote attacker to execute arbitrary code. | No Known Exploits | Client - Critical; Server - Important |
| MS11-061 | Remote Desktop Web Access | An XSS (cross-site scripting) vulnerability has been reported in Remote Desktop Web Access. | No Known Exploits | Client - Low; Server - Important |
| MS11-062 | Remote Access Service (RAS) | A vulnerability exists in the way NDISTAPI validates input before passing environment variables on to the kernel. | No Known Exploits | Client - Important; Server - Low |
| MS11-063 | Client-Server Runtime Subsystem | An input validation vulnerability exists in the Client-Server Runtime Subsystem (CSRSS). | No Known Exploits | Client - Important; Server - Low |
| MS11-064 | TCP/IP stack | A vulnerability exists in the TCP/IP stack implementation of the Windows kernel in the way it handles specially crafted ICMP packets, malformed URLs, etc., which could lead to denial of service. | No Known Exploits | Client - Important; Server - Important |
| MS11-065 | Remote Desktop Protocol (RDP) | A vulnerability exists in RDP which could allow remote attackers to carry out denial-of-service attacks. | Publicly available exploit; currently being actively exploited. | Client - Low; Server - Important |
| MS11-066 | ASP.NET | A vulnerability exists in the chart control of ASP.NET which could be exploited using specially crafted files within an ASP application. | No Known Exploits | Client - N/A; Server - Important |
| MS11-067 | Report Viewer | An XSS (cross-site scripting) vulnerability has been reported affecting the Report Viewer function in Windows. | No Known Exploits | Client - Important; Server - Low |
| MS11-068 | Windows Kernel | A vulnerability in the Windows kernel could be exploited to force a reboot when accessing the metadata of files over web or file sharing, for example. | No Known Exploits | Client - Low; Server - Low |
| MS11-069 | .NET Framework | Access to the System.NET.Sockets functions in the .NET Framework is not restricted enough, which could be exploited to intercept traffic and cause denial of service. | No Known Exploits | Client - Important; Server - Important |
Microsoft Security Updates Summary – July 2011
A summary of Microsoft’s security patches released on 12-Jul-2011.
| Bulletin Number | Products Affected | Description | Exploits | Platforms Affected |
| --- | --- | --- | --- | --- |
| MS11-053 | Bluetooth Drivers | A vulnerability exists in the way memory is allocated, which could be exploited by remote attackers to gain control of the machine. | No Known Exploits | Client - Critical; Server - Important |
| MS11-054 | Kernel Mode Drivers | Multiple vulnerabilities exist in kernel-mode drivers which could allow privilege escalation. | No Known Exploits | Client - Important; Server - Low |
| MS11-055 | Microsoft Office – Visio | A library search path vulnerability could allow arbitrary code execution. | No Known Exploits | Client - Important; Server - Low |
| MS11-055 | Client-Server Runtime Subsystem | Multiple vulnerabilities exist in CSRSS which could allow privilege escalation or a denial-of-service condition. | No Known Exploits | Client - Important; Server - Low |
Microsoft Security Updates Summary – June 2011
A summary of Microsoft’s security patches released on 14-Jun-2011.
| Bulletin Number | Products Affected | Description | Exploits | Platforms Affected |
| --- | --- | --- | --- | --- |
| MS11-037 | MHTML (MIME Encapsulated HTML) | The MHTML protocol handler is vulnerable to XSS-type attacks which could cause information disclosure. | Publicly disclosed | Client - Important; Server - Low |
| MS11-038 | OLE-WMF | Windows Metafile processing by OLE libraries is vulnerable to arbitrary code execution, exploitable in the context of the logged-in user's privileges. | No Known Exploits | Client - Critical; Server - Important |
| MS11-039 | .NET – Silverlight | An input validation flaw in the .NET and Silverlight implementations could allow arbitrary code execution in the context of the logged-in user. | No Known Exploits | Client - Critical; Server - Important |
| MS11-040 | Forefront Threat Management Gateway | A vulnerability in Microsoft Forefront Threat Management Gateway could allow arbitrary code execution in the context of the service. | No Known Exploits | Client - Critical; Server - Important |
| MS11-041 | OpenType Font (OTF) | An input validation vulnerability in parsing OTF fonts could allow arbitrary code execution and affects 64-bit kernel OS versions. This can be remotely exploited through WebDAV, file sharing, email messages, etc. | No Known Exploits | Client - Critical; Server - Important |
| MS11-042 | Distributed File System (DFS) | Multiple vulnerabilities in the input validation mechanism could allow arbitrary code execution and could potentially be exploited to cause DoS (denial of service). | No Known Exploits | Client - Critical; Server - Critical |
| MS11-043 | SMB | An input validation vulnerability in parsing SMB responses could allow arbitrary code execution. | No Known Exploits | Client - Critical; Server - Important |
| MS11-044 | .NET | An input validation vulnerability exists in the JIT (just-in-time) compiler implementation which could allow arbitrary code execution and bypass restrictive security functions such as Code Access Security. | Publicly disclosed vulnerability | Client - Critical; Server - Critical |
| MS11-045 | Microsoft Excel | Multiple vulnerabilities exist in Excel which could allow arbitrary code execution in the context of the logged-in user. The Mac OS X version is also affected. | No public exploits | Client - Critical; Server - Important |
| MS11-046 | AFD (Ancillary Function Driver) | An input validation vulnerability exists in AFD which could allow privilege escalation and execution of arbitrary code in the kernel in the context of the logged-in user. | Publicly disclosed vulnerability | Client - Critical; Server - Critical |
| MS11-047 | Hyper-V | A vulnerability in Hyper-V could allow an authenticated user of a guest system to cause a denial-of-service condition on the host system. | No Known Exploits | Client - Low; Server - Important |
| MS11-048 | SMB Server | An input parsing vulnerability could cause a denial-of-service (DoS) condition. | No Known Exploits | Client - Low; Server - Important |
| MS11-049 | XML Editor | A vulnerability exists in the XML Editor which could disclose information through nested external XML entities. This editor is mainly used by packages such as SQL Server, Visual Studio, InfoPath, etc. | No Known Exploits | Client - Important; Server - Important |
| MS11-050 | Active Directory Certificate Services – Web Enrolment | A reflected XSS vulnerability exists in the web enrolment component of Active Directory Certificate Services. | No Known Exploits | Client - N/A; Server - Important |
| MS11-051 | Internet Explorer – VML | The Vector Markup Language implementation in MSIE is vulnerable to memory corruption which could allow arbitrary code execution in the context of the logged-in user. IE9 is not affected by this vulnerability. | No Known Exploits | Client - Critical; Server - Important |
Exchange, EWS and items you thought were private…
A little-known fact of calendaring in Exchange is that appointments marked private are not really so, as the private flag is enforced by the client(!). This was reinforced recently at a local university that developed an in-house system to display people's calendars on a web page. They discovered that on any calendar to which the user had read access (Reviewer rights) they could read all appointments, even those marked as private. The app has now been modified to enforce these “private” appointments, but it is something to keep in mind, especially as Exchange Web Services becomes more prevalent.
In Microsoft’s TechNet documentation:
“IMPORTANT: You should not rely on the Private feature to prevent other people from accessing the details of your appointments, contacts, or tasks. To make sure that other people cannot read the items that you marked as private, do not grant them Reviewer (can read items) permission to your Calendar, Contacts, or Tasks folder. A person who is granted Reviewer (can read items) permission to access your folders could use programmatic methods or other e-mail programs to view the details of a private item. Use the Private feature only when you share folders with people whom you trust.”
From: http://office.microsoft.com/en-us/outlook-help/allow-someone-else-to-manage-your-mail-and-calendar-HA010075081.aspx#BM4
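The application-side filtering the university's app had to add, as an added example that is neither the university's code nor Microsoft's: a Python function that parses a constructed EWS calendar response and masks any item whose Sensitivity is Private before it reaches the page, because the server hands back the full item regardless. The element names follow the EWS types schema; the sample response, the placeholder text and the choice to withhold Confidential items too are assumptions.

```python
import xml.etree.ElementTree as ET

# EWS "types" namespace used by CalendarItem/Sensitivity elements.
NS = {"t": "http://schemas.microsoft.com/exchange/services/2006/types"}

# Constructed FindItem-style result (trimmed to the elements used here): a
# Reviewer on a shared calendar gets every item back, Private ones included.
SAMPLE_RESPONSE = """\
<Items xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
  <t:CalendarItem>
    <t:Subject>Team standup</t:Subject>
    <t:Sensitivity>Normal</t:Sensitivity>
    <t:Start>2011-08-10T09:00:00Z</t:Start>
  </t:CalendarItem>
  <t:CalendarItem>
    <t:Subject>Doctor appointment</t:Subject>
    <t:Sensitivity>Private</t:Sensitivity>
    <t:Start>2011-08-10T14:00:00Z</t:Start>
  </t:CalendarItem>
  <t:CalendarItem>
    <t:Subject>Budget review</t:Subject>
    <t:Start>2011-08-11T10:00:00Z</t:Start>
  </t:CalendarItem>
</Items>
"""

# Assumption: Confidential is withheld from delegates as well as Private.
WITHHELD = {"Private", "Confidential"}
PLACEHOLDER = "Private appointment"


def visible_appointments(xml_text):
    """Return (subject, start) pairs that are safe to render for a delegate.

    Exchange returns the full item whatever its Sensitivity, so the consuming
    application must apply the Private flag itself. Withheld items keep their
    time slot (like free/busy) but lose the subject and any other detail.
    """
    root = ET.fromstring(xml_text)
    shown = []
    for item in root.findall("t:CalendarItem", NS):
        sensitivity = item.findtext("t:Sensitivity", default="Normal", namespaces=NS)
        start = item.findtext("t:Start", default="", namespaces=NS)
        if sensitivity in WITHHELD:
            shown.append((PLACEHOLDER, start))
        else:
            shown.append((item.findtext("t:Subject", default="", namespaces=NS), start))
    return shown
```

An item with no Sensitivity element is treated as Normal, which matches how the flag is absent on ordinary appointments.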
Microsoft Security Updates Summary – March 2011
A summary of Microsoft’s security patches released on 08-March-2011.
| Bulletin Number | Products Affected | Description | Exploits | Platforms Affected |
| --- | --- | --- | --- | --- |
| MS11-015 | Windows Media Player | This security update addresses vulnerabilities in DirectShow affecting Windows Media Player and Media Center which could be exploited using a specially crafted digital video recording (.dvr) file, allowing remote code execution. | Publicly available exploit | Client - Critical; Server - Important |
| MS11-016 | Microsoft Groove | This addresses a vulnerability reported in Microsoft Groove which could be exploited if a specially crafted file is in the same network share or directory as the Groove file, which could lead to privilege escalation. | Proof of concept available | Client - Important; Server - Important |
| MS11-017 | Remote Desktop | This addresses a vulnerability reported in all versions of Remote Desktop which could be exploited using a specially crafted library file placed in the same location as the .rdp file being opened. This could allow an attacker to execute code remotely. | No Known Exploits | Client - Important; Server - Important |