From security at unicamp.br Tue Jul 7 15:32:17 2009
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Tue, 7 Jul 2009 15:32:17 -0300
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA09-187A -- Microsoft Video ActiveX Control Vulnerability
Message-ID: <20090707183216.GC54900@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA09-187A -- Microsoft Video ActiveX Control Vulnerability
To: technical-alerts at us-cert.gov
Date: Mon, 6 Jul 2009 17:14:12 -0400
Organization: US-CERT - +1 202-205-5266

National Cyber Alert System

Technical Cyber Security Alert TA09-187A

Microsoft Video ActiveX Control Vulnerability

Original release date: July 06, 2009
Last revised: --
Source: US-CERT

Systems Affected

  * Microsoft Windows XP
  * Microsoft Windows Server 2003

Overview

An unpatched vulnerability in the Microsoft Video ActiveX control is being used in attacks.

I. Description

Microsoft has released Security Advisory (972890) to describe attacks on a vulnerability in the Microsoft Video ActiveX control. Because no fix is currently available for this vulnerability, please see the Security Advisory and US-CERT Vulnerability Note VU#180513 for workarounds.

II. Impact

A remote, unauthenticated attacker could execute arbitrary code with the privileges of the victim user.

III. Solution

Apply workarounds

Microsoft has provided workarounds for this vulnerability in Security Advisory (972890). Additional details and workarounds are provided in US-CERT Vulnerability Note VU#180513. The most effective workaround for this vulnerability is to set kill bits for the Microsoft Video ActiveX control, as outlined in the documents noted above.
Other workarounds include disabling ActiveX, as specified in the Securing Your Web Browser document, and upgrading to Internet Explorer 7 or later, which can help mitigate the vulnerability with its ActiveX opt-in feature.

IV. References

  * US-CERT Vulnerability Note VU#180513 -
  * Microsoft Security Advisory (972890) -
  * Securing Your Web Browser -

____________________________________________________________________

The most recent version of this document can be found at:

____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA09-187A Feedback VU#180513" in the subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this mailing list, visit .
____________________________________________________________________

Produced 2009 by US-CERT, a government organization.

Terms of use:
____________________________________________________________________

Revision History

  July 06, 2009: Initial release

----- End forwarded message -----

From security at unicamp.br Mon Jul 27 14:48:24 2009
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Mon, 27 Jul 2009 14:48:24 -0300
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA09-195A -- Microsoft Updates for Multiple Vulnerabilities
Message-ID: <20090727174822.GB39493@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject:
 US-CERT Technical Cyber Security Alert TA09-195A -- Microsoft Updates for Multiple Vulnerabilities
To: technical-alerts at us-cert.gov
Date: Tue, 14 Jul 2009 17:35:30 -0400
Organization: US-CERT - +1 202-205-5266

National Cyber Alert System

Technical Cyber Security Alert TA09-195A

Microsoft Updates for Multiple Vulnerabilities

Original release date: July 14, 2009
Last revised: --
Source: US-CERT

Systems Affected

  * Microsoft Windows and Windows Server
  * Microsoft DirectShow
  * Microsoft Virtual PC and Server
  * Microsoft Office Publisher
  * Microsoft Internet Security and Acceleration (ISA) Server

Overview

Microsoft has released updates that address vulnerabilities in Microsoft Windows, Windows Server, DirectShow, Virtual PC and Server, Office Publisher, and ISA Server.

I. Description

As part of the Microsoft Security Bulletin Summary for July 2009, Microsoft has released updates that address several vulnerabilities in Microsoft Windows, Windows Server, DirectShow, Windows Virtual PC and Server, Office Publisher, and ISA Server. Microsoft indicates that two of these vulnerabilities, CVE-2009-1537 and CVE-2008-0015, are being actively exploited.

II. Impact

A remote, unauthenticated attacker could execute arbitrary code, gain elevated privileges, or cause a vulnerable application to crash.

III. Solution

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for July 2009. The security bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).

IV. References

  * Microsoft Security Bulletin Summary for July 2009 -
  * Microsoft Windows Server Update Services -
  * New vulnerability in quartz.dll Quicktime parsing -
  * CVE-2009-1537 -
  * VU#180513 - Microsoft Video ActiveX control stack buffer overflow -
  * TA09-187A - Microsoft Video ActiveX Control Vulnerability -
  * CVE-2008-0015 -

____________________________________________________________________

The most recent version of this document can be found at:

____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA09-195A Feedback VU#631820" in the subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this mailing list, visit .
____________________________________________________________________

Produced 2009 by US-CERT, a government organization.

Terms of use:
____________________________________________________________________

Revision History

  July 14, 2009: Initial release

----- End forwarded message -----

From security at unicamp.br Mon Jul 27 15:01:59 2009
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Mon, 27 Jul 2009 15:01:59 -0300
Subject: [SECURITY-L] CAIS-Alerta: Summary of Microsoft Security Bulletins - July 2009
Message-ID: <20090727180159.GD39493@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject:
 CAIS-Alerta: Summary of Microsoft Security Bulletins - July 2009
To: pop-seg at cais.rnp.br, rnp-alerta at cais.rnp.br, rnp-seg at cais.rnp.br
Date: Wed, 15 Jul 2009 17:37:06 -0300 (BRT)

Dear all,

Microsoft published 6 security bulletins on July 14, addressing a total of 9 vulnerabilities that affect Microsoft products. Exploitation of these vulnerabilities allows anything from elevation of a user's privileges to remote code execution.

At the time of publication of this summary, the vulnerabilities described in bulletins MS09-028 and MS09-032 are being actively exploited.

We remind you that immediate application of the updates released in bulletins MS09-028 (Microsoft DirectShow) and MS09-032 (ActiveX Kill Bits) is critical for Microsoft Windows clients. Both vulnerabilities have been actively exploited.

SEVERITY

. Critical

  - MS09-028: Vulnerabilities in Microsoft DirectShow
    Vulnerabilities that allow remote code execution

  - MS09-029: Vulnerabilities in the Embedded OpenType Font Engine
    Vulnerabilities that allow remote code execution

  - MS09-032: Vulnerabilities in ActiveX Kill Bits
    Cumulative security update

. Important

  - MS09-030: Vulnerability in Microsoft Office Publisher
    Vulnerability that allows remote code execution

  - MS09-031: Vulnerability in Microsoft ISA Server 2006
    Vulnerability that may cause elevation of a user's privileges

  - MS09-033: Vulnerability in Virtual PC and Virtual Server
    Vulnerability that may cause elevation of a user's privileges

. Moderate

  - No bulletins

. Low

  - No bulletins

The vulnerability severity rating system adopted by CAIS in this summary is Microsoft's own. CAIS recommends applying, at a minimum, the fixes for vulnerabilities rated Critical and Important.
For fixes to vulnerabilities rated Moderate, CAIS recommends that at least the mitigation recommendations be followed.

. Critical - Vulnerabilities whose exploitation could allow the propagation of a worm without the need for user interaction.

. Important - Vulnerabilities whose exploitation could result in compromise of the confidentiality, integrity or availability of user data, or of the integrity or availability of processing resources.

. Moderate - exploitation is significantly mitigated by factors such as default configuration, auditing or difficulty of exploitation.

. Low - a vulnerability whose exploitation is extremely difficult or whose impact is minimal.

AVAILABLE FIXES

Updating to the versions available at the following locations is recommended:

. Microsoft Update
  https://www.update.microsoft.com/microsoftupdate/

. Windows Server Update Services
  http://www.microsoft.com/windowsserversystem/updateservices/default.mspx

MORE INFORMATION

. Microsoft Security Bulletin Summary for July 2009
  https://www.microsoft.com/technet/security/bulletin/ms09-jul.mspx

. SANS ISC Handler's Diary 2009-07-14: Microsoft July Black Tuesday Overview
  http://isc.sans.org/diary.html?storyid=6790

. MS09-028: Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633)
  http://www.microsoft.com/technet/security/Bulletin/MS09-028.mspx

. MS09-029: Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371)
  http://www.microsoft.com/technet/security/Bulletin/MS09-029.mspx

. MS09-030: Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (969516)
  http://www.microsoft.com/technet/security/Bulletin/MS09-030.mspx

. MS09-031: Vulnerability in Microsoft ISA Server 2006 Could Cause Elevation of Privilege (970953)
  http://www.microsoft.com/technet/security/Bulletin/MS09-031.mspx

. MS09-032: Cumulative Security Update of ActiveX Kill Bits (973346)
  http://www.microsoft.com/technet/security/Bulletin/MS09-032.mspx

. MS09-033: Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (969856)
  http://www.microsoft.com/technet/security/Bulletin/MS09-033.mspx

. Microsoft Security Vulnerability Research & Defense
  http://blogs.technet.com/swi/

. Microsoft Brasil Security
  http://www.microsoft.com/brasil/security

. Technet Brasil - Central de Seguranca
  http://www.technetbrasil.com.br/seguranca

. Windows Live OneCare
  http://safety.live.com/site/pt-BR/default.htm

CVE identifier (http://cve.mitre.org): CVE-2008-0015, CVE-2009-0231, CVE-2009-0232, CVE-2009-0566, CVE-2009-1135, CVE-2009-1537, CVE-2009-1538, CVE-2009-1539, CVE-2009-1542

CAIS recommends that administrators always keep their systems and applications up to date with the latest versions and fixes offered by vendors.

CAIS Alerts are also offered in RSS/RDF format:
http://www.rnp.br/cais/alertas/rss.xml

Sincerely,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)     #
#       Rede Nacional de Ensino e Pesquisa (RNP)               #
#                                                              #
# cais at cais.rnp.br       http://www.cais.rnp.br             #
# Tel. 019-37873300      Fax. 019-37873301                     #
# PGP key available    http://www.rnp.br/cais/cais-pgp.key     #
################################################################

----- End forwarded message -----

From security at unicamp.br Mon Jul 27 15:32:30 2009
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Mon, 27 Jul 2009 15:32:30 -0300
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA09-204A -- Adobe Flash Vulnerability Affects Flash Player and Other Adobe Products
Message-ID: <20090727183230.GF39493@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA09-204A -- Adobe Flash Vulnerability Affects Flash Player and Other Adobe Products
To: technical-alerts at us-cert.gov
Date: Thu, 23 Jul 2009 14:14:22 -0400
Organization: US-CERT - +1 202-205-5266

National Cyber Alert System

Technical Cyber Security Alert TA09-204A

Adobe Flash Vulnerability Affects Flash Player and Other Adobe Products

Original release date: July 23, 2009
Last revised: --
Source: US-CERT

Systems Affected

  * Adobe Flash Player 10.0.22.87 and earlier 10.x versions
  * Adobe Flash Player 9.0.159.0 and earlier 9.x versions
  * Adobe Reader and Acrobat 9.1.2 and earlier 9.x versions

Overview

Adobe has released Security advisory APSA09-03, which describes a vulnerability affecting Adobe Flash. Other Adobe applications that include the Flash runtime, such as Adobe Reader 9, are also affected.

I. Description

Adobe Security Advisory APSA09-03 describes a vulnerability affecting the Adobe Flash player.
Flash player version 10.0.22.87 and earlier 10.x versions as well as Flash player version 9.0.159.0 and earlier 9.x versions are affected.

An attacker could exploit this vulnerability by convincing a user to visit a website that hosts a specially crafted SWF file. The Adobe Flash browser plugin is available for multiple web browsers and operating systems, any of which could be affected. An attacker could also create a PDF document that has an embedded SWF file to exploit the vulnerability.

This vulnerability is being actively exploited.

II. Impact

This vulnerability allows a remote attacker to execute arbitrary code as the result of a user viewing a web page or opening a PDF document.

III. Solution

These vulnerabilities can be mitigated by disabling the Flash plugin or by using the NoScript extension for Mozilla Firefox or SeaMonkey to whitelist websites that can access the Flash plugin. For more information about securely configuring web browsers, please see the Securing Your Web Browser document. US-CERT Vulnerability Note VU#259425 has additional details, as well as information about mitigating the PDF document attack vector.

Thanks to Department of Defense Cyber Crime Center/DCISE for information used in this document.

IV. References

  * Vulnerability Note VU#259425 -
  * Security advisory for Adobe Reader, Acrobat and Flash Player -
  * Securing Your Web Browser -
  * NoScript -

____________________________________________________________________

The most recent version of this document can be found at:

____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA09-204A Feedback VU#259425" in the subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this mailing list, visit .
____________________________________________________________________

Produced 2009 by US-CERT, a government organization.
Terms of use:
____________________________________________________________________

Revision History

  July 23, 2009: Initial release

----- End forwarded message -----

From security at unicamp.br Mon Jul 27 15:32:54 2009
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Mon, 27 Jul 2009 15:32:54 -0300
Subject: [SECURITY-L] CAIS-Alerta: Critical vulnerability in the Adobe Flash runtime (TA09-204A)
Message-ID: <20090727183254.GG39493@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Critical vulnerability in the Adobe Flash runtime (TA09-204A)
To: pop-seg at cais.rnp.br, rnp-alerta at cais.rnp.br, rnp-seg at cais.rnp.br
Date: Thu, 23 Jul 2009 18:29:43 -0300 (BRT)

Dear all,

CAIS is forwarding the US-CERT alert entitled "Adobe Flash Vulnerability Affects Flash Player and Other Adobe Products (TA09-204A)", which deals with a new, as yet unpatched vulnerability affecting the Adobe Flash runtime.

An attacker can take advantage of this vulnerability by convincing a user to visit a site with a specially crafted SWF file. The attacker can exploit the vulnerability in the same way using a specially crafted PDF file. Exploitation of this vulnerability allows remote execution of arbitrary code.
Adobe Flash is a very popular plugin, essential to services such as YouTube, viewing Microsoft PowerPoint files in Google Gmail, online games, advertising banners, among many other applications. The Adobe Flash plugin is available for many browsers and operating systems, which considerably increases the impact of this vulnerability.

This vulnerability is being actively exploited.

AFFECTED SYSTEMS

. Adobe Flash Player 10.0.22.87 and earlier 10.x versions
. Adobe Flash Player 9.0.159.0 and earlier 9.x versions
. Adobe Reader and Acrobat 9.1.2 and earlier 9.x versions

To find out which version of Adobe Flash Player is installed in the browser you use, please visit this site: http://www.adobe.com/products/flash/about/

AVAILABLE FIXES

There are no fixes for this vulnerability. Even the most current versions of Adobe Flash Player and Adobe Reader are vulnerable. We suggest some palliative measures:

. Flashblock - extension for the Mozilla Firefox browser that prevents Flash content from being loaded automatically.
  https://addons.mozilla.org/en-US/firefox/addon/433

. NoScript - extension for the Mozilla Firefox browser that controls the execution of scripts on sites. This extension also controls the execution of the Flash Player plugin.
  http://noscript.net/

. Use of alternative PDF readers - we suggest Foxit Reader, available at
  http://www.foxitsoftware.com/pdf/reader/

MORE INFORMATION

. TA09-204A: Adobe Flash Vulnerability Affects Flash Player and Other Adobe Products
  http://www.us-cert.gov/cas/techalerts/TA09-204A.html

. VU#259425: Adobe Flash vulnerability affects Flash Player and other Adobe products
  http://www.kb.cert.org/vuls/id/259425

. APSA09-03: Security advisory for Adobe Reader, Acrobat and Flash Player
  http://www.adobe.com/support/security/advisories/apsa09-03.html

. SA35949: Adobe Reader/Acrobat SWF Content Arbitrary Code Execution
  http://secunia.com/advisories/35949/

. SANS ISC Handler's Diary 2009-07-22: YA0D (Yet Another 0-Day) in Adobe Flash player
  http://isc.sans.org/diary.html?storyid=6847

CVE identifier (http://cve.mitre.org): CVE-2009-1862

CAIS recommends that administrators always keep their systems and applications up to date with the latest versions and fixes offered by vendors.

CAIS Alerts are also offered in RSS/RDF format:
http://www.rnp.br/cais/alertas/rss.xml

Sincerely,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)     #
#       Rede Nacional de Ensino e Pesquisa (RNP)               #
#                                                              #
# cais at cais.rnp.br       http://www.cais.rnp.br             #
# Tel. 019-37873300      Fax. 019-37873301                     #
# PGP key available    http://www.rnp.br/cais/cais-pgp.key     #
################################################################

----- End forwarded message -----

From security at unicamp.br Wed Jul 29 08:08:28 2009
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Wed, 29 Jul 2009 08:08:28 -0300
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA09-209A -- Microsoft Windows, Internet Explorer, and Active Template Library (ATL) Vulnerabilities
Message-ID: <20090729110827.GA48413@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA09-209A -- Microsoft Windows, Internet Explorer, and Active Template Library (ATL) Vulnerabilities
To: technical-alerts at us-cert.gov
Date: Tue, 28 Jul 2009 17:56:44 -0400
Organization: US-CERT - +1 202-205-5266

National Cyber Alert System

Technical Cyber Security Alert TA09-209A

Microsoft Windows, Internet Explorer, and Active Template Library (ATL) Vulnerabilities

Original release date: July 28, 2009
Last revised: --
Source: US-CERT

Systems Affected

  * Microsoft Windows and Windows Server
  * Microsoft Internet Explorer
  * Microsoft Visual Studio and C++ Redistributable Package
  * ActiveX controls from multiple vendors

Overview

Microsoft has released out-of-band updates to address critical vulnerabilities in Microsoft Internet Explorer running on most supported versions of Windows. The updates also help mitigate attacks against ActiveX controls developed with vulnerable versions of the Microsoft Active Template Library (ATL).

I. Description

Microsoft has released updates for critical vulnerabilities in Internet Explorer. The updates also include mitigations for attacks against vulnerable ActiveX controls that were created using vulnerable versions of the Active Template Library (ATL).

Vulnerabilities present in the ATL can cause vulnerabilities in the resulting ActiveX controls and COM components. For example, the ATL typographical error described in this Security Development Lifecycle blog post caused the Microsoft Video ActiveX control stack buffer overflow (VU#180513, CVE-2008-0015). Any ActiveX control or COM component that was created with a vulnerable version of the ATL may be vulnerable. For example, Adobe and Cisco are affected.

II. Impact

By convincing a user to view a specially crafted HTML document (e.g., a Web page, HTML email message, or HTML attachment), an attacker may be able to execute arbitrary code.

III. Solution

System Administrators

To address the vulnerabilities in Internet Explorer and mitigate attacks against vulnerable ATL-based ActiveX controls, apply the updates described in Microsoft Security Bulletin MS09-034. Further details about the ATL mitigations are available in a Microsoft Security Research & Defense blog post.
Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).

Developers

To stop creating vulnerable controls, update the ATL as described in Microsoft Security Bulletin MS09-035. To address vulnerabilities in existing controls, recompile the controls using the updated ATL. Further discussion about the ATL vulnerabilities can be found in the Security Development Lifecycle blog.

IV. References

  * Vulnerability Note VU#456745 -
  * Vulnerability Note VU#180513 -
  * Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution -
  * Microsoft Security Bulletin MS09-34 -
  * Microsoft Security Bulletin MS09-35 -
  * Protect Your Computer: Active Template Library, Security Updates -
  * Microsoft Security Advisory 973882, Microsoft Security Bulletins MS09-034 and MS09-035 Released -
  * Black Hat USA Spotlight: ATL Killbit Bypass -
  * ATL -
  * ATL, MS09-035 and the SDL -
  * Internet Explorer Mitigations for ATL Data Stream Vulnerabilities -
  * Microsoft Windows Server Update Services -
  * Impact of Microsoft ATL vulnerability on Adobe Products -
  * Cisco Security Advisory: Active Template Library (ATL) Vulnerability -
  * CVE-2008-0015 -

____________________________________________________________________

The most recent version of this document can be found at:

____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA09-209A Feedback VU#456745" in the subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this mailing list, visit .
____________________________________________________________________

Produced 2009 by US-CERT, a government organization.
Terms of use:
____________________________________________________________________

Revision History

  July 28, 2009: Initial release

----- End forwarded message -----

From security at unicamp.br Wed Jul 29 08:09:53 2009
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Wed, 29 Jul 2009 08:09:53 -0300
Subject: [SECURITY-L] BIND Security Advisory
Message-ID: <20090729110952.GB48413@unicamp.br>

---------- Forwarded message ----------
From: Keith Mitchell
Date: Tue, Jul 28, 2009 at 5:37 PM
Subject: [dns-operations] BIND Security Advisory
To: dns-operations at mail.dns-oarc.net

[Apologies for any duplicate postings, but this is kind of critical]

See also https://www.isc.org/node/474

BIND Dynamic Update DoS

CVE: CVE-2009-0696
CERT: VU#725188
Posting date: 2009-07-28
Program Impacted: BIND
Versions affected: BIND 9 (all versions)
Severity: High
Exploitable: remotely

Summary: BIND denial of service (server crash) caused by receipt of a specific remote dynamic update message.

Description:

Urgent: this exploit is public. Please upgrade immediately.

Receipt of a specially-crafted dynamic update message may cause BIND 9 servers to exit. This vulnerability affects all servers - it is not limited to those that are configured to allow dynamic updates. Access controls will not provide an effective workaround.

dns_db_findrdataset() fails when the prerequisite section of the dynamic update message contains a record of type "ANY" and where at least one RRset for this FQDN exists on the server.
db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
exiting (due to assertion failure).

Workarounds:

None.

(Some sites may have firewalls that can be configured with packet filtering techniques to prevent nsupdate messages from reaching their nameservers.)

Active exploits:

An active remote exploit is in wide circulation at this time.

Solution:

Upgrade BIND to one of 9.4.3-P3, 9.5.1-P3 or 9.6.1-P1. These versions can be downloaded from:

   http://ftp.isc.org/isc/bind9/9.6.1-P1/bind-9.6.1-P1.tar.gz
   http://ftp.isc.org/isc/bind9/9.5.1-P3/bind-9.5.1-P3.tar.gz
   http://ftp.isc.org/isc/bind9/9.4.3-P3/bind-9.4.3-P3.tar.gz

Acknowledgement:

Matthias Urlichs

----- End forwarded message -----

From security at unicamp.br Wed Jul 29 16:58:37 2009
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Wed, 29 Jul 2009 16:58:37 -0300
Subject: [SECURITY-L] CAIS-Alerta: Vulnerabilities in Microsoft Internet Explorer (MS09-034)
Message-ID: <20090729195837.GA49898@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Vulnerabilities in Microsoft Internet Explorer (MS09-034)
To: pop-seg at cais.rnp.br, rnp-alerta at cais.rnp.br, rnp-seg at cais.rnp.br
Date: Wed, 29 Jul 2009 11:58:38 -0300 (BRT)

Dear all,

CAIS is forwarding the Microsoft alert entitled "MS09-034 - Cumulative Security Update for Internet Explorer (972260)", which deals with three vulnerabilities in several versions of the Internet Explorer browser.

This security update resolves three vulnerabilities in Internet Explorer. These vulnerabilities allow remote code execution if an attacker manages to convince a user of a vulnerable system to open a specially crafted page.
This update is related to the vulnerability described in Microsoft Security Advisory (973882), which describes a vulnerability in the Microsoft Active Template Library (ATL). ATL is a set of template-based C++ classes used in the development of Component Object Model (COM) objects.

This security bulletin was released outside the monthly security bulletin cycle because it concerns vulnerabilities of critical severity, related to the vulnerabilities in ATL and to security bulletin MS09-032 (ActiveX Kill Bits), published on July 14. For these reasons, CAIS recommends applying the update immediately.

AVAILABLE FIXES

Updating systems to the versions available at the following locations is recommended:

. Microsoft Internet Explorer 5.01 Service Pack 4
  http://www.microsoft.com/downloads/details.aspx?FamilyID=50ffc8f4-7ab7-4e64-9965-5767db5f53cd

. Microsoft Internet Explorer 6 Service Pack 1
  http://www.microsoft.com/downloads/details.aspx?FamilyID=93bd1baa-e2fb-4e8c-9dd7-738efef32282

. Internet Explorer 6

  - Windows XP Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?FamilyID=22bed634-5227-4a22-8df5-801f3e2e232a
  - Windows XP Service Pack 3
    http://www.microsoft.com/downloads/details.aspx?FamilyID=22bed634-5227-4a22-8df5-801f3e2e232a
  - Windows XP Professional x64 Edition Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?familyid=35ab0c5e-df3d-4873-8139-d1d98b3ac350
  - Windows Server 2003 Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?familyid=44852619-58ad-48f2-bc55-e8e1c72b1ba9
  - Windows Server 2003 x64 Edition Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?familyid=bd7f36c6-c5c5-4f19-ab59-39f1aaba7fe2
  - Windows Server 2003 with SP2 for Itanium-based Systems
    http://www.microsoft.com/downloads/details.aspx?familyid=cdb70acf-77c3-40a4-b6a3-0fbc0fc0d7fc

. Internet Explorer 7

  - Windows XP Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?FamilyID=c874c8f8-0449-42b1-8d8b-901040069568
  - Windows XP Service Pack 3
    http://www.microsoft.com/downloads/details.aspx?FamilyID=c874c8f8-0449-42b1-8d8b-901040069568
  - Windows XP Professional x64 Edition Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?familyid=113cc76a-c434-42ff-b594-4834989ad5ba
  - Windows Server 2003 Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?familyid=f4112c25-9e6f-473a-bdbc-3df6dd66e6af
  - Windows Server 2003 x64 Edition Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?familyid=a594ee0d-ec8f-47df-9125-89d0bbf2115d
  - Windows Server 2003 with SP2 for Itanium-based Systems
    http://www.microsoft.com/downloads/details.aspx?FamilyID=adb6bad2-9931-4ede-856e-bb43bb0f6071
  - Windows Vista
    http://www.microsoft.com/downloads/details.aspx?familyid=d3be9a13-1a5b-4b74-9649-449df923f573
  - Windows Vista Service Pack 1
    http://www.microsoft.com/downloads/details.aspx?familyid=d3be9a13-1a5b-4b74-9649-449df923f573
  - Windows Vista Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?familyid=d3be9a13-1a5b-4b74-9649-449df923f573
  - Windows Vista x64 Edition
    http://www.microsoft.com/downloads/details.aspx?familyid=2b23cd74-6cf1-413b-82a7-b602347e3ce6
  - Windows Vista x64 Edition Service Pack 1
    http://www.microsoft.com/downloads/details.aspx?familyid=2b23cd74-6cf1-413b-82a7-b602347e3ce6
  - Windows Vista x64 Edition Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?familyid=2b23cd74-6cf1-413b-82a7-b602347e3ce6
  - Windows Server 2008 for 32-bit Systems
    http://www.microsoft.com/downloads/details.aspx?familyid=92e3af41-71b0-4a28-afc7-123733180ead
  - Windows Server 2008 for 32-bit Systems Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?familyid=92e3af41-71b0-4a28-afc7-123733180ead
  - Windows Server 2008 for x64-based Systems
    http://www.microsoft.com/downloads/details.aspx?familyid=1958ec40-3b7b-43a9-9fdc-742735dcf516
  - Windows Server 2008 for x64-based Systems Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?familyid=1958ec40-3b7b-43a9-9fdc-742735dcf516
  - Windows Server 2008 for Itanium-based Systems
    http://www.microsoft.com/downloads/details.aspx?familyid=470387ac-6d75-4b7e-8ca5-376b67a8bd4d
  - Windows Server 2008 for Itanium-based Systems Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?familyid=470387ac-6d75-4b7e-8ca5-376b67a8bd4d

. Internet Explorer 8

  - Windows XP Service Pack
    http://www.microsoft.com/downloads/details.aspx?familyid=0acc8aaa-0ae1-412a-9f2b-dc7c707cae00
  - Windows XP Service Pack 3
    http://www.microsoft.com/downloads/details.aspx?familyid=0acc8aaa-0ae1-412a-9f2b-dc7c707cae00
  - Windows XP Professional x64 Edition Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?familyid=29c8d9e6-2cb8-42b6-b0a6-2510fdb49eab
  - Windows Server 2003 Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?familyid=f4ae65a7-142f-4953-a542-315dac2ac606
  - Windows Server 2003 x64 Edition Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?familyid=3bc0e17b-898b-4f29-aa29-607527e1c1cd
  - Windows Vista
    http://www.microsoft.com/downloads/details.aspx?familyid=b05a19f7-7412-4c2b-ad11-34396e54ca43
  - Windows Vista Service Pack 1
    http://www.microsoft.com/downloads/details.aspx?familyid=b05a19f7-7412-4c2b-ad11-34396e54ca43
  - Windows Vista Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?familyid=b05a19f7-7412-4c2b-ad11-34396e54ca43
  - Windows Vista x64 Edition
    http://www.microsoft.com/downloads/details.aspx?familyid=900e9a05-2f71-42de-b603-47e4ac061bcb
  - Windows Vista x64 Edition Service Pack 1
    http://www.microsoft.com/downloads/details.aspx?familyid=900e9a05-2f71-42de-b603-47e4ac061bcb
  - Windows Vista x64 Edition Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?familyid=900e9a05-2f71-42de-b603-47e4ac061bcb
  - Windows Server 2008 for 32-bit Systems
    http://www.microsoft.com/downloads/details.aspx?familyid=30f99bda-9107-4969-90af-2a30e12acdae
  - Windows Server 2008 for 32-bit Systems Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?familyid=30f99bda-9107-4969-90af-2a30e12acdae
  - Windows Server 2008 for x64-based Systems
    http://www.microsoft.com/downloads/details.aspx?familyid=acd3667b-6676-4010-b23b-e8372dd55f93
  - Windows Server 2008 for x64-based Systems Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?familyid=acd3667b-6676-4010-b23b-e8372dd55f93
  - Windows Server 2008 for Itanium-based Systems
    http://www.microsoft.com/downloads/details.aspx?familyid=d223766f-2728-451d-98dd-c250ca52a76f
  - Windows Server 2008 for Itanium-based Systems Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?familyid=d223766f-2728-451d-98dd-c250ca52a76

MORE INFORMATION

. MS09-034: Cumulative Security Update for Internet Explorer (972260)
  http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx

. Microsoft Security Advisory (973882): Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution
  http://www.microsoft.com/technet/security/advisory/973882.mspx

. MS09-032: Cumulative Security Update of ActiveX Kill Bits (973346)
  http://www.microsoft.com/technet/security/bulletin/ms09-032.mspx

. Microsoft TechCenter de Segurança
  http://technet.microsoft.com/pt-br/security/

. Microsoft Security Response Center - MSRC
  http://www.microsoft.com/security/msrc/

. Microsoft Security Research & Defense - MSRD
  http://blogs.technet.com/srd/

.
Segurança Microsoft http://www.microsoft.com/brasil/security/ Identificador CVE (http://cve.mitre.org): CVE-2009-1917, CVE-2009-1918, CVE-2009-1919 O CAIS recomenda que os administradores mantenham seus sistemas e aplicativos sempre atualizados, de acordo com as últimas versões e correções oferecidas pelos fabricantes. Os Alertas do CAIS também são oferecidos no formato RSS/RDF: http://www.rnp.br/cais/alertas/rss.xml Atenciosamente, ################################################################ # CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS) # # Rede Nacional de Ensino e Pesquisa (RNP) # # # # cais em cais.rnp.br http://www.cais.rnp.br # # Tel. 019-37873300 Fax. 019-37873301 # # Chave PGP disponivel http://www.rnp.br/cais/cais-pgp.key # ################################################################ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) Comment: Made with pgp4pine 1.76 iQCVAwUBSnBjpekli63F4U8VAQE7sQQAlK9HH09plPkQwIDiuCkqc8dFDecoDZLD D6K2hEpZP2acJjVJ96Jgc5/ltn89Soo/ME0OZ315s2T7oguY/1JDGUcUd9CVo7H9 shqwGDEvXW1pccCdaxGJQQE/SPpax74csLS002FwHuBu5xmexfZjA4HYyNo2Xt2k Re212bkFmY8= =yyT4 -----END PGP SIGNATURE----- ----- End forwarded message ----- From security em unicamp.br Wed Jul 29 16:59:04 2009 From: security em unicamp.br (CSIRT - UNICAMP) Date: Wed, 29 Jul 2009 16:59:04 -0300 Subject: [SECURITY-L] CAIS-Alerta: Vulnerabilidades no Microsoft Visual Studio (MS09-035) Message-ID: <20090729195903.GB49898@unicamp.br> ----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca ----- From: Centro de Atendimento a Incidentes de Seguranca Subject: CAIS-Alerta: Vulnerabilidades no Microsoft Visual Studio (MS09-035) To: pop-seg em cais.rnp.br, rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br Date: Wed, 29 Jul 2009 11:59:47 -0300 (BRT) -----BEGIN PGP SIGNED MESSAGE----- Prezados, O CAIS está repassando o alerta da Microsoft, intitulado "MS09-035 - Vulnerabilities in Visual Studio Active Template Library Could Allow Remote 
Code Execution (969706)", que trata de três vulnerabilidades em diversas versões no Microsoft Visual Studio. Microsoft Visual Studio é um Integrated Development Environment (IDE), um pacote usado para desenvolvimento de software. Esta atualização está relacionada com a vulnerabilidade descrita no Microsoft Security Advisory (973882), que descreve uma vulnerabilidade no Microsoft Active Template Library (ATL). ATL é um conjunto de classes C++ baseadas em template, usada no desenvolvimento de objetos Component Object Model (COM). Estas vulnerabilidades permitem a execução remota de código se um atacante conseguir convencer um usuário a carregar um componente ou controle construído com versões vulneráveis de ATL. Este boletim de segurança foi divulgado fora do ciclo mensal de boletins de segurança por se tratarem de vulnerabilidades de severidade moderada, relacionadas com as vulnerabilidades no ATL e o boletim de segurança MS09-032 (ActiveX Kill Bits), publicado em 14 de julho. Por estas razões o CAIS recomenda a aplicação imediata da atualização. CORREÇÕES DISPONÍVEIS Recomenda-se atualizar os sistemas para as versões disponíveis em: . Microsoft Visual Studio .NET 2003 Service Pack 1 http://www.microsoft.com/downloads/details.aspx?FamilyID=63ce454e-f69c-44e3-89fb-eb23c2e2154e . Microsoft Visual Studio 2005 Service Pack 1 http://www.microsoft.com/downloads/details.aspx?FamilyID=7c8729dc-06a2-4538-a90d-ff9464dc0197 . Microsoft Visual Studio 2005 Service Pack 1 64-bit Hosted Visual C++ Tools http://www.microsoft.com/downloads/details.aspx?FamilyID=43f96f2a-69c6-4c5e-b72c-0edfa35f4fc2 . Microsoft Visual Studio 2008 http://www.microsoft.com/downloads/details.aspx?familyid=8f9da646-94dd-469d-baea-a4306270462c . Microsoft Visual Studio 2008 Service Pack 1 http://www.microsoft.com/downloads/details.aspx?familyid=294de390-3c94-49fb-a014-9a38580e64cb . 
Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package http://www.microsoft.com/downloads/details.aspx?familyid=766a6af7-ec73-40ff-b072-9112bab119c2 . Microsoft Visual C++ 2008 Redistributable Package http://www.microsoft.com/downloads/details.aspx?familyid=8b29655e-9da4-4b6b-9ac5-687ca0770f93 . Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package http://www.microsoft.com/downloads/details.aspx?familyid=2051a0c1-c9b5-4b0a-a8f5-770a549fd78c MAIS INFORMAÇÕES . MS09-035: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706) http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx . Microsoft Security Advisory (973882): Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution http://www.microsoft.com/technet/security/advisory/973882.mspx . MS09-032: Cumulative Security Update of ActiveX Kill Bits (973346) http://www.microsoft.com/technet/security/bulletin/ms09-032.mspx . Microsoft TechCenter de Segurança http://technet.microsoft.com/pt-br/security/ . Microsoft Security Response Center - MSRC http://www.microsoft.com/security/msrc/ . Microsoft Security Research & Defense - MSRD http://blogs.technet.com/srd/ . Segurança Microsoft http://www.microsoft.com/brasil/security/ Identificador CVE (http://cve.mitre.org): CVE-2009-0901, CVE-2009-2493, CVE-2009-2495 O CAIS recomenda que os administradores mantenham seus sistemas e aplicativos sempre atualizados, de acordo com as últimas versões e correções oferecidas pelos fabricantes. Os Alertas do CAIS também são oferecidos no formato RSS/RDF: http://www.rnp.br/cais/alertas/rss.xml Atenciosamente, ################################################################ # CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS) # # Rede Nacional de Ensino e Pesquisa (RNP) # # # # cais em cais.rnp.br http://www.cais.rnp.br # # Tel. 019-37873300 Fax. 
019-37873301 # # Chave PGP disponivel http://www.rnp.br/cais/cais-pgp.key # ################################################################ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) Comment: Made with pgp4pine 1.76 iQCVAwUBSnBj6+kli63F4U8VAQFLLgP9G52jHvVKD1iwHhEcNl21IjiFKxdE+Brz 6odRDgI7NNeVrmq1thdGr5l5L47wh85q/v8pS9nJZFGtT4KiRA1xoIJYhlYxO9as p9tPUA2iswJgrgWsR129JQejmUAJQvIddj/NB0wOZVwco0OCcBIGDjhO6gPC+Giz IyumJtFNHXw= =2NyF -----END PGP SIGNATURE----- ----- End forwarded message ----- From security em unicamp.br Thu Jul 30 15:35:16 2009 From: security em unicamp.br (CSIRT - UNICAMP) Date: Thu, 30 Jul 2009 15:35:16 -0300 Subject: [SECURITY-L] *** IMPORTANTE: CAIS-Alerta: Vulnerabilidade crtica no ISC BIND 9 (VU#725188) Message-ID: <20090730183515.GA54190@unicamp.br> Prezados Administradores, Estamos repassando o alerta do CAIS sobre uma séria vulnerabilidade no BIND. Ontem, já encaminhamos outros boletins. Orientamos a leitura desse boletim e recomendamos atualização IMEDIATA do BIND. Atenciosamente, Computer Security Incident Response Team - CSIRT Information and Communication Technology Office State University of Campinas - Unicamp mailto:security em unicamp.br http://www.security.unicamp.br GnuPG Public Key: http://www.security.unicamp.br/security.asc ----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca ----- From: Centro de Atendimento a Incidentes de Seguranca Subject: CAIS-Alerta: Vulnerabilidade crítica no ISC BIND 9 (VU#725188) To: pop-seg em cais.rnp.br, rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br Date: Wed, 29 Jul 2009 17:59:04 -0300 (BRT) -----BEGIN PGP SIGNED MESSAGE----- Prezados, O CAIS está repassando o alerta do US-CERT, intitulado "ISC BIND 9 vulnerable to denial of service via dynamic update request (VU#725188)", que trata de uma vulnerabilidade no ISC BIND 9. BIND é a implementação de DNS (Domain Name System) do Internet Systems Consortium - ISC. 
It is the most popular implementation of the protocol, present in many
GNU/Linux distributions, UNIX systems and commercial products.

The vulnerability is in the handling of DNS requests of the "dynamic
update" type. A remote, unauthenticated attacker who exploits this
vulnerability can cause a denial-of-service condition (DoS - Denial of
Service) by causing the BIND 9 server processes on the affected system
to terminate.

Code that exploits this vulnerability (an exploit) is already
circulating on the Internet. The fact that it causes a DoS condition
aggravates this scenario. For these reasons CAIS recommends updating
BIND immediately.

AFFECTED SYSTEMS

. ISC BIND release 9.4 - versions prior to 9.4.3-P3
. ISC BIND release 9.5 - versions prior to 9.5.1-P3
. ISC BIND release 9.6 - versions prior to 9.6.1-P1

At this time, products from the following vendors that implement BIND 9
are known to be affected by this vulnerability:

. BlueCat Networks, Inc.
. FreeBSD, Inc.
. Internet Systems Consortium
. Nominum
. Ubuntu

US-CERT document VU#725188 (document revision 23), which describes the
vulnerability in question, lists several other vendors with status
"unknown" in the "Systems Affected" section. It is therefore possible
that more vendors are affected by this vulnerability.

AVAILABLE FIXES

We recommend updating to the versions available at:

. Internet Systems Consortium BIND
  https://www.isc.org/software/bind

There are no official workarounds for this vulnerability, whether
through configuration changes or packet filters. For this reason CAIS
recommends updating BIND 9 immediately.

Please consult the website of the vendor of the ISC BIND 9
implementation that your organization has. For a more up-to-date list of
affected products, please consult reference VU#725188, available in the
"More information" section.

MORE INFORMATION

. VU#725188: ISC BIND 9 vulnerable to denial of service via dynamic
  update request
  http://www.kb.cert.org/vuls/id/725188

. BIND Dynamic Update DoS
  https://www.isc.org/node/474

. SANS ISC Handler's Diary 2009-07-29: BIND 9 DoS attacks in the wild
  http://isc.sans.org/diary.html?storyid=6886

CVE identifier (http://cve.mitre.org): CVE-2009-0696

CAIS recommends that administrators always keep their systems and
applications up to date, in line with the latest versions and fixes
provided by the vendors.

CAIS Alerts are also offered in RSS/RDF format:
http://www.rnp.br/cais/alertas/rss.xml

Sincerely,

################################################################
#    CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)    #
#           Rede Nacional de Ensino e Pesquisa (RNP)           #
#                                                              #
# cais em cais.rnp.br    http://www.cais.rnp.br                #
# Tel. 019-37873300      Fax. 019-37873301                     #
# PGP key available      http://www.rnp.br/cais/cais-pgp.key   #
################################################################

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76

-----END PGP SIGNATURE-----

----- End forwarded message -----
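
The affected-version list in the BIND alert above, turned into a check over version strings of the form `named -v` prints. This is an added example, not part of the forwarded alerts; the host names and version strings in the sample inventory are constructed. Vendor packages can carry the fix under an older version string, so an "affected" result is a prompt to check the vendor's advisory, as the alert advises.

```python
import re

# Fixed releases per branch as listed in the alert (VU#725188, CVE-2009-0696):
# branch -> (patch release, -P level); anything earlier in the branch is affected.
FIXED = {"9.4": (3, 3), "9.5": (1, 3), "9.6": (1, 1)}

# Accepts forms like "BIND 9.6.1-P1", "9.5.1b2" or "9.4.3-P2-vendor".
VERSION_RE = re.compile(r"\b(9\.\d+)\.(\d+)(?:(a|b|rc)\d+)?(?:-P(\d+))?", re.I)


def classify(version_text):
    """Return 'affected', 'fixed', 'not-listed' or 'unparsed'."""
    m = VERSION_RE.search(version_text)
    if not m:
        return "unparsed"
    branch, release, prerelease, plevel = m.groups()
    if branch not in FIXED:
        return "not-listed"      # the alert makes no statement about this branch
    fixed_release, fixed_plevel = FIXED[branch]
    release = int(release)
    if release != fixed_release:
        return "affected" if release < fixed_release else "fixed"
    if prerelease:               # e.g. 9.6.1rc1 precedes 9.6.1, so also 9.6.1-P1
        return "affected"
    return "fixed" if int(plevel or 0) >= fixed_plevel else "affected"


def needs_attention(inventory):
    """Filter (host, version_text) pairs down to those to upgrade or inspect by hand."""
    flagged = []
    for host, version_text in inventory:
        status = classify(version_text)
        if status in ("affected", "unparsed"):
            flagged.append((host, version_text, status))
    return flagged


# Constructed inventory: host names and version strings are made up for the example.
SAMPLE_INVENTORY = [
    ("ns1.example.org", "BIND 9.6.1-P1"),
    ("ns2.example.org", "BIND 9.6.1"),
    ("ns3.example.org", "BIND 9.5.1b2"),
    ("ns4.example.org", "BIND 9.4.3-P2"),
    ("ns5.example.org", "BIND 9.3.6-P1"),
    ("ns6.example.org", "version.bind hidden"),
]

if __name__ == "__main__":
    for host, version_text, status in needs_attention(SAMPLE_INVENTORY):
        print(f"{host}: {version_text!r} -> {status}")
```

Hosts whose version string cannot be parsed are flagged rather than skipped, since a hidden or rewritten version banner says nothing about the patch level.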