From security em unicamp.br Thu Apr 15 12:18:03 2010
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 15 Apr 2010 12:18:03 -0300
Subject: [SECURITY-L] CAIS-Alerta: Summary of Microsoft Security Bulletins - April 2010
Message-ID: <20100415151803.GA45321@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Summary of Microsoft Security Bulletins - April 2010
To: pop-seg em cais.rnp.br, rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
cc: Centro de Atendimento a Incidentes de Seguranca
Date: Tue, 13 Apr 2010 17:07:12 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

On 13 April Microsoft published 11 security bulletins addressing a total of 11 vulnerabilities in its products. Exploitation of these vulnerabilities allows remote code execution, privilege escalation by logged-on local users, and denial of service.

At the time this summary was published, two of the vulnerabilities covered by the bulletins were being actively exploited: MS10-020 (CVE-2009-3676, CVE-2010-0269, CVE-2010-0270, CVE-2010-0476, CVE-2010-0477) and MS10-022 (CVE-2010-0483).

SEVERITY

. Critical

- MS10-019: Vulnerability in Windows Authenticode Verification
  Vulnerability that allows remote code execution

- MS10-020: Vulnerability in the Windows SMB client
  Vulnerability that allows remote code execution

- MS10-025: Vulnerability in Microsoft Windows Media Services
  Vulnerability that allows remote code execution

- MS10-026: Vulnerability in Microsoft MPEG Layer-3 codecs
  Vulnerability that allows remote code execution

- MS10-027: Vulnerability in Windows Media Player
  Vulnerability that allows remote code execution

. Important

- MS10-021: Vulnerabilities in the Windows kernel
  Vulnerabilities that allow elevation of privilege for a logged-on local user

- MS10-022: Vulnerability in Microsoft Windows VBScript
  Vulnerability that allows remote code execution

- MS10-023: Vulnerability in Microsoft Office Publisher
  Vulnerability that allows remote code execution

- MS10-024: Vulnerability in Microsoft Exchange and Windows SMTP Service
  Vulnerability that allows denial of service (DoS)

- MS10-028: Vulnerability in Microsoft Visio
  Vulnerability that allows remote code execution

. Moderate

- MS10-029: Vulnerability in the Windows ISATAP component
  Vulnerability that allows IP spoofing

. Low

- No bulletins

The vulnerability severity rating system used by CAIS in this summary is Microsoft's own. CAIS recommends applying, at a minimum, the fixes for vulnerabilities rated Critical and Important. For fixes for vulnerabilities rated Moderate, CAIS recommends that at least the mitigation recommendations be followed.

. Critical - Vulnerabilities whose exploitation could allow a worm to propagate without any user interaction.

. Important - Vulnerabilities whose exploitation could compromise the confidentiality, integrity or availability of user data, or the integrity or availability of processing resources.

. Moderate - Exploitation is significantly mitigated by factors such as default configuration, auditing or difficulty of exploitation.

. Low - A vulnerability whose exploitation is extremely difficult or whose impact is minimal.

AVAILABLE FIXES

It is recommended to update systems to the versions available at:

. Microsoft Update
  https://www.update.microsoft.com/microsoftupdate/

. Windows Server Update Services
  http://www.microsoft.com/windowsserversystem/updateservices/default.mspx

MORE INFORMATION

. Microsoft Security Bulletin Summary for April 2010
  http://www.microsoft.com/technet/security/Bulletin/MS10-apr.mspx

. SANS ISC Handler's Diary 2010-04-13 - Microsoft April 2010 Patch Tuesday
  http://isc.sans.org/diary.html?storyid=8626

. MS10-019: Vulnerabilities in Windows Could Allow Remote Code Execution (981210)
  http://www.microsoft.com/technet/security/Bulletin/MS10-019.mspx

. MS10-020: Vulnerabilities in SMB Client Could Allow Remote Code Execution (980232)
  http://www.microsoft.com/technet/security/Bulletin/MS10-020.mspx

. MS10-025: Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution (980858)
  http://www.microsoft.com/technet/security/Bulletin/MS10-025.mspx

. MS10-026: Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (977816)
  http://www.microsoft.com/technet/security/Bulletin/MS10-026.mspx

. MS10-027: Vulnerability in Windows Media Player Could Allow Remote Code Execution (979402)
  http://www.microsoft.com/technet/security/Bulletin/MS10-027.mspx

. MS10-021: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (979683)
  http://www.microsoft.com/technet/security/Bulletin/MS10-021.mspx

. MS10-022: Vulnerability in VBScript Could Allow Remote Code Execution (981169)
  http://www.microsoft.com/technet/security/Bulletin/MS10-022.mspx

. MS10-023: Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (981160)
  http://www.microsoft.com/technet/security/Bulletin/MS10-023.mspx

. MS10-024: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832)
  http://www.microsoft.com/technet/security/Bulletin/MS10-024.mspx

. MS10-028: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (980094)
  http://www.microsoft.com/technet/security/Bulletin/MS10-028.mspx

. MS10-029: Vulnerabilities in Windows ISATAP Component Could Allow Spoofing (978338)
  http://www.microsoft.com/technet/security/Bulletin/MS10-029.mspx

. Microsoft Security TechCenter
  http://technet.microsoft.com/pt-br/security/

. Microsoft Security Response Center - MSRC
  http://www.microsoft.com/security/msrc/

. Microsoft Security Research & Defense - MSRD
  http://blogs.technet.com/srd/

. Microsoft Security (Brazil)
  http://www.microsoft.com/brasil/security/

CVE identifiers (http://cve.mitre.org): CVE-2009-3676, CVE-2009-0487, CVE-2010-0024, CVE-2010-0025, CVE-2010-0234, CVE-2010-0235, CVE-2010-0236, CVE-2010-0237, CVE-2010-0238, CVE-2010-0254, CVE-2010-0256, CVE-2010-0268, CVE-2010-0269, CVE-2010-0270, CVE-2010-0476, CVE-2010-0477, CVE-2010-0478, CVE-2010-0479, CVE-2010-0480, CVE-2010-0481, CVE-2010-0482, CVE-2010-0483, CVE-2010-0486, CVE-2010-0810, CVE-2010-0812

CAIS recommends that administrators keep their systems and applications up to date with the latest versions and fixes offered by the vendors.

CAIS alerts are also available in RSS/RDF format:
http://www.rnp.br/cais/alertas/rss.xml

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br            http://www.cais.rnp.br        #
# Tel. 019-37873300              Fax. 019-37873301             #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76

-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Thu Apr 15 12:18:28 2010
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 15 Apr 2010 12:18:28 -0300
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA10-103B -- Oracle Updates for Multiple Vulnerabilities
Message-ID: <20100415151828.GB45321@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA10-103B -- Oracle Updates for Multiple Vulnerabilities
To: technical-alerts em us-cert.gov
Date: Tue, 13 Apr 2010 18:15:02 -0400
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    National Cyber Alert System

              Technical Cyber Security Alert TA10-103B

Oracle Updates for Multiple Vulnerabilities

   Original release date: April 13, 2010
   Last revised: --
   Source: US-CERT

Systems Affected

   * Oracle Database 11g, versions 11.1.0.7 and 11.2.0.1
   * Oracle Database 10g Release 2, versions 10.2.0.3 and 10.2.0.4
   * Oracle Database 10g, version 10.1.0.5
   * Oracle Database 9i Release 2, versions 9.2.0.8 and 9.2.0.8DV
   * Oracle Application Server 10gR2, version 10.1.2.3.0
   * Oracle Identity Management 10g, versions 10.1.4.0.1 and 10.1.4.3
   * Oracle Collaboration Suite 10g, version 10.1.2.4
   * Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.5, 12.0.6, 12.1.1 and 12.1.2
   * Oracle E-Business Suite Release 11i, versions 11.5.10 and 11.5.10.2
   * Oracle Transportation Manager, versions 5.5.05.07, 5.5.06.00, and 6.0.03
   * Oracle Agile - Engineering Data Management, version 6.1.1.0
   * PeopleSoft Enterprise PeopleTools, versions 8.49 and 8.50
   * Oracle Communications Unified Inventory Management version 7.1
   * Oracle Clinical Remote Data Capture Option versions 4.5.3 and 4.6
   * Oracle Thesaurus Management System versions 4.5.2, 4.6 and 4.6.1
   * Oracle Retail Markdown Optimization version 13.1
   * Oracle Retail Place In-Season version 12.2
   * Oracle Retail Plan In-Season version 12.2
   * Oracle Sun Products Suite

Overview

   The Oracle products and components listed above are affected by multiple vulnerabilities. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.

I. Description

   The Oracle Critical Patch Update Advisory - April 2010 addresses 47 vulnerabilities in various Oracle products and components, including 16 vulnerabilities in Sun Solaris. The Advisory provides information about affected components, the access and authorization required for successful exploitation, and the impact of the vulnerabilities on data confidentiality, integrity, and availability. Oracle has associated CVE identifiers with the vulnerabilities addressed in this Critical Patch Update. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database.

II. Impact

   The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be reachable by unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to access sensitive information.

III. Solution

   Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update Advisory - April 2010. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed.

IV. References

   * Oracle Critical Patch Update Advisory - April 2010 -
   * Sun Security Blog -
   * Sun Product Alerts related to April 2010 CPU -

____________________________________________________________________

   The most recent version of this document can be found at:

____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA10-103B Feedback VU#591801" in the subject.
____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this mailing list, visit .
____________________________________________________________________

   Produced 2010 by US-CERT, a government organization.

   Terms of use:

____________________________________________________________________

Revision History

   April 13, 2010: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Thu Apr 15 12:18:53 2010
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 15 Apr 2010 12:18:53 -0300
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA10-103C -- Adobe Reader and Acrobat Vulnerabilities
Message-ID: <20100415151852.GC45321@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA10-103C -- Adobe Reader and Acrobat Vulnerabilities
To: technical-alerts em us-cert.gov
Date: Tue, 13 Apr 2010 18:22:58 -0400
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    National Cyber Alert System

              Technical Cyber Security Alert TA10-103C

Adobe Reader and Acrobat Vulnerabilities

   Original release date: April 13, 2010
   Last revised: --
   Source: US-CERT

Systems Affected

   * Adobe Reader 9.3.1 and earlier 9.x versions
   * Adobe Reader 8.2.1 and earlier versions
   * Adobe Acrobat 9.3.1 and earlier 9.x versions
   * Adobe Acrobat 8.2.1 and earlier versions

Overview

   Adobe has released Security Bulletin APSB10-09, which describes multiple vulnerabilities affecting Adobe Reader and Acrobat.

I. Description

   Adobe Security Bulletin APSB10-09 describes a number of vulnerabilities affecting Adobe Reader and Acrobat. These vulnerabilities affect Reader and Acrobat 9.3.1 and earlier 9.x versions, and 8.2.1 and earlier versions.

   An attacker could exploit these vulnerabilities by convincing a user to open a specially crafted PDF file. The Adobe Reader browser plug-in is available for multiple web browsers and operating systems, and it can automatically open PDF documents hosted on a website.

II. Impact

   These vulnerabilities could allow a remote attacker to execute arbitrary code, write arbitrary files or folders to the file system, escalate local privileges, or cause a denial of service on an affected system as the result of a user opening a malicious PDF document.

III. Solution

   Update

   Adobe has released updates to address this issue. Users are encouraged to read Adobe Security Bulletin APSB10-09 and update vulnerable versions of Adobe Reader and Acrobat.

   Adobe does not offer standalone installers of Reader or Acrobat versions 9.3.2 or 8.2.2. For a fresh installation, first install Adobe Reader 9.3.0 or 8.2.0 and then use the automatic update feature or install the appropriate update referenced in APSB10-09.

   Disable JavaScript in Adobe Reader and Acrobat

   Disabling JavaScript may prevent some exploits from resulting in code execution. Acrobat JavaScript can be disabled using the Preferences menu (Edit -> Preferences -> JavaScript; uncheck Enable Acrobat JavaScript).

   Adobe provides a framework to blacklist specific JavaScript APIs. If JavaScript must be enabled, this feature may be useful when specific APIs are known to be vulnerable or used in attacks.

   Prevent Internet Explorer from automatically opening PDF documents

   The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to a safer option that prompts the user by importing the following as a .REG file:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00

   Disable the display of PDF documents in the web browser

   Preventing PDF documents from opening inside a web browser will partially mitigate this vulnerability. If this workaround is applied, it may also mitigate future vulnerabilities. To prevent PDF documents from automatically being opened in a web browser, do the following:

   1. Open Adobe Acrobat Reader.
   2. Open the Edit menu.
   3. Choose the Preferences option.
   4. Choose the Internet section.
   5. Uncheck the "Display PDF in browser" checkbox.

   Do not access PDF documents from untrusted sources

   Do not open unfamiliar or unexpected PDF documents, particularly those hosted on websites or delivered as email attachments. Please see Cyber Security Tip ST04-010.

IV. References

   * Security update available for Adobe Reader and Acrobat -
   * Upcoming Adobe Reader and Acrobat 9.3.2 and 8.2.2 to be Delivered by New Updater -
   * Adobe Reader and Acrobat JavaScript Blacklist Framework -

____________________________________________________________________

   The most recent version of this document can be found at:

____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA10-103C Feedback VU#352598" in the subject.
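Added example, not part of the US-CERT alert: a PowerShell script that audits, and on request reverts, the Internet Explorer auto-open setting that TA10-103C addresses with the .REG file above. It assumes the ProgID is AcroExch.Document.7 as in the alert, and that the "open without prompting" behaviour is the FTA_OpenIsSafe bit (0x00010000) of EditFlags; run it from an elevated prompt.

```powershell
# Audit / revert the Adobe Reader "open PDFs in IE without prompting" flag.
# Added example; assumes ProgID AcroExch.Document.7 (from the alert) and the
# FTA_OpenIsSafe bit (0x00010000) of EditFlags as the no-prompt switch.
param(
    [switch]$Remediate   # without this switch the script only reports
)

$FTA_OPENISSAFE = 0x00010000
$progId  = 'AcroExch.Document.7'
$keyPath = "Registry::HKEY_CLASSES_ROOT\$progId"

if (-not (Test-Path $keyPath)) {
    Write-Output "$progId is not registered on this machine; nothing to check."
    exit 0
}

$item = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
$raw  = $item.EditFlags

# EditFlags may be REG_DWORD or, as in the alert's .REG file, REG_BINARY
# (little-endian). Normalise both representations to an unsigned 32-bit value.
$flags = [uint32]0
if ($null -ne $raw) {
    if ($raw -is [byte[]]) {
        $bytes = New-Object byte[] 4
        [Array]::Copy($raw, $bytes, [Math]::Min($raw.Length, 4))
        $flags = [BitConverter]::ToUInt32($bytes, 0)
    } else {
        $flags = [uint32]([int64]$raw -band 0xFFFFFFFF)
    }
}

$noPrompt = ($flags -band $FTA_OPENISSAFE) -ne 0
Write-Output ("EditFlags = 0x{0:X8}; IE opens PDFs without prompting: {1}" -f $flags, $noPrompt)

if ($noPrompt -and $Remediate) {
    # Record the previous value so the change can be undone later.
    $backup = Join-Path $env:TEMP "$progId-EditFlags-backup.txt"
    ("EditFlags=0x{0:X8}" -f $flags) | Set-Content -Path $backup
    # Same effect as importing the alert's .REG file: four zero bytes.
    Set-ItemProperty -Path $keyPath -Name EditFlags -Value ([byte[]](0,0,0,0)) -Type Binary
    Write-Output "EditFlags cleared; previous value saved to $backup."
}
```

Without -Remediate the script only reports, so it can be run across a fleet first to find machines where the installer left the prompt disabled.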
____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this mailing list, visit .
____________________________________________________________________

   Produced 2010 by US-CERT, a government organization.

   Terms of use:

____________________________________________________________________

Revision History

   April 13, 2010: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Fri Apr 23 10:02:20 2010
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Fri, 23 Apr 2010 10:02:20 -0300
Subject: [SECURITY-L] CAIS-Alerta: False positive in McAfee antivirus - April 2010
Message-ID: <20100423130218.GA1077@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: False positive in McAfee antivirus - April 2010
To: pop-seg em cais.rnp.br, rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Thu, 22 Apr 2010 17:30:07 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

McAfee has published an alert about a false-positive detection on Windows XP SP3 systems. According to the site [1], antivirus installations updated on 21 April 2010 with DAT 5958 will erroneously detect the file w32/wecorl.a as a malicious file.

Deleting this file or holding it in quarantine can cause a blue screen followed by a prompt to restart Windows XP SP3, rendering the operating system unusable.

McAfee recommends updating to DAT 5959, for both enterprise [2] and home [3] versions, to resolve the problem. If the computer has already been restarted without applying this update, follow this procedure:

. From a computer with Internet access, download the Recovery SuperDAT from [4] and save the file to portable media (a USB flash drive, for example);

. Run the downloaded file on the affected machines. If the file cannot be run on the affected machine, follow the procedure described at [5] to start Windows in Safe Mode;

. Restart the computer normally;

. Update the product to DAT 5959.

CAIS recommends that administrators keep their systems and applications up to date with the latest versions and fixes offered by the vendors.

CAIS alerts are also available in RSS/RDF format:
http://www.rnp.br/cais/alertas/rss.xml

[1] https://kc.mcafee.com/corporate/index?page=content&id=KB68780
[2] http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=us&segment=enterprise
[3] http://download.nai.com/products/mcafee-avert/tools/SDAT5958_EM.exe
[4] http://download.nai.com/products/mcafee-avert/tools/SDAT5958_EM.exe
[5] http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx?mfr=true

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br            http://www.cais.rnp.br        #
# Tel. 019-37873300              Fax. 019-37873301             #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76

-----END PGP SIGNATURE-----

----- End forwarded message -----