From security em unicamp.br Wed Feb 10 15:31:46 2010
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 10 Feb 2010 15:31:46 -0200
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA10-040A -- Microsoft Updates for Multiple Vulnerabilities
Message-ID: <20100210173146.GA29527@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA10-040A -- Microsoft Updates for Multiple Vulnerabilities
To: technical-alerts em us-cert.gov
Date: Tue, 9 Feb 2010 15:51:03 -0500
Organization: US-CERT - +1 202-205-5266

                    National Cyber Alert System
              Technical Cyber Security Alert TA10-040A

Microsoft Updates for Multiple Vulnerabilities

   Original release date:
   Last revised: --
   Source: US-CERT

Systems Affected

   * Microsoft Windows and Windows Server
   * Microsoft Internet Explorer
   * Microsoft Office

Overview

   Microsoft has released updates to address vulnerabilities in Microsoft Windows, Windows Server, Internet Explorer, and Microsoft Office.

I. Description

   Microsoft has released multiple security bulletins for critical vulnerabilities in Microsoft Windows, Windows Server, Internet Explorer, and Microsoft Office. These bulletins are described in the Microsoft Security Bulletin Summary for February 2010.

II. Impact

   A remote, unauthenticated attacker could execute arbitrary code, gain elevated privileges, or cause a vulnerable application or system to crash.

III. Solution

   Apply updates from Microsoft

   Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for February 2010. The security bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects.

   Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).

IV. References

   * Microsoft Security Bulletin Summary for February 2010 -
   * Microsoft Windows Server Update Services -

 ____________________________________________________________________

   The most recent version of this document can be found at:

 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA10-040A Feedback VU#799780" in the subject.

 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this mailing list, visit .

 ____________________________________________________________________

   Produced 2010 by US-CERT, a government organization.

   Terms of use:

 ____________________________________________________________________

   Revision History

   February 09, 2010: Initial release

----- End forwarded message -----


From security em unicamp.br Fri Feb 12 13:37:51 2010
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Fri, 12 Feb 2010 13:37:51 -0200
Subject: [SECURITY-L] CAIS-Alerta: Summary of Microsoft Security Bulletins - February 2010
Message-ID: <20100212153750.GA37523@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Summary of Microsoft Security Bulletins - February 2010
To: pop-seg em cais.rnp.br, rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Fri, 12 Feb 2010 11:59:50 -0200 (BRST)

Dear all,

Microsoft published 13 security bulletins on 9 February, addressing a total of 25 vulnerabilities in the company's products. Exploitation of these vulnerabilities ranges from denial of service (DoS) to remote code execution.

At the time this summary was published, there were reports of publicly available exploit code for the vulnerabilities covered by bulletin MS10-015 (Windows Kernel).

SEVERITY

. Critical

- MS10-006: Vulnerabilities in the SMB client
  Vulnerabilities allowing remote code execution

- MS10-007: Vulnerability in Windows Shell Handler
  Vulnerability allowing remote code execution

- MS10-008: Vulnerability in ActiveX Kill Bits
  Cumulative security update

- MS10-009: Vulnerabilities in Windows TCP/IP
  Vulnerabilities allowing remote code execution

- MS10-013: Vulnerability in Microsoft DirectShow
  Vulnerability allowing remote code execution

. Important

- MS10-003: Vulnerability in Microsoft Office (MSO)
  Vulnerability allowing remote code execution

- MS10-004: Vulnerabilities in Microsoft Office PowerPoint
  Vulnerabilities allowing remote code execution

- MS10-010: Vulnerability in Windows Server 2008 Hyper-V
  Vulnerability allowing denial of service (DoS)

- MS10-011: Vulnerability in the Windows Client/Server Run-Time Subsystem
  Vulnerability allowing elevation of a user's privileges

- MS10-012: Vulnerabilities in SMB Server
  Vulnerabilities allowing remote code execution

- MS10-014: Vulnerability in Kerberos
  Vulnerability allowing remote code execution

- MS10-015: Vulnerabilities in the Windows Kernel
  Vulnerabilities allowing elevation of a user's privileges

. Moderate

- MS10-005: Vulnerability in Microsoft Paint
  Vulnerability allowing remote code execution

. Low

- No bulletins

The vulnerability severity classification used by CAIS in this summary is Microsoft's own. CAIS recommends applying, at a minimum, the fixes for vulnerabilities rated critical and important. For fixes for vulnerabilities rated moderate, CAIS recommends that at least the mitigation recommendations be followed.

. Critical - Vulnerabilities whose exploitation could allow a worm to propagate without any user interaction.

. Important - Vulnerabilities whose exploitation could result in the compromise of the confidentiality, integrity or availability of user data, or of the integrity or availability of processing resources.

. Moderate - Exploitation is significantly mitigated by factors such as default configuration, auditing or difficulty of exploitation.

. Low - A vulnerability whose exploitation is extremely difficult or whose impact is minimal.

AVAILABLE FIXES

It is recommended to update systems to the versions available at:

. Microsoft Update
  https://www.update.microsoft.com/microsoftupdate/

. Windows Server Update Services
  http://www.microsoft.com/windowsserversystem/updateservices/default.mspx

MORE INFORMATION

. Microsoft Security Bulletin Summary for February 2010
  https://www.microsoft.com/technet/security/bulletin/ms10-feb.mspx

. SANS ISC Handler's Diary 2010-02-09 - February 2010 Black Tuesday Overview
  http://isc.sans.org/diary.html?storyid=8197

. MS10-003: Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution (978214)
  http://www.microsoft.com/technet/security/bulletin/MS10-003.mspx

. MS10-004: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (975416)
  http://www.microsoft.com/technet/security/Bulletin/MS10-004.mspx

. MS10-005: Vulnerability in Microsoft Paint Could Allow Remote Code Execution (978706)
  http://www.microsoft.com/technet/security/bulletin/ms10-005.mspx

. MS10-006: Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251)
  http://www.microsoft.com/technet/security/Bulletin/MS10-006.mspx

. MS10-007: Vulnerability in Windows Shell Handler Could Allow Remote Code Execution (975713)
  http://www.microsoft.com/technet/security/bulletin/MS10-007.mspx

. MS10-008: Cumulative Security Update of ActiveX Kill Bits (978262)
  http://www.microsoft.com/technet/security/bulletin/ms10-008.mspx

. MS10-009: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145)
  http://www.microsoft.com/technet/security/Bulletin/MS10-009.mspx

. MS10-010: Vulnerability in Windows Server 2008 Hyper-V Could Allow Denial of Service (977894)
  http://www.microsoft.com/technet/security/bulletin/MS10-010.mspx

. MS10-011: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (978037)
  http://www.microsoft.com/technet/security/Bulletin/MS10-011.mspx

. MS10-012: Vulnerabilities in SMB Server Could Allow Remote Code Execution (971468)
  http://www.microsoft.com/technet/security/Bulletin/MS10-012.mspx

. MS10-013: Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (977935)
  http://www.microsoft.com/technet/security/bulletin/MS10-013.mspx

. MS10-014: Vulnerability in Kerberos Could Allow Denial of Service (977290)
  http://www.microsoft.com/technet/security/bulletin/MS10-014.mspx

. MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)
  http://www.microsoft.com/technet/security/Bulletin/MS10-015.mspx

. Microsoft Security TechCenter
  http://technet.microsoft.com/pt-br/security/

. Microsoft Security Response Center - MSRC
  http://www.microsoft.com/security/msrc/

. Microsoft Security Research & Defense - MSRD
  http://blogs.technet.com/srd/

. Microsoft Security
  http://www.microsoft.com/brasil/security/

CVE identifiers (http://cve.mitre.org):
CVE-2010-0016, CVE-2010-0017, CVE-2010-0020, CVE-2010-0021, CVE-2010-0022, CVE-2010-0023, CVE-2010-0026, CVE-2010-0027, CVE-2010-0028, CVE-2010-0029, CVE-2010-0031, CVE-2010-0032, CVE-2010-0033, CVE-2010-0034, CVE-2010-0035, CVE-2010-0231, CVE-2010-0232, CVE-2010-0233, CVE-2010-0239, CVE-2010-0240, CVE-2010-0241, CVE-2010-0242, CVE-2010-0243, CVE-2010-0250, CVE-2010-0252

CAIS recommends that administrators keep their systems and applications up to date with the latest versions and fixes offered by the vendors.

CAIS alerts are also offered in RSS/RDF format:
http://www.rnp.br/cais/alertas/rss.xml

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)        #
# Rede Nacional de Ensino e Pesquisa (RNP)                      #
#                                                              #
# cais em cais.rnp.br           http://www.cais.rnp.br         #
# Tel. 019-37873300            Fax. 019-37873301               #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################

----- End forwarded message -----


From security em unicamp.br Thu Feb 25 08:28:36 2010
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 25 Feb 2010 08:28:36 -0300
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA10-055A -- Malicious Activity Associated with "Aurora" Internet Explorer Exploit
Message-ID: <20100225112835.GA61207@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA10-055A -- Malicious Activity Associated with "Aurora" Internet Explorer Exploit
To: technical-alerts em us-cert.gov
Date: Wed, 24 Feb 2010 19:31:00 -0500
Organization: US-CERT - +1 202-205-5266

                    National Cyber Alert System
              Technical Cyber Security Alert TA10-055A

Malicious Activity Associated with "Aurora" Internet Explorer Exploit

   Original release date:
   Last revised: --
   Source: US-CERT

Systems Affected

   * Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
   * Microsoft Internet Explorer 6, 7, and 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows 2008, Windows 7, and Windows Server 2008 R2

Overview

   Malicious activity detected in mid-December targeted at least 20 organizations representing multiple industries including chemical, finance, information technology, and media.
   Investigation into this activity revealed that third parties routinely accessed the personal email accounts of dozens of users based in the United States, China, and Europe. Further analysis revealed these users were victims of previous phishing scams through which threat actors successfully gained access to their email accounts.

I. Description

   Through analysis of the malware used in this incident, McAfee discovered one of the malware samples exploited a vulnerability in Microsoft Internet Explorer (IE). The vulnerability exists as an invalid pointer reference within IE and, if successfully exploited, allows for remote code execution. Microsoft has released Security Bulletin MS10-002, which provides updates for Internet Explorer that address this and other vulnerabilities.

   US-CERT is providing technical indicators that can be incorporated into an organization's security posture to detect and mitigate any malicious activity. Please see for further detail.

   The following signatures can be deployed to assist in detecting malicious activity associated with this incident:

   Primary Malware Beacon

      alert tcp any any -> any any (msg:"Targeted Malware Communication Beacon Detected"; flow:to_server,established; dsize:20; content:"|ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff|"; depth:20; sid:7777777; rev:1;)

   Secondary Malware Beacon

      alert tcp any any <> any any (msg:"ORC:DIS:BEACON_380DFF"; content:"|38 0d ff 0a d7 ee 9d d7 ec 59 13 56|"; sid:99980060; rev:1;)

   Note: US-CERT has not verified or tested these signatures and recommends proper testing prior to deployment.

II. Impact

   By convincing a user to view a specially crafted HTML document or Microsoft Office document, an attacker may be able to execute arbitrary code with the privileges of the user.

III. Solution

   The Internet Explorer vulnerability used in these attacks is addressed with the updates provided in Microsoft Security Bulletin MS10-002.
   Other recommendations include:

   * As a best practice, limit end-user permissions on systems by granting minimal administrative rights.
   * Enable Data Execution Prevention (DEP) for IE 6 Service Pack 2 or IE 7. IE 8 automatically enables DEP.
   * Inspect network traffic history for communication with external systems associated with the attack.
   * Examine computers for specific files or file attributes related to the attack.

IV. References

   * How Can I Tell if I Was Infected By Aurora? -
   * How do I know if my organization has been infected? -
   * McAfee Labs Tools Aurora Stinger 10.0.1.765 -
   * Operation Aurora Hit Google, Others -
   * Vulnerability in Internet Explorer Could Allow Remote Code Execution -
   * Microsoft Security Bulletin MS10-002 -

 ____________________________________________________________________

   The most recent version of this document can be found at:

   Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA10-055A Feedback VU#492515" in the subject.

   Revision History

   February 24, 2010: Initial release

----- End forwarded message -----
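As an added example (not part of the US-CERT alert or any tool it cites), the two Snort beacon signatures in TA10-055A re-implemented as plain Python matchers, so that the effect of their dsize, depth and flow options can be checked offline before the rules are deployed; the flow tuples are constructed test data, and TCP "established" state is assumed to be tracked by whatever feeds the matcher.

```python
# Added example: plain-Python mirror of the two Snort beacon rules in TA10-055A.
# Sample payloads below are constructed test data, not real captures.

# content:"|ff ff ... 88 ff|" from the primary rule (20 bytes)
PRIMARY_BEACON = bytes.fromhex("ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff")
# content:"|38 0d ff 0a d7 ee 9d d7 ec 59 13 56|" from the secondary rule (12 bytes)
SECONDARY_BEACON = bytes.fromhex("38 0d ff 0a d7 ee 9d d7 ec 59 13 56")


def match_primary_beacon(payload: bytes, to_server: bool) -> bool:
    """Primary rule: flow:to_server; dsize:20; content ...; depth:20.

    dsize:20 requires a TCP payload of exactly 20 bytes and depth:20 confines
    the content search to the first 20 bytes, so only a payload that is the
    beacon itself can match. 'established' state is assumed tracked upstream.
    """
    if not to_server or len(payload) != 20:
        return False
    return payload[:20].find(PRIMARY_BEACON) != -1


def match_secondary_beacon(payload: bytes) -> bool:
    """Secondary rule: bidirectional (<>), no dsize or depth, so the 12-byte
    marker may sit anywhere in the payload in either direction."""
    return SECONDARY_BEACON in payload


def scan(flows):
    """Return (msg, flow_id) alerts for (flow_id, to_server, payload) tuples."""
    alerts = []
    for flow_id, to_server, payload in flows:
        if match_primary_beacon(payload, to_server):
            alerts.append(("Targeted Malware Communication Beacon Detected", flow_id))
        if match_secondary_beacon(payload):
            alerts.append(("ORC:DIS:BEACON_380DFF", flow_id))
    return alerts


# Constructed sample flows covering the edge cases the rule options encode.
SAMPLE_FLOWS = [
    ("flow-1", True, PRIMARY_BEACON),             # exact 20-byte client beacon: alert
    ("flow-2", True, PRIMARY_BEACON + b"\x00"),   # 21 bytes: dsize:20 fails, no alert
    ("flow-3", False, PRIMARY_BEACON),            # server->client: flow:to_server fails
    ("flow-4", False, b"HTTP/1.1 200 OK\r\n" + SECONDARY_BEACON + b"\r\n"),  # marker mid-stream
    ("flow-5", True, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),    # benign
]

if __name__ == "__main__":
    for msg, flow_id in scan(SAMPLE_FLOWS):
        print(f"ALERT {flow_id}: {msg}")
```

Running it reports only flow-1 (primary) and flow-4 (secondary), which shows why the 20-byte rule stays quiet on a 21-byte payload or on server-to-client traffic while the secondary marker fires in either direction.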