From security em unicamp.br Mon Jul 26 12:06:20 2010
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 26 Jul 2010 12:06:20 -0300
Subject: [SECURITY-L] CAIS Alert: Summary of Microsoft Security Bulletins - July 2010
Message-ID: <20100726150620.GA88787@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS Alert: Summary of Microsoft Security Bulletins - July 2010
To: pop-seg em cais.rnp.br, rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Tue, 13 Jul 2010 18:04:09 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

On 13 July Microsoft published 04 security bulletins that address a total of 04 vulnerabilities in the company's products. Exploitation of these vulnerabilities allows remote code execution.

At the time of publication of this summary there is active exploitation of one of the vulnerabilities in the bulletins: MS10-042 (CVE-2010-1885).

SEVERITY

. Critical

- MS10-042: Vulnerability in Microsoft Windows Help and Support Center
  Vulnerability that allows remote code execution

- MS10-043: Vulnerability in the Canonical Display Driver (cdd.dll)
  Vulnerability that allows remote code execution

- MS10-044: Vulnerability in Microsoft Office Access ActiveX controls
  Vulnerability that allows remote code execution

. Important

- MS10-045: Vulnerability in Microsoft Office Outlook
  Vulnerability that allows remote code execution

. Moderate

- No bulletins

. Low

- No bulletins

The vulnerability severity rating system adopted by CAIS in this summary is Microsoft's own. CAIS recommends applying, at a minimum, the fixes for vulnerabilities rated critical and important. For fixes for vulnerabilities rated moderate, CAIS recommends that at least the mitigation recommendations be followed.

. Critical - Vulnerabilities whose exploitation could allow a worm to propagate without user interaction.

. Important - Vulnerabilities whose exploitation could result in the compromise of the confidentiality, integrity or availability of user data, or of the integrity or availability of processing resources.

. Moderate - Exploitation is significantly mitigated by factors such as default configuration, auditing or difficulty of exploitation.

. Low - A vulnerability whose exploitation is extremely difficult or whose impact is minimal.

AVAILABLE FIXES

It is recommended to update systems to the versions available at:

. Microsoft Update
  https://www.update.microsoft.com/microsoftupdate/

. Windows Server Update Services
  http://www.microsoft.com/windowsserversystem/updateservices/default.mspx

MORE INFORMATION

. Microsoft Security Bulletin Summary for July 2010
  http://www.microsoft.com/technet/security/bulletin/ms10-jul.mspx

. SANS ISC Handler's Diary 2010-07-13 - July 2010 Microsoft Black Tuesday Summary
  http://isc.sans.edu/diary.html?storyid=9166

. MS10-042: Vulnerability in Help and Support Center Could Allow Remote Code Execution (2229593)
  http://www.microsoft.com/technet/security/Bulletin/MS10-042.mspx

. MS10-043: Vulnerability in Canonical Display Driver Could Allow Remote Code Execution (2032276)
  http://www.microsoft.com/technet/security/Bulletin/MS10-043.mspx

. MS10-044: Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Execution (982335)
  http://www.microsoft.com/technet/security/bulletin/MS10-044.mspx

. MS10-045: Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution (978212)
  http://www.microsoft.com/technet/security/bulletin/ms10-045.mspx

. Microsoft Security TechCenter
  http://technet.microsoft.com/pt-br/security/

. Microsoft Security Response Center - MSRC
  http://www.microsoft.com/security/msrc/

. Microsoft Security Research & Defense - MSRD
  http://blogs.technet.com/srd/

. Microsoft Security
  http://www.microsoft.com/brasil/security/

CVE identifiers (http://cve.mitre.org): CVE-2010-0266, CVE-2010-0814, CVE-2010-1881, CVE-2010-1885, CVE-2009-3678

CAIS recommends that administrators keep their systems and applications always up to date, in line with the latest versions and fixes offered by the vendors.

CAIS Alerts are also offered in RSS/RDF format: http://www.rnp.br/cais/alertas/rss.xml

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br           http://www.cais.rnp.br         #
# Tel. 019-37873300             Fax. 019-37873301              #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iQCVAwUBTDzU0Okli63F4U8VAQFTKAP+P7R2CyAy7CyygZh7p02iL73MaRxT20GA
9hMDauPKGTa8wOk6h+5JVAs3xWuA28D224/A5uMziLI7SH+3faiAg5I+SbEOR0zh
PBtIfOwe1UUzaX7fkprRIU3r35cjadE8ZJBvOuzrQ1wPNQezA1c8Kqy2xuBYu3T7
brEY+nQooY4=
=G6LE
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Mon Jul 26 12:06:43 2010
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 26 Jul 2010 12:06:43 -0300
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA10-194A -- Microsoft Updates for Multiple Vulnerabilities
Message-ID: <20100726150642.GB88787@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA10-194A -- Microsoft Updates for Multiple Vulnerabilities
To: technical-alerts em us-cert.gov
Date: Tue, 13 Jul 2010 17:20:22 -0400
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    National Cyber Alert System
              Technical Cyber Security Alert TA10-194A
          Microsoft Updates for Multiple Vulnerabilities

   Original release date: July 13, 2010
   Last revised: --
   Source: US-CERT

Systems Affected

   * Microsoft Windows
   * Microsoft Office

Overview

   Microsoft has released updates to address vulnerabilities in Microsoft Windows and Microsoft Office.

I. Description

   The Microsoft Security Bulletin Summary for July 2010 describes multiple vulnerabilities in Microsoft Windows and Microsoft Office. Microsoft has released updates to address the vulnerabilities.

   One of the bulletins released, MS10-042, addresses a previously identified vulnerability in the Windows Help and Support Center that is actively being exploited. This vulnerability was also described in US-CERT Vulnerability Note VU#578319.

II. Impact

   A remote, unauthenticated attacker could execute arbitrary code or cause a vulnerable system or application to crash.

III. Solution

   Apply updates

   Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for July 2010. The security bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).

IV. References

   * Microsoft Security Bulletin Summary for July 2010 -
   * Microsoft Security Bulletin MS10-042 -
   * US-CERT Vulnerability Note VU#578319 -
   * Microsoft Windows Server Update Services -

____________________________________________________________________

   The most recent version of this document can be found at:

____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA10-194A Feedback VU#578319" in the subject.
____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this mailing list, visit .
____________________________________________________________________

   Produced 2010 by US-CERT, a government organization.

   Terms of use:

____________________________________________________________________

Revision History

   July 13, 2010: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBTDzX2T6pPKYJORa3AQIMqAf8DAtXkaZDApO+QDMfycnnbMhgGHEcxT4/
rgdllq0xLXfTY7YlMUZiamqtJGcqibjlYJ6Hs62j7wXDjU7dhge9vKFij6AY6ZxY
fXss0Qa63RmslfHQNYoF34kfgtbrRLahbF7iBpNysXN7gHi/DC0WZ/AWCFxoxWvf
NhuFz/8h3BDFc6JprPMo+R2Y/YIegJAeds12awMxCkJh9iEuBLSoTrZ70IJBDObd
5NO5U/mwpCOJDedCCOiEZGKqfrrSXffpaunheuniTBSXJMzkYm9/jaqQ19Zb/+bb
9C4paLvLoH5rByEO7NWPzBlrFNr4WPUSlUf0UQEYcvWRZiCZoO/q/g==
=+OxL
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Mon Jul 26 12:07:04 2010
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 26 Jul 2010 12:07:04 -0300
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA10-194B -- Oracle Updates for Multiple Vulnerabilities
Message-ID: <20100726150703.GC88787@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA10-194B -- Oracle Updates for Multiple Vulnerabilities
To: technical-alerts em us-cert.gov
Date: Tue, 13 Jul 2010 17:38:09 -0400
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    National Cyber Alert System

              Technical Cyber Security Alert TA10-194B
            Oracle Updates for Multiple Vulnerabilities

   Original release date: July 13, 2010
   Last revised: --
   Source: US-CERT

Systems Affected

   * Oracle Database 11g Release 2, version 11.2.0.1
   * Oracle Database 11g Release 1, version 11.1.0.7
   * Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4
   * Oracle Database 10g, version 10.1.0.5
   * Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
   * Oracle TimesTen In-Memory Database, versions 7.0.5.1.0, 7.0.5.2.0, 7.0.5.3.0, 7.0.5.4.0
   * Oracle Secure Backup version 10.3.0.1
   * Oracle Application Server, 10gR2, version 10.1.2.3.0
   * Oracle Identity Management 10g, version 10.1.4.0.1
   * Oracle WebLogic Server 11gR1 releases (10.3.1, 10.3.2 and 10.3.3)
   * Oracle WebLogic Server 10gR3 release (10.3.0)
   * Oracle WebLogic Server 10.0 through MP2
   * Oracle WebLogic Server 9.0, 9.1, 9.2 through MP3
   * Oracle WebLogic Server 8.1 through SP6
   * Oracle WebLogic Server 7.0 through SP7
   * Oracle JRockit R28.0.0 and earlier (JDK/JRE 5 and 6)
   * Oracle JRockit R27.6.6 and earlier (JDK/JRE 1.4.2, 5 and 6)
   * Oracle Business Process Management, versions 5.7.3, 6.0.5, 10.3.1, 10.3.2
   * Oracle Enterprise Manager Grid Control 10g Release 5, version 10.2.0.5
   * Oracle Enterprise Manager Grid Control 10g Release 1, version 10.1.0.6
   * Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.5, 12.0.6, 12.1.1 and 12.1.2
   * Oracle E-Business Suite Release 11i, versions 11.5.10, 11.5.10.2
   * Oracle Transportation Manager, Versions: 5.5.05.07, 5.5.06.00, 6.0.03
   * PeopleSoft Enterprise Campus Solutions, version 9.0
   * PeopleSoft Enterprise CRM, versions 9.0 and 9.1
   * PeopleSoft Enterprise FSCM, versions 8.9, 9.0 and 9.1
   * PeopleSoft Enterprise HCM, versions 8.9, 9.0 and 9.1
   * PeopleSoft Enterprise PeopleTools, versions 8.49 and 8.50
   * Oracle Sun Product Suite

Overview

   The Oracle products and components listed above are affected by multiple vulnerabilities. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.

I. Description

   The Oracle Critical Patch Update Advisory - July 2010 addresses 59 vulnerabilities in various Oracle products and components, including 21 vulnerabilities in Sun products. The Advisory provides information about affected components, access and authorization required for successful exploitation, and the impact from the vulnerabilities on data confidentiality, integrity, and availability. Oracle has associated CVE identifiers with the vulnerabilities addressed in this Critical Patch Update. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database.

II. Impact

   The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to access sensitive information.

III. Solution

   Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update Advisory - July 2010. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed.

IV. References

   * Oracle Critical Patch Update Advisory - July 2010 -

____________________________________________________________________

   The most recent version of this document can be found at:

____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA10-194B Feedback " in the subject.
____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this mailing list, visit .
____________________________________________________________________

   Produced 2010 by US-CERT, a government organization.
   Terms of use:

____________________________________________________________________

Revision History

   July 13, 2010: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBTDzcAT6pPKYJORa3AQJQaQf/acWQGr1haaBqZfcM1+NBPBqeX9SajIk4
30wo+jCNHI4gQa2EmQj6AkZe1pgQn8k4UohQJFffDDQBoXSyJvZ2PXrL1/GvI/FG
LLemUn5SyeSvSpPO15vtfWYHqX/sDjA/OD7D0o5gA7GFpiL21GrrfFrKR8PVlrxH
oBxxdVN9q+/A04C8hDmH/lm/Q7vNC3P+UH7uJDOOJ+/58dEMi4OS8te3X3kClmhH
ZXZWYu+kPJuRD8h/xKLRO9dXjRB6H9GclRnqUUTH3VLArR+mn2K/dM+hceF8DujO
odrNm0rSsVKHfbIJWE1oxGAlcytLpSdo+pmZhKxajgR8++bhVrDF8g==
=jzlQ
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Tue Jul 27 09:11:39 2010
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Tue, 27 Jul 2010 09:11:39 -0300
Subject: [SECURITY-L] CAIS Alert: Dell server motherboards infected with spyware
Message-ID: <20100727121139.GA95450@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS Alert: Dell server motherboards infected with spyware
To: pop-seg em cais.rnp.br, rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Fri, 23 Jul 2010 14:34:12 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is relaying an alert about a possible infection in the embedded management systems of Dell PowerEdge servers, models R310, R410, R510 and T410.

It was announced on Dell's technical support forum [1] that some motherboards that were replaced in some PowerEdge servers could be infected with the W32.Spybot worm [2]. According to Dell, this worm was found in the motherboard's flash memory and not in its firmware.

According to Dell's reply on the forum, the company is contacting by telephone all customers who received motherboards from the batch that may have been infected.

At the time this alert was published, Dell had not made an official statement on the problem, answering questions about this incident only through the forum or through the e-mail address announced on the forum for this case [3]. On the forum, the company states that the customers who received the suspect batch of motherboards have already been contacted and that the remaining boards in stock have already been replaced.

Based on this incident, CAIS also warns of the possibility of receiving fraudulent e-mails (scams) offering the download of a tool to fix this problem.

AFFECTED SYSTEMS

. Dell PowerEdge rack servers, model R310
. Dell PowerEdge rack servers, model R410
. Dell PowerEdge rack servers, model R510
. Dell PowerEdge rack servers, model T410

AVAILABLE FIXES

It is recommended to contact your Dell representative.

MORE INFORMATION

[1] PowerEdge R410 replacement motherboard contains malware?!
    http://en.community.dell.com/support-forums/servers/f/956/t/19339458.aspx

[2] W32.Spybot.Worm
    http://www.symantec.com/security_response/writeup.jsp?docid=2003-053013-5943-99

[3] Dell contact e-mail: US_EEC_escalations em dell.com

. Dell PowerEdge R410 replacement motherboard firmware contains malware
  http://isc.sans.edu/diary.html?storyid=9223

CAIS recommends that administrators keep their systems and applications always up to date, in line with the latest versions and fixes offered by the vendors.

CAIS Alerts are also offered in RSS/RDF format: http://www.rnp.br/cais/alertas/rss.xml

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br           http://www.cais.rnp.br         #
# Tel. 019-37873300             Fax. 019-37873301              #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iQCVAwUBTEnSmukli63F4U8VAQGkuAQAoD2TyHG1l1waiijslo0cwTx9/hiN7WJ9
Au4Ey9R+sV7ncgF3tbsJGyMMQIjf0QW2HB9TBW8psuRbr7Q96PGWaVyyD1HImrJ0
HLSyAUfDKKqfp6wHtk8+lxpA0oqBLHzz9AcZuh7C8SRztytllRk3eyFp8dRuhacE
T3+Hz3W6Rbs=
=I8pR
-----END PGP SIGNATURE-----

----- End forwarded message -----
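Added example, not part of any of the forwarded messages above: a PowerShell check that complements the "apply updates" advice in the CAIS and US-CERT messages on the July 2010 Microsoft bulletins at the top of this digest. It reports, for one host, whether the KB articles named in the bulletin titles (2229593, 2032276, 982335, 978212, as quoted in the CAIS summary) appear among the installed hotfixes. The script, its ComputerName parameter and the decision to treat the two Office KBs separately are my own: Get-HotFix reads the Win32_QuickFixEngineering view, which normally records Windows updates but not Office updates, so an absent Office KB is reported as "not in QFE" rather than "MISSING".

```powershell
# Added example (not from the forwarded alerts): verify that the Windows
# updates from the July 2010 bulletins are installed on a host.
# KB numbers are the ones quoted in the bulletin titles in the CAIS summary.
# Assumption: run with administrative rights on the host, or against a
# remote host reachable by Get-HotFix's -ComputerName parameter.

param(
    [string]$ComputerName = $env:COMPUTERNAME
)

# Bulletin -> KB article number, as listed in the bulletin titles.
$bulletins = [ordered]@{
    'MS10-042' = 'KB2229593'   # Windows Help and Support Center (Windows update)
    'MS10-043' = 'KB2032276'   # Canonical Display Driver (Windows update)
    'MS10-044' = 'KB982335'    # Office Access ActiveX controls (Office update)
    'MS10-045' = 'KB978212'    # Office Outlook (Office update)
}

# Office updates are generally not recorded in the Win32_QuickFixEngineering
# class that Get-HotFix reads, so their absence here is inconclusive.
$officeOnly = @('MS10-044', 'MS10-045')

# One query for all installed hotfix IDs. A per-ID Get-HotFix -Id call raises
# a non-terminating error for every absent KB, which is noisier than needed.
$installed = Get-HotFix -ComputerName $ComputerName |
    Select-Object -ExpandProperty HotFixID

$report = foreach ($entry in $bulletins.GetEnumerator()) {
    $present = $installed -contains $entry.Value
    $status = if ($present) {
        'installed'
    } elseif ($officeOnly -contains $entry.Key) {
        'not in QFE (Office update; verify through Office update history)'
    } else {
        'MISSING'
    }
    [pscustomobject]@{
        Computer = $ComputerName
        Bulletin = $entry.Key
        KB       = $entry.Value
        Status   = $status
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code when a Windows update is missing, so the script can
# gate a compliance check or a WSUS reporting job.
if ($report | Where-Object Status -eq 'MISSING') { exit 1 } else { exit 0 }
```

Run it as `.\check-ms10-jul.ps1 -ComputerName SERVER01` (script name is my own) from an account allowed to query the target; a `MISSING` row for MS10-042 on a host is the one to act on first, since that bulletin is the one both alerts report as actively exploited.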