From security em unicamp.br Wed Jul 13 11:10:28 2011 From: security em unicamp.br (CSIRT - UNICAMP) Date: Wed, 13 Jul 2011 11:10:28 -0300 Subject: [SECURITY-L] [technical-alerts@us-cert.gov: US-CERT Technical Cyber Security Alert TA11-193A -- Microsoft Updates for Multiple Vulnerabilities] Message-ID: <20110713141028.GC42479@unicamp.br> ----- Forwarded message from US-CERT Technical Alerts ----- From: US-CERT Technical Alerts Subject: US-CERT Technical Cyber Security Alert TA11-193A -- Microsoft Updates for Multiple Vulnerabilities To: technical-alerts em us-cert.gov Date: Tue, 12 Jul 2011 14:45:33 -0400 Organization: US-CERT - +1 202-205-5266 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA11-193A Microsoft Updates for Multiple Vulnerabilities Original release date: July 12, 2011 Last revised: -- Source: US-CERT Systems Affected * Microsoft Windows * Microsoft Office Overview There are multiple vulnerabilities in Microsoft Windows and Office. Microsoft has released updates to address these vulnerabilities. I. Description The Microsoft Security Bulletin Summary for July 2011 describes multiple vulnerabilities in Microsoft Windows and Office. Microsoft has released updates to address the vulnerabilities. II. Impact A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system. III. Solution Apply updates Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for July 2011. That bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). IV. References * Microsoft Security Bulletin Summary for July 2011 - * Microsoft Windows Server Update Services - ____________________________________________________________________ The most recent version of this document can be found at: ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA11-193A Feedback VU#938739" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit . ____________________________________________________________________ Produced 2011 by US-CERT, a government organization. Terms of use: ____________________________________________________________________ Revision History July 12, 2011: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBThyVKT6pPKYJORa3AQL2tgf/SuTW8ObdgThMs3IhDkVJ0tBNGuL8q9zQ pqOedeeqKf77KNPBUDfA3M1ejooTHDsIe1d1mdatCP+HlAALZ51wdWhiY7tV3teQ GHcdRwEhlOGjS5lOg3Ina96i55p/Z4Ul+piFAP3C5zfJ1bayTsEqeBiQGNWqWtcK c7bKjBG+wPZmjfTr5MJUTnNrouMLe4HlrviMLACB0ePqH0VoKQ8GpHNFhLea4fKP m++hNhL7qCxCHPxokslZFQet2Pk+yOl1eDo+KJ/HjLmebmz7CSw39AU0e3vAmIe9 usj4N0wqLVfWfvyd6IAvAIA1dsb34yu3a7ve7O468y7Tvfd1ZLU28w== =l1yx -----END PGP SIGNATURE----- ----- End forwarded message ----- From security em unicamp.br Wed Jul 13 11:11:04 2011 From: security em unicamp.br (CSIRT - UNICAMP) Date: Wed, 13 Jul 2011 11:11:04 -0300 Subject: [SECURITY-L] [cais@cais.rnp.br: CAIS-Alerta: Resumo dos Boletins de Segurana Microsoft - Julho/2011] Message-ID: <20110713141104.GD42479@unicamp.br> ----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca ----- From: Centro de Atendimento a Incidentes de Seguranca Subject: CAIS-Alerta: Resumo dos Boletins de Segurança Microsoft - Julho/2011 To: pop-seg em cais.rnp.br, rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br Date: Wed, 13 Jul 2011 09:41:06 -0300 (BRT) -----BEGIN PGP SIGNED MESSAGE----- Prezados, A Microsoft publicou 4 boletins de segurança em 12 de julho que abordam ao todo 22 vulnerabilidades em produtos da empresa. A exploração destas vulnerabilidades permitem execução remota de código e elevação de privilégios de usuários locais conectados. No momento da publicação deste resumo há exploração ativa de uma das vulnerabilidades do boletim, MS11-055. SEVERIDADE . Crítica - MS11-053 - Vulnerabilidade no suporte a Bluetooth do Microsoft Windows que permite execução remota de código. . Importante - MS11-054 - Vulnerabilidade nos drivers kernel-mode do Microsoft Windows que permitem elevação de privilégios de usuários locais conectados. - MS11-055 - Vulnerabilidade no Microsoft Visio que permite execução remota de código. - MS11-056 - Vulnerabilidades no Microsoft Windows CSRSS (Client/Server Run-time Subsystem) que permitem elevação de privilégios de usuários locais conectados. . Moderada - Nenhum boletim . Baixa - Nenhum boletim O sistema de classificação de severidade das vulnerabilidades adotado pelo CAIS neste resumo é o da própria Microsoft. O CAIS recomenda que se aplique, minimamente, as correções para vulnerabilidades classificadas como crítica e importante. No caso de correções para vulnerabilidades classificadas como moderadas o CAIS recomenda que ao menos as recomendações de mitigação sejam seguidas. . Crítica - Vulnerabilidades cuja exploração possa permitir a propagação de um worm sem a necessidade de interação com o usuário. . Importante - Vulnerabilidades cuja exploração possa resultar no comprometimento de confidencialidade, integridade ou disponibilidade de dados de usuários ou a integridade ou disponibilidade de recursos de processamento. . Moderada - exploração é mitigada significativamente por fatores como configuração padrão, auditoria ou dificuldade de exploração. . Baixa - uma vulnerabilidade cuja exploração seja extremamente difícil ou cujo impacto seja mínimo. CORREÇÕES DISPONÍVEIS Recomenda-se atualizar os sistemas para as versões disponíveis em: . Microsoft Update https://www.update.microsoft.com/microsoftupdate/ . Windows Server Update Services http://www.microsoft.com/windowsserversystem/updateservices/default.mspx MAIS INFORMAÇÕES . Microsoft Security Bulletin Summary for July 2011 http://www.microsoft.com/technet/security/bulletin/ms11-jul.mspx . Microsoft TechCenter de Segurança http://technet.microsoft.com/pt-br/security/ . Microsoft Security Response Center - MSRC http://www.microsoft.com/security/msrc/ . Microsoft Security Research & Defense - MSRD http://blogs.technet.com/srd/ . Segurança Microsoft http://www.microsoft.com/brasil/security/ . SANS ISC Handler's Diary - July 2011 Microsoft Black Tuesday Overview http://isc.sans.org/diary.html?storyid=11191 . MS11-053 - Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (2566220) http://www.microsoft.com/technet/security/Bulletin/MS11-053.mspx . MS11-054 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2555917) http://www.microsoft.com/technet/security/bulletin/ms11-054.mspx . MS11-055 - Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2560847) http://www.microsoft.com/technet/security/Bulletin/MS11-055.mspx . MS11-056 - Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2507938) http://www.microsoft.com/technet/security/bulletin/ms11-056.mspx Identificador CVE (http://cve.mitre.org): CVE-2010-3148, CVE-2011-1265, CVE-2011-1281, CVE-2011-1282, CVE-2011-1283, CVE-2011-1284, CVE-2011-1870, CVE-2011-1874, CVE-2011-1875, CVE-2011-1876, CVE-2011-1877, CVE-2011-1878, CVE-2011-1879, CVE-2011-1880, CVE-2011-1881, CVE-2011-1882, CVE-2011-1883, CVE-2011-1884, CVE-2011-1885, CVE-2011-1886, CVE-2011-1887, CVE-2011-1888 O CAIS recomenda que os administradores mantenham seus sistemas e aplicativos sempre atualizados, de acordo com as últimas versões e correções oferecidas pelos fabricantes. Os Alertas do CAIS também são oferecidos no formato RSS/RDF e no Twitter: http://www.rnp.br/cais/alertas/rss.xml Siga @cais_rnp Atenciosamente, ################################################################ # CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS) # # Rede Nacional de Ensino e Pesquisa (RNP) # # # # cais em cais.rnp.br http://www.cais.rnp.br # # Tel. 019-37873300 Fax. 019-37873301 # # Chave PGP disponivel http://www.rnp.br/cais/cais-pgp.key # ################################################################ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) Comment: Made with pgp4pine 1.76 iQCVAwUBTh2Sgekli63F4U8VAQHQcwP+PwZs3hBGVsdOquYmUs5QcMqNnwCjKQkg uQWAKhgd52UaIhnS/gc5IVEMWzLnGa6Ekx4InZs+2VbB8eDrC0JMqHimryYnrPi5 wCevDAjAnLtNt0reTR6kBtKUF/FpdY87evXva4DUnngxnf72RPuMgtbcVM5aLbVO n6jI8uhov4o= =0nGm -----END PGP SIGNATURE----- ----- End forwarded message ----- From security em unicamp.br Wed Jul 20 09:19:47 2011 From: security em unicamp.br (CSIRT - UNICAMP) Date: Wed, 20 Jul 2011 09:19:47 -0300 Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA11-200A -- Security Recommendations to Prevent Cyber Intrusions Message-ID: <20110720121947.GA15668@unicamp.br> ----- Forwarded message from US-CERT Technical Alerts ----- From: US-CERT Technical Alerts Subject: US-CERT Technical Cyber Security Alert TA11-200A -- Security Recommendations to Prevent Cyber Intrusions To: technical-alerts em us-cert.gov Date: Tue, 19 Jul 2011 17:18:29 -0400 Organization: US-CERT - +1 202-205-5266 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA11-200A Security Recommendations to Prevent Cyber Intrusions Original release date: July 19, 2011 Last revised: -- Source: US-CERT Overview US-CERT is providing this Technical Security Alert in response to recent, well-publicized intrusions into several government and private sector computer networks. Cyber thieves, hacktivists, pranksters, nation-states, and malicious coders for hire all pose serious threats to the security of both government and private sector networks. A comprehensive security program provides the best defense against the full spectrum of threats that our computer networks face today. Network administrators and technical managers should not only follow the recommended security controls information systems outlined in NIST 800-53 but also consider the following measures. These measures include both tactical and strategic mitigations and are intended to enhance existing security programs. Recommendations * Deploy a Host Intrusion Detection System (HIDS) to help block and identify common attacks. * Use an application proxy in front of web servers to filter out malicious requests. * Ensure that the "allow URL_fopen" is disabled on the web server to help limit PHP vulnerabilities from remote file inclusion attacks. * Limit the use of dynamic SQL code by using prepared statements, queries with parameters, or stored procedures whenever possible. Information on SQL injections is available at . * Follow the best practices for secure coding and input validation; use the secure coding guidelines available at: and . * Review US-CERT documentation regarding distributed denial-of-service attacks: and . * Disable active scripting support in email attachments unless required to perform daily duties. * Consider adding the following measures to your password and account protection plan.* Use a two factor authentication method for accessing privileged root level accounts. * Use minimum password length of 15 characters for administrator accounts. * Require the use of alphanumeric passwords and symbols. * Enable password history limits to prevent the reuse of previous passwords. * Prevent the use of personal information as password such as phone numbers and dates of birth. * Require recurring password changes every 60-90 days. * Deploy NTLMv2 as the minimum authentication method and disable the use of LAN Managed passwords. * Use minimum password length of 8 characters for standard users. * Disable local machine credential caching if not required through the use of Group Policy Object (GPO). For more information on this topic see Microsoft Support articles 306992 and 555631. * Deploy a secure password storage policy that provides password encryption. * If an administrator account is compromised, change the password immediately to prevent continued exploitation. Changes to administrator account passwords should only be made from systems that are verified to be clean and free from malware. * Implement guidance and policy to restrict the use of personal equipment for processing or accessing official data or systems (e.g., working from home or using a personal device while at the office). * Develop policies to carefully limit the use of all removable media devices, except where there is a documented valid business case for its use. These business cases should be approved by the organization with guidelines for there use. * Implement guidance and policies to limit the use of social networking services at work, such as personal email, instant messaging, Facebook, Twitter, etc., except where there is a valid approved business case for its use. * Adhere to network security best practices. See for more information. * Implement recurrent training to educate users about the dangers involved in opening unsolicited emails and clicking on links or attachments from unknown sources. Refer to NIST SP 800-50 for additional guidance. * Require users to complete the agency's "acceptable use policy" training course (to include social engineering sites and non-work related uses) on a recurring basis. * Ensure that all systems have up-to-date patches from reliable sources. Remember to scan or hash validate for viruses or modifications as part of the update process. ____________________________________________________________________ The most recent version of this document can be found at: ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA11-200A Feedback INFO#706140" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit . ____________________________________________________________________ Produced 2011 by US-CERT, a government organization. Terms of use: ____________________________________________________________________ Revision History July 19, 2011: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBTiXz1j6pPKYJORa3AQKUOwf+Ij8XMOYEWhPi6aZz+/Ke7DJ/e0oF3DGb 06j7yl5y6pobCu5p80W+gDN6V0A3j2Z0OddFqiqV/TnBQWiyv8Bxx5okcfE01dDk mNAuFZWqELD3l4sgeNwbZp56z5LLi8NB40Bwgquama9u/98gYHSN5xTQBqBVlV2i HMDlU2KCqXCN9XIbxpE/z3By4ADvRh6uIulRjJUnGnTWFMBQpc/YmPy+j4WZRpJz AjVY6V/V2Qe9DGM/A+K0CURqYUtaXOtB9t8OtC4WeyPIZ6GjKAjj3MQ0n8KI+YFW gBVFbTWmSwRnsX/+LWgAUGPKOrgYQnAKo0Hf4K0vsW4T1039w1sewA== =Iaax -----END PGP SIGNATURE----- ----- End forwarded message -----