From security em unicamp.br Tue Jun 5 09:37:16 2012
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Tue, 5 Jun 2012 12:37:16 +0000
Subject: [SECURITY-L] [certbr-anuncios] Version 4.0 of the Cartilha de Seguranca para Internet released
Message-ID: <20120605123716.GA45794@unicamp.br>

-------- Original Message --------
Subject: [certbr-anuncios] Version 4.0 of the Cartilha de Seguranca para Internet released
Date: Mon, 4 Jun 2012 13:34:54 -0300
From: CERT.br
To: certbr-anuncios em listas.cert.br

Version 4.0 of the Cartilha de Segurança para Internet has been released.

With updated content covering topics such as social networks and mobile phones, the Cartilha presents in Chapter 1 an introduction to the importance of using the Internet, the risks and the necessary precautions. Chapters 2 through 6 present the risks in more detail, while Chapters 7 through 13 focus mainly on the precautions to be taken and the existing security mechanisms.

In addition, the Cartilha is now illustrated and brings important technical innovations, such as Creative Commons licensing (CC BY-NC-ND 3.0) and availability in HTML5. Soon it will also be possible to access it in e-book format (ePub).

See the complete Cartilha at: http://cartilha.cert.br/

Regards,
--
CERT.br
http://www.cert.br/
_______________________________________________
certbr-anuncios mailing list
certbr-anuncios em listas.cert.br
https://listas.cert.br/mailman/listinfo/certbr-anuncios

----- End forwarded message -----

From security em unicamp.br Tue Jun 5 10:10:13 2012
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Tue, 5 Jun 2012 13:10:13 +0000
Subject: [SECURITY-L] US-CERT Alert TA12-156A -- Microsoft Windows Unauthorized Digital Certificates
Message-ID: <20120605131013.GB45794@unicamp.br>

----- Forwarded message from US-CERT Alerts -----

From: US-CERT Alerts
Subject: US-CERT Alert TA12-156A -- Microsoft Windows Unauthorized Digital Certificates
To: technical-alerts em us-cert.gov
Date: Mon, 4 Jun 2012 18:03:45 -0400
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System
Technical Cyber Security Alert TA12-156A

Microsoft Windows Unauthorized Digital Certificates

Original release date: June 04, 2012
Last revised: --
Source: US-CERT

Systems Affected

All supported versions of Microsoft Windows, including:

  * Windows XP and Server 2003
  * Windows Vista and Server 2008
  * Windows 7 and Server 2008 R2
  * Windows 8 Consumer Preview
  * Windows Mobile and Phone

Overview

X.509 digital certificates issued by the Microsoft Terminal Services licensing certificate authority (CA) can be illegitimately used to sign code. This problem was discovered in the Flame malware. Microsoft has released updates to revoke trust in the affected certificates.

Description

Microsoft Security Advisory (2718704) warns of active attacks using illegitimate certificates issued by the Microsoft Terminal Services licensing certificate authority (CA). There appear to be problems with some combination of weak cryptography and certificate usage configuration.

From an MSRC blog post:

   We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.

From another MSRC blog post:

   What we found is that certificates issued by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft. Specifically, when an enterprise customer requests a Terminal Services activation license, the certificate issued by Microsoft in response to the request allows code signing without accessing Microsoft's internal PKI infrastructure.

The following details about the affected certificates were provided in Microsoft Security Advisory (2718704):

   Certificate: Microsoft Enforced Licensing Intermediate PCA
   Issued by:   Microsoft Root Authority
   Thumbprint:  2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70

   Certificate: Microsoft Enforced Licensing Intermediate PCA
   Issued by:   Microsoft Root Authority
   Thumbprint:  3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08

   Certificate: Microsoft Enforced Licensing Registration Authority CA (SHA1)
   Issued by:   Microsoft Root Certificate Authority
   Thumbprint:  fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97

Impact

An attacker could obtain a certificate that could be used to illegitimately sign code as Microsoft. The signed code could then be used in a variety of attacks in which the code would appear to be trusted by Windows. An attacker could offer software that appeared to be signed by a valid and trusted Microsoft certificate chain.
As noted in an MSRC blog post, "...some components of the [Flame] malware have been signed by certificates that allow software to appear as if it was produced by Microsoft."

Solution

It is important to act quickly to revoke trust in the affected certificates. Any certificates issued by the Microsoft Terminal Services licensing certificate authority (CA) could be used for illegitimate purposes and should not be trusted.

Apply updates

   Apply the appropriate versions of KB2718704 to add the affected certificates to the Untrusted Certificate Store. Updates will reach most users via automatic updates and Windows Server Update Services (WSUS).

Revoke trust in affected certificates

   Manually add the affected certificates to the Untrusted Certificate Store. The Certificates MMC snap-in and Certutil command can be used on Windows systems.

References

  * US-CERT Current Activity: Unauthorized Microsoft Digital Certificates -
  * Microsoft Security Advisory (2718704) -
  * Unauthorized digital certificates could allow spoofing -
  * Microsoft certification authority signing certificates added to the Untrusted Certificate Store -
  * Microsoft releases Security Advisory 2718704 -
  * Windows Server Update Services -
  * Certutil -
  * How to: View Certificates with the MMC Snap-in -

Revision History

  June 04, 2012: Initial release

____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA12-156A Feedback INFO#461124" in the subject.
____________________________________________________________________

Produced by US-CERT, a government organization.
____________________________________________________________________

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

This document can also be found at http://www.us-cert.gov/cas/techalerts/TA12-156A.html

For instructions on subscribing to or unsubscribing from this mailing list, visit http://www.us-cert.gov/cas/signup.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Wed Jun 13 09:53:55 2012
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 13 Jun 2012 12:53:55 +0000
Subject: [SECURITY-L] US-CERT Alert TA12-164A -- Microsoft Updates for Multiple Vulnerabilities
Message-ID: <20120613125355.GB20734@unicamp.br>

----- Forwarded message from US-CERT Alerts -----

From: US-CERT Alerts
Subject: US-CERT Alert TA12-164A -- Microsoft Updates for Multiple Vulnerabilities
To: technical-alerts em us-cert.gov
Date: Tue, 12 Jun 2012 15:18:07 -0400
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System
Technical Cyber Security Alert TA12-164A

Microsoft Updates for Multiple Vulnerabilities

Original release date: June 12, 2012
Last revised: --
Source: US-CERT

Systems Affected

  * Microsoft Windows
  * Microsoft Internet Explorer
  * Microsoft .NET Framework
  * Microsoft Office
  * Microsoft Visual Basic for Applications
  * Microsoft Dynamics AX

Overview

Select Microsoft software products contain multiple vulnerabilities.
Microsoft has released updates to address these vulnerabilities.

Description

The Microsoft Security Bulletin Summary for June 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities. Additional details for MS12-042 can be found in US-CERT vulnerability note VU#649219.

Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

Solution

Apply updates

   Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for June 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

References

  * Microsoft Security Bulletin Summary for June 2012 -
  * US-CERT Vulnerability Note VU#649219 -
  * Microsoft Windows Server Update Services -
  * Microsoft Update -
  * Microsoft Update Overview -
  * Turn Automatic Updating On or Off -

Revision History

  June 12, 2012: Initial release

____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA12-164A Feedback VU#787731" in the subject.
____________________________________________________________________

Produced by US-CERT, a government organization.
____________________________________________________________________

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

This document can also be found at http://www.us-cert.gov/cas/techalerts/TA12-164A.html

For instructions on subscribing to or unsubscribing from this mailing list, visit http://www.us-cert.gov/cas/signup.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Mon Jun 18 09:22:14 2012
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 18 Jun 2012 12:22:14 +0000
Subject: [SECURITY-L] CAIS-Alerta: Microsoft Security Bulletin Summary - June/2012
Message-ID: <20120618122214.GB40845@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Microsoft Security Bulletin Summary - June/2012
To: pop-seg em cais.rnp.br, rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Fri, 15 Jun 2012 17:00:12 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

Microsoft published 7 security bulletins on June 12 addressing a total of 25 vulnerabilities in the company's products. Exploitation of these vulnerabilities allows remote code execution and elevation of privilege.

As of the publication of this alert, one of the vulnerabilities, MS12-037, is being actively exploited.

SEVERITY

. Critical

  - MS12-036 - Vulnerability in Microsoft Remote Desktop could allow remote code execution
  - MS12-037 - Cumulative security update for Microsoft Internet Explorer
  - MS12-038 - Vulnerability in .NET Framework could allow remote code execution

. Important

  - MS12-039 - Vulnerabilities in Lync Cloud could allow remote code execution
  - MS12-040 - Vulnerability in Microsoft Dynamics AX Enterprise Portal could allow elevation of privilege
  - MS12-041 - Vulnerabilities in Windows kernel-mode drivers could allow elevation of privilege
  - MS12-042 - Vulnerabilities in Windows Kernel could allow elevation of privilege

. Moderate

  - No bulletins

. Low

  - No bulletins

The vulnerability severity rating system adopted by CAIS in this summary is Microsoft's own. CAIS recommends applying, at a minimum, the fixes for vulnerabilities rated critical and important. For fixes for vulnerabilities rated moderate, CAIS recommends that at least the mitigation recommendations be followed.

. Critical - Vulnerabilities whose exploitation could allow the propagation of a worm without the need for user interaction.

. Important - Vulnerabilities whose exploitation could result in compromise of the confidentiality, integrity or availability of user data, or of the integrity or availability of processing resources.

. Moderate - Exploitation is significantly mitigated by factors such as default configuration, auditing or difficulty of exploitation.

. Low - A vulnerability whose exploitation is extremely difficult or whose impact is minimal.

AVAILABLE FIXES

It is recommended to update systems to the versions available at:

. Microsoft Update
  https://www.update.microsoft.com/microsoftupdate/

. Windows Server Update Services
  http://www.microsoft.com/windowsserversystem/updateservices/default.mspx

MORE INFORMATION

. Microsoft Security Bulletin Summary for June 2012
  http://technet.microsoft.com/en-us/security/bulletin/ms12-jun

. Microsoft Security TechCenter
  http://technet.microsoft.com/pt-br/security/

. Microsoft Security Response Center - MSRC
  http://www.microsoft.com/security/msrc/

. Microsoft Security Research&Defense - MSRD
  http://blogs.technet.com/srd/

. Microsoft Security
  http://www.microsoft.com/brasil/security/

. MS12-036 - Vulnerability in Microsoft Remote Desktop could allow remote code execution
  http://technet.microsoft.com/en-us/security/bulletin/ms12-036

. MS12-037 - Cumulative security update for Microsoft Internet Explorer
  http://technet.microsoft.com/en-us/security/bulletin/ms12-037

. MS12-038 - Vulnerability in .NET Framework could allow remote code execution
  http://technet.microsoft.com/en-us/security/bulletin/ms12-038

. MS12-039 - Vulnerabilities in Lync Cloud could allow remote code execution
  http://technet.microsoft.com/en-us/security/bulletin/ms12-039

. MS12-040 - Vulnerability in Microsoft Dynamics AX Enterprise Portal could allow elevation of privilege
  http://technet.microsoft.com/en-us/security/bulletin/ms12-040

. MS12-041 - Vulnerabilities in Windows kernel-mode drivers could allow elevation of privilege
  http://technet.microsoft.com/en-us/security/bulletin/ms12-041

. MS12-042 - Vulnerabilities in Windows Kernel could allow elevation of privilege
  http://technet.microsoft.com/en-us/security/bulletin/ms12-042

CVE identifiers (http://cve.mitre.org):

CVE-2012-0159, CVE-2012-0173, CVE-2012-0217, CVE-2012-1515, CVE-2012-1523,
CVE-2012-1849, CVE-2012-1855, CVE-2012-1857, CVE-2012-1858, CVE-2012-1858,
CVE-2012-1864, CVE-2012-1865, CVE-2012-1866, CVE-2012-1867, CVE-2012-1868,
CVE-2012-1873, CVE-2012-1874, CVE-2012-1875, CVE-2012-1876, CVE-2012-1877,
CVE-2012-1878, CVE-2012-1879, CVE-2012-1880, CVE-2012-1881, CVE-2012-3402

CAIS recommends that administrators always keep their systems and applications up to date, in line with the latest versions and fixes provided by vendors.

CAIS Alerts are also available in RSS/RDF format and on Twitter:

http://www.rnp.br/cais/alertas/rss.xml

Follow @caisrnp

Regards,

CAIS/RNP Team

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br    http://www.cais.rnp.br                #
# Tel. 019-37873300    Fax. 019-37873301                       #
# PGP key available    http://www.rnp.br/cais/cais-pgp.key     #
################################################################

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Mon Jun 25 11:14:41 2012
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 25 Jun 2012 14:14:41 +0000
Subject: [SECURITY-L] US-CERT Alert TA12-174A - Microsoft XML Core Services Attack Activity
Message-ID: <20120625141441.GA35653@unicamp.br>

----- Forwarded message from US-CERT Alerts -----

From: US-CERT Alerts
Subject: US-CERT Alert TA12-174A - Microsoft XML Core Services Attack Activity
To: technical-alerts em us-cert.gov
Date: Fri, 22 Jun 2012 17:42:42 -0400
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Awareness System
Technical Cyber Security Alert TA12-174A

Microsoft XML Core Services Attack Activity

Original release date: June 22, 2012
Last revised: --
Source: US-CERT

Systems Affected

Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 are affected. Microsoft Internet Explorer, Microsoft Office 2003, and Microsoft Office 2007 are affected due to their use of XML Core Services.

Overview

Microsoft Security Advisory (2719615) warns of active attacks using a vulnerability in Microsoft XML Core Services. Microsoft Internet Explorer and Microsoft Office can be used as attack vectors.

Description

Microsoft Security Advisory (2719615), a Google Online Security blog post, Sophos, and other sources report active attacks exploiting a vulnerability in Microsoft XML Core Services (CVE-2012-1889).
Attack scenarios involve exploits served by compromised web sites and delivered in Office documents. Reliable public exploit code is available, and attacks may become more widespread.

Impact

By convincing a victim to view a specially crafted web page or Office document, an attacker could execute arbitrary code and take any action as the victim.

Solution

As of June 22, 2012, a comprehensive update is not available. Consider the following workarounds.

Apply Fix it

   Apply the Fix it solution described in Microsoft Knowledge Base Article 2719615. This solution uses the Application Compatibility Database feature to make runtime modifications to XML Core Services to patch the vulnerability.

Disable scripting

   Configure Internet Explorer to disable Active Scripting in the Internet and Local intranet zones as described in Microsoft Security Advisory (2719615). See also Securing Your Web Browser.

Use the Enhanced Mitigation Experience Toolkit (EMET)

   EMET is a utility to configure Windows runtime mitigation features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Structured Exception Handler Overwrite Protection (SEHOP). These features, particularly the combination of system-wide DEP and ASLR, make it more difficult for an attacker to successfully exploit a vulnerability. Configure EMET for Internet Explorer as described in Microsoft Security Advisory (2719615).

References

  * Microsoft Security Advisory (2719615) -
  * Microsoft Security Advisory: Vulnerability in Microsoft XML Core Services could allow remote code execution -
  * NVD Vulnerability Summary for CVE-2012-1889 -
  * Microsoft XML vulnerability under active exploitation -
  * European aeronautical supplier's website infected with "state-sponsored" zero-day exploit -
  * Securing Your Web Browser -
  * Application Compatibility Database -

Revision History

  June 22, 2012: Initial release

____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA12-174A Feedback VU#783993" in the subject.
____________________________________________________________________

Produced by US-CERT, a government organization.
____________________________________________________________________

This product is provided subject to this Notification: http://www.us-cert.gov/privacy/notification.html

Privacy & Use policy: http://www.us-cert.gov/privacy/

This document can also be found at http://www.us-cert.gov/cas/techalerts/TA12-174A.html

For instructions on subscribing to or unsubscribing from this mailing list, visit http://www.us-cert.gov/cas/signup.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
-----END PGP SIGNATURE-----

----- End forwarded message -----
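
For the "Revoke trust in affected certificates" step of alert TA12-156A earlier in this archive: an added example, not part of the alert and not Microsoft or US-CERT code, that checks whether the three thumbprints listed in the alert are present in a machine's Untrusted Certificates store. The function names are hypothetical; the thumbprints are copied from the alert text.

```powershell
# Added example. Requires PowerShell 3.0 or later.
# Thumbprints are copied from the TA12-156A alert text; the function names
# are hypothetical and not part of any Microsoft or US-CERT tooling.
$Ta12156a = @(
    @{ Name       = 'Microsoft Enforced Licensing Intermediate PCA'
       Thumbprint = '2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70' },
    @{ Name       = 'Microsoft Enforced Licensing Intermediate PCA'
       Thumbprint = '3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08' },
    @{ Name       = 'Microsoft Enforced Licensing Registration Authority CA (SHA1)'
       Thumbprint = 'fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97' }
)

function ConvertTo-CertStoreThumbprint {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    # Keep hex digits only: drops spaces, colons and any invisible characters
    # picked up when a thumbprint is copied out of a certificate dialog.
    $hex = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40) {
        throw "Not a SHA-1 thumbprint (expected 40 hex digits): '$Thumbprint'"
    }
    $hex
}

function Test-UntrustedCertificate {
    param(
        [Parameter(Mandatory = $true)][hashtable[]]$Certificate,
        [ValidateSet('LocalMachine', 'CurrentUser')][string]$Location = 'LocalMachine'
    )
    foreach ($cert in $Certificate) {
        $tp = ConvertTo-CertStoreThumbprint -Thumbprint $cert.Thumbprint

        # 'Disallowed' is the store the MMC snap-in shows as
        # "Untrusted Certificates".
        $revoked = Test-Path -LiteralPath "Cert:\$Location\Disallowed\$tp"

        # Also record any other store that holds the same certificate.
        $elsewhere = @('CA', 'Root', 'TrustedPublisher' | Where-Object {
            Test-Path -LiteralPath "Cert:\$Location\$_\$tp"
        })

        [pscustomobject]@{
            Name         = $cert.Name
            Thumbprint   = $tp
            InDisallowed = $revoked
            OtherStores  = $elsewhere -join ','
        }
    }
}

$report = Test-UntrustedCertificate -Certificate $Ta12156a
$report | Format-Table Name, Thumbprint, InDisallowed, OtherStores -AutoSize

if ($report | Where-Object { -not $_.InDisallowed }) {
    Write-Warning 'One or more TA12-156A certificates are not in the Untrusted Certificates store.'
}
```

Run it per machine or through a remoting session; a row with InDisallowed set to False means neither the update nor the manual step has been applied on that host.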