web 2.0

Wednesday, September 1, 2010

Microsoft Security Newsletter : September Edition


 

     
     
 
Call to Industry for collaboration to protect against online threats
 
 
For more information on the Security Bulletins and Microsoft Programs, visit the Microsoft Security Center
 
 
 
 
   
Microsoft Active Protections Program (MAPP) is a unique collaborative effort that facilitates advanced information sharing on Microsoft product vulnerabilities with security software providers. It was launched in October 2008 by the Microsoft Security Response Center. Adobe now has joined Microsoft to share its vulnerability information with the 65 global MAPP members, offering advanced protections to hundreds of millions of people. Through programs like MAPP, Microsoft is helping protect customers from the threats of today and tomorrow.
MAPP has evolved over time as a proven model helping a network of global defenders including researchers and vendors to protect customers against online crime.

Coordinated vulnerability disclosure - Microsoft will now move to a new practice and philosophy of coordinated vulnerability disclosure.
Definition of coordinated vulnerability disclosure. Microsoft believes coordinated vulnerability disclosure is when newly discovered vulnerabilities in hardware, software and services are disclosed directly to the vendors of the affected product, to a CERT-CC or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor an opportunity to diagnose and offer fully tested updates, workarounds or other corrective measures before detailed vulnerability or exploit information is shared publicly. If attacks are underway in the wild, earlier public vulnerability details disclosure can occur with both the finder and vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves.
Additional details on coordinated vulnerability disclosure can be found here.

Microsoft is calling on the broader community - from security researchers to vendors - to move to coordinated vulnerability disclosure. The need for coordination and shared responsibility has never been greater, as the computing ecosystem faces an unprecedented level of threat from the criminal element. To overcome that element, we must work together to improve the security of the entire ecosystem and, as always, make customer protection our highest priority.

New Tools and Guidance - Microsoft has released several resources that will help you make informed decisions and manage risk. These releases demonstrate our ongoing efforts to improve customer experience by developing and sharing guidance and solutions. Microsoft urges you to leverage this freely available guidance to protect against threats and improve your security processes.
Enhanced Mitigation Experience Toolkit (EMET). EMET is a free tool that brings newer security mitigations to older Microsoft platforms and applications, both third-party and line of business applications. The tool specifically helps block targeted attacks against unfixed vulnerabilities. Watch an instructional video here
Microsoft vulnerability research (MSVR) paper. The MSVR was launched to share the lessons Microsoft has learned about building more secure software and responding to vulnerabilities in third-party products built on the Microsoft platform. Since its launch in 2008, the MSVR has worked with more than 30 vendors, helping improve both Microsoft's software, as well as third-party products, ultimately keeping more people safe online. A more detailed account on how the MSVR has improved the overall security of Microsoft and third-party products can be downloaded here
A Report: Building a Safer, More Trusted Internet Through Information Sharing. In an earlier Security Focus, I had explained that Microsoft had launched three security-related programs designed to collectively share more information with partners and customers. The three programs - MAPP, the Microsoft Exploitability Index and the MSVR - have evolved over the past years, creating a safer online environment for people around the world. For example:
  o Sourcefire Inc. reported that in the race between exploit and protection, MAPP has helped to reduce the risk of attack in some cases by more than 75 percent.
  o According to iDefense Labs, the Microsoft Exploitability Index has helped reduce risk by providing system administrators with the information they need to prioritize security updates.
  o Since 2009, the MSVR program has identified 35 different software vulnerabilities affecting a total of 19 vendors. To date, 45 percent of those vulnerabilities have been resolved, helping better secure Microsoft's platform and the larger computing environment.

The full report on the progress of these three programs can be viewed here. I hope you are also leveraging this guidance and we would love to hear about your success stories. Given the increasing criminality of the threat landscape, it's clear that a new approach to security is required. Microsoft encourages a shared sense of responsibility across the ecosystem as no one company, individual or technology can solve today's complex security challenges. As such, Microsoft calls on the industry to continue to collaborate and coordinate to combat online threats and create a safer, more trusted Internet.

Sanjay Bahl is the Chief Security Officer for Microsoft Corporation (India) Pvt Ltd, and is a member of various security committees at national and International level.
 
 
 
Security Update
 
 
     
 
  What is the purpose of this alert?
    This alert is to provide you with an overview of the new security bulletins released on August 10, 2010. Security bulletins are released monthly to resolve critical product vulnerabilities. This alert also provides an overview of one new security advisory (2264072) published on August 10, 2010.
     
 
New Security Bulletins
Microsoft is releasing the following fourteen (14) new security bulletins for newly discovered vulnerabilities:
     

| Bulletin ID | Bulletin Title | Maximum Severity Rating | Vulnerability Impact | Restart Requirement | Affected Software |
|---|---|---|---|---|---|
| MS10-047 | Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) | Important | Elevation of Privilege | Requires restart | Microsoft Windows |
| MS10-048 | Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329) | Important | Elevation of Privilege | Requires restart | Microsoft Windows |
| MS10-049 | Vulnerabilities in SChannel Could Allow Remote Code Execution (980436) | Critical | Remote Code Execution | Requires restart | Microsoft Windows |
| MS10-050 | Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997) | Important | Remote Code Execution | May require restart | Microsoft Windows |
| MS10-051 | Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403) | Critical | Remote Code Execution | Requires restart | Microsoft Windows |
| MS10-052 | Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168) | Critical | Remote Code Execution | May require restart | Microsoft Windows |
| MS10-053 | Cumulative Security Update for Internet Explorer (2183461) | Critical | Remote Code Execution | Requires restart | Microsoft Windows, Internet Explorer |
| MS10-054 | Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214) | Critical | Remote Code Execution | Requires restart | Microsoft Windows |
| MS10-055 | Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665) | Critical | Remote Code Execution | May require restart | Microsoft Windows |
| MS10-056 | Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638) | Critical | Remote Code Execution | May require restart | Microsoft Office |
| MS10-057 | Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (2269707) | Important | Remote Code Execution | May require restart | Microsoft Office |
| MS10-058 | Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886) | Important | Elevation of Privilege | Requires restart | Microsoft Windows |
| MS10-059 | Vulnerabilities in the Tracing Feature for Services Could Allow an Elevation of Privilege (982799) | Important | Elevation of Privilege | May require restart | Microsoft Windows |
| MS10-060 | Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906) | Critical | Remote Code Execution | May require restart | Microsoft Windows, Microsoft .NET Framework, Microsoft Silverlight |

Note: The affected software information listed above is an abstract. To see the full list of affected components for a given bulletin, please visit the bulletin web page at the link provided in the left column and review the "Affected Software" section.

     

Summaries for new bulletin(s) may be found at
http://www.microsoft.com/technet/security/bulletin/MS10-aug.mspx.

Microsoft Windows Malicious Software Removal Tool

Microsoft is releasing an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Server Update Services (WSUS), Windows Update (WU), and the Download Center. Information on the Microsoft Windows Malicious Software Removal Tool is available at http://support.microsoft.com/?kbid=890830.

High Priority Non-Security Updates
High priority, non-security updates Microsoft releases to be available on Microsoft Update (MU), Windows Update (WU), or Windows Server Update Services (WSUS) are detailed in the KB article found at http://support.microsoft.com/?id=894199.

     
 
New Security Advisory
Microsoft published security advisory 2264072 - Elevation of Privilege Using Windows Service Isolation Bypass - on Tuesday, August 10, 2010.

Overview: Microsoft is aware of the potential for attacks that leverage the Windows Service Isolation feature to gain elevation of privilege. This advisory discusses potential attack scenarios and provides suggested actions that can help to protect against this issue. This advisory also offers a non-security update for one of the potential attack scenarios through Windows Telephony Application Programming Interfaces (TAPI).

This issue affects scenarios where untrusted code is being executed within a process owned by the NetworkService account. In these scenarios, it is possible for an attacker to elevate from running processes as the NetworkService account to running processes as the LocalSystem account on a target server. An attacker who successfully elevated to running processes as the LocalSystem account could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Recommendations: Review Microsoft Security Advisory 2264072 at the link below for an overview of the issue, details on affected components, mitigating factors, workarounds, suggested actions, frequently asked questions (FAQs), and links to additional resources.

Advisory Link: Microsoft Security Advisory (2264072) - Elevation of Privilege Using Windows Service Isolation Bypass: http://www.microsoft.com/technet/security/advisory/2264072.mspx
     
 
     
  What is the purpose of this alert?
   

This alert is to notify you that Microsoft has released Security Advisory 2269637 - Insecure Library Loading Could Allow Remote Code Execution - on August 23, 2010.

     
 
Summary
  Microsoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities that affects how applications load external libraries.

This issue is caused by specific insecure programming practices that allow so-called "binary planting" or "DLL preloading attacks". These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location.

This issue is caused by applications passing an insufficiently qualified path when loading an external library. Microsoft has issued guidance to developers in the MSDN article, Dynamic-Link Library Security, on how to correctly use the available application programming interfaces to prevent this class of vulnerability. Microsoft is also actively reaching out to third-party vendors through the Microsoft Vulnerability Research Program to inform them of the mitigations available in the operating system. Microsoft is also actively investigating which of its own applications may be affected.

In addition to this guidance, Microsoft is releasing a tool that allows system administrators to mitigate the risk of this new attack vector by altering the library loading behavior system-wide or for specific applications. This advisory describes the functionality of this tool and other actions that customers can take to help protect their systems.
     
  Mitigating Factors
   
· This issue only affects applications that do not load external libraries securely. Microsoft has previously published guidelines for developers in the MSDN article, Dynamic-Link Library Security, that recommend alternate methods to load libraries that are safe against these attacks.
· For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.
· The file sharing protocol SMB is often disabled on the perimeter firewall. This limits the possible attack vectors for this vulnerability.
     
  Affected Software
    Microsoft is investigating whether any of its own applications are affected by insecure library loading vulnerabilities and will take appropriate action to protect its customers.
     
 
Recommendations
  Review Microsoft Security Advisory 2269637 for an overview of the issue, details on affected components, mitigating factors, workarounds, suggested actions, frequently asked questions (FAQs), and links to additional resources.

Customers who believe they are affected can contact Customer Service and Support (CSS) in North America for help with security update issues or viruses at no charge using the PC Safety line (866) PCSAFETY. International customers can contact Customer Service and Support by using any method found at http://www.microsoft.com/protect/worldwide/default.mspx.
     
  Additional Resources
   
· Microsoft Advisory 2269637 - Insecure Library Loading Could Allow Remote Code Execution: http://www.microsoft.com/technet/security/advisory/2269637.mspx
· KB2264107 - A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm: http://support.microsoft.com/kb/2264107
· Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc/
· Microsoft Security Research & Defense (SRD) Blog: http://blogs.technet.com/srd/
· Microsoft Malware Protection Center (MMPC) Blog: http://blogs.technet.com/mmpc/
     
  Regarding Information Consistency
    We strive to provide you with accurate information in static (this mail) and dynamic (web-based) content. Microsoft's security content posted to the Web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft's web-based security content, the information in Microsoft's web-based security content is authoritative.
     
    Thank you,
Microsoft CSS Security Team
     
 
 

Microsoft respects your privacy. Please read our online Privacy Statement.
If you would prefer not to receive future promotional emails from Microsoft Corporation please click here to unsubscribe. These settings will not affect any newsletters you've requested or any mandatory service communications that are considered part of certain Microsoft services.
To set your contact preferences for Microsoft newsletters, see the communications preferences section of the Microsoft Privacy Statement.

Microsoft Corporation (India) Pvt. Ltd.
9th Floor, Tower A, DLF Cyber Greens, DLF Cyber Citi, Sector 25A
Gurgaon, Haryana, 122 002, INDIA

Monday, August 30, 2010

Join us for an exciting Webcast on Data center Virtualization: It’s more than a Hypervisor


Haven't registered for the exclusive webcast series? Act now! Register and get empowered to make the most out of your technology investments.

In this webcast, you get to interact with our expert Aviraj Ajgekar, who will take you through the topic "Datacenter Virtualization: It's more than a Hypervisor" on September 3, 2010 between 4:00 P.M. and 5:30 P.M.

Register for the webcast, NOW!

 
 



 

Friday, August 27, 2010

Alert - Microsoft Security Advisory 2269637 Released

What is the purpose of this alert?

 

This alert is to notify you that Microsoft has released Security Advisory 2269637 - Insecure Library Loading Could Allow Remote Code Execution -- on August 23, 2010.

Summary

 

Microsoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities that affects how applications load external libraries.

 

This issue is caused by specific insecure programming practices that allow so-called "binary planting" or "DLL preloading attacks". These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location.

 

This issue is caused by applications passing an insufficiently qualified path when loading an external library. Microsoft has issued guidance to developers in the MSDN article, Dynamic-Link Library Security, on how to correctly use the available application programming interfaces to prevent this class of vulnerability. Microsoft is also actively reaching out to third-party vendors through the Microsoft Vulnerability Research Program to inform them of the mitigations available in the operating system. Microsoft is also actively investigating which of its own applications may be affected.

 

In addition to this guidance, Microsoft is releasing a tool that allows system administrators to mitigate the risk of this new attack vector by altering the library loading behavior system-wide or for specific applications. This advisory describes the functionality of this tool and other actions that customers can take to help protect their systems.

 

Mitigating Factors

 

·        This issue only affects applications that do not load external libraries securely. Microsoft has previously published guidelines for developers in the MSDN article, Dynamic-Link Library Security, that recommend alternate methods to load libraries that are safe against these attacks.

 

·        For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.

 

·        The file sharing protocol SMB is often disabled on the perimeter firewall. This limits the possible attack vectors for this vulnerability.

 

Affected Software

 

Microsoft is investigating whether any of its own applications are affected by insecure library loading vulnerabilities and will take appropriate action to protect its customers.

 

Recommendations

 

Review Microsoft Security Advisory 2269637 for an overview of the issue, details on affected components, mitigating factors, workarounds, suggested actions, frequently asked questions (FAQs), and links to additional resources.

 

Customers who believe they are affected can contact Customer Service and Support (CSS) in North America for help with security update issues or viruses at no charge using the PC Safety line (866) PCSAFETY. International customers can contact Customer Service and Support by using any method found at http://www.microsoft.com/protect/worldwide/default.mspx.

 

Additional Resources

 

·        Microsoft Advisory 2269637 - Insecure Library Loading Could Allow Remote Code Execution: http://www.microsoft.com/technet/security/advisory/2269637.mspx

 

·        KB2264107 - A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm: http://support.microsoft.com/kb/2264107

 

·        Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc/

 

·        Microsoft Security Research & Defense (SRD) Blog: http://blogs.technet.com/srd/

 

·        Microsoft Malware Protection Center (MMPC) Blog: http://blogs.technet.com/mmpc/

 

Regarding Information Consistency

 

We strive to provide you with accurate information in static (this mail) and dynamic (web-based) content. Microsoft's security content posted to the Web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft's web-based security content, the information in Microsoft's web-based security content is authoritative.

 

Thank you,

Microsoft CSS Security Team
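
Both copies of advisory 2269637 on this page (the September newsletter and the August 27 alert) trace the issue to applications passing an insufficiently qualified path when loading an external library. The following Python sketch is an added example, not part of the advisory or of any Microsoft tool: it scans C/C++ source for LoadLibrary calls and classifies the path argument. The sample source, the name "Contoso", and the treatment of LOAD_LIBRARY_SEARCH_* flags (a later Windows addition) as restricting the search are assumptions of this example.

```python
import re

# Constructed sample (not from any real project); "Contoso" is a placeholder.
SAMPLE_C = r'''
#include <windows.h>
void load_codecs(const wchar_t *user_dir) {
    HMODULE a = LoadLibraryW(L"codec.dll");
    HMODULE b = LoadLibraryEx(TEXT("plugins\\filter.dll"), NULL, 0);
    HMODULE c = LoadLibraryA("C:\\Program Files\\Contoso\\codec.dll");
    HMODULE d = LoadLibraryExW(L"codec.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
    HMODULE e = LoadLibraryW(user_dir);
}
'''

CALL_RE = re.compile(r'\b(LoadLibrary(?:Ex)?[AW]?)\s*\(')
# A lone string literal: "x", L"x", TEXT("x") or _T("x").
LITERAL_RE = re.compile(r'^(?:L|(?:TEXT|_T)\s*\(\s*)?"((?:[^"\\]|\\.)*)"\s*\)?$')
# Drive-letter or UNC prefix: the loader is told exactly where to look.
ABSOLUTE_RE = re.compile(r'^(?:[A-Za-z]:[\\/]|[\\/]{2})')


def call_args(src, start):
    """Split the call whose '(' is at src[start] into top-level arguments."""
    args, cur, depth, in_str, i = [], [], 0, False, start
    while i < len(src):
        ch = src[i]
        if in_str:
            cur.append(ch)
            if ch == '\\' and i + 1 < len(src):   # keep the escaped character
                i += 1
                cur.append(src[i])
            elif ch == '"':
                in_str = False
        elif ch == '(' or ch == ')':
            depth += 1 if ch == '(' else -1
            if depth == 0:                        # closing paren of the call
                return args + [''.join(cur).strip()]
            if not (ch == '(' and depth == 1):    # skip the call's own '('
                cur.append(ch)
        elif ch == ',' and depth == 1:
            args.append(''.join(cur).strip())
            cur = []
        else:
            in_str = ch == '"'
            cur.append(ch)
        i += 1
    return args


def audit_source(src):
    """Return (line, function, verdict) for every LoadLibrary* call in src."""
    findings = []
    for m in CALL_RE.finditer(src):
        args = call_args(src, m.end() - 1)
        lit = LITERAL_RE.match(args[0]) if args else None
        if len(args) == 3 and 'LOAD_LIBRARY_SEARCH_' in args[2]:
            verdict = 'ok: search restricted by flags'
        elif lit is None:
            verdict = 'review: path built at run time'
        elif ABSOLUTE_RE.match(lit.group(1).replace('\\\\', '\\')):
            verdict = 'ok: fully qualified path'
        else:
            verdict = 'UNSAFE: insufficiently qualified path'
        findings.append((src.count('\n', 0, m.start()) + 1, m.group(1), verdict))
    return findings
```

Calling `audit_source(SAMPLE_C)` returns one tuple per call site; a relative path with a directory component is flagged as well, because it is still resolved against directories the caller does not control.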

 
