http://isc.sans.org en-us Tue, 09 Feb 2010 22:28:04 +0000 Tue, 09 Feb 2010 19:28:42 GMT (C) SANS Institute 2010 isc rss feed maker 30 handlers@sans.org (ISC Handlers) http://isc.sans.org/images/status.gif http://isc.sans.org http://isc.sans.org/diary.html?storyid=8197&rss http://isc.sans.org/diary.html?storyid=8197&rss


#
Affected
Contra Indications
Known Exploits
Microsoft rating
ISC rating(*)


clients
servers





MS10-003
Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution (Windows and OS X) (Replaces MS09-062)


Office

CVE-2010-0243
KB 978214
no known exploits.
Severity:Important

Exploitability: 1
Critical
Important



MS10-004
Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (Windows and OS X)


Powerpoint

CVE-2010-0029

CVE-2010-0030

CVE-2010-0031

CVE-2010-0032

CVE-2010-0033

CVE-2010-0034
KB 975416
no known exploits.
Severity:Critical

Exploitability: 2,1,1,1,1,1
Critical
Important



MS10-005
Vulnerability in Microsoft Paint Could Allow Remote Code Execution


Microsoft Paint

CVE-2010-0028
KB 978706
no known exploits.
Severity:Moderate

Exploitability: 2
Critical
Moderate


MS10-006
Vulnerabilities in SMB Client Could Allow Remote Code Execution (Replaces MS06-030 MS08-068 )


SMB

CVE-2010-0016

CVE-2009-0017
KB 978251
no known exploits.
Severity:Critical

Exploitability: 2,1
Critical
Critical



MS10-007
Vulnerability in Windows Shell Handler Could Allow Remote Code Execution


ShellExecute API

CVE-2010-0027
KB 975713
no known exploits.
Severity:Critical

Exploitability: 1
Critical
Important



MS10-008
Cumulative Security Update of ActiveX Kill Bits (Replaces MS09-055)


ActiveX

CVE-2010-0252
KB 978262
no known exploits.
Severity:Critical

Exploitability: ?
Critical
Important



MS10-009
Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution


IPv6

CVE-2010-0239

CVE-2010-0240

CVE-2010-0241

CVE-2010-0242
KB 974145
no known exploits.
Severity:Critical

Exploitability: 2,2,2,3
Critical
Critical



MS10-010
Hyper-V Instruction Set Validation Vulnerability


Hyper-V

CVE-2010-0026
KB 977894
no known exploits.
Severity:Important

Exploitability: 3
Important
Important



MS10-011
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privileges


CSRSS

CVE-2010-0023
KB 978037
no known exploits.
Severity:Important

Exploitability: 1
Important
Important



MS10-012
Vulnerabiliites in SMB Server Could Allow Remote Code Execution (Replaces MS09-001)


SMB Server

CVE-2010-0020

CVE-2010-0021

CVE-2010-0022

CVE-2010-0231
KB 971468
no known exploits.
Severity:Important

Exploitability: 2,2,3,1
Important
Critical



MS10-013
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution MS09-038 (Replaces MS09-038 MS09-028 )


DirectShow

CVE-2010-0250
KB 977935
no known exploits.
Severity:Critical

Exploitability: 1
Critical
Important



MS10-014
Vulnerability in Kerberos Could Allow Denial of Service


Kerberos

CVE-2010-0035
KB 977290
no known exploits.
Severity:Important

Exploitability: 3
Important
Important



MS10-015
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege


Windows Kernel

CVE-2010-0232

CVE-2010-0233
KB 977165
exploit available
Severity:Important

Exploitability: 1,2
Important
Important





We will update issues on this page for about a week or so as they evolve.

We appreciate updates

US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
Important: Things where more testing and other measures can help.
Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.


The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them



------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter

IPv6 Fundamentals: IPv6 Security Training

]]> Tue, 09 Feb 2010 19:28:42 GMT http://isc.sans.org/diary.html?storyid=8194&rss http://isc.sans.org/diary.html?storyid=8194&rss Tue, 09 Feb 2010 00:43:23 GMT http://isc.sans.org/diary.html?storyid=8188&rss http://isc.sans.org/diary.html?storyid=8188&rss Cheers,

Adrien de Beaupr

EWA-Canada.com]]> Tue, 09 Feb 2010 00:23:31 GMT http://isc.sans.org/diary.html?storyid=8185&rss http://isc.sans.org/diary.html?storyid=8185&rss


Lesson one to me, always check things out.
Do the research and analysis before crying wolf. Fortunately no harm done. This has to be balanced against the requirement for timeliness of information flow along a contact tree. In this case I erred on the side of alerting quickly.



A quick look at the C code and it does appear to run an exploit. The hex at the beginning could be shell code. Part of it looks like this:



char jmpcode[] =

x72x6Dx20x2Dx72x66x20x7ex20x2Fx2Ax20x32x3ex20x2f

x64x65x76x2fx6ex75x6cx6cx20x26



Which starts to looks familiar when run through an online Hex to ASCII decode:



?????r?m? ?-?r?f? ?~? ?/?*? ?2?? ?/??????d?e?v?/?n?u?l?l? ??



When you strip out and clean it up it looks like this:



rm -rf ~ /* 2 /dev/null



That can't be good. On a lot of Linux or Mac OS X systems, if run as root, your hard drive would be pretty active as it tries to delete everything, if not root it just deletes your home directory. Other chunks of the 'code' are a perl script to join IRC.



Lesson two, just because it looks like shell code, a buffer overflow, or assembly language, doesn't mean it is.



Lesson three is also fairly obvious, make certain you know what the code does before you run it.



Back to the blog post for a second, assuming that the poster didn't know what it was, and thought it was in fact a 0day in OpenSSH, perhaps they could have performed a bit of checking prior to posting online. Although it could also have been posted as a prank or practical joke.



Lesson four, just because something is posted online does not mean anyone has actually checked the facts or performed QA on the code.
The last point would be to first inspect the code, then to run it only in a throw away VM or sandbox.



Thanks to Sander for the original alert, and to Niels and others at OpenSSH for pointing out that this is an old 'sploit, and the underlying shell script.
Cheers,

Adrien de Beaupr

EWA-Canada.com]]> Mon, 08 Feb 2010 14:58:46 GMT http://isc.sans.org/diary.html?storyid=8179&rss http://isc.sans.org/diary.html?storyid=8179&rss Affected versions:
LANDesk management Gateway Appliance 4.0-1.48 4.2-1.8

-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org]]> Sat, 06 Feb 2010 20:30:23 GMT http://isc.sans.org/diary.html?storyid=8176&rss http://isc.sans.org/diary.html?storyid=8176&rss
Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter]]> Sat, 06 Feb 2010 02:04:59 GMT http://isc.sans.org/diary.html?storyid=8173&rss http://isc.sans.org/diary.html?storyid=8173&rss According to Oracle, This vulnerability may be remotely exploitable without authentication. A knowledgeable and malicious remote user can exploit this vulnerability which can result in impacting the availability, integrity and confidentiality of the targeted system. Oracle strongly recommends testing and apply this fix as soon as possible. Additional information is available here.
The list of affected product:
Oracle WebLogic Server 11gR1 releases (10.3.1 and 10.3.2)

Oracle WebLogic Server 10gR3 release (10.3.0)

Oracle WebLogic Server 10.0 through MP2

Oracle WebLogic Server 9.0, 9.1, 9.2 through MP3

Oracle WebLogic Server 8.1 through SP6

Oracle WebLogic Server 7.0 through SP7
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org]]> Sat, 06 Feb 2010 01:17:54 GMT http://isc.sans.org/diary.html?storyid=8170&rss http://isc.sans.org/diary.html?storyid=8170&rss
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org]]> Sat, 06 Feb 2010 00:32:09 GMT http://isc.sans.org/diary.html?storyid=8167&rss http://isc.sans.org/diary.html?storyid=8167&rss ---------------

Jim Clausing, jclausing --at-- isc [dot] sans (dot) org
SEC503:Intrusion Detection In-Depth coming to central OHbeginning 22 Feb, http://www.sans.org/mentor/details.php?nid=20864]]> Sat, 06 Feb 2010 00:23:40 GMT