- Threat Outbreak Alert: Misleading Proof of Deposit E-Mail Messages on July 11, 2012
- Threat Outbreak Alert: Fake Portuguese Contract Confirmation E-mail Messages on July 12, 2012
- Threat Outbreak Alert: Fake Personal Photo Attachment E-mail Messages on July 12, 2012
- Threat Outbreak Alert: Fake Import Assistant E-mail Messages on July 13, 2012
- Threat Outbreak Alert: Fake Western Union Money Transfer Transaction E-mail Messages on July 12, 2012
- Threat Outbreak Alert: Fake Hotel Reservation Confirmation Details E-mail Messages on July 12, 2012
- Threat Outbreak Alert: Fake USPS Parcel Delivery Failure Notification E-mail Messages on July 13, 2012
- Threat Outbreak Alert: Fake German Account Statement Notification E-mail Messages on July 21, 2012
- Threat Outbreak Alert: Fake Purchase Order Notification E-mail Messages on July 11, 2012
- Threat Outbreak Alert: Fake Order Reminder Notification E-mail Messages on July 11, 2012
- MS12-044 – Critical: Cumulative Security Update for Internet Explorer (2719177) – Version: 1.0
Severity Rating: Critical
Revision Note: V1.0 (July 10, 2012): Bulletin published.
Summary: This security update resolves two privately reported vulnerabilities in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- MS12-050 – Important: Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2695502) – Version: 1.1
Severity Rating: Important
Revision Note: V1.1 (July 10, 2012): Downgraded the severity rating for the SharePoint Search Scope Vulnerability, CVE-2012-1860, from Important to Moderate for all affected software. This is an informational change only.
Summary: This security update resolves one publicly disclosed and five privately reported vulnerabilities in Microsoft SharePoint and Windows SharePoint Services. The most severe vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes the user to a targeted SharePoint site.
- MS12-016 – Critical: Vulnerabilities in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2651026) – Version: 1.3
Severity Rating: Critical
Revision Note: V1.3 (July 10, 2012): Microsoft revised this bulletin to communicate a minor detection change for KB2633880 for Microsoft .NET Framework 2.0 Service Pack 2 to correct an offering issue. There were no changes to the security update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted web page using a web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- MS12-049 – Important: Vulnerability in TLS Could Allow Information Disclosure (2655992) – Version: 1.0
Severity Rating: Important
Revision Note: V1.0 (July 10, 2012): Bulletin published.
Summary: This security update resolves a publicly disclosed vulnerability in TLS. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. Cipher suites that do not use CBC mode are not affected.
- MS12-036 – Critical: Vulnerability in Remote Desktop Could Allow Remote Code Execution (2685939) – Version: 1.2
Severity Rating: Critical
Revision Note: V1.2 (July 10, 2012): Removed MS11-065 as a bulletin replaced by the KB2685939 update for Windows XP Service Pack 3, Windows XP Professional x64 Edition Service Pack 2, Windows Server 2003 Service Pack 2, Windows Server 2003 x64 Edition Service Pack 2, and Windows Server 2003 with SP2 for Itanium-based Systems. This is an informational change only. There were no changes to the detection logic or the update files.
Summary: This security update resolves a privately reported vulnerability in the Remote Desktop Protocol. The vulnerability could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.
- MS12-048 – Important: Vulnerability in Windows Shell Could Allow Remote Code Execution (2691442) – Version: 1.0
Severity Rating: Important
Revision Note: V1.0 (July 10, 2012): Bulletin published.
Summary: This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a file or directory with a specially crafted name. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- MS12-045 – Critical: Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution (2698365) – Version: 1.0
Severity Rating: Critical
Revision Note: V1.0 (July 10, 2012): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user views a specially crafted webpage. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- MS12-047 – Important: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2718523) – Version: 1.0
Severity Rating: Important
Revision Note: V1.0 (July 10, 2012): Bulletin published.
Summary: This security update resolves one publicly disclosed and one privately reported vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
- MS12-043 – Critical: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2722479) – Version: 1.0
Severity Rating: Critical
Revision Note: V1.0 (July 10, 2012): Bulletin published.
Summary: This security update resolves a publicly disclosed vulnerability in Microsoft XML Core Services. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker’s website.
- MS12-046 – Important: Vulnerability in Visual Basic for Applications Could Allow Remote Code Execution (2707960) – Version: 1.0
Severity Rating: Important
Revision Note: V1.0 (July 10, 2012): Bulletin published.
Summary: This security update resolves one publicly disclosed vulnerability in Microsoft Visual Basic for Applications. The vulnerability could allow remote code execution if a user opens a legitimate Microsoft Office file (such as a .docx file) that is located in the same directory as a specially crafted dynamic link library (DLL) file. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- TA12-192A: Microsoft Updates for Multiple Vulnerabilities
Original release date: July 10, 2012 | Last revised: —
Systems Affected
- Microsoft Windows
- Microsoft Internet Explorer
- Microsoft Office
- Microsoft Developer Tools
- Microsoft Server Software
Overview
Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.
Description
The Microsoft Security Bulletin Summary for July 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.
Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution
Apply updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for July 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.
References
- Microsoft Security Bulletin Summary for July 2012
- Microsoft Windows Server Update Services
- Microsoft Update
- Microsoft Update Overview
- Turn Automatic Updating On or Off
Revision History
- July 10, 2012: Initial release
This product is provided subject to this Notification and this Privacy & Use policy.
- TA12-174A: Microsoft XML Core Services Attack Activity
Original release date: June 22, 2012 | Last revised: —
Systems Affected
Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 are affected. Microsoft Internet Explorer, Microsoft Office 2003, and Microsoft Office 2007 are affected due to their use of XML Core Services.
Overview
Microsoft Security Advisory (2719615) warns of active attacks using a vulnerability in Microsoft XML Core Services. Microsoft Internet Explorer and Microsoft Office can be used as attack vectors.
Description
Microsoft Security Advisory (2719615), a Google Online Security blog post, Sophos, and other sources report active attacks exploiting a vulnerability in Microsoft XML Core Services (CVE-2012-1889). Attack scenarios involve exploits served by compromised web sites and delivered in Office documents. Reliable public exploit code is available, and attacks may become more widespread.
Impact
By convincing a victim to view a specially crafted web page or Office document, an attacker could execute arbitrary code and take any action as the victim.
Solution
As of June 22, 2012, a comprehensive update is not available. Consider the following workarounds.
Apply Fix it
Apply the Fix it solution described in Microsoft Knowledge Base Article 2719615. This solution uses the Application Compatibility Database feature to make runtime modifications to XML Core Services to patch the vulnerability.
Disable scripting
Configure Internet Explorer to disable Active Scripting in the Internet and Local intranet zones as described in Microsoft Security Advisory (2719615). See also Securing Your Web Browser.
Use the Enhanced Mitigation Experience Toolkit (EMET)
EMET is a utility to configure Windows runtime mitigation features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Structured Exception Handler Overwrite Protection (SEHOP). These features, particularly the combination of system-wide DEP and ASLR, make it more difficult for an attacker to successfully exploit a vulnerability. Configure EMET for Internet Explorer as described in Microsoft Security Advisory (2719615).
References
- Microsoft Security Advisory (2719615)
- Microsoft Security Advisory: Vulnerability in Microsoft XML Core Services could allow remote code execution
- NVD Vulnerability Summary for CVE-2012-1889
- Microsoft XML vulnerability under active exploitation
- European aeronautical supplier's website infected with "state-sponsored" zero-day exploit
- Securing Your Web Browser
- Application Compatibility Database
Revision History
- June 22, 2012: Initial release
- TA12-164A: Microsoft Updates for Multiple Vulnerabilities
Original release date: June 12, 2012 | Last revised: —
Systems Affected
- Microsoft Windows
- Microsoft Internet Explorer
- Microsoft .NET Framework
- Microsoft Office
- Microsoft Visual Basic for Applications
- Microsoft Dynamics AX
Overview
Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.
Description
The Microsoft Security Bulletin Summary for June 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities. Additional details for MS12-042 can be found in US-CERT vulnerability note VU#649219.
Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution
Apply updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for June 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.
References
- Microsoft Security Bulletin Summary for June 2012 – <http://technet.microsoft.com/en-us/security/bulletin/ms12-jun>
- US-CERT Vulnerability Note VU#649219 – <http://www.kb.cert.org/vuls/id/649219>
- Microsoft Windows Server Update Services – <http://technet.microsoft.com/en-us/wsus/default.aspx>
- Microsoft Update – <https://www.update.microsoft.com/>
- Microsoft Update Overview – <http://www.microsoft.com/security/updates/mu.aspx>
- Turn Automatic Updating On or Off – <http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off>
Revision History
- June 12, 2012: Initial release
- TA12-156A: Microsoft Windows Unauthorized Digital Certificates
Original release date: June 04, 2012 | Last revised: —
Systems Affected
All supported versions of Microsoft Windows, including:
- Windows XP and Server 2003
- Windows Vista and Server 2008
- Windows 7 and Server 2008 R2
- Windows 8 Consumer Preview
- Windows Mobile and Phone
Overview
X.509 digital certificates published by the Microsoft Terminal Services licensing certificate authority (CA) can be illegitimately used to sign code. This problem was discovered in the Flame malware. Microsoft has released updates to revoke trust in the affected certificates.
Description
Microsoft Security Advisory (2718704) warns of active attacks using illegitimate certificates published by the Microsoft Terminal Services licensing certificate authority (CA). There appear to be problems with some combination of weak cryptography and certificate usage configuration. From an MSRC blog post:
We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.
From another MSRC blog post:
What we found is that certificates published by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft. Specifically, when an enterprise customer requests a Terminal Services activation license, the certificate published by Microsoft in response to the request allows code signing without accessing Microsoft’s internal PKI infrastructure.
The following details about the affected certificates were provided in Microsoft Security Advisory (2718704):
Certificate: Microsoft Enforced Licensing Intermediate PCA
Issued by: Microsoft Root Authority
Thumbprint: 2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70
Certificate: Microsoft Enforced Licensing Intermediate PCA
Issued by: Microsoft Root Authority
Thumbprint: 3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08
Certificate: Microsoft Enforced Licensing Registration Authority CA (SHA1)
Issued by: Microsoft Root Certificate Authority
Thumbprint: fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97
Impact
An attacker could obtain a certificate that could be used to illegitimately sign code as Microsoft. The signed code could then be used in a variety of attacks in which the code would appear to be trusted by Windows.
An attacker could offer software that appeared to be signed by a valid and trusted Microsoft certificate chain. As noted in an MSRC blog post, "…some components of the [Flame] malware have been signed by certificates that allow software to appear as if it was produced by Microsoft."
Solution
It is important to act quickly to revoke trust in the affected certificates. Any certificates published by the Microsoft Terminal Services licensing certificate authority (CA) could be used for illegitimate purposes and should not be trusted.
Apply updates
Apply the appropriate versions of KB2718704 to add the affected certificates to the Untrusted Certificate Store. Updates will reach most users via automatic updates and Windows Server Update Services (WSUS).
Revoke trust in affected certificates
Manually add the affected certificates to the Untrusted Certificate Store. The Certificates MMC snap-in and the Certutil command can be used on Windows systems.
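As an added check that is not part of the advisory (example code, not Microsoft's or US-CERT's), the following Python script matches exported certificates, or a thumbprint pasted from the Certificates snap-in, against the three thumbprints the advisory lists. It relies only on the fact that a Windows certificate thumbprint is the SHA-1 digest of the certificate's DER encoding; the PEM input it tests with is constructed and is not a real certificate.

```python
"""Match certificates against the thumbprints revoked by Security Advisory 2718704.

A Windows thumbprint is the SHA-1 hash of the certificate's DER bytes, so any
.cer file exported from a signed binary's chain or from a certificate store can
be hashed and compared with the advisory's list without trusting its contents.
"""
import base64
import hashlib
import re

# Thumbprints exactly as printed in Microsoft Security Advisory (2718704).
# The "(1)" and "(2)" labels are ours: the advisory lists two different
# certificates under the same name.
ADVISORY_THUMBPRINTS = {
    "Microsoft Enforced Licensing Intermediate PCA (1)":
        "2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70",
    "Microsoft Enforced Licensing Intermediate PCA (2)":
        "3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08",
    "Microsoft Enforced Licensing Registration Authority CA (SHA1)":
        "fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97",
}


def normalize_thumbprint(text):
    """Accept '2a 83 ... 70', '2A:83:...' or bare hex and return 40 upper-case hex digits."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", text).upper()
    if len(hexdigits) != 40:
        raise ValueError("a SHA-1 thumbprint has 40 hex digits")
    return hexdigits


# Normalised thumbprint -> advisory certificate name.
REVOKED = {normalize_thumbprint(v): k for k, v in ADVISORY_THUMBPRINTS.items()}

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def certificates_in(blob):
    """Yield DER-encoded certificates from a PEM bundle, or the blob itself if it is DER."""
    pems = PEM_RE.findall(blob)
    if pems:
        for body in pems:
            yield base64.b64decode(b"".join(body.split()))
    else:
        yield blob


def thumbprint(der):
    """Windows-style thumbprint: SHA-1 over the DER encoding, upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()


def lookup(thumbprint_text):
    """Name of the advisory certificate with this thumbprint, or None."""
    return REVOKED.get(normalize_thumbprint(thumbprint_text))


def match_advisory(blob):
    """Return [(thumbprint, advisory name)] for every certificate in blob the advisory revokes."""
    found = []
    for der in certificates_in(blob):
        tp = thumbprint(der)
        if tp in REVOKED:
            found.append((tp, REVOKED[tp]))
    return found


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            for tp, name in match_advisory(f.read()):
                print(f"{path}: {tp} matches revoked '{name}'")
```

Run it with one or more .cer or .pem files as arguments; a match means the chain includes one of the revoked licensing CA certificates and the file should not be trusted.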
References
- US-CERT Current Activity: Unauthorized Microsoft Digital Certificates – <https://www.us-cert.gov/current/#microsoft_unauthorized_digital_certificates>
- Microsoft Security Advisory (2718704) – <https://technet.microsoft.com/en-us/security/advisory/2718704>
- Unauthorized digital certificates could allow spoofing – <http://support.microsoft.com/kb/2718704>
- Microsoft certification authority signing certificates added to the Untrusted Certificate Store – <https://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx?Redirected=true>
- Microsoft releases Security Advisory 2718704 – <https://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx>
- Windows Server Update Services – <http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx>
- Certutil – <http://technet.microsoft.com/en-us/library/cc732443%28v=ws.10%29.aspx>
- How to: View Certificates with the MMC Snap-in – <http://msdn.microsoft.com/en-us/library/ms788967.aspx>
Revision History
- June 04, 2012: Initial release
- TA12-129A: Microsoft Updates for Multiple Vulnerabilities
Original release date: May 08, 2012 | Last revised: —
Systems Affected
- Microsoft Windows
- Microsoft .NET Framework
- Microsoft Office
- Microsoft Silverlight
Overview
Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.
Description
The Microsoft Security Bulletin Summary for May 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.
Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution
Apply updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for May 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.
References
- Microsoft Security Bulletin Summary for May 2012 – <http://technet.microsoft.com/en-us/security/bulletin/ms12-may>
- Microsoft Windows Server Update Services – <http://technet.microsoft.com/en-us/wsus/default.aspx>
- Microsoft Update – <https://www.update.microsoft.com/>
- Microsoft Update Overview – <http://www.microsoft.com/security/updates/mu.aspx>
- Turn Automatic Updating On or Off – <http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off>
Revision History
- May 08, 2012: Initial release
- TA12-101B: Adobe Reader and Acrobat Security Updates and Architectural Improvements
Original release date: April 10, 2012 | Last revised: —
Systems Affected
- Adobe Reader X (10.1.2) and earlier 10.x versions for Windows and Macintosh
- Adobe Reader 9.5 and earlier 9.x versions for Windows, Macintosh, and UNIX
- Adobe Acrobat X (10.1.2) and earlier 10.x versions for Windows and Macintosh
- Adobe Acrobat 9.5 and earlier 9.x versions for Windows and Macintosh
Overview
Adobe has released Security Bulletin APSB12-08, which describes multiple vulnerabilities affecting Adobe Reader and Acrobat. As part of this update, Adobe Reader and Acrobat 9.x will use the system-wide Flash Player browser plug-in instead of the Authplay component. In addition, Reader and Acrobat now disable the rendering of 3D content by default.
Description
Adobe Security Bulletin APSB12-08 describes a number of vulnerabilities affecting Adobe Reader and Acrobat. These vulnerabilities affect Adobe Reader and Acrobat versions 9.x through 9.5, and Reader X and Acrobat X versions prior to 10.1.3.
The Adobe ASSET blog provides additional details on new security architecture changes to Adobe Reader and Acrobat. Adobe Reader and Acrobat 9.5.1 will use the Adobe Flash Player plug-in version installed on the user’s system rather than the Authplay component that ships with Adobe Reader and Acrobat. This change helps limit the number of out-of-date, vulnerable Flash runtimes available to an attacker. Adobe Reader and Acrobat 9.5.1 also now disable rendering of 3D content by default because the 3D rendering components have a history of vulnerabilities.
US-CERT recommends that Flash users upgrade to the latest version of Adobe Flash Player and turn on automatic updates.
An attacker could exploit these vulnerabilities by convincing a user to open a specially crafted PDF file. This can happen automatically as the result of viewing a webpage.
Impact
These vulnerabilities could allow a remote attacker to execute arbitrary code, write arbitrary files or folders to the file system, escalate local privileges, or cause a denial of service on an affected system as the result of a user opening a malicious PDF file.
Solution
Update Reader
Adobe has released updates to address this issue. Users are encouraged to read Adobe Security Bulletin APSB12-08 and update vulnerable versions of Adobe Reader and Acrobat.
In addition to updating, please consider the following mitigations.
Disable JavaScript in Adobe Reader and Acrobat
Disabling JavaScript may prevent some exploits from resulting in code execution. You can disable Acrobat JavaScript using the Preferences menu (Edit -> Preferences -> JavaScript; uncheck Enable Acrobat JavaScript).
Adobe provides a framework to blacklist specific JavaScript APIs. If JavaScript must be enabled, this framework may be useful when specific APIs are known to be vulnerable or used in attacks.
Prevent Internet Explorer from automatically opening PDF files
The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to a safer option that prompts the user by importing the following as a .REG file:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00
Disable the display of PDF files in the web browser
Preventing PDF files from opening inside a web browser will partially mitigate this vulnerability. Applying this workaround may also mitigate future vulnerabilities.
To prevent PDF files from automatically being opened in a web browser, do the following:
1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the Preferences option.
4. Choose the Internet section.
5. Uncheck the "Display PDF in browser" checkbox.
Do not access PDF files from untrusted sources
Do not open unfamiliar or unexpected PDF files, particularly those hosted on websites or delivered as email attachments. Please see Cyber Security Tip ST04-010.
References
- Security update available for Adobe Reader and Acrobat – <https://www.adobe.com/support/security/bulletins/apsb11-30.html>
- Adobe Reader and Acrobat JavaScript Blacklist Framework – <http://kb2.adobe.com/cps/504/cpsid_50431.html>
- Background on Security Bulletin APSB12-08 – <http://blogs.adobe.com/asset/2012/04/background-on-security-bulletin-apsb12-08.html>
- Adobe Flash Player – <http://get.adobe.com/flashplayer/>
- Adobe Flash vulnerability affects Flash Player and other Adobe products – <http://www.kb.cert.org/vuls/id/259425>
- Vulnerability Notes with advice to disable 3D rendering – <http://www.kb.cert.org/vuls/bypublished?searchview&query=rt3d.dll>
Revision History
- April 10, 2012: Initial release
- TA12-101A: Microsoft Updates for Multiple Vulnerabilities
Original release date: April 10, 2012 | Last revised: —
Systems Affected
- Microsoft Windows
- Microsoft Internet Explorer
- Microsoft .NET Framework
- Microsoft Office
- Microsoft Server Software
- Microsoft SQL Server
- Microsoft Developer Tools
- Microsoft Forefront Unified Access Gateway
Overview
There are multiple vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft .NET Framework, Microsoft Office, Microsoft Server Software, Microsoft SQL Server, Microsoft Developer Tools, and Microsoft Forefront Unified Access Gateway. Microsoft has released updates to address these vulnerabilities.
Description
The Microsoft Security Bulletin Summary for April 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.
Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution
Apply updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for April 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.
References
- Microsoft Security Bulletin Summary for April 2012 – <http://technet.microsoft.com/en-us/security/bulletin/ms12-apr>
- Microsoft Windows Server Update Services – <http://technet.microsoft.com/en-us/wsus/default.aspx>
- Microsoft Update – <https://www.update.microsoft.com/>
- Microsoft Update Overview – <http://www.microsoft.com/security/updates/mu.aspx>
- Turn Automatic Updating On or Off – <http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off>
Revision History
- April 10, 2012: Initial release
- TA12-073A: Microsoft Updates for Multiple Vulnerabilities
Original release date: March 13, 2012
Last revised: —
Source: US-CERT
Systems Affected
- Microsoft Windows
- Microsoft Visual Studio
- Microsoft Expression Design
Overview
There are multiple vulnerabilities in Microsoft Windows, Microsoft Visual Studio, and Microsoft Expression Design. Microsoft has released updates to address these vulnerabilities.
I. Description
The Microsoft Security Bulletin Summary for March 2012 describes multiple vulnerabilities in Microsoft Windows, Microsoft Visual Studio, and Microsoft Expression Design. Microsoft has released updates to address the vulnerabilities.
II. Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
III. Solution
Apply updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for March 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.
IV. References
- Microsoft Security Bulletin Summary for March 2012 – <https://technet.microsoft.com/en-us/security/bulletin/ms12-mar>
- Microsoft Windows Server Update Services – <http://technet.microsoft.com/en-us/wsus/default.aspx>
- Microsoft Update – <https://www.update.microsoft.com/>
- Microsoft Update Overview – <http://www.microsoft.com/security/updates/mu.aspx>
- Turn Automatic Updating On or Off – <http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off>
Feedback can be directed to US-CERT.
Produced 2012 by US-CERT, a government organization. Terms of use
Revision History
- March 13, 2012: Initial release
- TA12-045A: Microsoft Updates for Multiple Vulnerabilities
Original release date: February 14, 2012
Last revised: —
Source: US-CERT
Systems Affected
- Microsoft Windows
- Microsoft Internet Explorer
- Microsoft .NET Framework
- Microsoft Silverlight
- Microsoft Office
- Microsoft Server Software
Overview
There are multiple vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft .NET Framework, Silverlight, Office, and Microsoft Server Software. Microsoft has released updates to address these vulnerabilities.
I. Description
The Microsoft Security Bulletin Summary for February 2012 describes multiple vulnerabilities in Microsoft Windows. Microsoft has released updates to address the vulnerabilities.
II. Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
III. Solution
Apply updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for February 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.
IV. References
- Microsoft Security Bulletin Summary for February 2012 – <https://technet.microsoft.com/en-us/security/bulletin/ms12-feb>
- Microsoft Windows Server Update Services – <http://technet.microsoft.com/en-us/wsus/default.aspx>
- Microsoft Update – <https://www.update.microsoft.com/>
- Microsoft Update Overview – <http://www.microsoft.com/security/updates/mu.aspx>
- Turn Automatic Updating On or Off – <http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off>
Revision History
- February 14, 2012: Initial release
- TA12-024A: "Anonymous" DDoS Activity
Original release date: January 24, 2012
Last revised: —
Source: US-CERT
Overview
US-CERT has received information from multiple sources about coordinated distributed denial-of-service (DDoS) attacks with targets that included U.S. government agency and entertainment industry websites. The loosely affiliated collective "Anonymous" allegedly promoted the attacks in response to the shutdown of the file hosting site MegaUpload and in protest of proposed U.S. legislation concerning online trafficking in copyrighted intellectual property and counterfeit goods (Stop Online Piracy Act, or SOPA, and Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act, or PIPA).
I. Description
US-CERT has evidence of two types of DDoS attacks: one using HTTP GET requests and another using a simple UDP flood.
The Low Orbit Ion Cannon (LOIC) is a denial-of-service attack tool associated with previous Anonymous activity. US-CERT has reviewed at least two implementations of LOIC. One variant is written in JavaScript and is designed to be used from a web browser. An attacker can access this variant of LOIC on a website and select targets, specify an optional message, throttle attack traffic, and monitor attack progress. A binary variant of LOIC includes the ability to join a botnet to allow nodes to be controlled via IRC or RSS command channels (the "HiveMind" feature).
The following is a sample of LOIC traffic recorded in a web server log:
"GET /?id=1327014400570&msg=We%20Are%20Legion! HTTP/1.1" 200 99406 "hxxp://pastehtml.com/view/blafp1ly1.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
The following sites have been identified in HTTP referrer headers of suspected LOIC traffic. This list may not be complete. Please do not visit any of the links as they may still host functioning LOIC or other malicious code.
"hxxp://3g.bamatea.com/loic.html"
"hxxp://anonymouse.org/cgi-bin/anon-www.cgi/"
"hxxp://chatimpacto.org/Loic/"
"hxxp://cybercrime.hostzi.com/Ym90bmV0/loic/"
"hxxp://event.seeho.co.kr/loic.html"
"hxxp://pastehtml.com/view/bl3weewxq.html"
"hxxp://pastehtml.com/view/bl7qhhp5c.html"
"hxxp://pastehtml.com/view/blafp1ly1.html"
"hxxp://pastehtml.com/view/blakyjwbi.html"
"hxxp://pastehtml.com/view/blal5t64j.html"
"hxxp://pastehtml.com/view/blaoyp0qs.html"
"hxxp://www.lcnongjipeijian.com/loic.html"
"hxxp://www.rotterproxy.info/browse.php/704521df/ccc21Oi8/vY3liZXJ/jcmltZS5/ob3N0emk/uY29tL1l/tOTBibVY/wL2xvaWM/v/b5/fnorefer"
"hxxp://www.tandycollection.co.kr/loic.html"
"hxxp://www.zgon.cn/loic.html"
"hxxp://zgon.cn/loic.html"
"hxxp://www.turbytoy.com.ar/admin/archivos/hive.html"
The following are the A records for the referrer sites as of January 20, 2012:
3g[.]bamatea[.]com A 218[.]5[.]113[.]218
cybercrime[.]hostzi[.]com A 31[.]170[.]161[.]36
event[.]seeho[.]co[.]kr A 210[.]207[.]87[.]195
chatimpacto[.]org A 66[.]96[.]160[.]151
anonymouse[.]org A 193[.]200[.]150[.]125
pastehtml[.]com A 88[.]90[.]29[.]58
lcnongjipeijian[.]com A 49[.]247[.]252[.]105
www[.]rotterproxy[.]info A 208[.]94[.]245[.]131
www[.]tandycollection[.]co[.]kr A 121[.]254[.]168[.]87
www[.]zgon[.]cn A 59[.]54[.]54[.]204
www[.]turbytoy[.]com[.]ar A 190[.]228[.]29[.]84
The HTTP requests contained an "id" value based on UNIX time and a user-defined "msg" value, for example:
GET /?id=1327014189930&msg=%C2%A1%C2%A1NO%20NOS%20GUSTA%20LA%20
Other "msg" examples:
msg=%C2%A1%C2%A1NO%20NOS%20GUSTA%20LA%20
msg=:)
msg=:D
msg=Somos%20Legion!!!
msg=Somos%20legi%C3%B3n!
msg=Stop%20S.O.P.A%20:)%20%E2%99%AB%E2%99%AB HTTP/1.1" 200 99406 "http://pastehtml.com/view/bl7qhhp5c.html"
msg=We%20Are%20Legion!
msg=gh
msg=open%20megaupload
msg=que%20sepan%20los%20nacidos%20y%20los%20que%20van%20a%20nacer%20que%20nacimos%20para%20vencer%20y%20no%20para%20ser%20vencidos
msg=stop%20SOPA!!
msg=We%20are%20Anonymous.%20We%20are%20Legion.%20We%20do%20not%20forgive.%20We%20do%20not%20forget.%20Expect%20us!
The "msg" field can be arbitrarily set by the attacker.
As of January 20, 2012, US-CERT has observed another attack that consists of UDP packets on ports 25 and 80. The packets contained a message followed by variable amounts of padding, for example:
66:6c:6f:6f:64:00:00:00:00:00:00:00:00:00 | flood.........
Target selection, timing, and other attack activity is often coordinated through social media sites or online forums.
US-CERT is continuing research efforts and will provide additional data as it becomes available.
III. Solution
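Before the mitigation checklist, a defender will usually want to confirm that the traffic they are seeing matches the two patterns described in the Description section. The following Python script is an added example, not code from the alert or from US-CERT: it parses web server log lines in the common "combined" format, flags GET requests whose "id" parameter decodes to a UNIX time close to the log timestamp and that also carry a "msg" parameter, records whether the referrer is one of the hosts listed above, and checks a UDP payload for the "flood" marker followed only by NUL padding. The log lines, source addresses and the referrer-host subset are constructed for the example; treating "id" as milliseconds (consistent with the 13-digit values quoted above) and the one-hour tolerance are assumptions.

```python
import re
import urllib.parse
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines in Apache/nginx "combined" log format. The first and
# third reproduce the request shape quoted in the alert; the second is benign.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Jan/2012:23:06:40 +0000] "GET /?id=1327014400570&msg=We%20Are%20Legion! HTTP/1.1" 200 99406 "http://pastehtml.com/view/blafp1ly1.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
198.51.100.7 - - [19/Jan/2012:23:06:41 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Jan/2012:23:06:41 +0000] "GET /?id=1327014401102&msg=Somos%20Legion!!! HTTP/1.1" 200 99406 "http://pastehtml.com/view/blafp1ly1.html" "Mozilla/5.0"
"""

# Subset of the referrer hosts listed in the alert (hostnames only, constructed subset).
KNOWN_LOIC_REFERRER_HOSTS = {
    "pastehtml.com", "3g.bamatea.com", "chatimpacto.org",
    "cybercrime.hostzi.com", "event.seeho.co.kr", "www.turbytoy.com.ar",
}

# Combined log format: src ident user [timestamp] "request" status size "referrer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)


def classify_http_line(line, slack_seconds=3600):
    """Return a finding dict for a LOIC-shaped request, or None.

    Signature: GET of "/" carrying an "id" parameter that decodes to a UNIX
    time (assumed to be milliseconds) within slack_seconds of the log
    timestamp, plus a "msg" parameter. A referrer on the known-host list is
    recorded as a second, independent indicator.
    """
    m = LOG_RE.match(line)
    if not m or m.group("method") != "GET":
        return None
    url = urllib.parse.urlsplit(m.group("target"))
    params = urllib.parse.parse_qs(url.query, keep_blank_values=True)
    if url.path != "/" or "id" not in params or "msg" not in params:
        return None
    id_value = params["id"][0]
    if not id_value.isdigit():
        return None
    log_time = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    id_time = datetime.fromtimestamp(int(id_value) / 1000, tz=timezone.utc)
    if abs((log_time - id_time).total_seconds()) > slack_seconds:
        return None  # "id" is not a current timestamp; not this tool's pattern
    indicators = ["id_is_current_unix_time"]
    ref_host = urllib.parse.urlsplit(m.group("referrer")).hostname or ""
    if ref_host in KNOWN_LOIC_REFERRER_HOSTS:
        indicators.append("referrer_known_loic_host")
    return {
        "src": m.group("src"),
        "msg": params["msg"][0],  # parse_qs has already percent-decoded it
        "referrer_host": ref_host,
        "indicators": indicators,
    }


def detect_loic_http(lines):
    """Run the classifier over an iterable of log lines and return the findings."""
    return [f for f in (classify_http_line(l) for l in lines) if f]


def sources_by_hits(findings):
    """Count findings per source address, to prioritise blocks or upstream filtering requests."""
    return Counter(f["src"] for f in findings)


def is_loic_udp_payload(payload):
    """Match the UDP flood variant: the ASCII marker 'flood' followed only by NUL padding."""
    return payload.startswith(b"flood") and not payload[5:].strip(b"\x00")


if __name__ == "__main__":
    hits = detect_loic_http(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h["src"], h["indicators"], repr(h["msg"]))
    print(sources_by_hits(hits))
    print(is_loic_udp_payload(bytes.fromhex("66 6c 6f 6f 64 00 00 00 00 00 00 00 00 00")))
```

The timestamp check matters because the "msg" text is attacker-chosen and the referrer list is admittedly incomplete: a request whose "id" is a fresh UNIX time is the one structural property of this tool that a block list does not depend on, while the referrer match only raises confidence.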
There are a number of mitigation strategies available for dealing with DDoS attacks, depending on the type of attack as well as the target network infrastructure. In general, the best practice defense for mitigating DDoS attacks involves advance preparation.
- Develop a checklist or Standard Operating Procedure (SOP) to follow in the event of a DDoS attack. One critical point in a checklist or SOP is to have contact information for your ISP and hosting providers. Identify who should be contacted during a DDoS, what processes should be followed, what information is needed, and what actions will be taken during the attack with each entity.
- The ISP or hosting provider may provide DDoS mitigation services. Ensure your staff is aware of the provisions of your service level agreement (SLA).
- Maintain contact information for firewall teams, IDS teams, and network teams, and ensure that it is current and readily available.
- Identify critical services that must be maintained during an attack as well as their priority. Services should be prioritized beforehand to identify what resources can be turned off or blocked as needed to limit the effects of the attack. Also, ensure that critical systems have sufficient capacity to withstand a DDoS attack.
- Have current network diagrams, IT infrastructure details, and asset inventories. This will assist in determining actions and priorities as the attack progresses.
- Understand your current environment and have a baseline of daily network traffic volume, type, and performance. This will allow staff to better identify the type of attack, the point of attack, and the attack vector used. Also, identify any existing bottlenecks and remediation actions if required.
- Harden the configuration settings of your network, operating systems, and applications by disabling services and applications not required for a system to perform its intended function.
- Implement a bogon block list at the network boundary.
- Employ service screening on edge routers wherever possible in order to decrease the load on stateful security devices such as firewalls.
- Separate or compartmentalize critical services:
  - Separate public and private services
  - Separate intranet, extranet, and internet services
  - Create single purpose servers for each service such as HTTP, FTP, and DNS
- Review the US-CERT Cyber Security Tip Understanding Denial-of-Service Attacks.
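The bogon block list item above is the one mitigation in the checklist that can be turned into configuration directly, and it is relevant here because a UDP flood may carry spoofed source addresses. The following Python snippet is an added example, not code from the alert or from Team Cymru: it parses a bogon feed in the one-prefix-per-line text style that public bogon lists use, classifies observed source addresses against it, and renders DROP rules for the border firewall's external interface. The feed contents are a constructed sample containing only the fixed, never-routable prefixes from the RFCs; a real feed also carries currently unallocated space, which changes and must be refreshed from the upstream source. The interface name eth0 and the iptables chain are assumptions.

```python
import ipaddress

# Constructed sample feed. Only the static, never-routable ("martian") prefixes
# are listed; the live bogon list additionally contains unallocated space that
# must be pulled from the upstream feed, not hardcoded.
BOGON_FEED = """\
# constructed sample bogon list
0.0.0.0/8          # "this" network
10.0.0.0/8         # RFC 1918 private
100.64.0.0/10      # shared address space (carrier NAT)
127.0.0.0/8        # loopback
169.254.0.0/16     # link local
172.16.0.0/12      # RFC 1918 private
192.0.0.0/24       # IETF protocol assignments
192.0.2.0/24       # TEST-NET-1
192.168.0.0/16     # RFC 1918 private
198.18.0.0/15      # benchmarking
198.51.100.0/24    # TEST-NET-2
203.0.113.0/24     # TEST-NET-3
224.0.0.0/4        # multicast
240.0.0.0/4        # reserved / broadcast
"""


def parse_bogon_feed(text):
    """Parse a feed into ip_network objects, ignoring blank lines and '#' comments.

    ip_network() is strict by default, so a malformed entry (host bits set)
    raises ValueError instead of silently producing a wrong prefix.
    """
    networks = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            networks.append(ipaddress.ip_network(entry))
    return networks


def is_bogon(addr, networks):
    """True if addr falls inside any listed prefix (address-family mismatches never match)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def triage_sources(addrs, networks):
    """Split observed source addresses into those to drop at the boundary and the rest."""
    drop, keep = [], []
    for a in addrs:
        (drop if is_bogon(a, networks) else keep).append(a)
    return drop, keep


def iptables_rules(networks, chain="INPUT", iface="eth0"):
    """Render DROP rules bound to the external interface only.

    RFC 1918 space is legitimate on internal links, so these rules belong on
    the border device, never on an interior interface.
    """
    return [f"iptables -A {chain} -i {iface} -s {net} -j DROP" for net in networks]


if __name__ == "__main__":
    nets = parse_bogon_feed(BOGON_FEED)
    observed = ["10.1.2.3", "11.22.33.44", "224.0.0.9"]  # constructed sample sources
    print(triage_sources(observed, nets))
    print("\n".join(iptables_rules(nets)))
```

On a real border device the same prefixes would go into an ingress ACL on the upstream-facing interface; the point of generating the rules from the feed rather than typing them is that the list can be refreshed on a schedule as allocations change.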
IV. References
- Cyber Security Tip ST04-015 – <http://www.us-cert.gov/cas/tips/ST04-015.html>
- Anonymous's response to the seizure of MegaUpload according to CNN – <http://money.cnn.com/2012/01/19/technology/megaupload_shutdown/index.htm>
- The Internet Strikes Back #OpMegaupload – <http://anonops.blogspot.com/2012/01/internet-strikes-back-opmegaupload.html>
- Twitter Post from the author of the JavaScript based LOIC code – <http://www.twitter.com/#!/mendes_rs>
- Anonymous Operations tweets on Twitter – <http://twitter.com/#!/anonops>
- @Megaupload Tweets on Twitter – <http://twitter.com/#!/search?q=%2523Megaupload>
- LOIC DDoS Analysis and Detection – <http://blog.spiderlabs.com/2011/01/loic-ddos-analysis-and-detection.html>
- Impact of Operation Payback according to CNN – <http://money.cnn.com/2010/12/08/news/companies/mastercard_wiki/index.htm>
- OperationPayback messages on YouTube – <http://www.youtube.com/results?search_query=operationpayback>
- The Bogon Reference – Team Cymru – <http://www.team-cymru.org/Services/Bogons/>
Feedback can be directed to US-CERT.
Produced 2012 by US-CERT, a government organization. Terms of use
January 24, 2012: Initial release