Microsoft Releases MS10-070 Out-Of-Band

Microsoft has released a security bulletin (MS10-070) out-of-band for the zero day vulnerability affecting ASP.NET in the .NET Framework.  Security Advisory 2416728 was released on September 17th detailing the vulnerability.  Microsoft has seen limited attacks that are bypassing workarounds, prompting an out-of-band release for this vulnerability.

This security bulletin affects all supported versions of .NET on all currently supported operating systems.  It is important to note that machines will only be vulnerable if they have a web server on the system. 

It is also important to note that this patch is currently available only on the Microsoft Download Center.  Although the patch has been thoroughly tested and is ready for release, the Microsoft patching products are not yet ready for the update.  Administrators using WSUS or Windows Update will not see this patch available at this time.  Microsoft is planning on adding this patch to their patching products later this week.

In the meantime, administrators using WSUS should identify web servers that are using ASP.NET, download the patch, and apply the patch manually or use another non-Microsoft patching product to identify and patch the vulnerability.

With any zero day vulnerability that prompts an out-of-band release, it is extremely critical that you address the vulnerability as soon as possible.

– Jason Miller

New Microsoft Security Advisory – 2416728

Microsoft released a new Security Advisory last Friday.  Security Advisory 2416728 addresses a publicly disclosed vulnerability that affects all versions of the .NET Framework.  There have been no reports of attacks at this time.

The vulnerability could allow attackers to view data through Information Disclosure.  Microsoft is currently working on a patch to fix this issue.

The SRD team at Microsoft has posted information to help determine if you have any ASP.NET application configurations that may be vulnerable to attack.  In addition, the Security Advisory has posted some workarounds to help mitigate the risk until the patch is available.

– Jason Miller

New Version Of Adobe Flash To Be Available Monday

Adobe announced they will be providing an update to the Adobe Flash Player this Monday, September 20th.  This security bulletin will address the actively exploited vulnerability in Security Advisory APSA10-03.  This bulletin will only be patching the Adobe Flash Player.  Adobe is stating “Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.”  The patch for Adobe Reader and Acrobat will come with the scheduled patch for Security Advisory APSA10-02.  This security bulletin is scheduled to be released during the week of October 4, 2010.

– Jason Miller

September 2010 Patch Tuesday Overview

Microsoft has released 9 new security bulletins addressing 11 vulnerabilities.  This is another big month for patching, and if it seems like there have been more security bulletins released by Microsoft this year, you would be correct.  Last year through September Patch Tuesday, Microsoft released 49 new security bulletins.  This year through this patch Tuesday, Microsoft has already released 69 new security bulletins.

For the September 2010 patch Tuesday, it is especially important for IT administrators to read these bulletins and determine how they affect their individual environments as today’s bulletins apply to special configurations.  The two bulletins administrators should address first and foremost are MS10-061 and MS10-062.

First, MS10-061 fixes a vulnerability in the Print Spooler Service in Windows XP.  If you are running Windows XP and sharing a printer, attackers can compromise the machine with an over-the-network print request.  This vulnerability was found in the Stuxnet malware family and it is currently being exploited in the wild.  The Stuxnet malware family has led to a couple of patches for zero-day exploits, such as MS10-046.  MS10-046 was released out-of-band to fix the Windows LNK vulnerability.  The Stuxnet malware family prompted this release as it was exploiting the vulnerability as a zero-day.

MS10-062 fixes a vulnerability in the MPEG-4 codec on Windows operating systems.  If a user opens a specially crafted malicious media file (AVI) with a media player, an attacker can take control of the machine via remote code execution.  Viewing media formats is becoming more and more common for both work and home users.  It is not safe to assume that media viewing only occurs at home and not on your network.  Media file distribution can happen in many ways such as visiting a website that hosts malicious media files, viewing media files from a streaming server or opening the slapstick funny email attachment from your friends.

There is one last bulletin that should be on your radar for this month.  As with quite a few of the bulletins this month, only certain configurations of the software are affected by the vulnerabilities.  With MS10-064, Microsoft Outlook that is connected to your Microsoft Exchange Server and has Online Mode configured can result in the system being vulnerable to attacks.  In this configuration, opening a malicious RTF format document in the Outlook preview pane can lead to remote code execution.  In most configurations, however, Outlook is set to use Cached Exchange mode for email handling.

There is also some news on the Adobe patching front.  Yesterday Adobe announced they will be releasing a patch for their security advisory APSA10-02 during the week of October 4, 2010.  This security bulletin will address a vulnerability affecting Adobe Reader and Acrobat that is currently being exploited in the wild.  In addition, Adobe announced a new security advisory with APSA10-03.  This advisory applies to a vulnerability for Adobe Flash Player, Adobe Reader and Adobe Acrobat.  This vulnerability is also being exploited in the wild.

– Jason Miller

New Adobe Vulnerability Announced

Adobe released a new security advisory affecting Adobe Reader / Acrobat versions 9.3.4 and earlier.  A critical vulnerability in the software can lead to remote code execution.  Adobe is also reporting this vulnerability is currently being exploited in the wild.  In addition, the exploit code for this vulnerability has been made publicly available.

More information can be found on the Adobe Security Advisory APSA10-02 page.

The timing of a patch to fix this vulnerability is a little hazy at this time.  The Adobe Security Advisory page is stating “Adobe is in the process of evaluating the schedule for an update to resolve this vulnerability.”  With Patch Tuesday right around the corner, we will have to see if Adobe can get a patch in place before then.

– Jason Miller

September 2010 Patch Tuesday Preview

Microsoft announced their September 2010 patch day advance notification yesterday.  They are planning on releasing 9 security bulletins that will address 11 vulnerabilities.  This month would typically mark a lower number of security bulletins, but we are seeing quite a few this time.  In addition to these bulletins, you should look at addressing the non-Microsoft critical security bulletins released this week if you have not done so yet.

September Patch Tuesday Overview

  • 4 bulletins are rated as Critical
  • 5 bulletins are rated as Important
  • 7 vulnerabilities can lead to Remote Code Execution
  • 2 vulnerabilities can lead to Elevation of Privilege
  • All supported Windows operating systems are affected
  • Microsoft Office (Outlook) XP, 2003, and 2007

– Jason Miller

This Week In Patching – 9/10/2010

It has been too quiet for too long on the non-Microsoft patching front.  Quite a few vendors released critical security updates this week.  With Patch Tuesday rapidly approaching, you should look at adding these to your patching list.

Opera 10.62

SeaMonkey 2.0.7

  • Released 9/7/2010
  • Fixes:
    10 Critical Vulnerabilities
    2 High Vulnerabilities
    1 Moderate Vulnerability
    1 Low Vulnerability

Firefox 3.6.9

  • Released 9/7/2010
  • Fixes:
    10 Critical Vulnerabilities
    1 High Vulnerability
    1 Moderate Vulnerability
    2 Low Vulnerabilities

Firefox 3.5.12

  • Released 9/7/2010
  • Fixes:
    10 Critical Vulnerabilities
    2 High Vulnerabilities
    1 Moderate Vulnerability
    1 Low Vulnerability

Thunderbird 3.0.7

  • Released 9/7/2010
  • Fixes:
    10 Critical Vulnerabilities
    2 High Vulnerabilities
    1 Moderate Vulnerability
    1 Low Vulnerability

Thunderbird 3.1.3

  • Released 9/7/2010
  • Fixes:
    10 Critical Vulnerabilities
    1 High Vulnerability
    1 Moderate Vulnerability
    2 Low Vulnerabilities

Apple Safari 5.0.2

  • Released 9/7/2010
  • Fixes:
    3 Vulnerabilities

– Jason Miller

Possible Zero Day With Internet Explorer 8

The Microsoft Security Response Center tweeted last week about a possible zero day exploit with Internet Explorer 8.  The reported vulnerability about an Internet CSS bug was publicly disclosed, but there have been no reports of attacks yet.

As Microsoft is investigating this issue, we fully expect a security advisory to be released soon.  Until Microsoft fully researches the issue, there are no actions that need to be taken.

It is very important to wait for vendor confirmation with zero day exploits.  Security researchers who publicly disclose vulnerabilities may not have all the information.  We have seen this recently with publicly disclosed information that was not entirely correct.  Vendor confirmation will provide administrators with precise information and actions they can take to help mitigate the risk.

– Jason Miller