Archive for February, 2008

ITsafe Warning 08-003

Thursday, February 14th, 2008

Title
=====

ITsafe Warning 08-003

What is it?
===========

Microsoft Security Bulletin Summary for February 2008.

What does it do?
================

Download the February security updates, including updates for Microsoft Windows, Microsoft Office, and Internet Explorer.

How do I fix it?
================

Update your copy of the software with the download available from the supplier.

For more information about updating Microsoft software see advice on the Website of our partners at Get Safe Online:

- http://www.getsafeonline.org/nqcontent.cfm?a_id=1148

Details of Specific Problem
===========================

The technical issues are described by the supplier and at the CVE website, and can be found from:

- TechNet February 2008 Security Bulletin Summary.

Notes
=====

ITsafe Warnings are issued by e-mail when significant risks have been identified that are likely to affect the majority of ITsafe users.

ITsafe Team

Making IT safe for You

http://www.itsafe.gov.uk

The UK Government Alerting and Advisory Service for Information and Communications Technologies (ICT) Security

February’s Patch Tuesday

Tuesday, February 12th, 2008

Today is the second Patch Tuesday of 2008 and here's what Microsoft have waiting for us on the download servers:

Critical:

  • Microsoft Security Bulletin MS08-007
    Vulnerability in WebDAV Mini-Redirector Could Allow Remote Code Execution (946026)
    This critical security update resolves one privately reported vulnerability in the WebDAV Mini-Redirector. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Microsoft Security Bulletin MS08-008
    Vulnerability in OLE Automation Could Allow Remote Code Execution (947890)
    This critical security update resolves a privately reported vulnerability. This vulnerability could allow remote code execution if a user viewed a specially crafted Web page. The vulnerability could be exploited through attacks on Object Linking and Embedding (OLE) Automation. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • Microsoft Security Bulletin MS08-009
    Vulnerability in Microsoft Word Could Allow Remote Code Execution (947077)
    This critical security update resolves one privately reported vulnerability in Microsoft Word that could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • Microsoft Security Bulletin MS08-010
    Cumulative Security Update for Internet Explorer (944533)
    This critical security update resolves three privately reported and one publicly reported vulnerabilities. The most serious of the vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • Microsoft Security Bulletin MS08-012
    Vulnerabilities in Microsoft Office Publisher Could Allow Remote Code Execution (947085)
    This critical security update resolves two privately reported vulnerabilities in Microsoft Office Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • Microsoft Security Bulletin MS08-013
    Vulnerability in Microsoft Office Could Allow Remote Code Execution (947108)
    This critical security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file with a malformed object inserted into the document. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Important:

  • Microsoft Security Bulletin MS08-003
    Vulnerability in Active Directory Could Allow Denial of Service (946538)
    This important security update resolves a privately reported vulnerability in implementations of Active Directory on Microsoft Windows 2000 Server and Windows Server 2003, and Active Directory Application Mode (ADAM) when installed on Windows XP Professional and Windows Server 2003. The vulnerability could allow a denial of service condition. On Windows Server 2003 and Windows XP Professional an attacker must have valid logon credentials to exploit this vulnerability. An attacker who successfully exploited this vulnerability could cause the system to stop responding or automatically restart.
  • Microsoft Security Bulletin MS08-004
    Vulnerability in Windows TCP/IP Could Allow Denial of Service (946456)
    This important update resolves a privately reported vulnerability in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart.
  • Microsoft Security Bulletin MS08-005
    Vulnerability in Internet Information Services Could Allow Elevation of Privilege (942831)
    This important update resolves a privately reported vulnerability in Internet Information Services (IIS). A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • Microsoft Security Bulletin MS08-006
    Vulnerability in Internet Information Services Could Allow Remote Code Execution (942830)
    This important update resolves a privately reported vulnerability in Internet Information Services (IIS). A remote code execution vulnerability exists in the way that IIS handles input to ASP Web pages. An attacker who successfully exploited this vulnerability could then perform actions on the IIS server with the same rights as the Worker Process Identity (WPI). The WPI is configured with Network Service account privileges by default. IIS servers with ASP pages whose application pools are configured with a WPI that uses an account with administrative privileges could be more seriously impacted than IIS servers whose application pool is configured with the default WPI settings.
  • Microsoft Security Bulletin MS08-011
    Vulnerabilities in Microsoft Works File Converter Could Allow Remote Code Execution (947081)
    This important security update resolves three privately reported vulnerabilities in the Microsoft Works File Converter. These vulnerabilities could allow remote code execution if a user opens a specially crafted Works (.wps) file with an affected version of Microsoft Office, Microsoft Works, or Microsoft Works Suite. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Also:

  • Microsoft has released seven non-security, high-priority updates on Microsoft Update.
  • Microsoft has released two non-security, high-priority updates for Windows on Windows Update.

Windows Vista SP1

Monday, February 11th, 2008

Over the past few days I've been deeply engaged in exploring Microsoft's latest and biggest update for Windows Vista so far - Vista Service Pack 1 (SP1).  Vista users will have to wait a few weeks for this update but I've been lucky enough to get my hands on an advanced copy.

So, what's the deal with SP1?  Well, think of it as a big bug fix.  Microsoft has taken some/much/all of the feedback it received from Vista users over the months that it's been out (now over a year for consumers, while businesses have been able to get their hands on it since November 2006) and put together a pack that fixes a whole raft of bugs, issues, flaws, faults, annoyances and so on.  Vista SP1 also brings the core of the OS (the kernel) in line with that of Windows Server 2008. 

So, what's SP1 like?  Well, I've now installed it on a number of systems and I've not experienced a single problem.  The service pack takes a good hour to install on some systems and requires a number of reboots, but beyond that the process is flawless.  After installation, tests I've carried out on systems seem to indicate that overall a system with SP1 installed on it is faster than one without.  Real world operations such as copying and moving files, and working with compressed folders are faster and smoother.  Also, boot up and navigating network shares are measurably faster.

Microsoft has also changed what happens to people identified as not running genuine copies of Vista SP1.  With the release version of Vista, users faced two states:

  • Reduced Functionality Mode (RFM) - This is a state where the user can only access Internet Explorer for 60 minutes at a time before being logged out.  Users can also boot into Safe Mode and access documents.  Ultimately though, Microsoft is pushing the user to get the system properly activated.  This state can be reached if the product activation period expires.
  • Non-Genuine State (NGS) - This state occurs when an activated copy of Vista fails a Web-based validation check (for example, when the user attempts to download software from the Microsoft site).  In this case, features such as the Aero UI and ReadyBoost are completely disabled.  Other features such as Windows Update offer limited functionality.

The new system is one based on nag screens and the like.

  • A nag screen to activate at logon that cannot be dismissed for 15 seconds.
  • Every hour the desktop background is switched to black (it can be changed back, but after an hour it’s set to black again).
  • Activation dialogs and balloon dialogs appear regularly.
  • Optional Windows Updates aren’t delivered.

Microsoft has also closed off a number of hacks used by Vista pirates to defeat the activation process, although this hasn't been successful in preventing all the hacks from working.

Microsoft has also made it a little harder for new Vista users to lose their logon password by asking users to provide a hint during the initial setup of Windows.

I'll keep you posted as I get more information.

Another good information source is Ed Bott's SP1 FAQ.

Not all Apple MagSafe adaptors are created equally

Monday, February 11th, 2008

The MagSafe adaptor (or, more specifically, the connector) is one aspect of Apple notebooks that I really like.  If you've not seen one it's a power connector that attaches to the notebook using a magnetic connector.  This provides a robust and easy to hook up power feed while at the same time offering protection against your notebook hitting the floor should someone trip on the cable.

It's a simple and elegant solution, but there is a hidden complexity - not all adaptors are the same.  In fact, in the US there seem to be five different MacBook/MacBook Pro/MacBook Air adaptors.  These are documented on the Apple website.

If you have multiple Apple notebooks, you want to keep track of which adaptor fits each Mac.

(Hat tip to David Morgenstern - The Apple Core)

Firefox 2.0.0.12 – Felled hours after release

Sunday, February 10th, 2008

Hours after Firefox 2.0.0.12 is released, a serious vulnerability is discovered.

You probably thought otherwise after they just released version 2.0.0.12 a couple of hours ago, that had a fix for numerous other vulnerabilities. But guess what? We are going to see 2.0.0.13 pretty soon I guess. I snared at Mozilla before: don't patch vulnerabilities for fifty percent, take the time and fix the cause. Because directory traversal through plugins is all nice and such, we don't need it. We can trick Firefox itself in traversing directories back. I found another information leak that is very serious because we are able to read out all preferences set in Firefox, or just open or include about every file stored in the Mozilla program files directory, and this without any mandatory settings or plugins.

I guess we'll be seeing 2.0.0.13 soon.