Smokey's Security Weblog

veritas odium parit

Out-of-band Microsoft Security Bulletin Advance Notification for July 2009

Published: July 24, 2009

Microsoft Security Bulletin Advance Notification issued: July 24, 2009
Microsoft Security Bulletins to be issued: July 28, 2009

This is an advance notification of two out-of-band security bulletins that Microsoft is intending to release on July 28, 2009. One bulletin will be for the Microsoft Visual Studio product line; application developers should be aware of updates available affecting certain types of applications. The second bulletin contains defense-in-depth changes to Internet Explorer to address attack vectors related to the Visual Studio bulletin, as well as fixes for unrelated vulnerabilities that are rated Critical. Customers who are up to date on their security updates are protected from known attacks related to this out-of-band release.

This bulletin advance notification will be replaced with an update to the Microsoft Security Bulletin Summary for July 2009 on July 28, 2009. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.

While this release is to address a single, overall issue, in order to provide the broadest protections possible to customers, we’ll be releasing two separate security bulletins, as already mentioned:

1. One Security Bulletin for Visual Studio

2. One Security Bulletin for Internet Explorer

While we can’t go into specifics about the issue prior to release, we can say that the Visual Studio bulletin will address an issue that can affect certain types of applications. The Internet Explorer bulletin will provide defense-in-depth changes to Internet Explorer to help provide additional protections for the issues addressed by the Visual Studio bulletin. The Internet Explorer update will also address vulnerabilities rated as Critical that are unrelated to the Visual Studio bulletin that were privately and responsibly reported.

Customers who are up to date on their security updates are protected from known attacks related to this Out of Band release.

A reminder that this information is subject to change and that when we do release the security bulletins, we’ll let you know through the MSRC weblog.

Signed: Microsoft Corp. – Mike Reavey

Sources of this Out-of-band Microsoft Security Bulletin and more info:

Microsoft TechNet
Microsoft Security Response Center (MSRC)


July 25, 2009 Posted by | Advisories, Alerts, Downloads, Friends, Recommended External Security Related Links

Alert: Microsoft DirectShow vulnerability used in 0-Day drive-by-download attacks

The Tech Herald | Jul 6 2009

CSIS Security is reporting the discovery of a new vulnerability within Microsoft DirectShow. The 0-Day attack is a part of a massive website hijacking operation, where exploited domains are injected with code that attempts to exploit the DirectShow vulnerability as well as other known flaws.

According to CSIS, the attacks start by compromising a legitimate website, where malicious JavaScript is embedded into the site’s code. Once the compromised page loads, the injected JavaScript forces the user to visit a sub-domain on [domain omitted]. At the time this article was published, The Tech Herald could not confirm that the sub-domain listed by CSIS was still malicious, as it was unavailable. However, [domain omitted] is online, and should be considered suspect if not blacklisted altogether.

The 0-Day vulnerability, which is a stack overflow in DirectShow MPEG2TuneRequest, can be mitigated by setting the kill bit on msVidCtl.dll. CSIS has provided the solution on their site. [Google Translated] However, this is just one of several vulnerabilities the drive-by-download attack is attempting to exploit. Once the system is compromised, a keylogger is installed, as well as a “cocktail of malicious code” CSIS said.

Microsoft Windows 2000, 2003, and XP are listed as vulnerable. No word on whether Vista or Windows 7 are at risk. We have asked Microsoft for comment and will update this story as more news comes in.

For now, CSIS is reporting that thousands of sites are using this new attack, and the ultimate landing points are starting to grow in number thanks to the exploit code being published online.

SANS is offering the best advice to IT this morning, “Please keep a watchful eye on your AV and IDS/IPS vendors updates to ensure coverage as early as possible on this exploit as it is likely to be widely deployed with the code being available.”

Update: Microsoft has released an advisory for this vulnerability:

Microsoft Security Advisory (972890)
Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution
Published: July 06, 2009

Version: 1.0

Microsoft is investigating a privately reported vulnerability in Microsoft Video ActiveX Control. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.

We are aware of attacks attempting to exploit the vulnerability.

Our investigation has shown that there are no by-design uses for this ActiveX Control in Internet Explorer which includes all of the Class Identifiers within the msvidctl.dll that hosts this ActiveX Control. For Windows XP and Windows Server 2003 customers, Microsoft is recommending removing support for this ActiveX Control within Internet Explorer using all the Class Identifiers listed in the Workaround section. Though unaffected by this vulnerability, Microsoft is recommending that Windows Vista and Windows Server 2008 customers remove support for this ActiveX Control within Internet Explorer using the same Class Identifiers as a defense-in-depth measure.

Customers may prevent the Microsoft Video ActiveX Control from running in Internet Explorer, either manually using the instructions in the Workaround section or automatically using the solution found in Microsoft Knowledge Base Article 972890. By preventing the Microsoft Video ActiveX Control from running in Internet Explorer, there is no impact to application compatibility.

Microsoft is currently working to develop a security update for Windows to address this vulnerability and will release the update when it has reached an appropriate level of quality for broad distribution.

Mitigating Factors:

• Customers who are using Windows Vista or Windows Server 2008 are not affected because the ability to pass data to this control within Internet Explorer has been restricted.

• By default, Internet Explorer on Windows Server 2003 and 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.

• By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
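Both the Tech Herald article ("setting the kill bit on msVidCtl.dll") and the advisory's Workaround refer to the Internet Explorer kill bit. What a kill bit actually is: under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility, a subkey named after the control's CLSID carries a DWORD value "Compatibility Flags"; when bit 0x400 is set, IE refuses to instantiate that class no matter what a page asks for. The advisory lists the CLSIDs to cover, but that list is not reproduced on this page, so the script below, which is an added example and not code from Microsoft, CSIS or the original post, instead discovers every CLSID whose InprocServer32 points at msvidctl.dll on the local machine and kill-bits each one in both the native and (on 64-bit Windows) the Wow6432Node location. The function names and the -DryRun switch are my own; the set of CLSIDs it finds is whatever is registered locally and should be cross-checked against the advisory's Workaround section.

```powershell
# Added example (not Microsoft's or CSIS's code): set the Internet Explorer
# kill bit for every COM class this machine registers as hosted by
# msvidctl.dll, the DLL behind the Microsoft Video ActiveX Control.
# Run from an elevated (Administrator) PowerShell prompt; restart IE afterwards.
#
# Assumption: CLSIDs are discovered from HKCR\CLSID\{...}\InprocServer32, so
# the set covered is what is registered locally, not necessarily the full
# list in the Workaround section of advisory 972890.

param(
    [string]$DllName = 'msvidctl.dll',
    [switch]$DryRun
)

# Compatibility Flags bit that tells IE never to instantiate the control.
$KillBit = 0x400

# Kill bits live here; on 64-bit Windows the 32-bit IE reads the Wow6432Node copy.
$KillBitRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path (Split-Path $_ -Parent) }

function Get-ClsidsForDll {
    # Walk HKCR\CLSID and return the {GUID} names whose in-process server is $Dll.
    param([string]$Dll)
    $pattern = [regex]::Escape($Dll)
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $inproc = Join-Path $_.PSPath 'InprocServer32'
            if (Test-Path $inproc) {
                $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
                if ($server -and $server -match $pattern) { $_.PSChildName }
            }
        }
}

function Set-IEKillBit {
    # OR the kill bit into Compatibility Flags for one CLSID, creating the key if needed.
    param([string]$Root, [string]$Clsid, [switch]$DryRun)
    $key = Join-Path $Root $Clsid
    $existing = 0
    if (Test-Path $key) {
        $prop = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($prop) { $existing = [int]$prop.'Compatibility Flags' }
    }
    $new = $existing -bor $KillBit          # preserve any flags already present
    if ($DryRun) {
        Write-Host ('[dry-run] {0} -> Compatibility Flags = 0x{1:X}' -f $key, $new)
        return
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    # Read back and verify the bit really is set before reporting success.
    $check = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
    if (($check -band $KillBit) -ne $KillBit) { throw "Kill bit not set for $Clsid under $Root" }
    Write-Host ('kill bit set: {0} (Compatibility Flags = 0x{1:X})' -f $key, $check)
}

$clsids = @(Get-ClsidsForDll -Dll $DllName)
if ($clsids.Count -eq 0) {
    Write-Warning "No CLSIDs registered for $DllName on this machine; nothing to do."
    return
}
Write-Host ('Found {0} CLSID(s) hosted by {1}' -f $clsids.Count, $DllName)
foreach ($root in $KillBitRoots) {
    foreach ($clsid in $clsids) {
        Set-IEKillBit -Root $root -Clsid $clsid -DryRun:$DryRun
    }
}
```

Run it first with -DryRun to see which CLSIDs and keys it would touch, then without. The "Fix it" package in KB 972890 writes the same registry values for the advisory's full CLSID list, so the script is mainly useful for scripted rollout or for checking what a machine already has. Note that a kill bit only stops Internet Explorer (and other hosts that honour the ActiveX Compatibility key) from creating the control; that is sufficient here because, as the advisory states, there are no by-design uses of this control in IE, so there is no application-compatibility cost.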

July 6, 2009 Posted by | Advisories, Alerts, Anti-Spyware, Anti-Virus, Friends, Malware, Recommended External Security Related Links, Vulnerabilities

McAfee VirusScan false-positive glitch fells PCs worldwide

TheRegister | 3rd July 2009

“IT admins across the globe are letting out a collective groan after servers and PCs running McAfee VirusScan were brought down when the anti-virus program attacked their core system files. In some cases, this caused the machines to display the dreaded blue screen of death.

Details are still coming in, but forums here and here show that it’s affecting McAfee customers in Germany, Italy, and elsewhere. A UK-based Reg reader, who asked to remain anonymous because he was not authorized by his employer to speak to the press, said the glitch simultaneously leveled half of a customer’s 140 machines after they updated the latest virus signature file.

“Literally half of the machines were down with this McAfee anti-virus message IDing valid programs as having this trojan,” the IT consultant said. “Literally half the office switched off their PCs and were just twiddling their thumbs.”

When the consultant returned to his office he was relieved that his own laptop, which also uses VirusScan, was working normally. Then, suddenly, when it installed the latest McAfee DAT file, his computer was also smitten. The anti-virus program identified winvnc.exe and several other legitimate files as malware and attempted to quarantine them. With several core system files out of commission, the machine was rendered an expensive paperweight.

A McAfee representative in the US didn’t immediately respond to phone calls seeking comment. Friday is a holiday for many US employees in observance of Saturday’s Independence Day.

Based on anecdotes, the glitch appears to be caused when older VirusScan engines install DAT 5664, which McAfee seems to have pushed out in the past 24 hours. Affected systems then begin identifying a wide variety of legitimate – and frequently crucial – system files as malware. Files belonging to Microsoft Internet Explorer, drivers for Compaq computers, and even the McAfee-associated McScript.exe were being identified as a trojan called PWS!, according to the posts and interviews.”

Fix/solution: McAfee Support Forum

July 4, 2009 Posted by | Advisories, Alerts, Anti-Virus, Friends, Malware, Recommended External Security Related Links