|
Shavlik Technologies on November Patch Tuesday Releases
by Jason Miller |
|
“Microsoft has released six new security bulletins in November’s Patch Tuesday. Administrators are getting a bit of a break after last month’s mammoth security bulletin release.
MS09-065 is the first bulletin administrators should address. This bulletin affects the Windows Kernel and can lead to remote execution on a target system. This bulletin addresses three vulnerabilities. One of the vulnerabilities was disclosed to Microsoft, but it was also disclosed publically. This could lead to a quick turn around on exploits for this vulnerability. This vulnerability affects the way the Windows Kernel parses Embedded OpenType fonts. These are typical on websites. If a user visits a specially crafted website, an attacker can take control of the system. The internet is one of the most popular attack vectors, so this should be patched as soon as possible on your workstations.
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
 |
The Seven Deadly Myths of Software Security | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
MS09-063 affects Windows Vista and 2008 only. The vulnerability affects a service that is on by default on those systems: Web Services on Devices API (WSDAPI). An evil attacker can send a specially crafted network packet to a target system. If successful, the attacker can take complete control of the system. It is interesting that a new service that helps with the “user experience” can cause so much harm. The WSDAPI service allows users to easily find devices such as printers and cameras on their network. This vulnerability is also not publically known at this time.
The next two security bulletins address vulnerabilities in Microsoft Excel and Microsoft Word. MS09-067 addresses eight vulnerabilities in which none are publically known for Microsoft Excel. MS09-068 affects Microsoft Word and addresses one vulnerability that is not publically known. To exploit these vulnerabilities for both bulletins, a user must open a specially crafted Excel/Word document. This could be done through a website or through an email attachment. If opened, the malicious document could lead to remote code execution on the target system. Both bulletins affect Office for Mac as well.
MS09-064 is an interesting vulnerability. If this was released six years ago, this vulnerability would be rated extremely critical. This bulletin addresses a vulnerability that only affects Windows 2000, specifically the License Logging Server. This service is on by default on Windows 2000 systems. An attacker can send a specially crafted packet to the target system that can result in remote code execution on the target system. As Windows 2000 is an aging technology, this may not affect too many organizations. It is important to note any computer running Windows 2000 today is typically a server. This could make this bulletin extremely critical as it could be a primary device on your network.
MS09-066 affects corporate networks as it addresses a vulnerability in Active Directory. A successful exploit can result in denial of service on the system. This vulnerability will be difficult to exploit though. All operating systems other than Windows 2000 require valid credentials to send a specially crafted packet. If an attacker already had valid credentials, they would do more damage than a denial of service attack on a server. For Windows 2000 servers, like MS09-064, these machines should be patched immediately. A specially crafted packet sent to a Windows 2000 machine can result in an unresponsive machine that requires an unscheduled reboot.”
Tags: Microsoft, Vulnerabilities, Windows Vista
This entry was posted on Tuesday, November 10th, 2009 at 12:10 PM and is filed under Community Manager, Patch Tuesday, Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
|
| Impact of Design On Trust We attended RSA 2010 this week where VeriSign was a Platinum Sponsor. Executive Chairman, Jim Bidzos, gave a Keynote Address on the 'Internet and Trust' explaining that without trust, people are less likely to freely share information or transact online.... Launch of VeriSign Trust Seal With the launch of the VeriSign TrustTM Seal last week, we introduced a new section to the Website dedicated to the Trust Seal. The Seal enables Websites to communicate that they are a trusted site to do business with and... New Video Player Experience Videos on www.verisign.com have a new look and feel. Users will experience an improved delivery of videos that are optimized for their available bandwidth. During playback when hovering over the video, users now have the ability to quickly share (e-mail,... |
|
| PayPal UK Launch Security Key - Guest Posting from PayPal I am happy to say they are using VeriSign Identity Protection to deliver this, which means that PayPal Customers will be able to use their token at other sites who join the VIP network. PayPal are the first UK members of the network, but there are around 30 other members in different countries around the world so you can expect to see more places where you can use your token in the UK appearing shortly. Facebook scam - Part 2 This just in from the BBC web site, Symantec have identified a virus that steals user names and passwords, nothing new there. But, if I understand this right, it is delivered through a Facebook invitation from someone you don't know and delivers malware which can then steal user names / passwords and also keylog credit card info. Survey finds passwords are not secure - well d'uh! I don't think the vendor community has been crying wolf about the problems that stronger authentication solves, more like highlighting that this problem is here and growing. Well the discussion I have had recently with many different organisations across many different industries are now resulting in more and more consumer projects in this area |
|
| Open Identity Exchange: enabling all the VISAs of identity The Open Identity Exchange was launched this morning at the RSA conference in San Francisco. It is a significant step for federated identity as it will enable US government web sites such as the NIH to embrace open identity standards... Rethinking Internet Trust and Reputation Today, we are launching the VeriSign Trust Seal, a new service for small and medium businesses with an online presence. It is a big day for everyone at VeriSign who has been working really hard on the new service the... Google Hacked or Why the Cyber World Could Get M.A.D** As the world already knows, Google and a few other prominent US companies got severely hacked around Christmas time last year. Sophos has an interesting analysis of the exploit. Web malware and a zero day vulnerability in IE6 were... |
|
