Windows Issues

Most recent Windows issues / vulnerabilities.
As you will see, many of the patches are marked bold and red.  This is done to make it clear to you,
when you scan down the page, just how many critical vulnerabilities are really endangering your computer(s),
and presenting opportunities for malware writers.  A casual sweep down the page tells an interesting story.

MOTIVATION: 95% of (KNOWN) malware CANNOT run on fully patched systems.
That means, however, that not only the operating system must be fully updated,
but of course also all other applications that you might have installed.

News

Patch Tuesday, April 2010
MS10-019 (KB981210) Vulnerability in Windows could allow Remote Code Execution
MS10-020 (KB980232) Vulnerability in SMB Client could allow Remote Code Execution
MS10-021 (KB979683) Vulnerability in Windows Kernel could allow Elevation of Privilege 
MS10-022 (KB981210) Vulnerability in VBScript Scripting Engine could allow Remote Code Execution 
MS10-023 (KB981160) Vulnerability in MS Office Publisher could allow Remote Code Execution
MS10-024 (KB981832) Vulnerability in MS Exchange could allow Denial of Service 
MS10-025 (KB980858) Vulnerability in MS Windows Media Services could allow Remote Code Execution 
MS10-026 (KB977816) Vulnerability in MS MPEG Layer-3 Codecs could allow Remote Code Execution 
MS10-027 (KB979402) Vulnerability in Windows Media Player could allow Remote Code Execution 
MS10-028 (KB981210) Vulnerability in Windows could allow Remote Code Execution 
MS10-029 (KB978338) Vulnerability in Windows ISATAP Component could allow Spoofing

Out-of-Schedule Update, 30th March 2010
MS10-018 (KB981374) Internet Explorer cumulative update Critical
Intended to fix urgent issues for old browsers (IE6.0 + 7.0) this patch also partly applies to IE 8.0; so there!
Important for everyone, in reality.  See more at TechEYE.net

Patch Tuesday, March 2010
MS10-016 (KB975561) Vulnerability in MS Windows Movie Maker could allow Remote Code Execution

Out-of-Schedule Update, 5th March 2010
(KB976002) MS Browser Choice Screen Update for EEA Users of Windows XP (NO Security Rating)
Anyway it's only for European users.  (Browser link is OK now.)

Out-of-Schedule Patches, 24th February 2010
(KB976662) Update for JavaScript handling (CJSON feature) in Internet Explorer 8 Remote Code Execution
(KB979306) Cumulative Time Zone Update  Important

Patch Tuesday, February 2010
MS10-003 (KB978214) Vulnerability in MS Office could allow Remote Code Execution
MS10-004 (KB975416) Vulnerability in MS Office (PowerPoint) could allow Remote Code Execution
MS10-005 (KB978706) Vulnerability in MS Paint could allow Remote Code Execution
MS10-006 (KB978251) Vulnerability in SMB Client could allow Remote Code Execution
MS10-007 (KB975713) Vulnerability in Windows Shell Handler could allow Remote Code Execution 
MS10-008 (KB978762) Cumulative Security Update of ActiveX Kill Bits Critical
MS10-009 (KB974145) Vulnerability in Windows TCP/IP could allow Remote Code Execution
MS10-010 (KB977894) Vulnerability in Windows Server 2008 Hyper-V could allow Denial of Service
MS10-011 (KB978037) Vulnerability in Windows Client/Server Run-time Subsystem could allow Elevation of Privilege
MS10-012 (KB971468) Vulnerability in SMB Server could allow Remote Code Execution
MS10-013 (KB977935) Vulnerability in MS DirectShow could allow Remote Code Execution
MS10-014 (KB977290) Vulnerability in Kerberos could allow Denial of Service
MS10-015 (KB977165) Vulnerability in MS DirectShow could allow Remote Code Execution

Out-of-Schedule Patches, Thursday January 21
MS10-002 (KB978207) Cumulative update for IE CRITICAL
The "Google-China Syndrome" patch. Must be installed immediately.
See more at the Register: Google's China Syndrome

Out-of-Schedule Patches, Wednesday January 20
(KB979202) Silverlight update  IMPORTANT
Security, performance and reliability enhancements.
Just interesting, this popped up real fast, as if in conjunction with the reportedly
fast-coming IE update, perhaps a coincidence.


Patch Tuesday, January 2010
MS10-001 (KB972270) Vulnerability in the Embedded OpenType Font Engine could allow Remote Code Execution 

Patch Tuesday, December 2009
MS09-069 (KB974392) Vulnerability in Local Security Auth. System could allow Remote Code Execution 
MS09-070 (KB971726) Vulnerability in Active Directory Federation Services could allow Remote Code Execution
MS09-071 (KB974318) Vulnerability in Internet Authentication Service could allow Remote Code Execution 
MS09-072 (KB976325) Cumulative Security Update for Internet Explorer (Highly) Critical 
MS09-073 (KB975539) Vulnerability in Wordpad and Office Text Converters could allow Remote Code Execution 
MS09-074 (KB967183) Vulnerability in MS Office Project could allow Remote Code Execution

Out-of-Schedule Patches, Tuesday November 24
(KB973687) Extraneous DTD call prevention patch (1) IMPORTANT  
(KB973688) Extraneous DTD call prevention patch (2) IMPORTANT  
(KB976098) Revised Daylight Saving Time patch IMPORTANT

Patch Tuesday, November 2009
MS09-063 (KB973565) Vulnerability in Web Services on Devices API could allow Remote Code Execution 
MS09-064 (KB974793) Vulnerability in License Logging Server could allow Remote Code Execution 
MS09-065 (KB969947) Vulnerabilities in Windows Kernel-mode Drivers could allow Remote Code Execution
MS09-066 (KB973309) Vulnerability in Active Directory could allow Denial of Service 
MS09-067 (KB972652) Vulnerability in MS Office Excel could allow Remote Code Execution 

Out-of-Schedule Patch, Tuesday, November 3, 2009
(KB976749) Update for IE 8.0 following security update 974455 (MS09-054)  Important

Patch Tuesday, October 2009
MS09-050 (KB975517) Vulnerabilities in SMBv2 could allow Remote Code Execution 
MS09-051 (KB955682) Vuln. in Windows Media Runtime could allow Remote Code Execution 
MS09-052 (KB974112) Vulnerabilities in Windows Media Player could allow Remote Code Execution
MS09-053 (KB965254) Vulnerabilities in FTP Service for IIS could allow Remote Code Execution 
MS09-054 (KB974455) Cumulative Security Update for Internet Explorer Critical 
MS09-055 (KB973525) Cumulative Security Update of ActiveX Kill Bits Critical 
MS09-056 (KB974571) Vulnerabilities in Windows CryptoAPI could allow Spoofing
MS09-057 (KB979059) Vulnerabilities in Indexing Service could allow Remote Code Execution 
MS09-058 (KB971486) Vulnerabilities in Windows Kernel could allow Elevation of Privilege 
MS09-059 (KB965467) Vulnerability in Local Security Auth. Subsys. Service could allow Denial of Service 
MS09-060 (KB973965) Vulnerabilities in Active Template Library (ATL) ActiveX could allow Remote Code Execution 
MS09-061 (KB974378) Vulnerabilities in MS .NET Common Lang. Runtime could allow Remote Code Execution 
MS09-062 (KB957488) Vulnerabilities in GDI+ could allow Remote Code Execution 

Patch Tuesday, September 2009
MS09-045 (KB971961) Vulnerability in JScripting Engine could allow Remote Code Execution 
MS09-046 (KB956844) Vuln. in DHTML Editing Component ActiveX Control could allow Remote Code Execution 
MS09-047 (KB973812) Vulnerabilities in Windows Media format could allow Remote Code Execution 
MS09-048 (KB967723) Vulnerabilities in Windows TCP/IP could allow Remote Code Execution 
MS09-049 (KB970710) Vulnerabilities in Wireless LAN AutoConfig Service could allow Remote Code Execution 

Out-of-Schedule Patch, Tuesday, August 28, 2009
(KB9701653) Cumulative Time Zone Update  Important

Patch Tuesday, August 2009
MS09-036 (KB970957) Vulnerability in ASP.NET in MS Windows could allow Denial of Service 
MS09-037 (KB973908) Vulnerabilities in MS Active Templ. Lib. (ATL) could allow Remote Code Execution 
MS09-038 (KB971557) Vulnerabilities in Windows Media File  Processing could allow Remote Code Execution 
MS09-039 (KB969883) Vulnerabilities in WINS could allow Remote Code Execution
MS09-040 (KB971032) Vulnerability in Message Queuing could allow Elevation of privilege
MS09-041 (KB971657) Vulnerability in Workstation Service could allow Elevation of Privilege
MS09-042 (KB960859) Vulnerability in Telnet could allow Remote Code Execution
MS09-043 (KB957638) Vulnerabilities in MS Office Web Components could allow Remote Code Execution 
MS09-044 (KB970927) Vulnerabilities in Remote Desktop Connection could allow Remote Code Execution

Urgent Out-of-Schedule Patches, Tuesday, July 28, 2009
MS09-034 (KB961051) Cumulative Security Update for Internet Explorer Critical 
MS09-035 (KB96706) Vuln. in Visual Studio Active Templ. libraries could allow Remote Code Execution

Patch Tuesday, July 2009
MS09-028 (KB971633) Vulnerabilities in MS DirectShow could allow Remote Code Execution
MS09-029 (KB961371) Vulnerabilities in Embedded OpenType Font Engine could allow Remote Code Execution
MS09-030 (KB969516) Vulnerabilities in MS Office Publisher could allow Remote Code Execution
MS09-031 (KB970953) Vulnerabilities in MS ISA Server 2006 could cause Elevation of Privilege
MS09-032 (KB973346) Cumulative Security Update of ActiveX Kill Bits  Critical 
MS09-033 (KB969856) Vulnerability in MS Virtual PC & Virtual Server could allow Elevation of privilege

Patch Tuesday, June 2009
MS09-018 (KB961055) Vulnerabilities in Active Directory could allow Remote Code Execution
MS09-019 (KB969897) Cumulative update for IE Critical
MS09-020 (KB970483) Vulnerabilities in IIS could allow Elevation of Privilege
MS09-021 (KB969462) Vulnerabilities in MS Office Excel could allow Remote Code Execution
MS09-022 (KB961501) Vulnerabilities in Windows Print Spooler could allow Remote Code Execution
MS09-023 (KB967340) Vulnerabilities in Windows Search could allow Information Disclosure
MS09-024 (KB957632) Vulnerabilities in MS Works (Home Version of Office) could allow Remote Code Execution
MS09-025 (KB968537) Vulnerabilities in Windows Kernel could allow Remote Code Execution
MS09-026 (KB970238) Vulnerabilities in RPC could allow Elevation of Privilege
MS09-027 (KB969514) Vulnerabilities in MS Office Word could allow Remote Code Execution

Patch Tuesday, May 2009
MS09-017 (KB967340) Vulnerabilities in MS Office Excel could allow Remote Code Execution 

Patch Tuesday, April 2009
MS09-009 (KB968557) Vulnerabilities in MS Office Excel could cause Remote Code Execution 
MS09-010 (KB960477) Vulnerabilities in Wordpad and Office text converters could allow Remote Code Execution  
MS09-011 (KB961373) Vulnerability in MS DirectShow could allow Remote Code Execution 
MS09-012 (KB959454) Vulnerabilities in Windows could allow Elevation of Privilege
MS09-013 (KB960803) Vulnerabilities in Windows HTTP Services could allow Remote Code Execution  
MS09-014 (KB963027) Cumulative Security Update for Internet Explorer
Critical 
MS09-015 (KB959426) Blended Threat Vuln. in SearchPath could allow Elevation of Privilege
MS09-016 (KB959420) Vulnerabilities in ISA Server & Forefront Threat Mgt. Gtw. could cause Elevation of Privilege

Patch Tuesday, March 2009
MS09-006 (KB961260) Vulnerabilities in Windows Kernel could allow Elevation of Privilege
MS09-007 (KB959239) Vulnerabilities in SChannel could allow Spoofing
MS09-008 (KB959420) Vulnerabilities in DNS and WINS Server could allow Spoofing

Patch Tuesday, February 2009
MS09-003 (KB959239) Vulnerabilities in MS Exchange could allow Remote Code Execution
MS09-004 (KB959420) Vulnerabilities in MS SQL could allow Remote Code Execution
MS09-005 (KB957634) Vulnerabilities in MS Office Visio could allow Remote Code Execution

Patch Tuesday, January 2009
MS09-001 (KB958687) Vulnerabilities in SMB could allow Remote Code Execution
MS09-002 (KB961260) Cumulative security update for Internet Explorer Critical


Urgent Out-of-Schedule Patch, Wednesday, December 17, 2008
MS08-078 (KB961051) Vulnerability in Internet Explorer could allow Remote Code Execution
As always, there is a good short article at the Inquirer.

Patch Tuesday, December 2008
MS08-070 (KB932349) Vulnerabilities in Visual Basic 6.0 Runtime (ActiveX Controls) could allow Remote Code Execution
MS08-071 (KB956802) Vulnerabilities in GDI could allow Remote Code Execution
MS08-072 (KB957173) Vulnerabilities in Microsoft Office Word could allow Remote Code Execution
MS08-073 (KB958215) Cumulative Security Update for Internet Explorer - Critical
MS08-074 (KB959070) Vulnerabilities in Microsoft Office Excel could allow Remote Code Execution
MS08-075 (KB959349) Vulnerabilities in Windows Search (optional component) could allow Remote Code Execution
MS08-076 (KB959807) Vulnerabilities in Windows Media Components could allow Remote Code Execution
MS08-077 (KB957175) Vulnerability in Microsoft Office SharePoint Server could allow Elevation of Privilege

Patch Tuesday, November 2008
MS08-068 (KB957097) Vulnerability in SMB could allow Remote Code Execution
MS08-069 (KB955218) Vulnerabilities in Microsoft XML Core Services could allow Remote Code Execution

Urgent Out-of-Schedule Patch, Tuesday, October 23, 2008
MS08-067 (KB958644) Vulnerability in Server Service could allow Remote Code Execution

Patch Tuesday, October 2008
MS08-056 (KB957699) Vulnerabilities in Microsoft Office could allow Information Disclosure
MS08-057 (KB956416) Vulnerability in Microsoft Excel could allow Remote Code Execution
MS08-058 (KB956390) Cumulative Security Update for Internet Explorer - Critical
MS08-059 (KB956695) Vulnerability in Host Integration Server RPC Service could allow Remote Code Execution
MS08-060 (KB954211) Vulnerability in Active Directory could allow Remote Code Execution
MS08-061 (KB954211) Vulnerability in Windows Kernel could allow Elevation of Privilege
MS08-062 (KB953155) Vulnerability in Windows Internet Printing Service could allow Remote Code Execution
MS08-063 (KB957095) Vulnerabilities in SMB could allow Remote Code Execution
MS08-064 (KB956841) Vulnerabilities in Virtual Address Descriptor Manipulation could allow Elevation of Privilege
MS08-065 (KB951071) Vulnerabilities in Message Queuing could allow Elevation of Privilege
MS08-066 (KB956803) Vulnerabilities in Microsoft Ancillary Function Driver could allow Elevation of Privilege

Patch Tuesday, September 2008
MS08-052 (KB954593) Vulnerabilities in GDI+  could allow Remote Code Execution
MS08-053 (KB954156) Vulnerability in Windows Media Encoder 9 could allow Remote Code Execution
MS08-054 (KB954154) Vulnerability in Windows Media Player could allow Remote Code Execution
MS08-055 (KB955047) Vulnerability in Microsoft Office could allow Remote Code Execution

Patch Tuesday, August 2008
EEYE has noted attacks re. MS08-41 and 42 prior to Microsoft's release of these two patches.
MS08-041 (KB955617) Vulnerability in ActiveX Control for Snapshot Viewer (Access) could allow Remote Code Execution
MS08-042 (KB955048) Vulnerability in Microsoft Word could allow Remote Code Execution
MS08-043 (KB954066) Vulnerability in Microsoft Excel could allow Remote Code Execution
MS08-044 (KB924090) Vulnerability in Microsoft Office Filters could allow Remote Code Execution
MS08-045 (KB953838) Cumulative Security Update for Internet Explorer Critical
MS08-046 (KB952954) Vulnerability in MS Windows Image Color Mgt. System could allow Remote Code Execution
MS08-047 (KB953733) Vulnerability in IPsec Policy Processing could allow Information Disclosure
MS08-048 (KB951066) Security Update for Outlook Express and Windows Mail - Important
MS08-049 (KB949785) Event System could allow Remote Code Execution
MS08-050 (KB955702) Vulnerability in Windows Messenger  could allow Information Disclosure
MS08-051 (KB949785) Vulnerability in Microsoft PowerPoint could allow Remote Code Execution

Patch Tuesday, July 2008 (11th July update)
MS08-037 (KB953230+KB951748) Vulnerabilities in DNS could allow Spoofing (IMPORTANT)
Warning: Please TEST this patch thoroughly before implementing! It seems to be incompatible
with ZoneAlarm Security Suite 70-470-000 and previous versions.

On CheckPoint's site, 293 complaints from VERY angry, soon-to-be-ex-customers vent their
frustration with a very inept response to a serious product error. A very typical example
of a reaction to today's support collapse is 'Big_Tom's blog entry. Says it all, really. . .
That worked!  Late on 10th July, Checkpoint Technology found the time to put out a warning,
and later to issue a new version, 70-483-000, which re-establishes the functionality.

MS08-038 (KB950582) Vulnerability in Windows Explorer could allow Remote Code Execution
MS08-039 (KB950762) Vulnerabilities in Pragmatic General Multicast (PGM) could allow Denial of Service
MS08-040 (KB950759) Vulnerabilities in MS-SQL Server could allow Elevation of Privilege

Patch Tuesday, June 2008
MS08-030 (KB951376) Vulnerability in Bluetooth Stack could allow Remote Code Execution 
MS08-031 (KB950759) Cumulative security update for Internet Explorer (Critical)
MS08-032 (KB950760) Cumulative security update of ActiveX Kill Bits (Moderate)
MS08-033 (KB951698) Vulnerabilities in DirectX could allow Remote Code Execution
MS08-034 (KB958745) Vulnerability in WINS could allow Denial of Service  
MS08-035 (KB953235) Vulnerability in Active Directory could allow Denial of Service
MS08-036 (KB950762) Vuln. in Pragmatic General Multicast (PGM) Engine could allow Denial of Service

Patch Tuesday, May 2008
MS08-026 (KB951207) Vulnerabilities in MS-Word could allow Remote Code Execution 
MS08-027 (KB951208) Vulnerabilities in MS-Publisher could allow Remote Code Execution  
MS08-028 (KB950749) Vulnerabilities in MS Jet Database Engine could allow Remote Code Execution
MS08-029 (KB952044) Vulnerabilities in MS Malware Protection Engine could allow Denial of Service


Patch Tuesday, April 2008
MS08-018 (KB950183) Vulnerability in MS-Project could allow Remote Code Execution 
MS08-021 (KB948590) Vulnerabilities in MS-Outlook could allow Remote Code Execution 
MS08-022 (KB944338) Vulnerabilities in VBScript & JScript SE's could allow Remote Code Execution
MS08-023 (KB948881) Security update of Active X Kill Bits (Critical) 
MS08-024 (KB947864) Cumulative security update for Internet Explorer (Critical)
MS08-019 (KB949032) Vulnerabilities in MS-Visio could allow Remote Code Execution
MS08-020 (KB945553) Vulnerability in DNS Client could allow Spoofing
MS08-025 (KB941693) Vulnerability in Windows Kernel could allow Elevation of Privilege


Patch Tuesday, March 2008
MS08-014 (KB949029) Vulnerabilities in MS-Excel could allow Remote Code Execution
MS08-015 (KB949031) Vulnerabilities in MS-Outlook could allow Remote Code Execution
MS08-016 (KB949030) Vulnerabilities in MS-Office could allow Remote Code Execution
MS08-017 (KB947077) Vulnerabilities in MS-Word could allow Remote Code Execution


Patch Tuesday, February 2008
MS08-007 (KB946026) Vuln. in WebDAV Mini-Redirector could allow Remote Code Execution
MS08-008 (KB947890) Vulnerabilities in OLE Automation could allow Remote Code Execution
MS08-009 (KB947077) Vulnerabilities in MS-Word could allow Remote Code Execution
MS08-010 (KB944533) Cumulative Sec. Update for Internet Explorer (Remote Code Execution)
MS08-012 (KB947085) Vulnerabilities in MS-Publisher could allow Remote Code Execution
MS08-013 (KB947108) Vulnerabilities in MS-Office could allow Remote Code Execution

MS08-003 (KB946538) Vulnerabilities in ACTIVE DIRECTORY could allow Denial of Service
MS08-004 (KB946456) Vulnerabilities in Windows TCP/IP  could allow Elevation of Privilege
MS08-005 (KB942831) Vulnerabilities in IIS could allow Elevation of Privilege
MS08-006 (KB942830) Vulnerabilities in IIS could allow Remote Code Execution
MS08-011 (KB947081) Vulnerabilities in MS-Works File Converter could allow Remote Code Execution


Patch Tuesday, January 2008
MS08-001 (KB941644) Vulnerabilities in Windows TCP/IP could allow Remote Code Execution
MS08-002 (KB943485) Vulnerabilities in LSASS TCP/IP could allow Elevation of Privilege


Patch Tuesday, December 2007
MS07-064 (KB941568) Vulnerabilities in DirectX could allow Remote Code Execution
MS07-068 (KB941569/944275) Vulnerability in WMF Format could allow Remote Code Execution
MS07-069 (KB942615) Cumulative Security Update for Internet Explorer (Critical)
MS07-063 (KB942624) Vulnerabilities in SMBv2 could allow Remote Code Execution
MS07-065 (KB937894) Vulnerabilities in Message Queuing could allow Remote Code Execution
MS07-066 (KB943078) Vulnerabilities in Windows Kernel could allow Elevation of Privilege
MS07-067 (KB944653) Vulnerabilities in Macrovision Driver could allow local Elevation of Privilege

Out-of-Schedule Issue, 4th December 2007
The Sydney Morning Herald details in this article a very serious vulnerability in MS Internet Explorer,
which originates in the way that IE automatically processes proxy settings.  This vulnerability is critical:
originally discovered in 1999 and thought to be fixed, it has surfaced again. Lately, thousands of internet
users in Britain were redirected when a criminal hacked wpad.co.uk and used the website to serve up
bogus configuration information that sent hijacked browsers to an online auction site, eebuy.co.uk.
Please apply remedial actions detailed below immediately - as no PATCH has been issued yet.

(KB945713) Internal Errors in Web Proxy Auto-Discovery (WPAD) processing could allow Remote Code Execution
The original security bulletin from December 1999 is here:
MS99-054 (KB247333) WPAD Spoofing (Critical)

Patch Tuesday, November 2007
MS07-061 (KB923810) Vulnerabilities in Windows URI could allow Remote Code Execution
MS07-062 (KB941202) Vulnerability in DNS could allow Spoofing (Medium - or perhaps Critical)
This vulnerability is critical if it is successfully exploited, particularly in conjunction with
advanced botnets, and just now the 4 STORM offspring botnets, plus the remainder of the original
STORM net, would be prime users of this vulnerability.  For this reason, this vulnerability might
have to be regarded as CRITICAL.


Patch Tuesday, October 2007
MS07-055 (KB923810) Vulnerabilities in Kodak Image Viewer could allow Remote Code Execution
MS07-056 (KB941202) Security Update for Outlook Express and Windows Mail (Critical)
MS07-057 (KB939653) Cumulative Security Update for Internet Explorer (Critical)
MS07-060 (KB942695) Vulnerability in Microsoft Word could allow Remote Code Execution
MS07-058 (KB933729) Vulnerability in RPC could allow Denial of Service
MS07-059 (KB942017) Vulnerability in SharePoint & Office SharePoint Svr. could allow Elevation of Privilege


Patch Tuesday, September 2007
MS07-051 (KB938827) Vulnerability in Microsoft Agent could allow Remote Code Execution
MS07-052 (KB941522) Vuln. in Crystal Reports for Visual Studio could allow Remote Code Execution
MS07-053 (KB939778) Vulnerability in Windows Services for UNIX could allow Remote Code Execution
MS07-054 (KB942099) Vulnerability in MSN and Windows Live Messengers could allow Remote Code Execution

Patch Tuesday, August 2007
MS07-042 (KB936227) Vulnerabilities in Microsoft Core Services could allow Remote Code Execution
MS07-043 (KB921503) Vuln. in OLE Automation could allow Remote Code Execution
MS07-044 (KB940965) Vulnerability in Microsoft Excel could allow Remote Code Execution
MS07-045 (KB937143) Cumulative Security Update for Internet Explorer - Remote Code Execution
MS07-046 (KB938829) Vulnerability in GDI could allow Remote Code Execution
MS07-047 (KB936782) Vulnerabilities in Windows Media Player could allow Remote Code Execution
MS07-048 (KB938123) Vulnerabilities in Windows Gadgets could allow Remote Code Execution

MS07-049 (KB937986) Vuln. in Virtual PC and Virtual Server could allow Elevation of Privilege
MS07-050 (KB938127) Vulnerabilities in Vector Markup Language could allow Remote Code Execution

VISTA - Admission from Microsoft - finally, 26th July 2007
As everyone knows, VISTA has not been the most successful software release, but it is a significant
step for Microsoft to publicly admit failure.  The Register discusses the issues and points to
the fact that only 650 applications were VISTA ready by the time of launch - an all-time low.

Patch Tuesday, July 2007
MS07-036 (KB936542) Vulnerabilities in Microsoft Excel could allow Remote Code Execution
MS07-037 (KB936548) Vuln. in Microsoft Office Publisher 2007 could allow Remote Code Execution
MS07-038 (KB935807) Vulnerability in VISTA Firewall could Allow Information Disclosure
MS07-039 (KB926122) Vulnerability in Active Directory could Allow Remote Code Execution
MS07-040 (KB931212) Vulnerabilities in .NET Framework could Allow Remote Code Execution

Nothing like OLD news, right?
Just revisiting Secunia's finding from 24th August 2005 about HIDDEN REGISTRY KEYS.
The bad news: This issue still seems not to have been fixed.
It is relatively serious, as overly long registry entries can be made invisible to the standard registry
editor regedit.  The article at SANS Internet Storm Center is still very interesting.  Today's stronger
(best-of-breed) anti malware solutions should be able to identify such entries, however.
 
Patch Tuesday, June 2007

MS07-030 (KB927051) Vulnerabilities in Microsoft Visio could allow Remote Code Execution
MS07-031 (KB935840) Vuln. in the Windows Schannel Sec. Pckg. could allow Remote Code Execution
MS07-032 (KB931213) Vulnerability in Windows Vista Could Allow Information Disclosure
MS07-033 (KB933566) Cumulative Update for Internet Explorer Several Critical Issues
MS07-034 (KB929123) Cumulative Sec. Upd for Outlook Express & Windows Mail Critical - 4 issues
MS07-035 (KB935839) Vulnerability in Win32 API could allow Arbitrary Code to Run

Patch Tuesday, May 2007

(No MS-no) (KB930916) Error message when you try to open files on a NTFS file system volume on
a Windows XP-based computer: "Stop 0x0000008E" (Serious reliability issue) (Was part of monthly upd. for WGA-customers)
MS07-023 (KB934453) A security vulnerability exists in MS Excel 2002 that could allow Remote Code Execution
MS07-024 (KB934394) Vulnerability in Microsoft Word 2002 that could allow Arbitrary Code to Run
MS07-025 (KB934705) Vulnerability in Microsoft Office XP that could allow Remote Code Execution
MS07-026 (KB931832) Vulnerabilities in Microsoft Exchange could allow Remote Code Execution
MS07-027 (KB931768) Cumulative Security Update for Internet Explorer Critical
MS07-028 (KB931906) Vulnerability in CAPICOM could allow Remote Code Execution
MS07-029 (KB935966) Vulnerability in Windows DNS RPC Interface could allow Remote Code Execution

Patch Tuesday, April 2007
MS07-022 (KB931784) Kernel vulnerability that could allow full control and Remote Code Execution
MS07-021 (KB930178) Vulnerabilities in CSRSS could allow Remote Code Execution
MS07-019 (KB931261) Vulnerability in Universal Plug & Play could allow Remote Code Execution
MS07-020 (KB932168) Vulnerability in Microsoft Agent could allow Remote Code Execution
A day later, the Malicious Software Removal tool was distributed - Microsoft apparently being too
busy getting it ready for the normal schedule. No publicity about this fact, however.

Urgent Out-of-Schedule Patch April 2007
MS07-017 (KB925902) Vulnerabilities in GDI could allow Remote Code Execution
This critical patch was issued by Microsoft 3rd April 2007, and is a patch-for-a-patch...
Yes, it's been seen many times before, strengthening the question marks against Microsoft's
product testing and verification methods. Worrying for private and corporate users alike.
The scandal, yes - it is a scandal, about this patch is very well written up in George Ou's blog at
TechRepublic: "Why Is Microsoft Hell-bent on Ruining It's Reputation?"
Furthermore, it's a global patch: It applies to VISTA as well as XP, the server 200X family and 2000SP4!
The patch concerns a stack-based buffer overflow in the animated cursor code in Microsoft Windows
2000 SP4 through Vista, which allows remote attackers to execute arbitrary code or cause a denial of
service (persistent reboot) via a malformed .ANI, .cur, or .ico file, which results in memory corruption
when processing cursors, animated cursors, and icons, a similar issue to CVE-2005-0416, as originally
demonstrated using Internet Explorer 6 and 7.
The patch has been issued out-of-schedule due to an alarming rise in actual uses of this exploit, so
the advice from MS, CA and F-Secure is to PATCH RIGHT NOW!

30 Days with Windows VISTA
April 2007 + May 2007
There's a very good and very in-depth article over at HardOCP about installing and using VISTA
for actual work, multimedia and gaming, both 32-bit and 64-bit.  It is a long 9-pager, but very
accurate and balanced in its observations - this is not a Microsoft-bashing exercise.   Highly
recommended for those who might consider  VISTA a replacement for their daily work OS. 
Hint: VISTA is not nearly there yet; our own observations with VISTA Business (32-bit, for
maximum compatibility with XP-based software) also indicate sudden re-boots, installation
problems, general non-functionality, and a frustrating user interface for other than novice
user tasks.

UPDATE: VISTA's Long Goodbye. Deleting files in VISTA can take HOURS for large multi-media
files... Apparently a result of either a basic construction flaw or of DRM measures
(often called DRM infection by now).  This article at The Register explains the details.
This is not just a user issue. Corporations need to make sure this issue is corrected before
any roll-out takes place.

Patch Tuesday, March 2007- a day that never came!!!
  March 2007
They've done it again!!  Microsoft once again slips up the patching schedule.
N F C (That is: No FURTHER Comments) . . .

Mpas-d.exe, who's that? 
February 2007
Answer: It is part of Defender - so not a module to worry about. However, you should always pay
attention to unexpected launches of seemingly known modules. It always pays to have a bit of healthy
skepticism, when "strange" things happen in your (XP) system...

VISTA Secure?
February 2007
A very good article in The Register details the user experience and the security implications.
The main culprit is the UAC, much discussed elsewhere, but also IE 7.0 gets a thorough going-over.
The between-the-lines conclusion is: wait for Vienna or maybe a very restructured security
architecture in VISTA-SP1, being a bit naive & hopeful, perhaps? 

Patch Tuesday, February 2007
Critical

MS07-008 - Vulnerability in HTML Help ActiveX Control could allow Remote Code Execution
MS07-009 - Vulnerability in Microsoft Data Access Components could allow Remote Code Execution
MS07-010 - Vulnerability in Microsoft Malware Protection Engine could allow Remote Code Execution
MS07-014 - Vulnerabilities in Microsoft Word could allow Remote Code Execution
MS07-015 - Vulnerabilities in Microsoft Office could allow Remote Code Execution
MS07-016 - Cumulative Security Update for Internet Explorer

Important
MS07-005 - Vulnerability in Step-by-Step Interactive Training could allow Remote Code Execution
MS07-006 - Vulnerability in Windows Shell could allow Elevation of Privilege
MS07-007 - Vulnerability in Windows Image Acquisition Service could allow Elevation of Privilege
MS07-011 - Vulnerability in Microsoft OLE Dialog could allow Remote Code Execution
MS07-012 - Vulnerability in Microsoft MFC could allow Remote Code Execution
MS07-013 - Vulnerability in Microsoft RichEdit could allow Remote Code Execution


-------------------------------------------------------------------------------------------------------------------
Patch Tuesday, January 2007
Critical
MS07-002 - Vulnerabilities in Microsoft Excel could allow Remote Code Execution
MS07-003 - Vulnerabilities in Microsoft Outlook could allow Remote Code Execution
MS07-004 - Vulnerability in Vector Markup Language could allow Remote Code Execution

Important
MS07-001 - Vulnerability in Microsoft Office 2003 Brazilian Portuguese Grammar Checker could allow Remote Code Execution

-------------------------------------------------------------------------------------------------------------------
Patch Tuesday, December 2006
Critical
MS06-072 - Cumulative Security Update for Internet Explorer
MS06-073 - Vulnerability in Visual Studio 2005 could allow Remote Code Execution
MS06-078 - Vulnerability in Windows Media Format could allow Remote Code Execution
MS06-059 - Re-Release: Vulnerabilities in Excel could allow Remote Code Execution

Important
MS06-074 - Vulnerability in SNMP could allow Remote Code Execution
MS06-075 - Vulnerability in Windows could allow Elevation of Privilege
MS06-076 - Cumulative Security Update for Outlook Express
MS06-077 - Vulnerability in Remote Installation Service could allow Remote Code Execution

-------------------------------------------------------------------------------------------------------------------
Patch Tuesday, November 2006
MS06-067 - Cumulative Security Update for Internet Explorer Remote Code Execution
This is the all-important update for 3 different vulnerabilities, each of them serious.
The most noted is KB927892 (below).
MS06-068 - Vulnerability in Microsoft Agent could allow Remote Code Execution
MS06-069 - Vulnerabilities in Macromedia Flash Player from Adobe could allow Remote Code Execution
MS06-070 - Vulnerability in Workstation Service could allow Remote Code Execution
MS06-071 - Vulnerability in Microsoft XML Core Services could allow Remote Code Execution

Open vulnerability in Microsoft's XML Core Services XMLHTTP ActiveX control


Link to Microsoft's Security Advisory (KB927892)
Vulnerability in Microsoft XML Core Services could allow Remote Code Execution.
Microsoft has now admitted that a critical vulnerability exists in the above ActiveX control.

The vulnerability is being used right now by several hackers, and both Secunia and US-CERT
report sightings in the wild.

This is not the first vulnerability in exactly this area. Back in February 2002 this was patched:

A properly patched Windows system may not be completely exposed, but the following advice
should prevent infection:
Do not open links in e-mails, and block the use of ActiveX until a patch has been published.

Patch Tuesday, October 2006
MS06-057 - Vulnerability in Windows Shell could allow Remote Code Execution
MS06-058 - Vulnerabilities in Microsoft PowerPoint could Lead to Remote Code Execution
MS06-059 - Vulnerabilities in Microsoft Excel could allow Remote Code Execution
MS06-060 - Vulnerability in Microsoft Word could allow Remote Code Execution
MS06-061 - Vulnerabilities in Microsoft XML Core Services could allow Remote Code Execution
MS06-062 - Vulnerabilities in Microsoft Office could lead to Remote Code Execution
MS06-063 - Vulnerability in Server Service could allow Denial of Service
MS06-056 - Vulnerability in ASP.NET could allow Information Disclosure
MS06-065 - Vulnerability in Windows Object Packager could allow Remote Execution
MS06-064 - Vulnerability in TCP-IP IPv6 could result in Denial of Service

--------------------------------------------------------------------------------------------------------------------
URGENT: Out-of-schedule Patch
MS06-055 (KB925486) A security issue has been identified in the way Vector Markup Language
(VML) is handled that could allow an attacker to compromise a computer running Microsoft
Windows and gain control over it. Remote Code Execution
Rated Critical and for immediate implementation.
--------------------------------------------------------------------------------------------------------------------

Patch Tuesday, September 2006
MS06-052 Vulnerability in Pragmatic General Multicast (PGM) could allow Remote Code Execution
MS06-053 Vulnerability in Indexing Service could allow Cross-Site Scripting (Not critical)
Audio playback does not play the audio file from the correct position after you pause
Error message when you try to update a Microsoft Windows-based computer: "0x80070002"
MS06-054 Vulnerability in Microsoft Publisher could allow Remote Code Execution

The only critical patch this month was MS06-054, and, just like the Excel and Word issues,
it requires the user to open a malformed file.  The other patches this month are both taken
care of by other prudent security measures. So, it was a very easy month this time also.

--------------------------------------------------------------------------------------------------------------------

URGENT: Out-of-schedule Patch for the MS06-042 Patch
A patch for the patch; it's happened a number of times before.
To quote Microsoft: "Security issues have been identified that could allow an attacker to
compromise a computer running Microsoft Internet Explorer and gain control over it."
In other words: Remote Code Execution
Direct download at: Cumulative Update for Internet Explorer 6 SP1 (KB918899)   

This is yet another example of why staying alert re. security issues can be very important;
as soon as a patch is released the "zero-day/hour" count starts (unless exploit code was
already publicly available).  So we shall see how soon examples appear in the wild.
The potential victims are of course all users who do not apply such important patches immediately.
This is a very important issue for businesses, which rely on the well-functioning (remote) systems of their customers.

--------------------------------------------------------------------------------------------------------------------

Patch Tuesday, August 2006
A large event involving what proved to be a blockbuster vulnerability (MS06-040),
which was used by malware writers to create "wgareg.exe" and "wgavm.exe".
Antivirus vendors have named this threat W32.Wargbot (Symantec), Worm.IRCBOT.JK/JL
(Trend Micro), IRC.Mocbot (McAfee), and IRCBOT-ST (F-Secure).
The use of the wga prefix supposedly served to mask the process from the semi-technically
minded user population.
 
The full list, the critical first:
MS06-040 - Vulnerability in Server Service could allow Remote Code Execution
MS06-041 - Vulnerability in DNS Resolution could allow Remote Code Execution
MS06-042 - Cumulative Security Update for Internet Explorer
MS06-043 - Vulnerability in Microsoft Windows could allow Remote Code Execution
MS06-044 - Vulnerability in Microsoft Management Console could allow Remote Code Execution
MS06-046 - Vulnerability in HTML Help could allow Remote Code Execution
MS06-047 - Vulnerability in Microsoft Visual Basic for Applications could allow Remote Code Execution
MS06-048 - Vulnerabilities in Microsoft Office could allow Remote Code Execution
MS06-051 - Vulnerability in Windows Kernel could result in Remote Code Execution

Rated as moderate:
MS06-045 - Vulnerability in Windows Explorer could allow Remote Code Execution
MS06-049 - Vulnerability in Windows Kernel could result in Elevation of Privilege
MS06-050 - Vulnerabilities in Microsoft Windows Hyperlink Object Library could allow Remote Code Execution

The negative news:
1. Everyone is once again reminded of the narrowing test & patch window.  Corporate procedures
   need updating to ensure that patches are installed as quickly as possible following publication from
   Microsoft.  Many companies have a 7-day window which has not been adequate for some time now.
   This could be the business case mandating a sweeping change.

2. There were 10 (T E N) vulnerabilities related to remote code execution (!)
   Microsoft sets a new record here - for a single month.

3. It is disturbing that at this late stage in the product's life such a number of serious security issues can
   be found.  Please also remember that the growth in malware focuses exactly on this type of vulnerability,
   not just the actual example re. MS06-040, but the majority of new malware of 2006 up till now!

The positive news:
AV companies are getting better prepared for the more focused efforts of virus writers.
Microsoft has a strong focus on eliminating vulnerabilities, and each new vulnerability discovered
in Windows XP hopefully ensures a better Windows VISTA.  A possible problem with this assumption is
that VISTA is written from the ground up. Thus there is no guarantee that experience with XP vulnerability
remedies can be directly transferred to the (now) finishing stages of work on the VISTA product.


--------------------------------------------------------------------------------------------------------------------
Patch Tuesday, July 2006
A relatively successful update with 2 very interesting critical updates:
MS06-038
Vulnerability in Microsoft Office could allow Remote Code Execution (915384)
http://www.microsoft.com/technet/security/bulletin/MS06-038.mspx
A very relevant anti-malware update - and relevant for all users of Microsoft Office,
ALSO for the APPLE users.

MS06-039
Vulnerability in Microsoft Office could allow Remote Code Execution (915384)
http://www.microsoft.com/technet/security/bulletin/MS06-039.mspx
As above and equally important.
The other updates were mostly related to servers - no less important.

--------------------------------------------------------------------------------------------------------------------
"Best of 2005":
Patch Tuesday, September 2005 - a day that never came!!! 

This short note was available on the updated Microsoft update site - after pulling the statement:
"Late in the testing process, Microsoft encountered a quality issue that necessitated the update
to go through additional testing and development before it is released" from the site, replacing
it with the above.  The problem for Windows users is that one of the critical patches was a
"wormable" vulnerability (discovered by eEye) JUST as serious as the MS05-039!  Windows users will
have to live in the vain hope no-one really finds out what this one was about until Microsoft is good
and ready to let everyone patch up properly. . . 

 

Send mail to admin@StealthSecure.net with questions or comments about this web site.
Copyright © 2005 - 2010 StealthSecure.net - Copyright of all documents and other content belonging to this site by StealthSecure.net. 
It is illegal to copy or redistribute this information in any way without the expressed written consent of StealthSecure.net.
Adverse consequences of the uses of, or reliance upon, information obtained from StealthSecure.net cannot be made
attributable to the owner(s) of StealthSecure.net.
Last modified: 01/02/10