December 2008 Monthly Bulletin Release
Posted Tuesday, December 09, 2008 10:44 AM by MSRCTEAM
Hi,
This is Christopher Budd. I wanted to let you know that we’ve just released our security bulletins for December. The new bulletins for this month are:
· MS08-070: Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349) which is rated “Critical”
· MS08-071: Vulnerabilities in GDI Could Allow Remote Code Execution (956802) which is rated “Critical”
· MS08-072: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (957173) which is rated “Critical”
· MS08-073: Cumulative Security Update for Internet Explorer (958215) which is rated “Critical”
· MS08-074: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070) which is rated “Critical”
· MS08-075: Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349) which is rated “Critical”
· MS08-076: Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807) which is rated “Important”
· MS08-077: Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175) which is rated “Important”
In addition, today we’ve published Microsoft Security Advisory 960906 regarding new reports of a vulnerability in the Wordpad Converter for Word 97 files affecting Windows 2000 SP4, Windows XP SP2 and Windows Server 2003 SP1 and SP2. We are aware of very limited and targeted attacks seeking to exploit this vulnerability. The advisory details workarounds that you can evaluate while we develop a security update for this issue.
As we do each month, our colleagues over at the Security Vulnerability Research and Defense blog have more information and details on today’s security updates including MS08-076 that addresses a vulnerability similar to what we addressed with MS08-068. In my posting last month about MS08-068 I noted how we’ve been doing a lot of work to address the difficult issues around the SMBRelay attack. This new bulletin is borne out of that same ongoing effort andthat work is still going on: there are other related issues we’re still working on. You can expect to see more updates in the future out of this ongoing project.
This month the Windows Malicious Software Removal Tool is adding detection for two new families: Win32/FakeXPA and Win32/Yektel. Our colleagues over at the Microsoft Malware Protection Center (MMPC) have posted information on these new families on their blog.
Google Flu Trends spreads privacy concern Google's new Flu Trends tool, which collects and analyzes search queries to predict flu outbreaks around the country, is raising concern with privacy groups. Read more...
Microsoft issues mammoth security update, biggest in five years
Another Microsoft Bug Revealed on Huge Patch Day
Along with its biggest patch release in five years, Microsoft warned on Tuesday of another potentially dangerous vulnerability...
Spam levels climb as criminals replace crippled botnets
Analysis: Obama can't have a BlackBerry. Should your CEO?
Study: Police not prepared for international cybercrime
VeriSign, NeuStar and others team on DNS security
Momentum continues to build for rapid deployment of DNS encryption mechanisms.
Seven leading domain name vendors -- representing more than 112 million domain names or 65% of all registered domain names -- have formed an industry coalition to work together to adopt DNS Security Extensions, known as DNSSEC.
Members of the DNSSEC Industry Coalition include: VeriSign, which operates the .com and .net registries; NeuStar, which operates the .biz and .us registries; .info operator Afilias Limited; .edu operator EDUCAUSE; and The Public Interest Registry, which operates the .org registry.
New Web attack exploits unpatched IE flaw
0-day exploit for Internet Explorer in the wild
Published: 2008-12-10,Last Updated: 2008-12-10 09:38:03 UTC
As reported by some other researchers, there is a 0-day exploit for Internet Explorer circulating in the wild. At this point in time it does not appear to be wildly used, but as the code is publicly available we can expect that this will happen very soon.
This is a brand new exploit that is *not* patched with MS08-073 that was released yesterday. I can confirm that the exploit works in a fully patched Windows XP machine.
Cybercrime '09: Too late to save Facebook?
Security expert warns of continuing threats from the Web
Google tests ActiveX alternative dubbed Native Client
Dec 9, 2:45 pm
Turning a Blind Eye to Cybercrime
Governments are blind to cybercrime, says McAfee.
Current Wireless Devices Lack Real Security
A recent congressionally sponsored report shoots down the notion that anything wireless is secure.
How to Handle Security Patches With Sanity
Guest columnist and network administrator Ed Ziots offers his recipe for a sane and solid patch management program.
Read more
Disguised USB Drive
This is a 2 Gig USB drive disguised as a piece of frayed cable. You'll still want to encrypt it, of course, but it is likely to be missed if your bags are searched at customs, the police raid your house, or your lose it.
Google Notebook SpamDecember 10, 2008
Google Notebook is being used by spammers to host spam content.
Two new zero-day exploits dent Microsoft's Patch Tuesday
Several Windows components, the Windows Vista search feature, Word, Excel, Internet Explorer and Visual Basic are updated, but the updates are overshadowed by two zero-day exploits for IE7 and SQL Server 2000 more…
Security vulnerability found in MS SQL Server 2000
An attacker could exploit a memory leak to remotely execute code in the server and no update is available. The security consultant who discovered the vulnerability recommends removing the stored procedure from SQL Server more…
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment