Cumulative IE Patch Corrects Six Critical Vulns

October 24, 2008

Severity: High

14 October, 2008


Summary:

§  This vulnerability affects: Internet Explorer 7 and earlier versions

§  How an attacker exploits it: By enticing one of your users to visit a malicious Web page or link

§  Impact: In the worst case, the attacker can execute code on your user’s computer, gaining complete control of it

§  What to do: Deploy the appropriate Internet Explorer patches immediately

Exposure:

In a security bulletin released today as part of its monthly patch update, Microsoft describes six vulnerabilities in Internet Explorer (IE) versions 5.01, 6.0, and 7.0. The two worst vulnerabilities involve memory corruption issues. While they differ technically, they have the same scope and impact. By luring one of your users into visiting a maliciously crafted Web page, an attacker can exploit either memory corruption vulnerability to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges; in that case, the attacker could gain complete control of the victim’s computer.

Microsoft describes the remaining four vulnerabilities as “cross-domain information disclosure” vulnerabilities. Most web browsers impose a security measure called the same origin policy to help prevent one web site from accessing the contents of another web site. This security measure should protect you from an entire range of cross-site or cross-domain attacks, such as cross-site scripting (XSS) attacks. Unfortunately, IE suffers from four cross-domain information disclosure flaws that would allow attackers to bypass the same origin policy. Though the four flaws differ technically, an attacker would leverage them all in the same way: by enticing one of your users into following a specially crafted link, an attacker could exploit these vulnerabilities to execute scripts under the context of a legitimate site. The attacker could leverage this capability to read data from the legitimate site. For instance, if your users visit secure web sites which store sensitive data, an attacker might leverage this flaw to steal that sensitive data.
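As an added illustration (not code from the bulletin or from WatchGuard), this is the same-origin check a browser applies before letting script in one document read another; the four flaws above let an attacker's script pass it by running inside the legitimate site's origin. The site names are constructed.

```javascript
// Added example: the same-origin policy the cross-domain flaws bypass.
// Two documents share an origin only when scheme, host and port all match;
// any difference blocks DOM and script access between them.

// Default ports the URL parser strips; restored so that
// https://bank.example and https://bank.example:443 compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Reduce a URL to its origin tuple. Path, query and fragment play no part.
function originOf(urlString) {
  const u = new URL(urlString); // lowercases scheme and host for us
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Return the first origin component that differs, or null when they match.
function originMismatch(a, b) {
  const x = originOf(a), y = originOf(b);
  for (const part of ["scheme", "host", "port"]) {
    if (x[part] !== y[part]) return part;
  }
  return null;
}

function sameOrigin(a, b) {
  return originMismatch(a, b) === null;
}

// Decide whether script running in scriptUrl may read the contents of
// targetUrl. Once an attacker's script runs in the legitimate site's origin,
// as the bulletin describes, every call here returns "allowed".
function mayReadDocument(scriptUrl, targetUrl) {
  const diff = originMismatch(scriptUrl, targetUrl);
  return diff === null
    ? { allowed: true, reason: "same origin" }
    : { allowed: false, reason: `${diff} differs` };
}

// Constructed cases: script from each of these tries to read bank.example.
const BANK = "https://bank.example/account";
const CASES = [
  ["https://bank.example:443/transfer", "same site, explicit default port"],
  ["http://bank.example/account", "same host over plain HTTP"],
  ["https://www.bank.example/", "subdomain of the site"],
  ["https://bank.example:8443/", "same host, non-default port"],
  ["https://attacker.example/steal", "an unrelated site"],
];
for (const [scriptUrl, label] of CASES) {
  const r = mayReadDocument(scriptUrl, BANK);
  console.log(`${label.padEnd(34)} ${r.allowed ? "ALLOW" : "BLOCK"} (${r.reason})`);
}
```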

In addition to fixing these six newly announced flaws, today’s Internet Explorer patch also fixes all previously known flaws.

Solution Path:

These patches fix serious issues. You should download, test, and deploy the appropriate IE patches as soon as possible.

§  Internet Explorer 5.01

§  Internet Explorer 6.0

§  Microsoft no longer supports Windows 98, ME, or XP SP1.

§  For Windows 2000

§  For Windows XP

§  For Windows XP x64

§  For Windows Server 2003

§  For Windows Server 2003 x64

§  For Windows Server 2003 Itanium

 

§  Internet Explorer 7.0

§  For Windows XP

§  For Windows XP x64

§  For Windows Server 2003

§  For Windows Server 2003 x64

§  For Windows Server 2003 Itanium

§  For Windows Vista

§  For Windows Vista x64

§  For Windows Server 2008

§  For Windows Server 2008 x64

§  For Windows Server 2008 Itanium

For All WatchGuard Users:

These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

§  MS Security Bulletin MS08-058


WatchGuard LiveSecurity Service: Seven Windows Vulns, Including Critical AD Flaw

October 20, 2008

Severity: High

14 October, 2008


Summary:

§  These vulnerabilities affect: All current versions of Windows

§  How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network traffic

§  Impact: Various results; in the worst case, attacker can gain complete control of your Windows computer

§  What to do: Install the appropriate Microsoft patches immediately

Exposure:

Today, Microsoft released seven security bulletins describing vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to a different extent. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PCs. The summary below lists the vulnerabilities, in order from highest to lowest severity.

MS08-060: Windows 2000 Active Directory (AD) Buffer Overflow Vulnerability

Active Directory (AD) is the authentication component Windows uses to verify the credentials of users logging into your systems. The AD component that ships with Windows 2000 suffers from a buffer overflow vulnerability. By sending a specially crafted LDAP or LDAP over SSL (LDAPS) request, an attacker could exploit this vulnerability to gain complete control of your Windows domain controller. Once an attacker gained control of such a high-value server, he’d have a significant hold over your network. However, most administrators do not allow LDAP (port 389) or LDAPS (port 636) requests through their firewall. In most cases, an attacker would have to launch this attack from inside your network in order for it to succeed.
Microsoft rating: Critical.

MS08-063: SMB Buffer Overflow Vulnerability

Server Message Block (SMB) is a protocol Windows uses for network file sharing. According to Microsoft, SMB suffers from a buffer overflow vulnerability involving its inability to handle specially crafted file names. By sending specially crafted SMB packets, an attacker could exploit this vulnerability to gain complete control of your Windows computers. However, only authenticated users with valid Windows credentials could exploit this vulnerability. That makes this flaw, too, primarily an insider threat.
Microsoft rating: Important.

MS08-065: Message Queuing Remote Code Execution Vulnerability

Microsoft Message Queuing (MSMQ) is a technology that allows applications running at different times to communicate with one another over the network in an asynchronous fashion. Unfortunately, the MSMQ service suffers from a security vulnerability having to do with the way it parses Remote Procedure Call (RPC) requests. By sending a specially crafted RPC request, an attacker could exploit this vulnerability to gain complete control of your Windows computer. However, Windows doesn’t enable MSMQ by default, which significantly lowers the severity of this flaw. Furthermore, this flaw only affects Windows 2000 computers.
Microsoft rating: Important.

MS08-062: Internet Printing Server Remote Code Execution Vulnerability

Internet Printing Protocol (IPP) is an ISAPI extension that is enabled by default on many Windows servers running Internet Information Services (IIS). This protocol suffers from an unspecified integer overflow vulnerability. By sending a specially crafted HTTP POST request, an attacker could trick a vulnerable IIS web server into connecting to a malicious computer masquerading as an IPP-compatible printer. The malicious computer could then send specially crafted IPP responses to the vulnerable IIS server, which would exploit the IPP integer overflow vulnerability. The attacker could leverage this integer overflow vulnerability to execute code on the IIS web server with the privileges of the logged-in user. If he or she has administrative privileges, the attacker would gain complete control of your IIS server. That said, only authenticated users with valid Windows credentials can exploit this vulnerability, making it primarily an insider threat. Furthermore, the latest Windows servers no longer enable IPP by default, and so are not inherently vulnerable to this flaw.
Microsoft rating: Important.
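The tell-tale of the chain above is the IIS server itself opening a connection to an outside host. As an added example (not from the bulletin or from WatchGuard), this check runs over constructed firewall log lines and flags that behaviour; the log format, the addresses, the internal ranges and the list of web servers are all assumptions, and port 631 is IPP's registered port, which the bulletin does not name.

```javascript
// Added example: detect a web server initiating outbound connections, the step
// in the IPP chain where the IIS server reaches out to a rogue "printer".
// Log format, addresses and server list below are constructed for this example.

const WEB_SERVERS = new Set(["10.0.5.10", "10.0.5.11"]); // assumed IIS hosts
const INTERNAL_NETS = ["10.0.0.0/8", "192.168.0.0/16"]; // assumed internal ranges
const IPP_PORT = 631; // registered IPP port; the bulletin itself names no port

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0) >>> 0;
}

// IPv4 CIDR membership test.
function inCidr(ip, cidr) {
  const [net, bits] = cidr.split("/");
  const mask = bits === "0" ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

const isInternal = (ip) => INTERNAL_NETS.some((net) => inCidr(ip, net));

// Parse one constructed log line: "<time> <action> <src>:<sport> -> <dst>:<dport> <proto>"
const LINE_RE = /^(\S+) (allow|deny) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return { time: m[1], action: m[2], src: m[3], sport: Number(m[4]),
           dst: m[5], dport: Number(m[6]), proto: m[7] };
}

// Flag every connection a web server opens to a host outside the internal
// ranges. Inbound client traffic to the web server is normal and never flagged.
function findSuspiciousEgress(lines) {
  const alerts = [];
  for (const line of lines) {
    const c = parseLine(line);
    if (!c || !WEB_SERVERS.has(c.src) || isInternal(c.dst)) continue;
    let reason = `web server ${c.src} opened an outbound connection to ${c.dst}:${c.dport}`;
    if (c.dport === IPP_PORT) reason += " (IPP port: matches the rogue-printer pattern)";
    if (c.action === "deny") reason += " [blocked by the firewall; the attempt is still the indicator]";
    alerts.push({ time: c.time, src: c.src, dst: c.dst, dport: c.dport, reason });
  }
  return alerts;
}

// Constructed sample: two normal lines, then two the check should flag.
const SAMPLE_LOG = [
  "2008-10-14T14:02:11Z allow 10.0.5.10:49152 -> 10.0.0.25:445 tcp",
  "2008-10-14T14:02:13Z allow 203.0.113.7:51234 -> 10.0.5.10:80 tcp",
  "2008-10-14T14:02:20Z allow 10.0.5.10:49153 -> 198.51.100.9:631 tcp",
  "2008-10-14T14:02:25Z deny 10.0.5.11:49200 -> 192.0.2.44:80 tcp",
];

for (const a of findSuspiciousEgress(SAMPLE_LOG)) console.log(`${a.time} ${a.reason}`);
```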

MS08-061: Three Kernel Elevation of Privilege Vulnerabilities

The kernel is the central component of any operating system (OS). According to Microsoft, the Windows kernel suffers from three elevation of privilege vulnerabilities. The three flaws differ technically, but have the same scope and impact. If an attacker can log into one of your Windows machines, and can run a specially crafted program, he could exploit any of these three flaws to gain complete control of that machine. Of course, in order to log into your machines, the attacker needs valid Windows credentials. This fact significantly lowers the severity of this vulnerability, making it primarily an insider threat.
Microsoft rating: Important.

MS08-066: Ancillary Function Driver Elevation of Privilege Vulnerability

The Ancillary Function Driver (AFD.sys) is one of the components Windows installs to support the Windows Socket API (winsock). Unfortunately, AFD suffers from an elevation of privilege vulnerability very similar in scope to the three described above. If an attacker can log into one of your Windows machines, and can run a specially crafted program, he could exploit this flaw to gain complete control of that machine. As before, the attacker needs valid Windows credentials in order to exploit this vulnerability, making it primarily an insider threat.
Microsoft rating: Important.

MS08-064: Virtual Address Descriptor Elevation of Privilege Vulnerability

According to Microsoft, a Virtual Address Descriptor (VAD) is a form of virtual memory that allows each application to have its own private address space. The memory manager component that handles VAD suffers from an integer overflow flaw. Like the two flaws described above, if an attacker can log into one of your Windows machines, and can run a specially crafted program, he could exploit this integer overflow vulnerability to elevate privileges, gaining complete control of that machine. Again, the attacker needs valid Windows credentials in order to exploit this vulnerability, making it primarily an insider threat.
Microsoft rating: Important.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.

MS08-060:

§  For Windows 2000 Servers

Note: This vulnerability only affects Windows 2000 Servers.

MS08-063:

§  For Windows 2000

§  For Windows XP

§  For Windows XP x64

§  For Windows Server 2003

§  For Windows Server 2003 x64

§  For Windows Server 2003 Itanium

§  For Windows Vista

§  For Windows Vista x64

§  For Windows Server 2008

§  For Windows Server 2008 x64

§  For Windows Server 2008 Itanium

MS08-065:

§  For Windows 2000 Servers

Note: This vulnerability only affects Windows 2000 Servers.

MS08-062:

§  For Windows 2000

§  For Windows XP

§  For Windows XP x64

§  For Windows Server 2003

§  For Windows Server 2003 x64

§  For Windows Server 2003 Itanium

§  For Windows Vista

§  For Windows Vista x64

§  For Windows Server 2008

§  For Windows Server 2008 x64

§  For Windows Server 2008 Itanium

MS08-061:

§  For Windows 2000

§  For Windows XP

§  For Windows XP x64

§  For Windows Server 2003

§  For Windows Server 2003 x64

§  For Windows Server 2003 Itanium

§  For Windows Vista

§  For Windows Vista x64

§  For Windows Server 2008

§  For Windows Server 2008 x64

§  For Windows Server 2008 Itanium

MS08-066:

§  For Windows XP

§  For Windows XP x64

§  For Windows Server 2003

§  For Windows Server 2003 x64

§  For Windows Server 2003 Itanium

Note: Doesn’t affect Windows 2000, Vista, or Server 2008.

MS08-064:

§  For Windows XP

§  For Windows XP x64

§  For Windows Server 2003

§  For Windows Server 2003 x64

§  For Windows Server 2003 Itanium

§  For Windows Vista

§  For Windows Vista x64

§  For Windows Server 2008

§  For Windows Server 2008 x64

§  For Windows Server 2008 Itanium

Note: Doesn’t affect Windows 2000.

For All WatchGuard Users:

WatchGuard Fireboxes, by default, reduce the risks presented by many of these vulnerabilities. For instance, by default your Firebox blocks the ports necessary to launch the Active Directory, SMB, and Message Queuing attacks described above. However, attackers could exploit many of these attacks locally, without passing traffic through your firewall. For that reason, we urge you to apply the patches above.

Status:

Microsoft has released patches correcting these issues.

References:

§  Microsoft Security Bulletin MS08-060

§  Microsoft Security Bulletin MS08-061

§  Microsoft Security Bulletin MS08-062

§  Microsoft Security Bulletin MS08-063

§  Microsoft Security Bulletin MS08-064

§  Microsoft Security Bulletin MS08-065

§  Microsoft Security Bulletin MS08-066


Bardissi Enterprises, LLC Presents: Windows Essential Business Server 2008 Webinar: A Cost-Effective Solution Built for Midsize Business

October 11, 2008
 

Join us for a Webinar on October 24

11:00 AM – 12:00 PM

Attend this exciting preview event exclusively for key IT and business decision makers like you. Be one of the first to see how this integrated platform, designed and priced specifically for midsize businesses, can propel your company forward by reducing IT complexity and improving business efficiency.

See first-hand how Windows Essential Business Server 2008 can help to:

• Simplify your daily activities with a Centralized Administration Console that gives you a single point of access to your IT environment

• Proactively manage your environment, reduce your IT complexity, and help give you back control of your systems

• Increase the predictability and reliability of your systems and reduce typical errors that can occur when standalone products are deployed

• Increase productivity by working both in and away from the office with remote access, anti-spam, and anti-virus protection, and improved messaging technologies

Register Today!

 

 

System Requirements
PC-based attendees
Required: Windows® 2000, XP Home, XP Pro, 2003 Server, Vista

 

Macintosh®-based attendees
Required: Mac OS® X 10.4 (Tiger®) or newer

 

Reserve your Webinar seat now at:
https://www1.gotomeeting.com/register/127027614


Bardissi Enterprises, LLC Presents: Windows Small Business Server 2008 Webinar: A Cost-Effective Solution Built for Small Businesses

October 11, 2008

Join us for a Webinar on October 17

11:00AM – 12:00PM EST

Attend this exciting preview event exclusively for key business decision makers like you. Be one of the first to see how this affordable and integrated server solution helps you protect your business data, and increase your employees’ productivity.

See first-hand how Windows Small Business Server 2008 can help to:

• Protect your vital business information from loss by automatically backing up the computers and servers in your network, and enabling you to recover accidentally deleted files

• Work with existing technology, built on Microsoft best practices, and delivers a comprehensive network solution at an affordable price

• Give you highly secure access to business contacts, calendars, e-mail, files, and other important desktop resources from any Internet-connected computer, virtually anywhere at any time, so you can be productive while you’re away from the office or on the road

Register Today!

 

 

System Requirements
PC-based attendees
Required: Windows® 2000, XP Home, XP Pro, 2003 Server, Vista

 

Macintosh®-based attendees
Required: Mac OS® X 10.4 (Tiger®) or newer

 

Reserve your Webinar seat now at:
https://www1.gotomeeting.com/register/308762080


WatchGuard Live Security Service: OS X SECURITY UPDATE FIXES 40 FLAWS

October 10, 2008

Apple’s October Update Plugs Holes in XML, PHP, PDF

OS X Security Update Fixes 40 Flaws

Severity: High

9 October, 2008


Summary:

§  These vulnerabilities affect: OS X 10.4.x (Tiger) and OS X 10.5.x (Leopard), both client and server versions

§  How an attacker exploits them: Multiple vectors of attack, including enticing one of your users into visiting a malicious web site, downloading a malicious document, or subscribing to a malicious RSS feed

§  Impact: Various results; in the worst case, attacker executes code on your user’s computer, potentially gaining full control of it

§  What to do: OS X administrators should download, test and install Security Update 2008-007

Exposure:

Late today, Apple released a security update to fix vulnerabilities in OS X. The update fixes 40 security issues (number based on CVE-IDs) in many software packages that ship as part of OS X, including the Finder, ColorSync, and the PostScript interpreter. Some of these vulnerabilities allow attackers to execute code on your OS X machines, so we rate this update Critical. Apply it as soon as you can. Three of the fixed vulnerabilities of special interest to businesses include:

§  Three PHP vulnerabilities. PHP is a scripting language optimized to work well with HTML. It is used on millions of web sites to generate a page dynamically, accepting input from users or from a database. PHP suffers from a buffer overflow vulnerability, and a few other flaws. By luring one of your users to a malicious web site, an attacker could exploit one of these flaws to execute code on that user’s computer.

§  Buffer overflow vulnerabilities in rendering color graphics. ColorSync is the component of OS X that helps handle graphic images having an embedded ICC profile. If you shoot a picture with a digital camera and later need to use the picture in a printed brochure, the ICC profile contains the data ColorSync uses to convert the RGB colors from the camera into the CMYK colors a printer understands. ColorSync contains a buffer overflow flaw in the way it handles images that have an embedded ICC profile. There is a wide variety of such images, including PICT, PDF, and PostScript files. If an attacker can get a victim to open a maliciously crafted color image, he could exploit this flaw to execute attack code on the victim’s computer. Apple’s advisory also addresses another buffer overflow in how OS X renders PostScript files.

§  Heap buffer overflow in rendering XML documents. XML is a relatively human-legible programming language widely used on the Internet, showing up in uses ranging from vector-based graphics to RSS news feeds. A flaw in the way OS X renders XML documents could allow an attacker to craft a malicious HTML page. If the attacker can get one of your users to visit the page, he could exploit the flaw to execute his code on your user’s computer, possibly taking control of it.

Apple’s alert covers many more flaws, including other code execution flaws in addition to those described above. The remaining vulnerabilities include Denial of Service (DoS) flaws, elevation of privilege flaws, crash vulnerabilities, plus others. Some of the flaws only affect OS X Server. Components patched by this security update include:

§  Apache

§  ClamAV

§  CUPS

§  Finder

§  launchd

§  MySQL Server

§  Postfix

§  QuickLook

§  rlogin

§  Script Editor

§  Tomcat

§  Weblog

Please refer to Apple’s OS X alert for more details.

Solution Path:

Apple has released OS X Security Update 2008-007 to fix these security issues. OS X administrators should download, test, and deploy the update as soon as they can.

§  Security Update 2008-007 (PPC)

§  Security Update 2008-007 (Intel)

§  Security Update 2008-007 (Leopard)

§  Security Update 2008-007 Server (PPC)

§  Security Update 2008-007 Server (Leopard)

§  Security Update 2008-007 Server (Universal)

Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend that you let OS X’s Software Update utility pick the correct updates for you automatically.

For All Users:

These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.

Status:

Apple has released updates to fix these issues.

References:

§  Apple’s October OS X Advisory


PlateSpin Forge 2.0 is now shipping

October 9, 2008

The latest version of PlateSpin’s disaster recovery hardware appliance includes SAN integration, support for 64-bit Windows workloads and multiple recovery points for greater flexibility and workload integrity. This on-demand webinar discusses how PlateSpin Forge 2.0 provides a quicker, smarter and more economical way to deploy, test and manage a disaster recovery environment. Hear how the PlateSpin Forge appliance, available in either a 10 or 25 workload protection model, provides affordable, out-of-the-box protection for both physical and virtual server workloads in the data center.


§  View the Webinar Replay: Introducing PlateSpin Forge 2.0

§  Learn more about PlateSpin Forge


Motion Computing in the News

October 9, 2008

Queensland Minister for Health Announces Success of e-Health Clinician Usability Study at Robina Hospital

The Honourable Stephen Robertson notes that study results of the Motion C5 Mobile Clinical Assistant show improvements in areas such as delivery and quality of care and staff productivity

SYDNEY — September 30, 2008 – Motion Computing, a leader in mobile computing and wireless communications, announced today that the Queensland Minister for Health, Stephen Robertson, enthusiastically welcomed the early study results of the C5 Mobile Clinical Assistant (MCA) at Robina Hospital. In addition to improvements in delivery and quality of care and staff productivity, Robertson estimated a 30 to 60 minute time savings per clinician per day because doctors don’t have to walk away from patients to record or access data.
To read the entire press release, click here.

Dell Teaming With Intel, Motion Computing To Help Provide Anytime, Anywhere Wireless For Health Care IT
Seamless, reliable access to patient information is critical to safe, quality care in an increasingly complex and mobile health care environment. Dell, Intel and Motion Computing have launched a new service to assess, design and validate the quality and coverage of wireless networks soon to become the backbone of health care information flow.
To read the entire press release, click here.

Park Place Automotive Improves the Client Experience with Motion Tablet PCs and MOC1 Mobile Service Solutions

Service advisors swap pen and paper for highly portable tablet PCs with real-time access to client history on the service drive

AUSTIN, Texas – October 7, 2008 – Motion Computing, a leader in mobile computing and wireless communications, announced that Park Place Automotive, the operator of nine luxury automotive dealerships in Texas and California, selected MOC1 Wireless Service Advisor™ (WSA™) on Motion LE1700 tablet PCs to improve the quality of customer service and efficiency of service representatives.

After reviewing several mobile service solutions, Park Place selected MOC1 and purchased 80 Motion LE1700 tablet PCs preconfigured with the MOC1 WSA solution, which have been deployed at the Mercedes Benz dealerships and are currently rolling out across three Lexus dealerships.

To read the entire press release, click here.


Double-Take® Software Expands Infrastructure Software Solutions with Network Boot Technology and Software-Based iSCSI SAN

October 9, 2008

SOUTHBOROUGH, MA. – October 7, 2008 – Double-Take® Software (NASDAQ: DBTK), today announced the release of its netBoot/i™ and sanFly™. Together, they can provide a centralized means of booting and managing servers and desktops from iSCSI storage area networks (SANs). These products give IT administrators the flexibility to streamline workload management across both physical and virtual environments, and the cost efficiency of ‘greener IT’ through reduced power consumption and energy costs. Double-Take® for Windows, the company’s flagship product, is known for its non-disruptive, affordable, hardware-agnostic solutions. The addition of these new product offerings combined with existing capabilities such as continuous full server wide area replication build upon Double-Take Software’s objective to be the leader in Dynamic Infrastructure; that is, to move workloads, for whatever purpose, whenever needed, affordably and non-disruptively.

 

“For years, many organizations have come to rely on Double-Take Software for replication, failover and recovery,” said Lauren Whitehouse, analyst with Enterprise Strategy Group. “The addition of netBoot/i and sanFly not only positions Double-Take Software’s entrance into a new market, but enhances its current offerings by providing additional flexibility to companies looking to create a more dynamic IT infrastructure.”

 

To read the entire release, please click here.


WatchGuard Releases Version 10.2.3 for WSM, Edge, Fireware, and Fireware Pro

October 9, 2008

WatchGuard is pleased to announce the availability of version 10.2.3 of WatchGuard System Manager, for Edge, Fireware, and Fireware Pro. This update is a maintenance release and contains a number of enhancements and fixes for critical issues as reported by WatchGuard customers.

Contained in this release are improvements to:

§  Vista SP1 support for Mobile VPN with SSL

§  Log Viewer search and filter functions

§  Improved security in Mobile VPN with SSL

§  Improved handling of emails sent to the quarantine server

§  Tunnel stability with multiple IPSec clients behind a single NAT device

For full details on these and other resolved issues, as well as a list of known issues with this release, please consult the Release Notes posted on the Software Downloads page for your Firebox.

Does This Release Pertain to Me?

10.2.3 is a regularly scheduled maintenance release. If you are impacted by any of the issues listed above or those contained in the Release Notes, you should consider upgrading to version 10.2.3. Please read the Release Notes before you upgrade to understand what’s involved.

How Do I Get the Release?

Firebox X, Edge, Peak and Core owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Software Downloads web page, which also includes clear installation instructions. As always, if you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)