Categories
Uncategorized

Security Advisory 979352 Posted: Vulnerability in Internet Explorer Could Allow Remote Code Execution

As noted in Mike Reavey’s posts on The Microsoft blog and The Microsoft Security Response Center (MSRC) blog today, we have just released Security Advisory 979352. Here’s the detail from Mike Reavey’s post:

Based upon our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks. Today, Microsoft issued guidance to help customers mitigate a Remote Code Execution (RCE) vulnerability in Internet Explorer. Additionally, we are cooperating with Google and other companies, as well as authorities and other industry partners.

Microsoft remains committed to taking the appropriate action to help protect our customers. We released Security Advisory 979352 to provide customers with actionable guidance and tools to help with protections against exploit of this vulnerability. Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time. Our teams are currently working to develop an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out of band.

It is important to note that complex attacks targeting specific corporate networks are becoming more prevalent in the threat landscape, therefore organizations should follow defense-in-depth best practices, and deploy multiple layers of protection to improve their security posture. In addition, Protected Mode in IE 7 on Windows Vista and later significantly reduces the ability of an attacker to impact data on a user’s machine. Customers should also enable Data Execution Prevention (DEP) which helps mitigate online attacks. DEP is enabled by default in IE 8 but must be manually enabled in prior versions.

Customers can also set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones or configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. You can find details on implementing these settings in the advisory.

Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-727-2338 (PCSAFETY). Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov. Customers should follow the guidance in the advisory and our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software (learn more by visiting the Protect Your PC web site). International customers can find their Regional Customer Service Representative http://support.microsoft.com/common/international.aspx.

We are also working with our Microsoft Active Protections Program (MAPP), the Microsoft Security Response Alliance (MSRA), authorities and other industry partners to help provide broader protections for customers. Together with our partners, we will continue to monitor the threat landscape and will take action against any web sites that seek to exploit this vulnerability.

The Security Advisory will be updated with any new developments so if you are not already subscribed to our comprehensive alerts, please do so in order to be alerted by email when new information is added.

-Mike Reavey

This from our Security Advisories page on TechNet…

Microsoft Security Advisory (979352) – Vulnerability in Internet Explorer Could Allow Remote Code Execution, Published: January 14, 2010

Executive Summary

Microsoft is investigating a report of a publicly exploited vulnerability in Internet Explorer. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.

Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.

The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) programs to provide information that they can use to provide broader protections to customers. In addition, we’re actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability.

Microsoft continues to encourage customers to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at Security at home.

Mitigating Factors:

  • Protected Mode in Internet Explorer on Windows Vista and later Windows operating systems limits the impact of the vulnerability.
  • In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
  • By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
  • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.
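As an added example (not part of the advisory or of Mike Reavey's post), here is a read-only PowerShell audit of the settings the workarounds and mitigating factors above refer to: the Internet and Local intranet zone level, the Active Scripting and ActiveX actions, DEP, and Protected Mode. The registry locations and value meanings (zone actions 1200/1400, CurrentLevel 0x12000 for High, 2500 for Protected Mode, DEPOff for the IE 8 memory-protection switch) are the standard Internet Explorer settings locations and are my assumptions, not values quoted on the page.

```powershell
# Added example, not from the advisory: audit the IE settings the advisory's
# workarounds and mitigating factors refer to, for the current user, and report
# whether each matches the recommended state. Read-only; it changes nothing.
# Assumptions (standard IE registry locations, not quoted on the page):
#   Zones\<n>\1200 = Run ActiveX controls, Zones\<n>\1400 = Active scripting,
#   action values 0 = enable, 1 = prompt, 3 = disable; CurrentLevel 0x12000 = High;
#   Zones\3\2500 = Protected Mode (0 = on, 3 = off); IE\Main\DEPOff = 1 turns IE DEP off.

$zoneRoot    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$actionNames = @{ 1200 = 'Run ActiveX controls and plug-ins'; 1400 = 'Active scripting' }
$stateNames  = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$depPolicy   = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null instead of an error when the value is absent (IE then uses its default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function New-Finding([string]$Check, $Value, [bool]$Ok) {
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; Ok = $Ok }
}

$findings = @()

# Installed version: the advisory says IE 6, 7 and 8 are all affected and that
# only IE 6 has been seen under attack, so IE 6 is the one to move off first.
$ieVersion = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' 'Version'
$findings += New-Finding 'Internet Explorer version' $ieVersion (-not ($ieVersion -like '6.*'))

# Zone level and the two scripting actions for the Internet and Local intranet zones.
foreach ($z in 3, 1) {
    $path  = "$zoneRoot\$z"
    $level = Get-RegValue $path 'CurrentLevel'
    $findings += New-Finding "$($zoneNames[$z]) zone security level" ('0x{0:X}' -f $level) ($level -eq 0x12000)
    foreach ($a in 1200, 1400) {
        $v = Get-RegValue $path "$a"
        # Prompt or Disable both satisfy the advisory's workaround; Enable does not.
        $findings += New-Finding "$($zoneNames[$z]): $($actionNames[$a])" $stateNames[[int]$v] ($v -eq 1 -or $v -eq 3)
    }
}

# DEP: the OS-wide policy (what protects IE 6 and 7, which do not opt in themselves)
# and the IE 8 per-user switch "Enable memory protection" (DEPOff = 1 means off).
$policy = [int](Get-WmiObject Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
$findings += New-Finding 'OS DEP policy' $depPolicy[$policy] ($policy -eq 1 -or $policy -eq 3)
$depOff = Get-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main' 'DEPOff'
$findings += New-Finding 'IE 8 memory protection (DEP)' $(if ($depOff -eq 1) { 'Off' } else { 'On' }) ($depOff -ne 1)

# Protected Mode for the Internet zone (Windows Vista and later only).
$pm = Get-RegValue "$zoneRoot\3" '2500'
$findings += New-Finding 'Protected Mode (Internet zone)' $(if ($pm -eq 0) { 'On' } else { 'Off' }) ($pm -eq 0)

$findings | Select-Object Check, Value, Ok | Format-Table -AutoSize
```

Group Policy can override these per-user values with HKLM equivalents, so on a managed machine compare the report against the effective policy rather than treating a single "Ok = False" as final.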

Tags: IE, Security, what I read, Internet Explorer, twitter, Microsoft, Windows 7.

Clubhouse Tags: Clubhouse, how-to, Windows 7, Security, IE, Internet Explorer (IE) 

MSRC references: Security Advisory, Internet Explorer (IE), Workarounds, Defense-in-depth, Exploitability, Zero-Day Exploit


Also available via http://bit.ly/4F3tgX


Tablets & Slate PCs in Steve Ballmer’s CES keynote? The debut of Apple’s new iTablet? Dunno, but the Kindle DX does wireless worldwide on Jan 19th

CES is off to a great start with plenty of new product news… and we haven’t even had the keynote kickoff!

As I noted last month (all of a week or so ago) I decided to get on the ebook reader bandwagon and finally ordered a new Amazon Kindle. I was torn on the size: the 6" appeared best for my needs at home, but the overwhelming majority of feedback I received was in favour of the 9.7" Amazon Kindle DX, and I agreed.

But I found that the wait was 3-5 weeks! (http://bit.ly/6qUwlx)

Now I know why, thanks to chatter at CES on Twitter from engadget last night (http://bit.ly/5I04ex), the WSJ Blog and now this latest mail from Amazon: the new Amazon Kindle DX includes global wireless support, shipping January 19th for $489. I love it when a company takes the initiative and beats my email query to the punch, asking about my back order…

From: Amazon.com Customer Service 
Sent: Wednesday, January 06, 2010 12:11 AM
Subject: Update on your Kindle DX order

Dear Kindle Customer,

Today we introduced Kindle DX with Global Wireless – the next generation of our 9.7” wireless reading device.

Because you already ordered the original Kindle DX and are awaiting its arrival, we are pleased to inform you that we are upgrading your order to receive a Kindle DX with Global Wireless at no additional cost. You will receive the new Kindle DX as soon as it becomes available later this month.

We kept everything readers love about the original Kindle DX, then added global 3G wireless coverage and improved battery life.

Kindle DX with Global Wireless now enables you to wirelessly download content in over 100 countries and territories. With an extended battery life, you can now read for up to 1 week on a single charge with wireless on, a significant improvement from the previous battery life of 4 days.

Read more about Kindle DX with Global Wireless at http://www.amazon.com/dp/B0015TG12Q/

With your Kindle DX order already placed, you will be among the first to receive Kindle DX with Global Wireless, and you do not need to do anything.

You can cancel your order or check on order status by visiting your order summary here: <link>

If you purchased a 2-Year Extended Warranty for Kindle DX, your warranty will automatically apply to your new Kindle DX with Global Wireless device. If you have not purchased and are interested in a 2-Year Extended Warranty for Kindle DX, visit the product page at www.amazon.com/dp/B002GYVVY2

We hope you enjoy Kindle DX with Global Wireless.

Amazon.com Kindle Customer Service

So, why get one now rather than wait for a new Apple tablet or a Windows based slate PC? (Or as Brandon coined, a "slablet". "Tablate" sounds horrible 😉 Perhaps "Slate PC." Whatever it is, imagine netbook performance w/ touch: that would be sweet.) As I said last month to stephbu, No, I have a tablet PC (actually, two) and wanted a Kindle for the Amazon book offerings and simple business model for buying content, and I expect there’ll be subscription fees tied to an Apple tablet offering.

As noted by njeaton and others on Twitter, the venerable New York Times reported here that Microsoft CEO Steve Ballmer will reveal a "slate-like" PC tomorrow during his CES keynote (http://bit.ly/6JBX07), and there’s already a (Kindle) app for that. (Regardless of tomorrow’s CES keynote, I’ll keep my Amazon Kindle (love it) & adopt the “Kindle for PC” app.)

You can follow Microsoft’s goings-on at CES via http://www.microsoft.com/ces/ beginning Jan 6 @ 6:30PM PST with the live keynote – it will be streamed live from the convention.

And, no, to answer several mails from friends and associates this week: I’m not at CES this year (that’s two years running I’ve missed it in person, and my wife just asked, "when were you last there?" Hey, Al Roker’s there covering the gadgets along with the weather, so you’re good.) So I offer my post "Surviving CES in Las Vegas: A few helpful hints", with a few tips for those heading off to Vegas this week for the event, recycling the bits in the blog post. I figure that with the number of great folks following the play-by-play on the ground in Las Vegas on Twitter (what’s the best hashtag to use? I’m following #CES generally) and in the news, I’ll get my fill of new gadgets and devices. Plus, the various email alias subscriptions and RSS feeds will likely blow out my Outlook mailbox quota.


Tags: Microsoft, Xbox 360, CES 2010, CES, travel tips.


Also available via http://bit.ly/6zzSgg


Advisory: Bangladesh makes a last-minute decision to end daylight saving time on December 31, 2009

Yes, it’s true, Virginia: once again a government has decided on making a last-minute change to their daylight saving time. Quite reminiscent of when Argentina made a change to their daylight saving time back in 2007 and brought me into the office virtually whilst I was on vacation.

<rant> Less than a week is a tough time to get everyone in the region – regardless of operating system, time piece or sundial – alerted to a change of this magnitude.  In order to achieve more seamless transitions to new DST rules and time zones, ample advance notice and concentrated efforts on promoting any change should be provided to the people and businesses impacted. </rant>

This time, Bangladesh decided to end daylight saving time on December 31, 2009 as noted on the Microsoft Daylight Saving Time & Time Zone Blog

On Monday, December 28, 2009 the Bangladesh government announced that, following a cabinet decision last week, the clocks would move back one hour to standard time at 11:59 PM on Dec 31. The decision was also reported on The Daily Star.
A notice from the power ministry on Sunday, however, clarified that clocks would be set back again one minute before midnight on Dec 31.

The notice also stated that the government has decided to continue with Daylight Saving Time from 2010 to ensure maximum utility of daylight.
Clocks will be advanced to 11:59pm (GMT+7) from 10:59 pm on March 31, to continue until Oct 31.
They will be turned back to 10:59pm (GMT+6) from 11:59 pm on Oct 31, to run until March 31.

This communication only addresses recommendations for the Dec 31, 2009 change. Microsoft will communicate future guidance for the 2010 DST transitions.

Users on all Windows OS platforms can switch their computers to the Central Asia Standard Time zone (display name: (GMT+06:00) Astana; for users that did not apply KB978125, the time zone display name will look like this: (GMT+06:00) Astana, Dhaka).

Alternatively, for Windows OS versions released earlier than Vista, users may opt to update the registry key manually if they previously applied KB978125. Please note that the registry key value will be different if this operation is performed before Jan 1, 2010 than if it is performed after the start of the New Year, 2010. The reason for this is that the registry key value is different in 2009 than it is in 2010. Details on how to perform this operation can be found below in the section titled: “Manual Method to Perform DST Changes on down level platforms from Vista”.

An important note for Consumers:

For those customers (consumers, small businesses) wondering "Does this mean I have to install the updates manually?" 

No. Generally, consumers should wait for the updates to be installed via Windows Update rather than download and install these from the DLC. And for end users who have their PCs managed by a central administrator, your IT folks will handle the distribution and updating of your PCs over the network. (When in doubt, ask. 😉)

A note for IT Professionals:

More information including registry updates for folks who know how to do such things is available over at the Microsoft Daylight Saving Time & Time Zone Blog.

And now, a little history.

Microsoft’s product teams have moved to a regular rhythm to update their products and services to reflect time changes. For each update release, Microsoft accepts change requests up to a few months prior to the release date. Please refer to Microsoft’s Policy in Response to DST/TZ Requests, which provides recommendations for achieving more seamless transitions to new DST and time zone policies. We suggest that governments provide the following when considering changing DST or making adjustments to time zones:

  1. Ample advance notice (1 year or more) of the planned change.
  2. Official published confirmation of planned changes to DST or time zones.
  3. Concentrated efforts on promoting the change to the affected citizens.

Important notes for governments:

  • Please refer to Microsoft’s Policy in Response to DST/TZ Requests. It’s important for countries and territories to work towards seamless transitions to new DST and time zones policies, providing ample advance notice (of a year or more) with published confirmation of planned changes.
  • We suggest that entities planning DST changes consider implementing changes at the next clock tick after 01:59:59 rather than at 00:00:00. Making the change at midnight can impact daily systems, such as back-ups, financial reports, data pulls or other automated tasks.

Tags: Windows, Microsoft, Daylight Saving Time, Daylight Savings Time, RSS, DST; 18,000,000; 20,400,000 (up >3M)


Also available via http://bit.ly/4uuIzR


Black is not the new Blue this season: more on “Black Screen” issues and the Microsoft November Security Updates

Well, Black really isn’t the new Blue this season, as some may have you believe.

Over at the Microsoft Security Response Center (MSRC) blog, Christopher posted a note on the reports of so-called “Black Screen” issues that some customers might have experienced with their systems as a result of issues with the November Security Updates

We’ve investigated these reports and found that our November Security Updates are not making changes to the system that these reports say are responsible for these issues.

While these reports weren’t brought to us directly, from our research into them, it appears they’re saying that our security updates are making permission changes in the registry to the value for the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell key.

We’ve conducted a comprehensive review of the November Security Updates, the Windows Malicious Software Removal Tool, and the non-security updates we released through Windows Update in November. That investigation has shown that none of these updates make any changes to the permissions in the registry. Thus, we don’t believe the updates are related to the “black screen” behavior described in these reports.

We’ve also checked with our worldwide Customer Service and Support organization, and they’ve told us they’re not seeing “black screen” behavior as a broad customer issue. Because these reports were not brought to us directly, it’s impossible to know conclusively what might be causing a “black screen” in those limited instances where customers have seen it. However, we do know that “black screen” behavior is associated with some malware families such as Daonol.

If you think that you’ve been affected by this type of issue, contact our Customer Service and Support group, as you should any time you think that you’ve been impacted by malware. As Christopher further notes, "this enables us to determine what might be happening and take steps to help customers by documenting new malware families in our MMPC malware encyclopedia or documenting known issues in our security bulletins and the supporting Knowledge Base articles."

To avoid malware and other bad things, as I wrote here, you should only download software from a trusted source – for example, via Microsoft for our products and services – and avoid peer-to-peer downloads to save yourself an additional security risk.
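As an added example (not from the MSRC post or from Microsoft), here is a read-only PowerShell check of the Winlogon values the "black screen" reports pointed at, and of who holds write permission on that key, so the state of a machine can be compared with a known-good one before an update is blamed. It assumes the stock values are Shell = "explorer.exe" and Userinit = "<windir>\system32\userinit.exe," (the trailing comma is normal); the permission list is informational and the "stock" principals named in the comment are my assumption.

```powershell
# Added example, not from the MSRC post: a read-only look at the Winlogon values
# that the "black screen" reports pointed at, plus the permissions on that key,
# so the state can be compared against a known-good machine before blaming an
# update. Assumptions: default Shell is "explorer.exe" and default Userinit is
# "<windir>\system32\userinit.exe," (the trailing comma is normal).

$key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props = Get-ItemProperty -Path $key

$expected = @{
    Shell    = 'explorer.exe'
    Userinit = (Join-Path $env:windir 'system32\userinit.exe') + ','
}

function Test-WinlogonValue([string]$Name, $Actual, [string]$Expected) {
    # A changed Shell or Userinit is what would actually produce an empty desktop,
    # so flag anything that is not the stock value (case-insensitive, trimmed).
    $ok = ($Actual -ne $null) -and ("$Actual".Trim() -ieq $Expected)
    New-Object PSObject -Property @{ Name = $Name; Current = $Actual; Expected = $Expected; AsExpected = $ok }
}

$values = @()
foreach ($name in 'Shell', 'Userinit') {
    $values += Test-WinlogonValue $name $props.$name $expected[$name]
}
$values | Select-Object Name, Current, Expected, AsExpected | Format-Table -AutoSize

# Permissions: every Allow entry that can set values under this key. On a stock
# system typically only SYSTEM, Administrators and (Vista and later) TrustedInstaller
# hold this right; an entry for Users, Everyone or an unknown SID is worth a look.
$setValue = [int][System.Security.AccessControl.RegistryRights]::SetValue
$writers  = @()
foreach ($ace in (Get-Acl -Path $key).Access) {
    $rights = [int]$ace.RegistryRights
    if ($ace.AccessControlType -eq 'Allow' -and (($rights -band $setValue) -ne 0)) {
        $writers += New-Object PSObject -Property @{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}
$writers | Select-Object Identity, Rights, Inherited | Format-Table -AutoSize
```

Run it from an elevated prompt so Get-Acl can read the key's security descriptor; the script itself writes nothing.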

Additional information and guidance:

Tags: Windows Vista, Security, what I read, twitter, Microsoft, Windows 7, Microsoft Security Essentials.

Clubhouse Tags: Clubhouse, how-to, Security, download, Microsoft Security Essentials.


Also available via http://bit.ly/4HFBlB


Announcement: Hotfix for Microsoft Windows OS releases available for Fiji 2009/2010 Daylight Saving Time

Going to Fiji anytime soon? Or scheduling LiveMeetings with a thriving supplier in the region? Then you’ll want to know about the latest changes to their daylight saving time (aka DST).

As found over on the Microsoft Daylight Saving Time & Time Zone Blog, there is a link to the Hotfix for Windows OS releases available for Fiji 2009/2010 Daylight Saving Time

The Fiji government has approved the re-introduction of daylight saving time in Fiji, from Sunday, November 29th 2009 at 2.00 am to Sunday, April 25th 2010 at 3.00 am. This hotfix updates the start and end of Daylight Saving Time (DST) for Fiji in 2009.

Microsoft has produced a hotfix to implement this change.  If interested in downloading this hotfix, please refer to KB 977748 titled: “A hotfix is available to update the Daylight Saving Time for the Fiji Standard Time time zone for the year 2009 for Windows XP-based, Windows Server 2003-based, Windows Vista-based, Windows Server 2008-based, Windows 7-based and Windows Server 2008 R2-based computers”.

Hotfix Download Available: view and request hotfix downloads.


Tags: Windows, Microsoft, Daylight Saving Time, Daylight Savings Time, RSS, DST; 18,000,000; 20,400,000 (up >3M)


Also available via http://bit.ly/836fYb