MS Patch: 13 tačaka, 26 ranjivosti
Vesti, 20.02.2010, 00:25 AM
Microsoft je prošlog utorka objavio 13 tačaka sa popravkama 26 ranjivosti koje se tiču korisnika Windows i Office i upozorio kupce da posebno obrate pažnju na mnoštvo pukotina koje cyber-kriminalci lako mogu da iskoriste.
Kompanija je tom prilikom zahtevala od korisnika da četiri ažuriranja stave na listu prioriteta i da ih što pre implementiraju zbog toga što su rangirani kao „kritični“ kao i zbog činjenice da će se 'exploit' kod pojaviti u narednih 30 dana. Evo informacija o tri ažuriranja koja odmah treba primeniti.
MS10-13: Kritična ranjivost je u DirectShow, i trebalo bi da se nalazi u vrhu liste onoga što hitno treba implementirati. Ovo ažuriranje je prioritetno za sve podržane verzije Windows-a sa izuzetkom na Itanium-u baziranih serverskih proizvoda a ima Exploitability index 1. Za iskorišćavanje ove ranjivosti napadač treba da host-uje štetan AVI fajl na sajtu i ubedi korisnika da poseti sajt, ili da pošalje fajl email-om i ubedi korisnika da ga otvori.
MS10-006: Ovo ažuriranje takođe je rangirano kao „kritično“ za sve verzije Windows-a, izuzev Windows Vista i Windows Server 2008, a tiče se dve ranjivosti u SMB klijentu (Server Message Block). Jedna od ranjivosti ima Exploitability index rejting 1. U najjednostavnijem slučaju, sistem se povezuje na 'file sharing' mrežu u SMB klijentu. Problem nastaje tokom faze pregovaranja na relaciji klijent/server. Pokušavajući da iskoristi ovo, napadač će morati da host-uje štetan server i natera sistemskog klijenta da se poveže sa njim. Napadač takođe pokušava da izvede 'man-in-the-middle' napad odgovarajući na SMB zahteve koji dolaze od klijenta. Prema našoj analizi, očekujemo da je verovatniji rezultat pokušaja iskorišćavanja Denial of Service nego Remote Code Execution.
MS10-007: Ispravljanje kritične ranjivosti u Windows Shell Handler tiče se Windows 2000, Windows XP i Windows 2003. Pravac napada sledi poseban link koji se pojavljuje u ShellExecute API kako bi bio validan link. Ovaj problem nije bio iznošen javno, ali mu je ipak dodeljen Exploitability Index rejting 1, tako da apelujemo na korisnike platformi koje ovo dotiče da instaliraju zakrpu što je pre moguće.
Četvrta tačka - MS10-008 - uključuje ActiveXBits za Internet Explorer i trebalo bi da bude tretirana kao prioritet najvišeg stepena zbog toga što izlaže one koji surfuju internetom napadima štetnim izvršnim kodovima. Od 13 tačaka, 11 njih se tiče operativnog sistema Windows dok se dve tiču starijih verzija MS Office. Ova tabela sa Majkrosoftovog bloga za ispitivanje bezbednosti i odbrane (Microsoft's Security Research & Defense Blog ) pruža korisne informacije koje mogu da pomognu u proceni rizika udruženih sa ovim ranjivostima:
Bulletin |
Most likely attack vector |
Max Bulletin Severity |
Max Exploit- ability Index |
Likely first 30 days impact |
Platform mitigations |
(Quartz) |
Victim opens malicious AVI or WAV file. |
Critical |
1 |
Likely to see working exploit in next 30 days. |
|
(ShellExecute) |
Attacker hosts a malicious webpage, lures victim to it. |
Critical |
1 |
Likely to see exploit code released resulting in binary on WebDAV share being executed.
For more detail, see this SRD blog post. |
|
(SMB Client) |
Locally logged-in attacker with low privilege runs a malicious executable to elevate to high privilege. |
Critical |
1 |
Likely to see working exploit code for local attacker escalation.
For more detail, see this SRD blog post. |
|
(ActiveX kill-bits) |
Attackers host a malicious webpage, lures victim to it |
Critical |
2 |
Likely to see working exploit for vulnerabilities in third party ActiveX controls. |
|
(SMB Server) |
Attacker sends network-based malicious connection to remote Windows machine via SMB. |
Important |
1 |
Likely to see working proof-of-concept in next 30 days for CVE-2010-0231 resulting in attacker luring remote victim user to open file on attacker server and initiating a connection back to machine where remote victim is logged on.
Less likely to see working exploit code for the authenticated code execution vulnerability (CVE-2010-0020) or unauthenticated denial-of-service vulnerabilities (CVE-2010-0021 and 0022)
For more detail, see this SRD blog post. |
|
(Kernel) |
Attacker already able to execute code as low-privileged user escalates privileges. |
Important |
1 |
Proof of concept code already widely available. No active attacks. |
|
(CSRSS) |
Attacker who logs onto console of system where victim later logs onto console of same system can potentially run code with victim’s identity. |
Important |
1 |
Likely to see proof-of-concept code published for this vulnerability. However, unlikely to see wide-spread exploitation due to extensive user interaction required. |
|
(TCP/IP) |
Attacker sends network-based attack against system on local subnet. |
Critical |
2 |
May see denial-of-service proof-of-concept code published leveraging CVE-2010-0239 or CVE-2010-0241. Attackers are less likely to discover real-world attack surface in next 30 days for CVE-2010-0240. |
/GS effective mitigation for CVE’s: CVE-2010-0239 CVE-2010-0240 CVE-2010-0241.
CVE-2010-0242 is denial of service only. |
(Excel) |
Attack sends malicious .xls file to victim who opens it with Office XP or lower. (Office 2003, 2007 not affected.) |
Important |
1 |
Likely to see working exploit file effective on Office XP in first 30 days. |
Office 2003 and Office 2007 not affected. |
(PowerPoint) |
Attacks malicious .ppt file to victim who opens it with Powerpoint Viewer 2003. |
Important |
1 |
Likely to see working exploit file effective on PowerPoint Viewer 2003. However, PowerPoint Viewer 2003 was replaced online by PowerPoint Viewer 2007. Only victims who use PowerPoint Viewer 2003 from Office 2003 install disk would be vulnerable to the PowerPoint Viewer vulnerabilities.
Less likely to see working exploit for other PowerPoint vulnerabilities. |
|
(Hyper-V) |
Attacker running code on virtual machine crashes host OS. |
Important |
3 |
Unlikely to see working exploit code in next 30 days. |
|
(Kerberos) |
Attacker potentially able to cause denial of service via Kerberos traffic if victim server configured with trust relationship to MIT Kerberos realm. |
Important |
3 |
Unlikely to see public exploit code in next 30 days. |
|
(GDI+) |
Attacker sends malicious JPEG to victim. Victim saves JPG, launches mspaint, and then file->opens the malicious JPEG |
Moderate |
1 |
Likely to see exploit code developed. Unlikely to have broad impact as mspaint is not registered file association for JPEG. |
|
Microsoft je takođe ažurirao alatku za uklanjanje štetnog softvera kako bi omogućio detekciju Win32/Pushbot porodice štetnih programa.
---------
Članak preuzet sa:
http://threatpost.com/
Izdvojeno
Uprkos akciji policije, BadBox nastavlja da se širi: malverom zaraženo 192.000 Android uređaja
Android malver BadBox zarazio je više od 192.000 uređaja širom sveta uprkos nedavnoj operaciji policije u Nemačkoj koja je pokušala da zaustavi ... Dalje
Interpol traži da se termin ''pig butchering'' (svinjokolj) ne koristi više za žrtve investicionih i ljubavnih internet prevara
Interpol je pozvao zajednicu sajber bezbednosti, organe za sprovođenje zakona i medije da prestanu da koriste termin „pig butchering“ (sv... Dalje
Milioni korisnika interneta izloženi riziku od lažnih captcha stranica i infekcije malverom Lumma
Istraživači Guardio Labsa i Infobloxa otkrili su kampanju velikih razmera koja distribuira malver Lumma preko lažnih captcha stranica. Napadači is... Dalje
Amnesty International: Srpske vlasti koriste do sada nepoznati špijunski softver NoviSpy
Srpske vlasti su instalirale špijunski softver na telefone desetina predstavnika civilnog društva, aktivista i novinara, navodi se u izveštaju koji... Dalje
Android malver BadBox predinstaliran na desetinama hiljada IoT uređaja
Nemačka Savezna kancelarija za informacionu bezbednost (BSI) je saopštila da je blokirala malver BadBox koji je predinstaliran na više od 30.000 An... Dalje
Pratite nas
Nagrade