Published May 10, 2012
This week, Microsoft released seven bulletins fixing twenty-three vulnerabilities on Patch Tuesday. Three of the bulletins are rated as ‘critical,’ which could lead to remote code execution, whereas the remaining four are rated as ‘important.’
The first critical bulletin resolves a privately reported bug in Microsoft Office through which an attacker could remotely execute code after the user opens a specially crafted RTF file. The second patch resolves three publicly disclosed bugs and seven privately disclosed ones in Microsoft Office, Microsoft Windows, the Microsoft .NET Framework, and Microsoft Silverlight. These could also lead to remote code execution if an attacker can find a way to trick users into opening a specially crafted document or visiting a webpage that embeds TrueType font files.
The MS12-034 bulletin also addresses one of the vulnerabilities exploited by the Duqu malware. Microsoft had already patched that bug, CVE-2011-3402, in the kernel-mode font parser, but in the last few months its engineers discovered that the same vulnerable code snippet had been copied into other places in Microsoft products.
In a recent blog post, Microsoft writes, "In the time since we shipped MS11-087, we discovered that several Microsoft products contained a copy of win32k.sys’s font parsing code. Unfortunately, each copy of the code also contained the vulnerability addressed by MS11-087. The most troublesome copy was in gdiplus.dll. We know that several third party applications – 3rd party browsers in particular – might use gdiplus.dll to parse and render custom fonts. Microsoft Office’s version of gdiplus, called ogl.dll, also contained a copy of the vulnerable code. Silverlight included a copy of the vulnerable code. And the Windows Journal viewer included a copy of the vulnerable code.
"In addition to addressing the vulnerabilities described in the bulletin, this security update also closes the malicious keyboard layout file attack vector. Windows Vista introduced a requirement that all keyboard layout files be loaded from %windir%\system32. MS12-034 ports that change down level to Windows XP and Windows Server 2003 as well." (Find Microsoft’s TechNet blog summary here).
The last ‘critical’ patch fixes two privately reported vulnerabilities in Windows and the .NET Framework. These could allow remote code execution on client systems where the user views a specially crafted webpage that can run XAML browser applications. As with the other remote code execution bulletins, users whose accounts have fewer rights on the system are less affected.
Of the four ‘important’ patches remaining, the first resolves six vulnerabilities in Microsoft Office and the second resolves a vulnerability in Microsoft Visio Viewer. Either set of bugs, if left unpatched, could lead to remote code execution. The last two important patches address bugs that could lead to elevation of privilege: the first resolves two bugs in TCP/IP and the second resolves a vulnerability in Windows Partition Manager.
Published May 10, 2012
As part of Operation Ghost Click, the FBI brought down an Estonian hacker ring last year, which resulted in the takeover of the rogue DNS servers. Now, the Internet Systems Consortium is gearing up to permanently shut down deployed DNS servers that are currently serving as temporary surrogates for confiscated rogue DNS servers. As of last month, 84,000 U.S. computers still used the “pwned” servers put up for the FBI by the Internet Systems Consortium. Those servers must be taken down July 9th due to a court order. At that time, any machine still using them for name resolution will be forced offline. Some internet security firms rank DNSChanger as the most prevalent high-level infection with 1 in 400 households still infected. DNSChanger is not the result of a single malware infection. It has been in operation for over 5 years, and during that time has used a variety of techniques to gain control of victims’ computers and modify their DNS configuration. The most recent infection method has been the TDSS/Alureon rootkit.
To figure out whether you’ve been infected with DNSChanger, just visit this site: DNSChanger Check-Up. The link will take you to a DNS Changer Check-Up page in the United States that the DNS Changer Working Group maintains. It’s an accurate check, but it has two blind spots: if your router is infected, the check will report that your PC is infected even though the PC itself may be clean, and if your ISP redirects DNS traffic, your PC may appear clean even though its DNS settings have been maliciously altered.
To be certain that your PC is free of DNSChanger malware, you need to manually look up the IP addresses of the DNS servers that your PC contacts to resolve domain names when browsing the web. To look up which DNS servers your Windows PC is using, open your Start menu and either run the Command Prompt application or type cmd in the Search field. Once you have a command prompt open, type ipconfig /allcompartments /all at the command line and press Enter. A big block of text should appear; scroll through it until you see a line that says ‘DNS Servers’, and copy down the string(s) of numbers that follow (there may be more than one string here, meaning that your PC accesses more than one DNS server).
It’s even easier for Mac OS X users to determine the IP addresses of the DNS servers that their PC uses. Open the Apple menu (usually located in the upper-left corner of the screen) and select System Preferences. Next, click the Network icon to open your Network Settings menu; navigate to Advanced Settings, and copy down the string(s) of numbers listed in the DNS Server box. Once you know the IP addresses of the DNS servers that your PC is using head over to the FBI DNSChanger website and enter those addresses into the search box. Press the big blue Check Your DNS button, and the FBI’s software will tell you whether your PC is using rogue DNS servers to access the internet.
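As an added example (not part of the original post), the following Python script automates the Windows half of this procedure: it pulls every DNS server address out of saved `ipconfig /allcompartments /all` output, including the extra servers that ipconfig prints on indented continuation lines, and checks each against a list of rogue ranges. The ipconfig excerpt is constructed, and the `ROGUE_RANGES` value is a placeholder documentation network; the real ranges must be taken from the FBI/DCWG database the post links to.

```python
import ipaddress
import re

# Placeholder: replace with the rogue-server ranges published by the FBI/DCWG.
# 203.0.113.0/24 is an RFC 5737 documentation network, not a real DNSChanger indicator.
ROGUE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed excerpt of `ipconfig /allcompartments /all` output. The second DNS
# server of the first adapter sits on a continuation line holding only the address.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.test
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.45
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   DNS Servers . . . . . . . . . . . : 198.51.100.1
"""

DNS_LINE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)\s*$")
CONT_LINE = re.compile(r"^\s{20,}(\S+)\s*$")  # deeply indented line with one address


def extract_dns_servers(ipconfig_text):
    """Return every DNS server address in the ipconfig output, in order of appearance."""
    servers = []
    in_dns_block = False
    for line in ipconfig_text.splitlines():
        m = DNS_LINE.match(line)
        if m:
            servers.append(m.group(1))
            in_dns_block = True
            continue
        if in_dns_block:
            c = CONT_LINE.match(line)
            if c:
                servers.append(c.group(1))
                continue
            in_dns_block = False  # any other line ends the DNS Servers block
    return servers


def check_servers(servers, rogue_ranges=ROGUE_RANGES):
    """Map each literal address to True if it lies inside a known-rogue range."""
    result = {}
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            continue  # skip anything that is not a plain IP literal
        result[s] = any(addr in net for net in rogue_ranges)
    return result
```

A private address such as the 192.168.1.1 gateway above is not rogue in itself, but it means the router is the resolver, so the router's own DNS settings need the same check.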
If your PC is infected with DNSChanger, you’ll have to do some serious work to get rid of it. DNSChanger is a powerful rootkit that does more than just alter DNS settings; if you’ve been infected with DNSChanger, chances are you are infected with other malware on top of that. Your safest (and easiest) course is to back up your important data, reformat your hard drive, and reinstall your operating system. If the infected PC is on a network, every PC on that network needs to be checked for signs of infection, and the router’s settings need to be checked as well to make sure it isn’t compromised (DNSChanger is programmed to change router DNS settings automatically, using the default usernames and passwords of most modern routers). To do this, copy down your router’s DNS server IP addresses and check them against the FBI’s IP address database mentioned above. If your router is infected, reset the router and confirm that all network settings are restored to the manufacturer’s defaults.
If reformatting isn’t an option, it will be necessary to have your machine(s) professionally cleaned to ensure your IT environment is safe and secure.