FYI...

Microsoft Security Advisory (937696)
MS Office Isolated Conversion Environment (MOICE) and File Block Functionality for MS Office
- http://www.microsoft.com/technet/security/advisory/937696.mspx
Published: May 21, 2007 ~ "...Both features are designed to make it easier for customers to protect themselves from Office files that may contain malicious software, such as unsolicited Office files received from unknown or known sources. MOICE makes it easier by providing new security mitigation technologies designed to convert specific Microsoft Office files types, while File Block provides a mechanism that can control and block the opening of specific Microsoft Office file types. The Microsoft Office Isolated Conversion Environment (MOICE) uses the 2007 Microsoft Office system converters to convert Office 2003 binary documents to the newer Office open XML format. The Conversion process helps protect customers by converting the Office 2003 binary file format to the Office open XML format in an isolated environment. In summary, MOICE provides a mechanism for customers to pre-process potentially unsafe Office 2003 binary documents, by virtue of the conversions process it provides customers with a greater degree of certainty that the document can be considered safe. We encourage Microsoft Office customers to review the related Knowledge base article and consider whether MOICE can help protect users in your IT environment. For more information about this release, see Microsoft Knowledge Base Article 935865*... for MS Office 2003 and the 2007 MS Office..."
* http://support.microsoft.com/kb/935865

.

FYI...

Microsoft Security Advisory (927891)
Fix for Windows Installer (MSI)
- http://www.microsoft.com/technet/security/advisory/927891.mspx
Published: May 22, 2007
"Today we are announcing the availability of an update that does not address a security vulnerability, but is a high priority for customers in keeping their systems updated. The update addresses the following issue:

Your system may appear to become unresponsive when Windows Update or Microsoft Update is scanning for updates that use Windows installer, and you may notice that the CPU usage for the svchost process is showing 100%.
When you try to install an update from Windows Update or from Microsoft Update, you experience the following symptoms:
• Your system may appear to become unresponsive when Windows Update or Microsoft Update is scanning for updates that use Windows Installer.
• You receive an access violation error in svchost.exe. This access violation stops the Server service and the Workstation service.
• A memory leak occurs when Windows Update or Microsoft Update is scanning for updates that use Windows Installer.
• Windows Update or Microsoft Update scans take a very long time, sometimes hours, to complete.

We encourage Windows customers to review and install this update. This update will be offered automatically through Automatic Updates. For more information about this issue, including download links for the available non-security update, please review Microsoft Knowledge Base Article 927891*.
Please note that this update is the first part of a two-part fix that is the comprehensive solution to the problem. In June, another update will involve the Windows Update client. The update for the Windows Update client will also be automatically offered through Automatic Updates."

* http://support.microsoft.com/kb/927891

.

FYI...

Microsoft Security Advisory (932596)
Update to Improve Kernel Patch Protection
- http://www.microsoft.com/technet/security/advisory/932596.mspx
August 14, 2007 - "An update is available for Kernel Patch Protection included with x64-based Windows operating systems. Kernel Patch Protection protects code and critical structures in the Windows kernel from modification by unknown code or data. This update adds additional checks to this protection for increased reliability, performance, and resiliency of Windows. For more information about this release, see Microsoft Knowledge Base Article 932596*..."

* http://support.microsoft.com/kb/932596

.

FYI...

Microsoft Security Advisory (943521)
URL Handling Vulnerability in Windows XP and Windows Server 2003 with Windows Internet Explorer 7 Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/943521.mspx
Published: October 10, 2007
"Microsoft is investigating public reports of a remote code execution vulnerability in supported editions of Windows XP and Windows Server 2003 with Windows Internet Explorer 7 installed. We are not aware of attacks that try to use the reported vulnerability or of customer impact at this time. Microsoft is investigating the public reports.
• This vulnerability does not affect Windows Vista or any supported editions of Windows where Internet Explorer 7 is not installed..."

MSRC
> http://preview.tinyurl.com/yoadp8
October 10, 2007

.

FYI...

URL Update to IE URL Handling Vuln
- http://isc.sans.org/diary.php?storyid=3547
Last Updated: 2007-10-26 02:05:06 UTC - "Earlier this month, Microsoft published KB943521. This article acknowledged that third party software had to validate URLs before passing them to Internet Explorer, as Internet Explorer will not validate them. Today, Microsoft published an update to the advisory, suggesting limited exploitation of this vulnerability.
Microsoft does not appear to plan to fix the issue in Internet Explorer. Instead, it asks vendors releasing tools that pass URLs to Internet Explorer to validate them...

Links:

http://www.microsoft.com/technet/security/advisory/943521.mspx

http://blogs.technet.com/msrc/archive/2007/10/25/msrc-blog-october-25th-update-to-security-advisory-943521.aspx "

.

FYI...

Microsoft Security Advisory (944653)
Vulnerability in Macrovision SECDRV.SYS Driver on Windows Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/944653.mspx
November 5, 2007 - "Microsoft is working with Macrovision, investigating new public reports of a vulnerability in the Macrovision secdrv.sys driver on supported editions of Windows Server 2003 and Windows XP. This vulnerability does not affect Windows Vista. We are aware of limited attacks that try to use the reported vulnerability. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process..."

> http://www.macrovision.com/promolanding/7352.htm

.

FYI...

Follow-up on Macrovision Secdrv exploit
- http://www.symantec.com/enterprise/security_response/weblog/2007/11/followup_on_macrovision_secdrv.html
November 6, 2007 - "...Microsoft posted Microsoft Security Advisory (944653) about this issue. With the release of this advisory, I’d like to answer a few follow-up questions for blog readers:
Q: I don’t play games and I don’t use Macrovision software, so am I safe?
A: No. The vulnerable component affected by the bug is the Macrovision driver SECDRV.SYS, which is shipped by default with Windows systems. It is usually installed under the %System%\drivers folder.
Q: Is Windows Vista affected by this vulnerability?
A: Vista is not affected. Only SECDRV versions shipped with Windows XP and 2003 are. Instead the version shipped with Vista is a completely different driver, reworked and not vulnerable to this attack.All users should keep in mind that, in a multi-layered defense perspective, it is possible that malware dropped on the system via some other exploit (e.g. browser vulnerability or the recent PDF exploit) could potentially take advantage of the SECDRV bug to take further control of the computer and bypass other layers of protection.
Q: Where is the patch?
A: Macrovision released a version of the driver today (almost identical to the one shipped with Vista) that fixes this problem. The update is available here:
http://www.macrovision.com/promolanding/7352.htm
It’s not clear at the moment if Microsoft will distribute this update with the next cycle of Windows Update."

- http://www.microsoft.com/technet/security/advisory/944653.mspx
Revisions:
• November 05, 2007: Advisory published
• November 07, 2007: Advisory revised to include indentified workarounds for this vulnerability and additional information on what is secdrv.sys.

FYI...

Microsoft Security Advisory (945713)
Vulnerability in Web Proxy Auto-Discovery (WPAD) Could Allow Information Disclosure
- http://www.microsoft.com/technet/security/advisory/945713.mspx
December 3, 2007 - "Microsoft is investigating new public reports of a vulnerability in the way Windows resolves hostnames that do not include a fully-qualified domain name (FQDN). The technology that the vulnerability affects is Web Proxy Auto-Discovery (WPAD). Microsoft has not received any information to indicate that this vulnerability has been publicly used to attack customers, and Microsoft is not aware of any customer impact at this time. Microsoft is aggressively investigating the public reports. Customers whose domain name begins in a third-level or deeper domain, such as “contoso.co.us”, or for whom the following mitigating factors do not apply, are at risk from this vulnerability. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers...
Mitigating Factors:
• Customers who do not have a primary DNS suffix configured on their system are not affected by this vulnerability. In most cases, home users that are not members of a domain have no primary DNS suffix configured. Connection-specific DNS suffixes may be provided by some Internet Service Providers (ISPs), and these configurations are not affected by this vulnerability.
• Customers whose DNS domain name is registered as a second-level domain (SLD) below a top-level domain (TLD) are not affected by this vulnerability. Customers whose DNS suffixes reflect this registration would not be affected by this vulnerability. An example of a customer who is not affected is contoso.com or fabrikam.gov, where “contoso” and “fabrikam” are customer registered SLDs under their respective “.com” and “.gov” TLDs.
• Customers who have specified a proxy server via DHCP server settings or DNS are not affected by this vulnerability.
• Customers who have a trusted WPAD server in their organization are not affected by this vulnerability. (See the Workaround section for specific steps in creating a WPAD.DAT file on a WPAD server.)
• Customers who have manually specified a proxy server in Internet Explorer are not at risk from this vulnerability when using Internet Explorer.
• Customers who have disabled 'Automatically Detect Settings' in Internet Explorer are not at risk from this vulnerability when using Internet Explorer..."

.

FYI...

Microsoft Security Advisory (944653)
Vulnerability in Macrovision SECDRV.SYS Driver on Windows Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/944653.mspx
Updated: December 11, 2007 - "...We have issued MS07-067* to address this issue..."

* http://www.microsoft.com/technet/security/Bulletin/MS07-067.mspx

FYI...

Microsoft Security Advisory (943411)
Update to Improve Windows Sidebar Protection
- http://www.microsoft.com/technet/security/advisory/943411.mspx
January 8, 2008 - "An update is available for currently supported editions of the Windows Vista operating system. The update to improve Windows Sidebar Protection enables Windows Sidebar to help block gadgets from running in Sidebar. For more information about installing this update, see Microsoft Knowledge Base Article 943411*. For more information about how Windows Sidebar Protection helps block installed gadgets from running in Windows Sidebar, see Microsoft Knowledge Base Article 941411**..."

* http://support.microsoft.com/kb/943411

** http://support.microsoft.com/kb/941411

.

FYI...

Microsoft Security Advisory (945713)
Vulnerability in Web Proxy Auto-Discovery (WPAD) Could Allow Information Disclosure
- http://www.microsoft.com/technet/security/advisory/945713.mspx
Updated: January 9, 2008
Revisions:
• December 3, 2007: Advisory published.
• January 9, 2008: Advisory updated: The registry key for the Configure a Domain Suffix Search List workaround has been corrected to the proper key of SearchList.

.

FYI...

Microsoft Security Advisory (947563)
Vulnerability in Microsoft Excel Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/947563.mspx
January 15, 2008 - "Microsoft is investigating new public reports of a vulnerability in Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000, and Microsoft Excel 2004 for Mac. At this time, our initial investigation indicates that customers who are using Microsoft Office Excel 2007 or Microsoft Excel 2008 for Mac, or who have installed Microsoft Office Excel 2003 Service Pack 3 are not affected by this vulnerability. Microsoft is investigating the public reports and customer impact. Upon completion of this investigation, Microsoft will take the appropriate action... At this time, we are aware only of targeted attacks that attempt to use this vulnerability. Additionally, as the issue has not been publicly disclosed broadly, we believe the risk at this time to be limited..."

FYI...

Microsoft Security Advisory (947563)
Vulnerability in Microsoft Excel Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/947563.mspx
Updated: March 11, 2008 - "...We have issued MS08-014* to address this issue..."
* http://www.microsoft.com/technet/security/Bulletin/MS08-014.mspx

.

FYI...

Microsoft Security Advisory (950627)
Vulnerability in Microsoft Jet Database Engine (Jet) Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/950627.mspx
March 21, 2008 - "Microsoft is investigating new public reports of very limited, targeted attacks using a vulnerability in the Microsoft Jet Database Engine that can be exploited through Microsoft Word.
Customers running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not vulnerable to the buffer overrun being attacked, as they include a version of the Microsoft Jet Database Engine that is not vulnerable to this issue.
Customers using Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007, and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1 are vulnerable to these attacks.
Microsoft is investigating the public reports and customer impact. We are also investigating whether the vulnerability can be exploited through additional applications. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers..."

RE: http://www.microsoft.com/technet/security/advisory/950627.mspx

- http://isc.sans.org/diary.html?storyid=4192
Last Updated: 2008-03-25 00:41:39 UTC - "...A few minutes ago Microsoft has posted more details about this issue on the MSRC blog*. Summarizing:
- The Jet Database Engine vulnerability is well-known since March 2005. The main issue now is that it can be exploited through a new attack vector, Microsoft Word (specifically two DOC files), avoiding the mitigations enforced by Outlook and Exchange over this unsafe file type (MDB).
- Microsoft is currently working on the fixes, evaluating if an update may prevent Word from opening MDB files, and checking how to apply the fixed msjet40.dll currently available for Windows Server 2003 SP2, Windows Vista, and beta versions of Windows XP SP3 in other OS versions.
- In the meantime, apart from the general recommendation of not opening untrusted MS Word files, you can follow the two workarounds detailed on the initial advisory:
o Computer-based workaround: Restrict the Microsoft Jet Database Engine from running through the "cacls" command, used to modify the access control lists (ACLs) of files. Applications requiring the Jet Database Engine will not function.
o Infrastructure-based workaround: Block specific files at your mail gateway based on string signatures (if it provides file inspection capabilities). The associated strings plus implementation details for specific mail gateways are detailed on the advisory..."
* http://preview.tinyurl.com/2lvatz

.