Interestingly enough, there are footnotes that apply to Windows Server 2008 and Windows Server 2008 R2 detailing whether or not the Server Core installation is affected:

*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option.

**Server Core installation not affected. The vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, when installed using the Server Core installation option.

This tends to support some of the things I am hearing about Server Core being more secure than a full-blown GUI installation of the products. Here’s Microsoft’s take:

Reduced attack surface. Because Server Core has fewer system services running on it than a Full installation does, there’s less attack surface (that is, fewer possible vectors for malicious attacks on the server). This means that a Server Core installation is more secure than a similarly configured Full installation.

Microsoft is planning eight security updates next week – two critical – as part of its regular Patch Tuesday program.

The obvious highlight of the batch is a critical update for Internet Explorer that affects all supported versions of Microsoft’s ubiquitous web browser, including IE 9. The second critical update covers flaws in Microsoft .NET Framework and Microsoft Silverlight that create a possible mechanism for miscreants to inject hostile code onto vulnerable systems.

The bad news is that most of the updates will require system restarts. I suggest you set updates to manual on any application servers.

Stuxnet was specifically written to attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes. Stuxnet includes the capability to reprogram the programmable logic controllers (PLCs) and hide the changes. According to a PC World report, “… Ralph Langner, a well-respected expert on industrial systems security, published an analysis of the worm, which targets Siemens software systems, and suggested that it may have been used to sabotage Iran’s Bushehr nuclear reactor. A Siemens expert, Langner simulated a Siemens industrial network and then analyzed the worm’s attack.”

See Microsoft Security Bulletin Advance Notification for October 2010.

On Monday, Microsoft issued a rare out-of-cycle patch to permanently fix the vulnerability. However, applying the patch does not disable the workaround, so those who used the FixIt solution will need to go here and use the “disable workaround” button. According to The Register, “. . . Microsoft released the update outside of its normal patching schedule because the vulnerability is being actively targeted. When the flaw first came to public attention three weeks ago, it was being used to attack SCADA — supervisory control and data acquisition — systems that control sensitive equipment at power plants, gas refineries, and other other critical infrastructure.”

Be sure all your machines have this one.

The overall conclusion is that despite considerable security investments, the software industry at large still proves unable to produce software with substantially less vulnerabilities, highlighting the continued need for Vulnerability Intelligence and Patch Management.

Further, the report shows an alarming development in 3rd party program vulnerabilities, representing an increasing threat to both users and business, which, however, continues to be greatly ignored. This trend is supported by the fact that users and businesses still perceive the operating system and Microsoft products to be the primary attack vector, largely ignoring 3rd party programs, and finding the actions to secure these too complex and time-consuming. Ultimately this leads to incomplete patch levels of the 3rd party programs, representing rewarding and effective targets for criminals.

What’s interesting is that since 2005 in more than 29,000 products covered by Secunia’s intelligence, no significant up- or downward trend in the number of vulnerabilities could be discerned. But that just means that software is still just as insecure as it was five years ago; no progress is being made. Not surprising, ten vendors, including Microsoft, Apple, Oracle, IBM, Adobe, and Cisco account for an average of 38 percent of all vulnerabilities disclosed on a yearly basis. Further highlights:

• In the two years from 2007 to 2009, the number of vulnerabilities affecting a typical end-user PC almost doubled from 220 to 420, and based on the data of the first six months of 2010, the number is expected to almost double again in 2010 to 760.
• During the first six months of 2010, 380 vulnerabilities or 89% of the figures for all of 2009 has already been reached.
• A typical end-user PC with 50 programs installed had 3.5 times more vulnerabilities in the 24 3rd party programs installed than in the 26 Microsoft programs installed. It is expected that this ratio will increase to 4.4 in 2010.

Secunia is testing its own Auto Update technology that will work with a broad variety of programs from a number of different vendors. They plan to release a version later this year with the intention to significantly improve the security of home users’ PCs.

Kudos to them, I say; it’s just a shame that the vendors themselves don’t take a more proactive role. That’s what absolutely must happen if we’re ever to get ahead of the curve.

This was first revealed on June 10, 2010 in Microsoft Security Advisory (2219475). It was updated on June 15th.

Microsoft is investigating new public reports of a possible vulnerability in the Windows Help and Support Center function that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. Microsoft is aware that proof-of-concept exploit code has been published for the vulnerability. Microsoft is also aware of limited, targeted active attacks that use this exploit code.

This problem is related to the HCP protocol. It’s still not patched, but here is a workaround for it:

Unregistering the HCP Protocol prevents this issue from being exploited on affected systems.

Using the Interactive Method

1. Click Start, click Run, type Regedit in the Open box, and then click OK

2. Locate and then click the following registry key: HKEY_CLASSES_ROOT\HCP

3. Click the File menu and select Export

4.In the Export Registry File dialog box, enter HCP_Procotol_Backup.reg and click Save. Note This will create a backup of this registry key in the My Documents folder by default.

5. Press the Delete key on the keyboard to delete the registry key. When prompted to delete the registry key via the Confirm Key Delete dialog box, click Yes.

We hope Microsoft will issue a patch shortly.

To check your plug-ins, go to: http://www.mozilla.com/en-US/plugincheck/

I’ve checked both my systems at home and sure enough, I was out of date on at least one plug-in on each system.

Having to check several applications using different tools can be tedious, so I still recommend that everyone use Secunia’s Personal Software Inspector.

The Secunia PSI is a free security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Attacks exploiting vulnerable programs and plug-ins are rarely blocked by traditional anti-virus and are therefore increasingly “popular” among criminals. I’ve written about this one before and I still recommend it.

Bottom line: whatever tool you use, keep your apps, plug-ins, scripts, whatever up to date.

The beauty of this site is that it works with all popular browsers as noted by Steve Gibson of Security Now!:

The big news is they’ve decided to expand this service beyond Firefox, which is so cool. They’re now offering it for not only Firefox, but Safari, Chrome, Opera, and IE.

Just do it!

The first issue is caused by a boundary error while processing Shockwave 3D block. The second issue is a memory corruption vulnerability caused by a signedness error while processing malicious Shockwave files. The third issue is a memory corruption vulnerability caused by an array indexing error while processing malicious Shockwave files.

. . .

The eleventh issue is caused by a signedness error while processing Director files. There are some more unspecified errors which can be exploited to cause memory corruption.

Unless you have a specific use for this plugin, just get rid of it. I found I don’t even have it, so it’s not really an issue for website functionality.

According to Microsoft, in Microsoft Security Advisory (981374), “The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.”

When the advisory was issued, Microsoft was aware of targeted attacks attempting to use this vulnerability. Today, the Microsoft Security Response Center (MSRC) issued this statement:

Today we issued our Advanced Notification Service (ANS) to advise customers that we will be releasing security update MS10-018 tomorrow, March 30, 2010, at approximately10:00 a.m. PDT (UTC-8). MS10-018 resolves Security Advisory 981374, addressing a publicly disclosed vulnerability in Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8 is unaffected by the vulnerability addressed in the advisory and we continue to encourage all customers to upgrade to this version to benefit from the improved security protection it offers.

Be sure to apply the update if you are running IE 6 or IE 7. Better yet, just upgrade to IE 8 . Even better still, dump IE and use Firefox or Chrome.