Microsoft Releases October Security Bulletin

Microsoft has released updates to address vulnerabilities in Microsoft Windows, SQL Server, Server Software, Office, and Lync as part of the Microsoft Security Bulletin summary for October 2012. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or operate with elevated privileges.

US-CERT encourages users and administrators to review the bulletin and follow best-practice security policies to determine which updates should be applied.

This product is provided subject to this Notification and this Privacy & Use policy.

Supreme Court Terminates Warrantless Electronic Spying Case

Behind this door at an AT&T San Francisco office is a switching room where the NSA allegedly siphoned Americans’ communications. Photo: Mark Klein

The Supreme Court closed a 6-year-old chapter Tuesday in the Electronic Frontier Foundation’s bid to hold the nation’s telecoms liable for allegedly providing the National Security Agency with backdoors to eavesdrop, without warrants, on Americans’ electronic communications in violation of federal law.

The justices, without comment, declined to review a lower court’s December decision (.pdf) dismissing the EFF’s lawsuit challenging the NSA’s warrantless eavesdropping program. At the center of the dispute was 2008 congressional legislation retroactively immunizing the telcos from being sued for cooperating with the government in a program President George W. Bush adopted shortly after the September 2001 terror attacks.

After Bush signed the legislation and invoked its authority in 2008, a San Francisco federal judge tossed the case, and the EFF appealed. Among other things, the EFF claimed the legislation, which granted the president the discretion to invoke immunity, was an illegal abuse of power.

The New York Times first exposed the NSA’s warrantless wiretapping of international phone calls to and from Americans in 2005. A former AT&T technician named Mark Klein later produced internal company documents suggesting that the NSA was surveilling internet backbone traffic from a secret room at an AT&T switching center in San Francisco, and similar facilities around the country. Klein’s evidence formed the basis of the now-dismissed suit, Hepting v. AT&T.

Cindy Cohn, the EFF’s legal director, said the group was “disappointed” with the outcome because “it lets the telecommunication companies off the hook for betraying their customers’ trust.”

The Bush administration, and now the President Barack Obama administration, have neither admitted nor denied the spying allegations — though Bush did admit that the government warrantlessly listened in on some Americans’ overseas phone calls, which he said was legal.

But as to widespread internet and phone dragnet surveillance of Americans, both administrations have declared the issue a state secret — one that would undermine national security if exposed.

After six years of legal jockeying, the merits of the allegations have never been weighed in the litigation. But some portions of them still might.

That’s because litigation on the surveillance program continues. After U.S. District Judge Vaughn Walker tossed the case against the telcos, the EFF sued the government instead. Walker dismissed that case, too, ruling that it amounted to a “general grievance” from the public and not an actionable claim. But a federal appeals court reversed, and sent it down to a trial judge in December.

Judge Margaret McKeown, of the 9th U.S. Circuit Court of Appeals, ruled that the EFF’s claims “are not abstract, generalized grievances and instead meet the constitutional standing requirement of concrete injury. Although there has been considerable debate and legislative activity surrounding the surveillance program, the claims do not raise a political question nor are they inappropriate for judicial resolution.”

A hearing on that case is scheduled next month in San Francisco federal court.

The Obama administration is again seeking it to be tossed, claiming it threatens to expose state secrets and would be an affront to national security. When the state secrets doctrine is invoked, judges routinely dismiss cases amid fears of exposing national security secrets.

On Monday, President Obama said that in the presidential contest with Republican challenger Mitt Romney: ”We haven’t talked about what’s at stake with respect to civil liberties.” One might say that hasn’t been heard in the courts, either, under Obama’s tenure.

Monkeys Explain Why Anonymous and Occupy Exist

Protesters burn a flag during Occupy Oakland’s move-in day in front of City Hall on Saturday, Jan. 28, 2012.
Photo: Alex Washburn

Sometimes Anonymous gets mad — like when PayPal and Visa cut off donations to WikiLeaks on the flimsiest of justifications. Sometimes chunks of the populace gets mad, like when the Occupy Movement brought into focus what any close observer of the finance industry knows: The finance industry is no longer about funding enterprises and is largely focused now on finding an edge to bleed money from the productive economy and sucker citizens.

The inequalities are so obvious even a monkey can see them. And in fact, monkeys do see them.

Of course, the problem of figuring out what’s fair and what’s not is usually a lot harder than deciding between getting a grape and a cucumber slice for equal work, but sometimes the world makes it pretty easy to see, even if the inequality proves hard to change.

Hat Tip: BoingBoing

Microsoft Patch Tuesday – October 2012

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing seven bulletins covering a total of 20 vulnerabilities. One of this month's issues is rated ’Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the October releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms12-Oct

The following is a breakdown of the issues being addressed this month:

  1. MS12-064 Vulnerabilities in Microsoft Word Could Allow Remote Code Execution

    Word PAPX Section Corruption Vulnerability (CVE-2012-0182) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Word handles specially crafted Word files. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

    RTF File listid Use-After-Free Vulnerability (CVE-2012-2528) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Microsoft Office handles specially crafted RTF files. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

  2. MS12-065 Vulnerability in Microsoft Works Could Allow Remote Code Execution

    Works Heap Vulnerability (CVE-2012-2550) MS Rating: Important

    A remote code execution vulnerability exists in the way that affected versions of Microsoft Works parse specially crafted RTF data. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

  3. MS12-066 Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege

    HTML Sanitization Vulnerability (CVE-2012-2520) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that HTML strings are sanitized. An attacker who successfully exploited this vulnerability could perform cross-site scripting attacks and run script in the security context of the logged-on user.

  4. MS12-067 Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution

    Oracle Outside In library contains multiple exploitable vulnerabilities (CVE-2012-1766) MS Rating: Important

    Remote code execution vulnerabilities exist in FAST Search Server 2010 for SharePoint using the Advanced Filter Pack; an attacker could run arbitrary code in the context of a user account with a restricted token. By default, Advanced Filter Pack in FAST is disabled.

    Oracle Outside In library contains multiple exploitable vulnerabilities (CVE-2012-1767) MS Rating: Important

    Remote code execution vulnerabilities exist in FAST Search Server 2010 for SharePoint using the Advanced Filter Pack; an attacker could run arbitrary code in the context of a user account with a restricted token. By default, Advanced Filter Pack in FAST is disabled.

    Oracle Outside In library contains multiple exploitable vulnerabilities (CVE-2012-1768) MS Rating: Important

    Remote code execution vulnerabilities exist in FAST Search Server 2010 for SharePoint using the Advanced Filter Pack; an attacker could run arbitrary code in the context of a user account with a restricted token. By default, Advanced Filter Pack in FAST is disabled.

    Oracle Outside In library contains multiple exploitable vulnerabilities (CVE-2012-1769) MS Rating: Important

    Remote code execution vulnerabilities exist in FAST Search Server 2010 for SharePoint using the Advanced Filter Pack; an attacker could run arbitrary code in the context of a user account with a restricted token. By default, Advanced Filter Pack in FAST is disabled.

    Oracle Outside In library contains multiple exploitable vulnerabilities (CVE-2012-1770) MS Rating: Important

    Remote code execution vulnerabilities exist in FAST Search Server 2010 for SharePoint using the Advanced Filter Pack; an attacker could run arbitrary code in the context of a user account with a restricted token. By default, Advanced Filter Pack in FAST is disabled.

    Oracle Outside In library contains multiple exploitable vulnerabilities (CVE-2012-1771) MS Rating: Important

    Remote code execution vulnerabilities exist in FAST Search Server 2010 for SharePoint using the Advanced Filter Pack; an attacker could run arbitrary code in the context of a user account with a restricted token. By default, Advanced Filter Pack in FAST is disabled.

    Oracle Outside In library contains multiple exploitable vulnerabilities (CVE-2012-1772) MS Rating: Important

    Remote code execution vulnerabilities exist in FAST Search Server 2010 for SharePoint using the Advanced Filter Pack; an attacker could run arbitrary code in the context of a user account with a restricted token. By default, Advanced Filter Pack in FAST is disabled.

    Oracle Outside In library contains multiple exploitable vulnerabilities (CVE-2012-1773) MS Rating: Important

    Remote code execution vulnerabilities exist in FAST Search Server 2010 for SharePoint using the Advanced Filter Pack; an attacker could run arbitrary code in the context of a user account with a restricted token. By default, Advanced Filter Pack in FAST is disabled.

    Oracle Outside In library contains multiple exploitable vulnerabilities (CVE-2012-3106) MS Rating: Important

    Remote code execution vulnerabilities exist in FAST Search Server 2010 for SharePoint using the Advanced Filter Pack; an attacker could run arbitrary code in the context of a user account with a restricted token. By default, Advanced Filter Pack in FAST is disabled.

    Oracle Outside In library contains multiple exploitable vulnerabilities (CVE-2012-3107) MS Rating: Important

    Remote code execution vulnerabilities exist in FAST Search Server 2010 for SharePoint using the Advanced Filter Pack; an attacker could run arbitrary code in the context of a user account with a restricted token. By default, Advanced Filter Pack in FAST is disabled.

    Oracle Outside In library contains multiple exploitable vulnerabilities (CVE-2012-3108) MS Rating: Important

    Remote code execution vulnerabilities exist in FAST Search Server 2010 for SharePoint using the Advanced Filter Pack; an attacker could run arbitrary code in the context of a user account with a restricted token. By default, Advanced Filter Pack in FAST is disabled.

    Oracle Outside In library contains multiple exploitable vulnerabilities (CVE-2012-3109) MS Rating: Important

    Remote code execution vulnerabilities exist in FAST Search Server 2010 for SharePoint using the Advanced Filter Pack; an attacker could run arbitrary code in the context of a user account with a restricted token. By default, Advanced Filter Pack in FAST is disabled.

    Oracle Outside In library contains multiple exploitable vulnerabilities (CVE-2012-3110) MS Rating: Important

    Remote code execution vulnerabilities exist in FAST Search Server 2010 for SharePoint using the Advanced Filter Pack; an attacker could run arbitrary code in the context of a user account with a restricted token. By default, Advanced Filter Pack in FAST is disabled.

  5. MS12-068 Vulnerability in Windows Kernel Could Allow Elevation of Privilege

    Windows Kernel Integer Overflow Vulnerability (CVE-2012-2529) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

  6. MS12-069 Vulnerability in Kerberos Could Allow Denial of Service

    Kerberos NULL Dereference Vulnerability (CVE-2012-2551) MS Rating: Important

    A denial of service vulnerability exists when the Microsoft Kerberos implementation fails to properly handle a specially crafted session. An attacker who successfully exploited this vulnerability could cause the system to stop responding and restart.

  7. MS12-070 Vulnerability in SQL Server Could Allow Elevation of Privilege

    Reflected XSS Vulnerability (CVE-2012-2552) MS Rating: Important

    A reflected XSS vulnerability exists in SQL Server Report Manager that could allow an attacker to inject a client-side script into the user's instance of Internet Explorer. The script could spoof content, disclose information, or allow the attacker to take actions in the context of the user on the affected site.

More information on the vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.