Update
Businessweek has an article about the SCADA connection of this flaw, and Siemens has issued an advisory and an update for the software components that some strains of the malware attack.

Original
Just three days after July's Patch Tuesday, Microsoft issued an advisory for an issue affecting all current Windows Operating Systems. The flaw is located in Windows Shell and can be used to execute arbitrary code on vulnerable systems. According to the advisory, Microsoft is aware of targeted attacks in the wild exploiting the issue. Brian Krebs reports that Russian AV company VirusBlokAda detected the attack while analyzing a new malware sample.

The advisory lists workarounds that can be implemented by editing the registry. They change the way certain icons are visualized, so there is a visible impact on the desktop of the user.

The advisory does not list Windows XP SP2, or Windows 2000 for that matter, as being affected, because Microsoft just ended support for both Operating Systems last Tuesday. However, we assume the attack works against both of them, and attackers will surely take advantage of this security hole. We recommend upgrading your existing Windows XP SP2 installations to SP3 as soon as possible so that you can install the security update for this issue once Microsoft publishes it. Windows 2000 users face a bigger hurdle: they need to upgrade to an entirely new Operating System.

Microsoft's July update is a small step for security updates, but a huge leap for enterprise security. Windows 2000 and Windows XP SP2 are being retired from official support today and will not receive security updates anymore. Our own internal statistics indicate that approximately 50 % of Windows XP machines are still on the SP2 level and external surveys put the number of organizations that still depend on SP2 at 77 %. This month there are four bulletins, two for security flaws in Windows and two for Microsoft Office. We rank MS10-042 as the most urgent update: It covers Windows XP (both SP2 and SP3) and Windows 2003 and addresses the Windows Help and Support Center vulnerability published by Tavis Ormandy in a much discussed full disclosure move. Microsoft showed a quick turnaround time on this update.

Next on our list is MS10-045, because it undermines the security model of attachments in Microsoft Outlook. Microsoft classified the vulnerability only as "important", but it allows an attacker to camouflage malicious files as a safe file type. An example would be to pass off an executable as a simple text file. All versions of Outlook are affected, excluding the newest Outlook 2010. The second Microsoft Office update, MS10-044, which addresses a vulnerability in a Microsoft Access ActiveX component, is ranked critical and should be treated as a priority as well.

Last on our list is MS10-043, a vulnerability in the CDD display driver for Windows 7 and Windows 2008R2. It is ranked critical, but there are a number of mitigating factors; it is only applicable to 64 bit versions and requires a fairly high display resolution. The priority of the update depends on your environment.

Microsoft's July update is small - four bulletins in total, two of them addressing security flaws in Windows and two for Microsoft Office. Both Windows bulletins have a maximum rating of critical and both address previously disclosed vulnerabilities. The first one is for Windows XP and 2003 and fixes the Windows Help and Support Center vulnerability published by Tavis Ormandy in a much discussed full disclosure move. Microsoft showed some impressive turnaround time on that patch. The second bulletin fixes a problem in the AERO display driver component for Windows 7 and Windows Server 2008 R2, which was disclosed publicly earlier in May.

The two remaining bulletins, one ranked critical and one important, are for Microsoft Office and all versions but the new Office 2010 are affected, including Office XP, Office 2003 and Office 2007.

July also marks the end of support for two important Microsoft Operating Systems, Windows XP SP2 and Windows 2000. Windows XP SP2 users are advised to upgrade to SP3, which will be supported throughout 2014. Windows 2000 users need to upgrade to a different version of the operating system altogether, as the entire Windows 2000 line is discontinued.

Original:
Yesterday Adobe released its quarterly security update for Adobe Reader and Adobe Acrobat. Adobe moved the release forward by 2 weeks, because some of the vulnerabilities addressed are currently being exploited in the wild. The release fixes the zero-day vulnerability in the embedded Flash player that Adobe ships within the Reader product and addresses 15 other vulnerabilities.

The new Adobe Reader also improves the treatment for the high profile "Launch" vulnerability and introduces changes and default settings that neuter that attack.

All Adobe users should update immediately because exploits for the vulnerability have been reported by many industry sources.

Original:

Earlier today Tavis Ormandy released an advisory disclosing a new vulnerability in Windows XP and Windows 2003. The vulnerability is in the Windows Help and Support Center component and is reached through the protocol handler "hcp://". It can be triggered through all major browsers, but as Tavis points out it is easier to exploit under IE7. Tavis provides sample exploit code for both IE8 and IE7 in the advisory.

As a work-around for the vulnerability, it is possible to de-register the HCP protocol on the target machine:

  1. From the Start Menu, select Run
  2. Type regedit then click OK (The registry editor program launches)
  3. Expand HKEY_CLASSES_ROOT and highlight the HCP key
  4. Right mouse click on the HCP key, and select Delete

This workaround disables all local help links that use hcp://, even legitimate ones. For example, links in the Control Panel may no longer function. For more details on the workaround consult MS03-044, which lists the above instructions for an older vulnerability in the Help system.
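A script form of the four-step workaround above, added here as an example and not part of the original post: it audits the hcp:// handler key, writes a reg.exe backup so the key can be restored with "reg import" once the patch is installed, and deletes the key only when -Remove is passed. Assumed: an elevated PowerShell session on the affected host and the backup path shown.

```powershell
# Added example, not from the original post: script form of the hcp:// workaround.
# Audits HKEY_CLASSES_ROOT\HCP, backs it up to a .reg file (assumed path below)
# and removes it only when -Remove is given. Run elevated on the affected host.
param(
    [switch]$Remove,
    [string]$BackupFile = "$env:TEMP\HKCR-HCP-backup.reg"   # assumed default
)

$hcpKey = 'Registry::HKEY_CLASSES_ROOT\HCP'

if (-not (Test-Path $hcpKey)) {
    Write-Host 'hcp:// handler key not present; nothing to do.'
    return
}

# Record what the handler would launch, so the audit output is meaningful.
$cmdKey = "$hcpKey\shell\open\command"
if (Test-Path $cmdKey) {
    $launch = (Get-Item $cmdKey).GetValue('')
    Write-Host "hcp:// is registered; handler command: $launch"
} else {
    Write-Host 'hcp:// key exists but has no shell\open\command subkey.'
}

if (-not $Remove) {
    Write-Host 'Audit only. Re-run with -Remove to delete the key.'
    return
}

# Back up first: "reg import <file>" restores the key after the vendor patch,
# when the legitimate Control Panel help links are wanted again.
if (Test-Path $BackupFile) { Remove-Item $BackupFile -Force }
& reg.exe export 'HKEY_CLASSES_ROOT\HCP' $BackupFile | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
    throw "Backup of HKEY_CLASSES_ROOT\HCP failed; key left in place."
}

Remove-Item -Path $hcpKey -Recurse -Force
Write-Host "Deleted HKEY_CLASSES_ROOT\HCP; backup written to $BackupFile"
```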

Tavis' decision to use full disclosure for this vulnerability will certainly revive the discussions around full vs. responsible disclosure. Tavis provides some comments regarding that discussion and includes references to articles by Bruce Schneier exploring the matter.

We are working on testing the exploit and will update this post when new developments occur.

Updates:
Today Adobe released a new version of their Flash player, which fixes the 0-day announced last Friday plus another 30-plus vulnerabilities. We recommend installing immediately. The release for the corresponding 0-day in Adobe Reader is expected on June 29.

If you run Internet Explorer plus another browser (Chrome, Firefox, Safari, Opera or a combination), you have to install updates for both IE and the others. Here are the direct download links:

June is a big month for Microsoft patches: there are 10 bulletins covering 34 vulnerabilities. Four bulletins address 0-day issues, the most significant being MS10-035, which fixes the 0-day published by Core Security for an information disclosure vulnerability originally published in February 2010. It also fixes the PWN2OWN vulnerability that security researcher Peter Vreugdenhil used to win ZDI's competition at CanSecWest; not a 0-day, but high profile as it bypassed all built-in protections such as DEP and ASLR by combining multiple attack methods. MS10-039 addresses a second 0-day, the vulnerability in SharePoint described by Microsoft in KB983438. MS10-032 and MS10-041 are the additional updates that fix vulnerabilities that were previously disclosed.

The most critical bulletins this month are MS10-035 for Internet Explorer, MS10-033 for DirectShow, and MS10-038 for Excel in Microsoft Office. All versions of IE, including IE8, are affected by MS10-035. There are 6 vulnerabilities in the update, 2 of them critical, and it has an overall exploitability index of 1, indicating that an exploit is expected within 30 days. MS10-033 is a vulnerability in the MJPEG codec and affects a large number of Microsoft products, but its main attack vector is going to be media files delivered through the Internet to Windows Media Player or IE. Excel has 14 vulnerabilities covered by MS10-038, with 11 in Office XP and only 3 in more recent versions (2003, 2007). These vulnerabilities can be used to trigger code execution when a malicious file is opened by the user. The new Office 2010, which is scheduled to be released later this month, is not affected by any of the vulnerabilities.

MS10-032 addresses a local escalation of privilege vulnerability. While it is not remotely exploitable through any Microsoft product, 3rd party applications could expose it and provide a remote attack possibility.

MS10-040 is a remotely exploitable vulnerability in all versions of IIS, but it is present only if the administrator has downloaded and installed the Channel Binding Update and enabled Windows Authentication. It further requires an account on the system, reducing the number of vulnerable hosts to a small subset.

In related news, Adobe, which published an advisory for a critical 0-day vulnerability in Flash and Reader on Friday, announced that they will provide patches on June 10th and June 29th, respectively, 2 dates that IT administrators should track closely as exploits for the vulnerability are widely available.

On Friday Adobe announced a critical 0-day vulnerability for Adobe Flash that has been observed in active use in the wild. A successful exploit gives the attacker full control over the target machine, which can run Windows, Mac OS X, Linux and Solaris.

The vulnerability also affects Adobe Reader V9, which comes with an integrated Flash player that is used to play Flash content embedded in PDF documents. Adobe Reader V8 is not affected.

Attack vectors are malicious websites and infected PDF documents that can be received through e-mail or web download.

Although Adobe does not have a patch at the moment, users can evaluate Adobe's posted instructions for workarounds in the advisory itself.
