MowGreen: January 2007 Archives


January 23, 2007

FIX: KB927978 and KB925672 repeatedly reoffered

There have been frequent reports in the MS Windows Update newsgroup of KB927978 (MS06-071) and KB925672 (MS06-061) being repeatedly reoffered. Users report that even after a so-called successful installation of KB925672 and the subsequent installation of KB927978, both are reoffered. After installing them over and over, they are still reoffered.
KB927978 supersedes KB925672 only in the following respect:

Note: This security update only replaces the MS06-061 security update for Microsoft XML Core Services 4.0 and Microsoft XML Core Services 6.0 as both Microsoft XML Core Services 3.0 and Microsoft XML Core Services 5.0 are not affected.

Since KB927978 has a CRITICAL severity rating, it would behoove one to get it installed ASAP. I cannot find any article that states that the vulnerability is being actively exploited, but I *think* it was being used when the Genuine Santa's web page was hacked.

OK, let's get this installed so that it's not reoffered.

Uninstall KB927978 from Add/Remove Programs.
It will be listed as MSXML 4.0 SP2 (KB927978)
Reboot

Now uninstall KB925672 from Add/Remove Programs.
It will be listed under Windows XP - Software Updates at the bottom
(The Show updates box at the top next to Currently installed programs and updates must be checked to see the installed Windows Updates)
Reboot

After rebooting, download MSXML 4.0 SP2 KB927978
Save it, do NOT run it.
Close the browser and ANY other open window
If you've done any printing, I suggest rebooting prior to installation.

Install msxml4-KB927978-enu.exe now
Reboot

If either KB927978 or KB925672 is not listed in Add/Remove Programs (and Show updates is checked), then show hidden files, folders, and system files.
Using either Windows Explorer or My Computer, navigate to the WINDOWS directory (folder).
Check to see whether $NtUninstallKB927978$ and/or $NtUninstallKB925672$ are present.
Open the folders, then open the spuninst folder and run spuninst.exe for each of the installed updates, rebooting between each uninstall.
Then install msxml4-KB927978-enu.exe.
NOTE: As pointed out by Torgeir Bakken, MVP, one can also download MSXML 4.0 SP2. Download msxml.msi, run it, and choose Remove from the three options presented (Modify / Repair / Remove). If prompted to, reboot the system. If not, run msxml.msi once more to install it.
Then download the SECURITY update from here, save it, close the browser, then run msxml4-KB927978-enu.exe to install it.

In addition, KB927978 generates randomly named folders on either the root drive, usually C:\ , or on the drive with the most free space, for each attempt at installing it. The folders contain the installation log file.
These folders can be safely deleted.

Teacher guilty in Norwich porn case??? WHOA, not so fast, Mr. DA

According to this newspaper article, Teacher guilty in Norwich porn case:

State Prosecutor David Smith said he wondered why Julie Amero didn't just pull the plug on her classroom computer.

The six-person jury Friday may have been wondering the same thing when they convicted Amero, 40, of Windham of four counts of risk of injury to a minor, or impairing the morals of a child. It took them less than two hours to decide the verdict. She faces a sentence of up to 40 years in prison.

Oct. 19, 2004, while substituting for a seventh-grade language class at Kelly Middle School, Amero claimed she could not control the graphic images appearing in an endless cycle on her computer.

"The pop-ups never went away," Amero testified. "They were continuous."

The Web sites, which police proved were accessed while Amero was in the classroom, were seen by as many as 10 minor students. Several of the students testified during the three-day trial in Norwich Superior Court to seeing images of naked men and women.

Computer expert W. Herbert Horner, testifying in Amero's defense, said he found spyware on the computer and an innocent hair styling Web site "that led to this pornographic loop that was out of control."

"If you try to get out of it, you're trapped," Horner said.

But Smith countered Horner's testimony with that of Norwich Police Detective Mark Lounsbury, a computer crimes investigator. On a projected image of the list of Web sites visited while Amero was working, Lounsbury pointed out several highlighted links.

"You have to physically click on it to get to those sites," Smith said. "I think the evidence is overwhelming that she did intend to access those Web sites."

WHOA, not so fast, Mr. DA
According to this article:
Detective Mark Lounsbury, a computer crimes officer at the Norwich Police Department testified as an expert witness for the prosecution. He maintained that Amero was intentionally surfing for pornography while her seventh grade class busied itself with language arts.

Lounsbury told the court that Amero must have "physically clicked" on pornographic links during class time in order to unleash the pornographic pictures. However, he admitted under cross-examination that the prosecution never even checked the computer for malware.

Why didn't the police check for malicious software? According to prosecutor David Smith, the police didn't check for malware because the defense didn't raise the possibility of a malware attack during the pretrial phase, as required by law. Defense attorney Cocheo could not be reached for comment as of press time.

Herb Horner, the proprietor of the consulting firm Contemporary Computing Consultants, testified as an expert witness for the defense. His exhaustive independent forensic analysis of Amero's hard drive showed that the machine had been infected with multiple pieces of malicious software before she arrived at the school, and that these hidden programs were responsible for the pornographic deluge.

Horner arrived in court with two laptops filled with the voluminous records of his investigation. However, the judge only let him present two slides. Prosecutor Smith objected because his team hadn't been previously informed about the malware defense.


So, since the evidence was not brought up in pretrial hearings, its introduction was severely limited in defending Ms. Amero.

Did she knowingly and deliberately visit the pornographic sites while teaching class?
The police and prosecutor say yes; Mr. Horner says definitely NOT: the system was not in her control and was downloading the porn without any intervention by Ms. Amero.

As anyone who has had their computer taken over by malware will testify, once the virulent form of malware witnessed here takes over, the computer belongs to the Bad Guyz, not to the owner or operator of said system.

Let's hope that justice is served when this case is appealed.

Sun Updates for Multiple Vulnerabilities in Java

From US-CERT Technical Cyber Security Alert TA07-022A

Original release date: January 22, 2007
Last revised: --
Source: US-CERT

Systems Affected
Sun Java Runtime Environment versions

* JDK and JRE 5.0 Update 9 and earlier
* SDK and JRE 1.4.2_12 and earlier
* SDK and JRE 1.3.1_18 and earlier


Overview

The Sun Java Runtime Environment contains multiple vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

The Sun Java Runtime Environment (JRE) allows users to run Java applications in a browser or as standalone programs. Sun has released updates to the Java Runtime Environment software to address multiple vulnerabilities. Further details about these vulnerabilities are available in the Vulnerability Notes Database.

Note that exploit code is publicly available for at least one of these vulnerabilities.

II. Impact

By convincing a user to run a specially crafted Java application, a remote, unauthenticated attacker can execute arbitrary code on a vulnerable system. A common attack vector would be a web page that contains a Java applet.

III. Solution
Apply an update from Sun

These issues are addressed in the following versions of the Sun Java Runtime environment:

* JDK and JRE 5.0 Update 10 or later
* SDK and JRE 1.4.2_13 or later
* SDK and JRE 1.3.1_19 or later

If you install the latest version of Java, older versions of Java may remain installed on your computer. If these versions of Java are not needed, you may wish to remove them. For instructions on how to remove older versions of Java, refer to the following instructions from Sun.

The older versions will remain installed. One must manually uninstall older, vulnerable versions. Of course, certain applications will need to be rewritten so they function with the latest safe JRE, but the way Sun is heading, no version looks like it will be safe for long.
C'mon Sun, WAKE UP and smell the security cluestick!!!

Sun Java : What you don't know CAN hurt you

Since Sun's security position cannot be taken seriously, as evidenced by the never-ending articles I've been writing here, let's see what the latest security issue they've kept hidden for the past SEVEN MONTHS is: Java brews critical bug

A bug in the Java Runtime Environment (JRE) can leave corporate systems open to attack if a user visits a site containing malicious code, security researchers have warned.

The bug affects Windows, Linux and Solaris, and Sun has released a patch.

The JRE includes the Java Virtual Machine and supporting executables and files, and contains safeguards that prevent applets from causing trouble on the wider system. The newly disclosed flaw allows applets to upgrade their privileges, effectively giving them free access to the rest of the system, Sun said in an advisory.

"For example, an applet may grant itself permissions to read and write local files or execute local applications with the privileges of the user running the untrusted applet," Sun said.

The specific bug is to do with the processing of GIF image components, according to the Zero Day Initiative (ZDI), a bounty-oriented program run by 3Com's TippingPoint, which bought rights to disclosure from an anonymous researcher.

"When the image width in an image block of a valid GIF file is set to 0, the Java runtime will allocate the specified size but subsequently copy all data to the under allocated memory chunk," ZDI said in its advisory. "The overflow results in the corruption of multiple pointers, at least one of which is later dereferenced and can therefore result in execution of arbitrary code."
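As an added example (not code from the article, ZDI or Sun), here is a C checker that applies the advisory's description to a constructed GIF image block: it compares the width*height buffer a naive decoder would allocate with the bytes the data sub-blocks carry, and rejects the width=0 case before any copy could happen. Function names, the sample bytes and the simplified decoding are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

typedef struct {
    size_t alloc_bytes;  /* width * height: the pixel buffer a naive decoder allocates */
    size_t data_bytes;   /* bytes carried by the image's data sub-blocks */
    int    zero_dim;     /* 1 if the width or height field is 0 */
} gif_image_check;

/* Parse one image block: 0x2C, left(2), top(2), width(2), height(2), flags(1),
 * LZW minimum code size(1), then length-prefixed data sub-blocks (blocks with a
 * local color table are rejected as unsupported, a simplification). Returns 1 if
 * the data fits in a width*height buffer, 0 if it would not (the under-allocation
 * the advisory describes), -1 if the block is malformed or unsupported. */
static int gif_check_image_block(const uint8_t *b, size_t n, gif_image_check *out)
{
    if (n < 11 || b[0] != 0x2C || (b[9] & 0x80)) return -1;
    uint16_t w = (uint16_t)(b[5] | (b[6] << 8));      /* fields are little-endian */
    uint16_t h = (uint16_t)(b[7] | (b[8] << 8));
    size_t pos = 11, data = 0;
    while (pos < n) {
        uint8_t len = b[pos++];
        if (len == 0) break;                            /* block terminator */
        if (pos + len > n) return -1;                   /* truncated sub-block */
        data += len;
        pos  += len;
    }
    out->alloc_bytes = (size_t)w * h;
    out->data_bytes  = data;
    out->zero_dim    = (w == 0 || h == 0);
    /* Hardened rule: reject zero dimensions and any block with more data than pixels */
    return (!out->zero_dim && data <= out->alloc_bytes) ? 1 : 0;
}

/* Constructed sample: a 2x2 image carrying 4 data bytes (sub-block bytes are
 * treated as already-decoded pixels, another simplification), optionally with
 * the width field patched to 0 as in the advisory. */
static int sample_result(int zero_width, gif_image_check *out)
{
    uint8_t blk[] = { 0x2C, 0,0, 0,0, 2,0, 2,0, 0x00, 0x02,   /* descriptor + min code size */
                      0x04, 0x11,0x22,0x33,0x44, 0x00 };      /* one 4-byte sub-block + end */
    if (zero_width) blk[5] = 0;
    return gif_check_image_block(blk, sizeof blk, out);
}
```

With the width patched to 0 the checker reports a 0-byte allocation against 4 bytes of data and refuses the block, which is exactly the condition the advisory says the runtime failed to catch.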

ZDI originally informed Sun of the problem back in June, the organization said.

Secunia, a third-party security company based in Denmark, said the problem was one of the most serious to have affected Java in some time. Secunia said the bug was "highly critical".

The bug affects Java Development Kit (JDK) and JRE 5.0 Update 9 and prior, Java Software Development Kit (SDK) and JRE 1.4.2_12 and prior, and SDK and JRE 1.3.1_18 and prior.

To paraphrase a Bill Clinton campaign slogan, "It's the applets, stupid."
How many users were bitten by this vulnerability? Do worms like applets?
Stay tuned for the never ending saga of
Sun Java: Security through meditation
Or, if we pretend it's safe, it is safe