The more, the better
ozan gökçen
Production is the reason of our lives and producing an idea is the beginning.
June 05
ADVANCE NOTIFICATION - June 2009 Microsoft Security Bulletin Release
What is the purpose of this alert?
As part of the monthly security bulletin release cycle, Microsoft provides advance notification to our customers on the number of new security updates being released, the products affected, the aggregate maximum severity, and information about detection tools relevant to the update. This is intended to help our customers plan for the deployment of these security updates more effectively.
On June 9, 2009, Microsoft is planning to release ten new security bulletins. Below is a summary in order of severity.
New Bulletin Summary
Although we do not anticipate any changes, the number of bulletins, products affected, restart information, and severities are subject to change until released.
Advance Notification Web Page: The full version of the Microsoft Security Bulletin Advance Notification for this month can be found at http://www.microsoft.com/technet/security/bulletin/ms09-jun.mspx.
Microsoft Windows Malicious Software Removal Tool: Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.
Monthly Security Bulletin Webcast: To address customer questions on these bulletins Microsoft will host a Webcast next week, Wednesday, at 11:00 A.M. Pacific Time (U.S. and Canada). Registration for this event and other details can be found at http://www.microsoft.com/technet/security/bulletin/summary.mspx.
Regarding Information Consistency
We strive to provide you with accurate information in static (this mail) and dynamic (Web-based) content. Microsoft’s security content posted to the Web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft’s Web-based security content, the information in Microsoft’s Web-based security content is authoritative.
If you have any questions regarding this alert please contact your Technical Account Manager or Application Development Consultant.
Thank you, Microsoft CSS Security Team
May 29
Alert - Microsoft Security Advisory 971778 Released
What is the purpose of this alert?
This alert is to notify you that Microsoft has released Security Advisory 971778 – Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution - on May 28, 2009.
Summary
Microsoft is investigating new public reports of a new vulnerability in Microsoft DirectX. The vulnerability could allow remote code execution if a user opened a specially crafted QuickTime media file. Microsoft is aware of limited, active attacks that use this exploit code. While our investigation is ongoing, our investigation so far has shown that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable; all versions of Windows Vista and Windows Server 2008 are not vulnerable. Microsoft has activated its Software Security Incident Response Process (SSIRP) and is continuing to investigate this issue.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) program to provide information that they can use to provide broader protections to customers.
Mitigating Factors
· In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to convince them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. After they click the link, they would be prompted to perform several actions. An attack could only occur after they performed these actions.
· An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
· All versions of Windows Vista and Windows Server 2008 are not affected by this issue.
Recommendations
Review Microsoft Security Advisory 971778 for an overview of the issue, details on affected components, mitigating factors, suggested actions, frequently asked questions (FAQs), and links to additional resources.
Customers who believe they are affected can contact Customer Service and Support (CSS) in North America for help with security update issues or viruses at no charge using the PC Safety line (866) PCSAFETY. International customers can contact Customer Service and Support by using any method found at http://www.microsoft.com/protect/worldwide/default.mspx.
Additional Resources
· Microsoft Security Advisory 971778 – Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution - http://www.microsoft.com/technet/security/advisory/971778.mspx
· Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc/
· Microsoft Malware Protection Center (MMPC) Blog: http://blogs.technet.com/mmpc/
· Security Research & Defense (SRD) Blog: http://blogs.technet.com/srd/
Thank you, Microsoft CSS Security Team
Regards, Ozan Gökçen | Technical Account Manager | Microsoft Services Turkiye | +90 533 375 62 33 | +90 212 370 50 70 | www.microsoft.com/support
May 24
Alert - Microsoft Security Advisory 971492 Released
What is the purpose of this alert?
This alert is to notify you that Microsoft has released Security Advisory 971492 – Vulnerability in Internet Information Services (IIS) Could Allow Elevation of Privilege - on May 18, 2009.
Summary
Microsoft is investigating new public reports of a possible vulnerability in Microsoft Internet Information Services (IIS). An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication.
We are not aware of attacks that are trying to use this vulnerability or of customer impact at this time. Microsoft is investigating the public reports.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) program to provide information that they can use to provide broader protections to customers.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
Affected Software
· Microsoft Internet Information Services 5.0
· Microsoft Internet Information Services 5.1
· Microsoft Internet Information Services 6.0
Mitigating Factors
File system ACLs are enforced. This vulnerability bypasses the IIS configuration that specifies which authentication is allowed, but not the file system-based ACL check that verifies whether a file is accessible by a given user. Even if successfully exploited, the attacker would still be limited to the permissions granted to the anonymous user account on file system ACL level. Therefore this vulnerability cannot be used to exceed the level of access granted to the anonymous user account through file system ACLs. The default anonymous user account is configured as the IUSR_<computername> account.
The anonymous user account is denied write access by default. In order to successfully exploit this vulnerability with write access, the anonymous user account would need to have write access ACLs set within the IIS folder structure. However, by default, the IUSR_<computername> account only has read access ACLs set. On IIS 6.0, there is an explicit deny ACE for the default anonymous user account. Unless overridden by the administrator, this deny ACE will be inherited by all children under the wwwroot.
WebDAV is not enabled by default on IIS 6.0. On Windows Server 2003 systems running IIS 6.0, WebDAV is not enabled in the default configuration. Unless WebDAV has been enabled by an administrator on these systems, the vulnerability is not exposed.
Recommendations
Review Microsoft Security Advisory 971492 for an overview of the issue, details on affected components, mitigating factors, suggested actions, frequently asked questions (FAQs), and links to additional resources.
Customers who believe they are affected can contact Customer Service and Support (CSS) in North America for help with security update issues or viruses at no charge using the PC Safety line (866) PCSAFETY. International customers can contact Customer Service and Support by using any method found at http://www.microsoft.com/protect/worldwide/default.mspx.
Additional Resources
· Microsoft Security Advisory 971492 – Vulnerability in Internet Information Services Could Allow Elevation of Privilege - http://www.microsoft.com/technet/security/advisory/971492.mspx
· Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc
· Microsoft Security Research & Defense (SRD) Blog: http://blogs.technet.com/srd
· Microsoft Security Development Lifecycle (SDL) Blog: http://blogs.msdn.com/sdl
Thank you, Microsoft CSS Security Team
Regards, Ozan Gökçen | Technical Account Manager | Microsoft Services Turkiye | +90 533 375 62 33 | +90 212 370 50 70 | www.microsoft.com/support
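The two ACL mitigations in the advisory text above (a read-only IUSR_<computername> account, and the deny ACE inherited under wwwroot on IIS 6.0) hold only while an administrator has not overridden them, so they are worth auditing. The PowerShell below is an added example, not part of the Microsoft advisory or the original post; the web root path, the parameter names and the simplified allow/deny verdict are assumptions, and it looks only at ACEs that name the anonymous account itself, not groups the account belongs to.

```powershell
# Added example, not part of the advisory. Assumed: the web root path below and
# the default anonymous account name IUSR_<computername>. PowerShell 3.0 or later.
param(
    [string]$WebRoot  = 'C:\Inetpub\wwwroot',
    [string]$AnonUser = "IUSR_$env:COMPUTERNAME"
)

# Rights that let a caller create, change or delete content. Modify and
# FullControl are not named here because they also contain read bits, which
# would make a read-only ACE match; their write bits are still covered.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::Write -bor $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles -bor
                   $fsr::ChangePermissions -bor $fsr::TakeOwnership)
# Inherit-only ACEs can carry raw generic rights: GENERIC_WRITE and GENERIC_ALL.
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

# The web root itself plus everything beneath it.
$items = @(Get-Item -LiteralPath $WebRoot) +
         @(Get-ChildItem -LiteralPath $WebRoot -Recurse -Force)

$findings = foreach ($item in $items) {
    # ACEs that name the anonymous account directly (COMPUTER\IUSR_COMPUTER).
    $aces = @((Get-Acl -LiteralPath $item.FullName).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$AnonUser" })

    $denies = @($aces | Where-Object {
        $_.AccessControlType -eq 'Deny' -and ([int]$_.FileSystemRights -band $writeMask) })
    $explicitDeny = @($denies | Where-Object { -not $_.IsInherited }).Count -gt 0

    foreach ($ace in $aces) {
        $grantsWrite = $ace.AccessControlType -eq 'Allow' -and
                       ([int]$ace.FileSystemRights -band $writeMask)
        if (-not $grantsWrite) { continue }

        # Simplified verdict: in canonical ACL order an explicit allow is
        # evaluated before an inherited deny, so only an explicit deny (or an
        # inherited deny against an inherited allow) is treated as blocking.
        if ($denies.Count -eq 0) {
            $verdict = 'write allowed'
        } elseif ($explicitDeny -or $ace.IsInherited) {
            $verdict = 'deny ACE present, review'
        } else {
            $verdict = 'write allowed (explicit allow precedes inherited deny)'
        }

        [pscustomobject]@{
            Path           = $item.FullName
            Rights         = $ace.FileSystemRights
            AllowInherited = $ace.IsInherited
            Verdict        = $verdict
        }
    }
}

# No output means no ACE grants the anonymous account write-type access.
$findings | Sort-Object Path
```

Any row returned is a location where the write-access mitigation described above may no longer apply and the ACL should be reviewed by hand.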
May 20
Alert - Microsoft Security Advisory 971492 Released
What is the purpose of this alert?
This alert is to notify you that Microsoft has released Security Advisory 971492 – Vulnerability in Internet Information Services (IIS) Could Allow Elevation of Privilege - on May 18, 2009.
May 13
Alert - Critical Product Vulnerability - May 2009 Microsoft Security Bulletin Release
This alert is to provide you with an overview of the new security bulletin(s) being released on May 12, 2009. Security bulletins are released monthly to resolve critical problem vulnerabilities.
New Security Bulletins
Microsoft is releasing the following one new security bulletin for newly discovered vulnerabilities:
Additional Details
This security update also addresses the vulnerability first described in Microsoft Security Advisory 969136.
Answers to Frequently Asked Questions
Q: I am running Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, Open XML File Format Converter for Mac, Microsoft Works 8.5, or Microsoft Works 9.0. Why are updates not available for these software?
A: Microsoft is able to release this current update because we have updates ready on the regular bulletin release cycle for an entire product line to address the vast majority of customers at risk. We are aware of active exploitation on versions of Microsoft Office PowerPoint running on Windows operating systems. The updates for Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, Open XML File Format Converter for Mac, Microsoft Works 8.5, and Microsoft Works 9.0 are still in development. Microsoft will issue updates on the regular bulletin release cycle for these product lines when testing is complete to ensure quality.
Q: Do users need to make special considerations regarding PowerPoint 4.0 file formats?
A: With this update, the ability to open PowerPoint 4.0 file formats will be disabled by default in Microsoft Office PowerPoint 2000 and Microsoft Office PowerPoint 2002. This functionality has already been disabled by default in Microsoft Office PowerPoint 2003 Service Pack 3. This functionality also no longer exists in Microsoft Office PowerPoint 2007. For more information regarding this change, please see Microsoft Knowledge Base Article 970980.
Summaries for new bulletin(s) may be found at http://www.microsoft.com/technet/security/bulletin/MS09-May.mspx.
Microsoft Windows Malicious Software Removal Tool
Microsoft is releasing an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Server Update Services (WSUS), Windows Update (WU), and the Download Center. Note that this tool will NOT be distributed using Software Update Services (SUS). Information on the Microsoft Windows Malicious Software Removal Tool is available at http://support.microsoft.com/?kbid=890830.
High-Priority Non-Security Updates
High priority non-security updates Microsoft releases to be available on Microsoft Update (MU), Windows Update (WU), or Windows Server Update Services (WSUS) will be detailed in the KB Article found at http://support.microsoft.com/?id=894199.
Public Bulletin Webcast
Microsoft will host a Webcast to address customer questions on these bulletins:
Title: Information about Microsoft May Security Bulletins (Level 200)
Date: Wednesday, May 13, 2009, 11:00 A.M. Pacific Time (U.S. and Canada)
URL: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032395223
New Security Bulletin Technical Details
In the following tables of affected and non-affected software, software editions that are not listed are past their support lifecycle. To determine the support lifecycle for your product and edition, visit the Microsoft Support Lifecycle web site: http://support.microsoft.com/lifecycle/.
Thank you,
Microsoft CSS Security Team