-
A new Fixit for another Internet Explorer 0day
Posted on March 16th, 2010 at 04:34 | 2 comments
If you’re still using Internet Explorer 6 or 7, and haven’t upgraded to IE 8 or started using a better browser, you need to run over to Microsoft’s Security Advisory 981374 and apply the “Fixit” patch.
According to SANS Internet Storm Center, Microsoft posted the Fixit a few hours ago.
The Fixit disables something called the “peer factory” in IE6 and IE7. Apparently there’s working zero-day code running around that takes advantage of the security hole to run “backdoors” – programs that take over your computer, without your knowledge or consent.
-
MS-DEFCON 2: Lock down as Black Tuesday is here
Posted on March 9th, 2010 at 05:52 | 1 comment
Time to make sure Automatic Updates is turned off. Black Tuesday is just around the corner. With just two Security Bulletins this month, maybe we’ll be treated to a rather uneventful round of patches. But ya never know.
We’re moving to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.
-
Microsoft says NO to the F1 key
Posted on March 5th, 2010 at 07:21 | 1 comment
You may have read about Microsoft advising people to avoid the F1 key. People who like to take jabs at MS have seized on the opportunity to point out that the Redmond Emperor Has No Clothes. Of course, you read this blog, so you knew that already.
As MS explains in Security Advisory 981169, if you’re running Windows XP and you use Internet Explorer, you’re vulnerable to getting infected if you press the F1 key to run help files offered up on the Internet.
You don’t have to worry about it. You’ve already upgraded to Windows 7. And you never, ever, ever use Internet Explorer. Right?
Forget the F1 key. Get Firefox or Chrome.
-
MS-DEFCON 4: Get Patched
Posted on March 5th, 2010 at 07:15 | 22 comments
Microsoft just fixed the really bad February patch. MS10-015 / KB 977165, which I wrote about two weeks ago, had a nasty habit of clobbering Windows XP machines. According to a Microsoft Security Response Center blog, MS10-015 is now offered “with new logic that prevents the security update from being installed on systems if certain abnormal conditions exist.”
In other words, if your WinXP PC is infected with the Alureon rootkit, MS10-015 won’t install itself, and you won’t be faced with an endless cycle of Blue Screens of Death.
With that big problem out of the way, it’s now time to apply the February Black Tuesday patches. Get yourself all patched up, then make sure Automatic Updates is turned off. The two March patches will be out next week, and you don’t want Microsoft to zap you. Again.
I’m moving us to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.
-
MS10-015 Blue Screens due to TDL3 rootkit infection
Posted on February 18th, 2010 at 05:05 | 15 comments
Fascinating.
Last week I wrote about Microsoft’s security patch MS10-015 causing Blue Screens of Death on some machines: if you install MS10-015/KB 977165, or it gets installed for you, your machine may BSOD on reboot. Every reboot.
Marco Giuliani on the Prevx site has this explanation:
The TDL3 rootkit looks incompatible with the MS10-015 update. This is the cause of the BSOD. The problem resides in the laziness of rootkit writers when writing the driver infection routine.
When the rootkit dropper is run, the infection calculates the RVA offsets of some Windows kernel APIs and hard-codes them so that at every restart the portion of the rootkit loader injected inside the infected driver can use these offsets to immediately calculate the address of the wanted functions.
This worked well until the MS10-015 update, when Microsoft updated the Windows NT kernel. This update changed those offset values and consequently broke the rootkit code. When the update procedure is finished, the system is restarted. At system restart, the rootkit code tries to call a non-valid address and this causes the BSOD.
The good news is that the TDL3 authors care about us and they released, in a couple of hours, a new updated version of the rootkit compatible with the Microsoft patch.
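The mechanism Giuliani describes, as an added example that is not part of the post or of Prevx’s analysis: a loader that bakes in export RVAs at infection time keeps calling those addresses after a kernel update moves them, while resolving names through the PE export table each boot does not. The toy PE image, the function names’ RVAs and the “pre/post patch” pair are constructed here, not real ntoskrnl values.

```python
import struct
def rva_to_off(rva, secs):
    """Map an RVA to a file offset via the section table (vsize, vaddr, rawsize, rawptr)."""
    for vsz, va, rsz, raw in secs:
        if va <= rva < va + max(vsz, rsz):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is outside every section")
def pe_exports(data):
    """Return {name: rva} from a PE32 image's export directory (PE32+ puts the directory at +112)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[pe:pe + 4] == b"PE\0\0", "not a PE image"
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)   # COFF header
    opt = pe + 24
    assert struct.unpack_from("<H", data, opt)[0] == 0x10B, "PE32 only"
    exp_rva = struct.unpack_from("<I", data, opt + 96)[0]   # DataDirectory[0] = export table
    secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    _, nnames, afunc, anames, aords = struct.unpack_from("<IIIII", data, rva_to_off(exp_rva, secs) + 20)
    out = {}
    for i in range(nnames):
        off = rva_to_off(struct.unpack_from("<I", data, rva_to_off(anames, secs) + 4 * i)[0], secs)
        name = data[off:data.index(b"\0", off)].decode()
        ordinal = struct.unpack_from("<H", data, rva_to_off(aords, secs) + 2 * i)[0]
        out[name] = struct.unpack_from("<I", data, rva_to_off(afunc, secs) + 4 * ordinal)[0]
    return out
def build_toy_pe(exports):
    """Constructed single-section PE32 image (not a real kernel) exporting {name: rva}."""
    names, n, sec_va, sec_raw = sorted(exports), len(exports), 0x1000, 0x200
    p_func, p_names = 40, 40 + 4 * n            # layout: export dir | func RVAs | name RVAs | ordinals | strings
    p_ords, p_str = p_names + 4 * n, p_names + 6 * n
    strings, name_rvas = b"", []
    for nm in names:
        name_rvas.append(sec_va + p_str + len(strings))
        strings += nm.encode() + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, sec_va + p_func, sec_va + p_names, sec_va + p_ords)
    body += b"".join(struct.pack("<I", exports[nm]) for nm in names)
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n)) + strings
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0") + struct.pack("<II", sec_va, 40) + b"\0" * 120
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    sec = b".edata".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(body), sec_va, len(body), sec_raw, 0, 0, 0, 0, 0x40000040)
    head = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sec).ljust(sec_raw, b"\0")
    return head + body
def stale_offsets(hardcoded, image):
    """Hard-coded {name: rva} entries that no longer match the image: the TDL3 / MS10-015 failure mode."""
    live = pe_exports(image)
    return {nm: (rva, live.get(nm)) for nm, rva in hardcoded.items() if live.get(nm) != rva}
# Constructed RVAs, not real ntoskrnl values; the "patched" image moves one export.
PRE_PATCH = build_toy_pe({"ExAllocatePool": 0x2A10, "PsGetCurrentProcess": 0x3B20})
POST_PATCH = build_toy_pe({"ExAllocatePool": 0x2A40, "PsGetCurrentProcess": 0x3B20})
BAKED_IN = pe_exports(PRE_PATCH)   # offsets captured once at infection time and never re-resolved
```

`stale_offsets(BAKED_IN, POST_PATCH)` reports the export whose baked-in RVA now points somewhere else, which is exactly the call that crashes at boot; re-running `pe_exports` on the new image is the lookup the lazy loader skipped.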
-
MS10-015/KB977165 causing blue screens
Posted on February 12th, 2010 at 10:06 | 10 comments
Toldja so.
Microsoft confirms that “after installing the February security updates a limited number of users are experiencing issues restarting their computers”.
SANS Internet Storm Center identifies the problem as a Blue Screen.
I’m hearing rumors that there’s much more to the story. Stay tuned. And for heaven’s sake, don’t install the February Black Tuesday patches, OK?
UPDATE: Looks like the Blue Screen happens on systems that are infected with a specific rootkit or other type of malware. When MS10-015 is applied, the infected systems suddenly fall over and play dead. Good details on Brian Krebs’ site.
-
MS-DEFCON 2: Black Tuesday patches are out
Posted on February 10th, 2010 at 04:36 | No comments
And what a crop they are…
As expected, Microsoft has just released 13 Security Bulletins which plug 26 separately identified security holes in Windows and Office. The list is mind-numbing.
According to SANS Internet Storm Center, only one of the Security Bulletins has a known exploit. That Bulletin, MS10-015, covers a 17-year-old security hole in Windows that I described two weeks ago. I wouldn’t worry about it for the moment.
The MS Security Research & Defense page has details about potential attack vectors, and speculation about how soon the bad guys will be able to take advantage of the security holes.
Keep yer shirt on. Let’s see how things shake out. We remain at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.
-
MS-DEFCON 2: Don’t patch and hold onto your hat
Posted on February 9th, 2010 at 05:54 | No comments
With 13 security bulletins and 26 separately-identified security holes, it’s going to be a wild month. Make sure you have Automatic Updates turned off. Let’s see what happens.