MS13-077 – Important : Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege (2872339) – Version: 1.0

Posted Sep 11, 2013 in Microsoft Security Bulletins

Severity Rating: Important
Revision Note: V1.1 (September 11, 2013): Updated the Known Issues entry in the Knowledge Base Article section from “None” to “Yes”.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker convinces an authenticated user to execute a specially crafted application. To exploit this vulnerability, an attacker either must have valid logon credentials and be able to log on locally or must convince a user to run the attacker’s specially crafted application.

Potential leak of 6.5+ million LinkedIn password hashes, (Wed, Jun 6th)

Posted Jun 06, 2012 in SANS Internet Storm Center, Security Alerts

Reports originally surfaced in Norway overnight that about 6.5 million unsalted SHA-1 password hashes had been posted to a Russian site with a request for assistance in cracking them. Several highly trusted security researchers have confirmed that the hashes posted include those of passwords they use exclusively on LinkedIn. There are no usernames associated with the hashes and a number of us have confirmed that our passwords are NOT included, but this seems serious enough to merit a recommendation that LinkedIn users change their passwords. The folks from LinkedIn have posted to Twitter that they are investigating and further information will be forthcoming.
Update: (2012-06-06 20:00 UTC–JC) Okay, some have asked if we have recommendations. Other than change your password now and don’t use the same password on multiple accounts, all we can really recommend at the moment is wait and see. LinkedIn is reporting they see no evidence of a breach at the moment, but the investigation is still pretty early (in my opinion). Once you’ve changed this password (and the passwords on any other accounts where you used this one), wait for a while. Once we figure out what happened here, you’ll probably need to change it again. We’ll save a rehash of password policies and the secure handling of passwords within databases and applications for a future diary. In the meantime, I’m adding a few links to some other password-related diaries we’ve done that seem appropriate to review today.
Update 2: (2012-06-06 20:10 UTC–JC) No sooner do I do the previous update than I discover an official response from LinkedIn.
References:
http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/
http://thenextweb.com/socialmedia/2012/06/06/bad-day-for-linkedin-6-5-million-hashed-passwords-reportedly-leaked-change-yours-now/
Also see @thorsheim on twitter.

Some previous password diaries that might be of interest:
Critical Control 11: Account Monitoring and Control
Theoretical and Practical Password Entropy
An Impromptu Lesson on Passwords
Password Rules: Change them every 25 years (or when you know the target has been compromised)
I’m sure I’ve missed a couple of good ones, but these are a decent place to start –JC
—————

Jim Clausing, GIAC GSE #26

jclausing –at– isc [dot] sans (dot) edu

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
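As an added example (not part of the diary or of any LinkedIn code), the self-check the researchers describe, hashing your own password and looking it up in the leaked list, run here against a constructed dump in the same shape (bare unsalted SHA-1 digests, no usernames), together with a salted contrast that shows why unsalted storage makes both that check and bulk cracking possible. Every password and hash below is made up.

```python
import hashlib
import os
import re

# Constructed sample dump in the shape the diary describes: bare unsalted SHA-1
# hex digests, one per line, no usernames. Built here from made-up passwords;
# the mixed case, blank line and truncated line mimic real-world dump noise.
SAMPLE_PASSWORDS = ["correct horse battery", "linkedin2012", "Tr0ub4dor&3"]
CONSTRUCTED_DUMP_TEXT = "\n".join(
    [hashlib.sha1(SAMPLE_PASSWORDS[0].encode()).hexdigest().upper(), "",
     hashlib.sha1(SAMPLE_PASSWORDS[1].encode()).hexdigest(), "deadbeef",
     "  " + hashlib.sha1(SAMPLE_PASSWORDS[2].encode()).hexdigest() + "  "]
)

HEX40 = re.compile(r"^[0-9a-f]{40}$")

def parse_dump(text: str) -> set[str]:
    """Normalise a leaked hash list: trim, lowercase, keep only 40-hex-char lines."""
    return {h for h in (line.strip().lower() for line in text.splitlines()) if HEX40.match(h)}

def unsalted_sha1(password: str) -> str:
    """What an unsalted SHA-1 store holds: one deterministic digest per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def password_in_dump(password: str, dump: set[str]) -> bool:
    """The check the diary's researchers ran on themselves: hash your own
    password and look the digest up in the dump. It works only because there
    is no salt, which is also why a cracker can attack every hash at once."""
    return unsalted_sha1(password) in dump

def salted_sha1(password: str, salt: bytes) -> str:
    """Per-record random salt (SHA-1 kept only to contrast with the diary's hashes)."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()

def distinct_unsalted(passwords: list[str]) -> int:
    """Identical passwords collapse to one digest: crack it once, match every such account."""
    return len({unsalted_sha1(p) for p in passwords})

def distinct_salted(passwords: list[str]) -> int:
    """With a fresh 16-byte salt per record, identical passwords give distinct digests."""
    return len({salted_sha1(p, os.urandom(16)) for p in passwords})

if __name__ == "__main__":
    dump = parse_dump(CONSTRUCTED_DUMP_TEXT)
    print(len(dump), "usable hashes parsed")                                    # 3
    print(password_in_dump("linkedin2012", dump))                               # True: change it
    print(password_in_dump("not-in-the-dump", dump))                            # False
    print(distinct_unsalted(["hunter2"] * 5), distinct_salted(["hunter2"] * 5))  # 1 5
```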

Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability

Posted Apr 09, 2012 in Security Alerts

Type: Vulnerability. Microsoft Windows Common Controls is prone to a remote code-execution vulnerability; fixes are available.

MS11-066 – Important: Vulnerability in Microsoft Chart Control Could Allow Information Disclosure (2567943)

Posted Aug 09, 2011 in Microsoft Security Bulletins

Bulletin Severity Rating: Important – This security update resolves a privately reported vulnerability in ASP.NET Chart controls. The vulnerability could allow information disclosure if an attacker sent a specially crafted GET request to an affected server hosting the Chart controls. Note that this vulnerability would not allow an attacker to execute code or to elevate the attacker’s user rights directly, but it could be used to retrieve information that could be used to further compromise the affected system. Only web applications using Microsoft Chart Control are affected by this issue. Default installations of the .NET Framework are not affected. This security update is rated Important for Microsoft .NET Framework 4 on all supported releases of Microsoft Windows and for Chart Control for Microsoft .NET Framework 3.5 Service Pack 1. For more information, see the subsection, Affected and Non-Affected Software, in this section.
