Fixlet Request for Microsoft Security Advisory: 2916652 & 2905247

(imported topic written by CSL2012)

Will fixlets be provided for Microsoft Security Advisory 2916652: Improperly Issued Digital Certificates Could Allow Spoofing (December 9, 2013) and Microsoft Security Advisory 2905247: Insecure ASP.NET Site Configuration Could Allow Elevation of Privilege (December 10, 2013)?

Microsoft Security Advisory 2916652

Summary:

Microsoft is aware of an improperly issued subordinate CA certificate that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. The subordinate CA certificate was improperly issued by the Directorate General of the Treasury (DG Trésor), subordinate to the Government of France CA (ANSSI), which is a CA present in the Trusted Root Certification Authorities Store. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.

The improperly issued subordinate CA certificate has been misused to issue SSL certificates for multiple sites, including Google web properties. These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties. The subordinate CA certificate may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks.

Reference URL:
http://technet.microsoft.com/en-us/security/advisory/2916652

Microsoft Security Advisory 2905247

Summary:

Microsoft is announcing the availability of an update for Microsoft ASP.NET to address a vulnerability in ASP.NET view state that exists when Machine Authentication Code (MAC) validation is disabled through configuration settings. The vulnerability could allow elevation of privilege and affects all supported versions of Microsoft .NET Framework except .NET Framework 3.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1.

Reference URL:
http://technet.microsoft.com/en-us/security/advisory/2905247

Thanks,

Chi
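The 2905247 summary above describes a vulnerability that is only reachable when view state MAC validation has been switched off through configuration. As an added example (not code from the forum thread, from Microsoft's advisory, or from any BigFix/IEM fixlet), the Python script below scans ASP.NET content for the two places that setting is normally disabled: the `<pages enableViewStateMac="false" />` element in web.config and the `EnableViewStateMac="false"` page directive in an .aspx file. The web.config and .aspx inputs are constructed for the demonstration; the hardened sample shows the same `<pages>` element with validation left on.

```python
"""Find ASP.NET view state MAC validation that has been disabled by configuration.

Added example for the discussion of Security Advisory 2905247; it is not part
of the original thread or of any fixlet. Sample inputs are constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Matches the EnableViewStateMac attribute inside a <%@ Page ... %> directive.
PAGE_DIRECTIVE_RE = re.compile(
    r'<%@\s*Page\b[^%]*?EnableViewStateMac\s*=\s*"(?P<val>[^"]*)"',
    re.IGNORECASE,
)

# Constructed web.config with MAC validation turned off (the weak setting).
WEAK_WEB_CONFIG = """
<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""

# Constructed web.config with validation left on (the corrected setting).
HARDENED_WEB_CONFIG = """
<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

# Constructed page directives; the first disables validation per page.
WEAK_ASPX = '<%@ Page Language="C#" EnableViewStateMac="false" AutoEventWireup="true" %>'
SAFE_ASPX = '<%@ Page Language="C#" AutoEventWireup="true" %>'

# Constructed "site": file name -> file content.
SAMPLE_FILES: Dict[str, str] = {
    "App1/web.config": WEAK_WEB_CONFIG,
    "App1/Default.aspx": WEAK_ASPX,
    "App2/web.config": HARDENED_WEB_CONFIG,
    "App2/Default.aspx": SAFE_ASPX,
}


def webconfig_mac_disabled(xml_text: str) -> bool:
    """True if a web.config turns off view state MAC at the <pages> level."""
    root = ET.fromstring(xml_text)
    for pages in root.iter("pages"):
        # ASP.NET treats a missing attribute as "true" (validation on).
        value = pages.get("enableViewStateMac", "true")
        if value.strip().lower() == "false":
            return True
    return False


def aspx_mac_disabled(aspx_text: str) -> bool:
    """True if a page directive sets EnableViewStateMac="false"."""
    match = PAGE_DIRECTIVE_RE.search(aspx_text)
    return bool(match and match.group("val").strip().lower() == "false")


def find_findings(files: Dict[str, str]) -> List[str]:
    """Return the names of files in which MAC validation is disabled."""
    findings: List[str] = []
    for name, content in files.items():
        lower = name.lower()
        if lower.endswith("web.config") and webconfig_mac_disabled(content):
            findings.append(name)
        elif lower.endswith(".aspx") and aspx_mac_disabled(content):
            findings.append(name)
    return findings


if __name__ == "__main__":
    for finding in find_findings(SAMPLE_FILES):
        print(f"view state MAC validation disabled: {finding}")
```

To run this against a real deployment, replace `SAMPLE_FILES` with the contents of the web.config and .aspx files under each IIS site root; a finding means the site is in exactly the configuration the advisory's update is meant to address.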

(imported comment written by TerryWeiChao)

Hi Chi,

Regarding SA 2916652, the “Suggested Action” section of the page mentions that users need to install another update, KB2677070, which is available in the production site.

Regarding SA 2905247, we are aware of that and currently working on it. ETA is by this week.

Let me know if you need anything. Thanks!

-Terry

(imported comment written by CSL2012)

http://technet.microsoft.com/en-us/security/advisory/2916652 has released an alternative to KB2677070. The automatic updater does not apply to secure networks, but servers like Server 2003 or 2008 R2 are still held to compliance. I see that KB2917500 (Fixlet ID: 291750001) is available, but it’s only for Windows XP. Is there a way to have fixlets available for Windows Server 2003 & 2008 R2, as indicated in the revision statement: “…2917500 update for customers running Windows XP or Windows Server 2003, or for customers who choose not to install the automatic updater of revoked certificates…”? We have applied KB2677070, but the mentioned certificate is not updated because of a secure network scenario. This may be overkill, but if firewalls are ever breached or Internet connectivity is established, the servers are still protected to some degree.

V2.0 (December 12, 2013): Advisory revised to announce the availability of the 2917500 update for customers running Windows XP or Windows Server 2003, or for customers who choose not to install the automatic updater of revoked certificates. The 2917500 update is available via the Microsoft Update service and from the download center. For more information, see the Suggested Actions section of this advisory.

I’ve attached a screenshot of an email notification from our WSUS server showing the availability of KB2917500 for Windows 2003 & Windows 2008 R2.

(imported comment written by sylviabeing)

As replied in another thread, the V2 fixlet is available in EnterpriseSecurity site 1895.

(imported comment written by sylviabeing)

Content for SA 2905247 is available in IEM.

Published site version:

Patches for Windows (English), version 1891