MS13-095 – Important: Vulnerability in Digital Signatures Could Allow Denial of Service – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (February 28, 2014): Bulletin revised to announce a detection change in the 2868626 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows RT 8.1, and Windows Server 2012 R2. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service when an affected web service processes a specially crafted X.509 certificate.

Read More

MS14-005 – Important: Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2916036) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (February 28, 2014): Bulletin revised to announce a detection change in the 2916036 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows Server 2012 R2, and Windows RT 8.1. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a publicly disclosed vulnerability in Microsoft XML Core Services included in Microsoft Windows. The vulnerability could allow information disclosure if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to view specially crafted content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to an attacker’s website, or by getting them to open an attachment sent through email.

Read More

MS14-007 – Critical: Vulnerability in Direct2D Could Allow Remote Code Execution (2912390) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (February 28, 2014): Bulletin revised to announce a detection change in the 2912390 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows RT 8.1, and Windows Server 2012 R2. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to view specially crafted content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to an attacker’s website, or by getting them to open an attachment sent through email.

Read More

MS13-090 – Critical: Cumulative Security Update of ActiveX Kill Bits – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (February 28, 2014): Bulletin revised to announce a detection change in the 2900986 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows RT 8.1, and Windows Server 2012 R2. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a privately reported vulnerability that is currently being exploited. The vulnerability exists in the InformationCardSigninHelper Class ActiveX control. The vulnerability could allow remote code execution if a user views a specially crafted webpage with Internet Explorer, instantiating the ActiveX control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Read More

CVE-2014-1878

Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote attackers to cause a denial of service (segmentation fault) via a long message to cmd.cgi. (CVSS:5.0) (Last Update:2014-02-28)

Read more

[BSA-093] Security Update for gnutls28

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Andreas Metzler  uploaded new packages for gnutls28 which fixed the
following security problems:

CVE-2014-1959 / DSA 2866-1 / GNUTLS-SA-2014-1
  Suman Jana reported that GnuTLS, deviating from the documented
  behavior considers a version 1 intermediate certificate as a CA
  certificate by default.

For the testing distribution (jessie) and the unstable distribution
(sid), this problem has been fixed in gnutls26/2.12.23-12 and
gnutls28/3.2.11-1.

For the stable distribution this problem has been fixed in
gnutls26/2.12.20-8. 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJTCLAZAAoJEKVPAYVDghSE3KIP/ixlMQKA9H/v4FqWB2QOQIeY
QT67kgjrG/UKgEBk3pivvfWU8bSRA8SQ4AJXnKSMrkq6GkAEOBCFV8pVdHZV2pVZ
zUJ25vt4LX9cJHnOmMDSyC5Rrc/MH6/NnJWxIcZryc+XNOrzP0P00WqJ6fRfkZ/M
X7ktaICuNH5FqZ+P5ROdUrx+P8VX2y65vTTMrOTVPDYnn+hQBXXlQBK/7bUj0fkj
xsEP3XBLVqGrfJWzAxMCiOTMFgPzlc1MaQT2tCfIgHsWdATUYgKX8R5Nt+a2PrYo
S8IFrfpuXj9Kgamwj2ODs+lp7vDG2ftVTrTkaT4Mb7Xi0WdsTrM

Read More