Discussion:
New Microsoft Advisory and FixIt
Dave
2014-10-21 21:36:52 UTC
Greetings

Microsoft has just released Advisory 3010060 for Microsoft OLE
https://technet.microsoft.com/en-us/library/security/3010060

FixIt available here -
https://support.microsoft.com/kb/3010060

Best Regards

Dave
Turner, Glenn
2014-10-21 23:17:25 UTC
Am I reading this correctly that if you have UAC enabled, this isn’t an issue?


---
PatchManagement.org is hosted by Shavlik

The content on the email list is intended for assisting administrators. If you would like to use any of this content in a blog or media publication, please contact the owners of the list for approval.

To unsubscribe send a blank email to leave-***@patchmanagement.org
If you are unable to unsubscribe via this email address, please email
owner-***@patchmanagement.org
Kurt Buff
2014-10-21 23:23:45 UTC
Nope.

AFAICT, if you or your fellow employees are unaware enough to fill in
the prompt, you will have been gotten.

Kurt
Dave
2014-10-21 23:41:27 UTC
Kurt is correct. Also, keep in mind that if the malware author is good
enough, it can bypass UAC, ASLR, and even all versions of EMET, and if
it does the end user will see nothing. Your choice, but we use a lot of
PowerPoint and other Office files regularly here so I am planning on
using the FixIt to manage our potential risk until a future patch comes out.

Dave
Julian Harper
2014-10-22 08:24:32 UTC
Does anyone know how to roll this out with EMET via group policy?

You can add custom settings for applications but for the dllhost.exe below I couldn’t see the switch for ASR in the Group Policy help.

<EMET Version="5.0.5324.31801">
  <Settings />
  <EMET_Apps>
    <AppConfig Path="*" Executable="dllhost.exe">
      <Mitigation Name="DEP" Enabled="false" />
      <Mitigation Name="SEHOP" Enabled="false" />
      <Mitigation Name="NullPage" Enabled="false" />
      <Mitigation Name="HeapSpray" Enabled="false" />
      <Mitigation Name="EAF" Enabled="false" />
      <Mitigation Name="EAF+" Enabled="false" />
      <Mitigation Name="MandatoryASLR" Enabled="false" />
      <Mitigation Name="BottomUpASLR" Enabled="false" />
      <Mitigation Name="LoadLib" Enabled="false" />
      <Mitigation Name="MemProt" Enabled="false" />
      <Mitigation Name="Caller" Enabled="false" />
      <Mitigation Name="SimExecFlow" Enabled="false" />
      <Mitigation Name="StackPivot" Enabled="false" />
      <Mitigation Name="ASR" Enabled="true">
        <asr_modules>packager.dll</asr_modules>
      </Mitigation>
    </AppConfig>
    <AppConfig Path="*\OFFICE1*" Executable="POWERPNT.EXE">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="SEHOP" Enabled="true" />
      <Mitigation Name="NullPage" Enabled="true" />
      <Mitigation Name="HeapSpray" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true" />
      <Mitigation Name="EAF+" Enabled="false" />
      <Mitigation Name="MandatoryASLR" Enabled="true" />
      <Mitigation Name="BottomUpASLR" Enabled="true" />
      <Mitigation Name="LoadLib" Enabled="true" />
      <Mitigation Name="MemProt" Enabled="true" />
      <Mitigation Name="Caller" Enabled="true" />
      <Mitigation Name="SimExecFlow" Enabled="true" />
      <Mitigation Name="StackPivot" Enabled="true" />
      <Mitigation Name="ASR" Enabled="true">
        <asr_modules>flash*.ocx;packager.dll</asr_modules>
      </Mitigation>
    </AppConfig>
  </EMET_Apps>
</EMET>


Julian Harper
IT Manager
Laytons Wine Services Ltd
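
An added example, not part of the original post and not Microsoft's or EMET's own tooling: a Python check that a configuration file in the format posted above really has ASR enabled with a packager.dll rule for each executable you care about. The WINWORD.EXE entry in the sample and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed sample: trimmed from the configuration posted above, plus a
# hypothetical WINWORD.EXE entry whose ASR list lacks packager.dll.
SAMPLE = r"""<EMET Version="5.0.5324.31801">
<EMET_Apps>
<AppConfig Path="*" Executable="dllhost.exe">
  <Mitigation Name="DEP" Enabled="false" />
  <Mitigation Name="ASR" Enabled="true">
    <asr_modules>packager.dll</asr_modules>
  </Mitigation>
</AppConfig>
<AppConfig Path="*\OFFICE1*" Executable="POWERPNT.EXE">
  <Mitigation Name="ASR" Enabled="true">
    <asr_modules>flash*.ocx;packager.dll</asr_modules>
  </Mitigation>
</AppConfig>
<AppConfig Path="*\OFFICE1*" Executable="WINWORD.EXE">
  <Mitigation Name="ASR" Enabled="true">
    <asr_modules>flash*.ocx</asr_modules>
  </Mitigation>
</AppConfig>
</EMET_Apps>
</EMET>"""


def asr_blocks(xml_text, module="packager.dll"):
    """Map each executable to True only if every AppConfig entry for it has
    ASR enabled with an asr_modules pattern that matches `module`."""
    status = {}
    for app in ET.fromstring(xml_text).iter("AppConfig"):
        exe = app.get("Executable", "").lower()
        blocked = False
        for mit in app.findall("Mitigation"):
            if mit.get("Name") == "ASR" and mit.get("Enabled", "").lower() == "true":
                patterns = (mit.findtext("asr_modules") or "").lower().split(";")
                blocked = blocked or any(
                    p.strip() and fnmatchcase(module.lower(), p.strip())
                    for p in patterns)
        status[exe] = status.get(exe, True) and blocked
    return status


def missing(xml_text, required=("dllhost.exe", "powerpnt.exe")):
    """Return the required executables that are absent or not ASR-protected."""
    status = asr_blocks(xml_text)
    return sorted(exe for exe in required if not status.get(exe, False))
```
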


Justin Spawn
2014-10-22 15:59:44 UTC
Did anybody figure out how to apply this to a domain using group policy?

Thanks,

Justin Spawn
Business Technology Manager
Girl Scouts of Eastern Iowa and Western Illinois
940 Golden Valley Drive
Bettendorf, IA 52722
D 309-283-2320
T 563-823-9940 x333
F 563-823-0162
GirlScoutsToday.org<http://www.girlscoutstoday.org/>
Facebook<https://www.facebook.com/GSEIWI> | Twitter<http://twitter.com/#!/GSEIWI>
Pinterest<http://pinterest.com/girlscoutstoday/>

Girl Scouting builds girls of
courage, confidence,
and character who make
the world a better place.
