
Microsoft Knowledge Base

ZDI-11-094: (0 day) Hewlett-Packard StorageWorks File Migration Agent Remote Archive Tampering Vulnerability

communicate with it. This could be accomplished in a number of ways,
most notably with firewall rules/whitelisting. These features are
available in the native Windows Firewall, as described in
http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx
and
numerous other Microsoft Knowledge Base articles.

-- Disclosure Timeline:
2010-08-25 - Vulnerability reported to vendor
2011-02-28 - Coordinated public release of advisory


After 6 months - fix available for Microsoft DNS cache poisoning attack

The algorithm, as well as the paper, are available on Trusteer's
website: http://www.trusteer.com/docs/windowsdns.html

Microsoft were informed on April 30th, and patched versions of
Windows DNS Server are now available on their website (see
Microsoft Security Bulletin MS07-062 and Microsoft Knowledge Base
Article 941672).

Thanks,

Amit Klein

RE: Microsoft DID DISCLOSE potential Backdoor

* An indicator that notes whether the tool is being run by Microsoft Update, Windows Update, Automatic Updates, the Download Center, or from the Web site
* An anonymous GUID
* A cryptographic one-way hash (MD5) of the path and file name of each malicious software file that is removed from the computer
If apparently malicious software is found on the computer, the tool prompts you to send information to Microsoft beyond what is listed here. You are prompted in each of these instances, and this information is sent only with your consent. The additional information includes the following:
* The files that are suspected to be malicious software. The tool will identify the files for you.
* A cryptographic one-way hash (MD5) of any suspicious files that are detected.
You can disable the reporting feature. For information about how to disable the reporting component and how to prevent this tool from sending information to Microsoft, click the following article number to view the article in the Microsoft Knowledge Base:

891716 (http://support.microsoft.com/kb/891716/) Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment
======

Either I am missing the point of J. Oquendo's post, or the conclusions I think he reaches are speculation rather than established.

Fortinet Advisory: Fortinet Discovers Vulnerability in Indeo Codec

Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this memory corruption vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle. 

References:
• Microsoft Security Advisory: http://www.microsoft.com/technet/security/advisory/954157.MSpx
• Microsoft Knowledge Base Article: http://support.microsoft.com/kb/954157
• CVE ID: CVE-2009-4210

Acknowledgement:
• Bing Liu of Fortinet's FortiGuard Labs



