Archive for Microsoft Security and Systems Management

March Patch Tuesday Overview

After a busy February with 13 security bulletins, Microsoft is easing off the patching throttle a bit this month.  Microsoft released two new security bulletins addressing 8 vulnerabilities, none of which is publicly known at this time.  It is not uncommon for Microsoft to follow a large patch month with a relatively light one.

As the bulletins affect only client Windows operating systems and Microsoft Office, your servers should be spared from this month’s patching cycle unless you have SharePoint Server 2007 installed.  As expected, Microsoft is not releasing a bulletin this month for their recently published security advisory (981169).  Microsoft will need time to investigate, implement and test a fix for that publicly known vulnerability.

It is important to note that MS10-016 affects Microsoft Producer 2003, but Microsoft is not providing a patch for this product.  Instead, they are suggesting that administrators remove the affected component from their machines.  Microsoft declining to patch known software vulnerabilities has become more common over the past 12 months.  This is a great example of why administrators should take time each month to research the information associated with each bulletin: blindly pushing out patches does not necessarily make your network secure.

MS10-017 should be addressed first on your network.  Microsoft Excel attachments are as common as Meryl Streep nominations at the Oscars.  Opening a malicious Excel document could lead to remote code execution.

Last month, there were issues identified with security bulletin MS10-015.  This bulletin caused blue screens on some systems after the patch was applied.  Microsoft researched the issue and found that a rootkit already present on those systems was the cause of the crash.  This is a perfect example of why companies should have a solid patching process that includes testing each bulletin before deploying it to the network.

Microsoft also announced a new security advisory, 981374.  This advisory affects Internet Explorer versions 6 and 7.  Microsoft has received limited reports of targeted attacks against the browser.  Although there is no patch available for this issue yet, administrators should keep an eye on the advisory for more information.

Lastly, Microsoft re-released MS09-033, adding Microsoft Virtual Server 2005 to the list of affected products.  If you have already patched the previously affected products, no action is needed on those.  Be on the lookout for MS09-033 showing as missing on some systems, though.

Happy Patching!

- Jason Miller


Back to blogging, SCUPdates announced

It has been quite a while since I have blogged and I am finally getting some free time to get back to it.  Today, we announced our new SCUPdates offering.  We will be providing data files of third party (non-Microsoft) software updates for the System Center Updates Publisher (SCUP) for SCCM.  SCCM users will now be able to patch non-Microsoft products without having to author their own updates.

The SCUPdates offering is a data file.  There are no Shavlik products that need to be installed on your servers or workstations.  If you are an SCCM user, you can keep your existing environment and use our data in it.  Importing the data into your SCCM database results in patch and product detection showing up on the same reports you see today.

Patching third party products can be quite an undertaking.  SCCM users can patch Microsoft products, but they need a way to patch third party applications without adding to their workload.  With SCUPdates, we are providing a new patching mechanism for third party products such as those from Adobe, Apple and Mozilla (Firefox).

Third party product attacks are becoming more common, and focusing only on Microsoft products is half the battle.  The Shavlik Data Team already puts a lot of research into these applications for the Shavlik NetChk product line.  By bringing that expertise to the SCCM/SCUP side of patching, we can help tackle the global problem of patching non-Microsoft products.

With the release of SCUPdates, I will be back on my normal blogging schedule.

- Jason Miller


New Microsoft Security Advisory Announced (KB980088)

Microsoft has just announced another new security advisory for Internet Explorer.  To exploit this zero-day vulnerability, an attacker would need a user to visit a malicious website that takes advantage of it.  The title of the advisory states that the vulnerability could allow information disclosure.  Microsoft reports there are no active attacks against this vulnerability at this time.

Microsoft has listed numerous workarounds to help mitigate the risk of an attack on a system.  If you choose to apply any of these workarounds, test each one thoroughly in your environment to ensure your applications still function.

Tomorrow is the February Advance Notification for Patch Tuesday.  We will have to see if this is addressed with this month’s Patch Tuesday.  I highly doubt it will be, as the window between the advisory and the release date is too small to develop and test a patch.

- Jason Miller


New Microsoft Security Advisory Published (979352)

Microsoft has just published a new security advisory.  This advisory affects Internet Explorer and can lead to remote code execution.  There have been reports of limited, targeted attacks, which makes this a zero-day exploit: it is being used in the wild and there is no patch available yet.

Microsoft has posted a couple of workarounds to help mitigate this risk:

  • Set your Internet security zone to “High”, which blocks ActiveX controls and Active Scripting in that zone
  • Configure Internet Explorer to prompt before running Active Scripting, or disable Active Scripting
  • Enable DEP for Internet Explorer (Internet Explorer 8 already enables it by default)
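As an added example, not from Microsoft’s advisory or the original post, here is a PowerShell script that reads the current Internet zone settings for the two actions the first two workarounds target, sets them to Prompt or Disable, and reports the DEP state of the machine.  The zone and action registry layout and the WMI DEP policy codes are standard; the IE-specific DEPOff value is an assumption and is labelled as such in the code.

```powershell
# Added example, not from the original post or from Microsoft: audit and apply
# the zone workarounds from the advisory and report DEP state. Run in an
# elevated PowerShell; zone settings are written for the current user (HKCU).

# IE stores zone settings per user. Zone 1 = Local intranet, 3 = Internet.
# Action 1200 = "Run ActiveX controls and plug-ins", 1400 = "Active scripting".
# Action values: 0 = Enable, 1 = Prompt, 3 = Disable.
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$actions  = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$labels   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneActionState([int]$Zone) {
    $key = "$zoneRoot\$Zone"
    foreach ($id in $actions.Keys) {
        $raw = (Get-ItemProperty -Path $key -Name $id -ErrorAction SilentlyContinue).$id
        if ($raw -eq $null) { $state = '(not set)' } else { $state = $labels[[int]$raw] }
        New-Object PSObject -Property @{ Zone = $Zone; Action = $actions[$id]; Setting = $state }
    }
}

function Set-ZoneWorkaround([int]$Zone, [ValidateSet(0, 1, 3)][int]$Value) {
    # 1 = Prompt (the advisory's "prompt" option), 3 = Disable (what the "High"
    # slider does to these two actions), 0 = Enable (undo).
    $key = "$zoneRoot\$Zone"
    foreach ($id in $actions.Keys) {
        Set-ItemProperty -Path $key -Name $id -Value $Value -Type DWord
    }
}

function Get-DepState {
    # DataExecutionPrevention_SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $policy = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn (Windows components only)'; 3 = 'OptOut' }
    # ASSUMPTION: IE's "Enable memory protection to help mitigate online attacks"
    # option is stored as DEPOff (1 = DEP off for IE) under the IE Main key.
    $ieMain = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        DepAvailable  = $os.DataExecutionPrevention_Available
        SystemPolicy  = $policy[[int]$os.DataExecutionPrevention_SupportPolicy]
        IeDepDisabled = ($ieMain.DEPOff -eq 1)
    }
}

# Audit first, then apply the prompt variant to the Internet zone.
Get-ZoneActionState -Zone 3 | Format-Table Zone, Action, Setting -AutoSize
Get-DepState | Format-List
Set-ZoneWorkaround -Zone 3 -Value 1
```

Run the audit on a representative machine before and after applying the change, and repeat it for the Local intranet zone (-Zone 1) if you apply the workaround there too.  If Group Policy sets Security_HKLM_only under Internet Settings, the HKLM copy of the Zones key is the one IE reads, so audit that hive instead.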

With a vulnerability like this, it is very important to be aware of phishing attempts through email, instant messaging or Internet sites.

Because this affects Internet Explorer and is already being exploited, we can probably expect an out-of-band patch in the coming days or weeks, before February’s Patch Tuesday.

This could be related to the Google breach reported a few days ago, as the advisory’s acknowledgements cite Google, Adobe and McAfee.

- Jason Miller


Claimed IIS Zero-Day Update

A few days ago, there were reports of a zero-day exploit affecting Microsoft IIS.  Microsoft has concluded its research and found no vulnerability in the IIS code: the behaviour published outside of Microsoft was the result of improper, non-default IIS security configuration.  The MSRC blog has more information on the findings around the claimed zero-day exploit.

Patching a system is a good start as a line of defense against attackers, but improperly configured systems and services should be high on your list as well.  An IIS server is typically Internet facing and should be hardened to prevent unauthorized access, which for a web server includes making sure that content users can upload can never be executed.
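As an added example, not from the original post and not Microsoft’s own tooling, here is a PowerShell audit for IIS 7.5 (the WebAdministration module on Windows Server 2008 R2; on IIS 7.0 the same cmdlets come from the WebAdministration snap-in) that lists the handlers accessPolicy for every site and application, plus a function that locks one folder down to Read so nothing placed there can be run as a script or executable.  The “Default Web Site/uploads” path is a placeholder for whatever directory your application lets users write to.

```powershell
# Added example, not from the original post or from Microsoft: show where IIS
# handlers may run content, and lock an upload folder down to static reads.
Import-Module WebAdministration

function Get-HandlerAccessPolicy {
    # accessPolicy is a flag list such as "Read, Script". Script or Execute is
    # normal for application paths; it is a problem on any path users can write to.
    foreach ($site in Get-Website) {
        $paths = @("IIS:\Sites\$($site.Name)")
        foreach ($app in @(Get-WebApplication -Site $site.Name)) {
            if ($app) { $paths += "IIS:\Sites\$($site.Name)\$($app.Path.TrimStart('/'))" }
        }
        foreach ($p in $paths) {
            $policy = (Get-WebConfiguration -Filter 'system.webServer/handlers' -PSPath $p).accessPolicy
            New-Object PSObject -Property @{
                Path            = $p
                AccessPolicy    = $policy
                AllowsExecution = [bool]($policy -match 'Script|Execute')
            }
        }
    }
}

function Set-ReadOnlyHandlers([string]$SiteRelativePath) {
    # The handlers section is locked in applicationHost.config
    # (overrideModeDefault="Deny"), so a web.config dropped into the folder cannot
    # change it; write a <location> entry at the apphost level instead.
    # $SiteRelativePath example: 'Default Web Site/uploads' (hypothetical).
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteRelativePath `
        -Filter 'system.webServer/handlers' -Name accessPolicy -Value 'Read'
}

Get-HandlerAccessPolicy | Format-Table Path, AccessPolicy, AllowsExecution -AutoSize
Set-ReadOnlyHandlers -SiteRelativePath 'Default Web Site/uploads'
# Verify the location override took effect:
(Get-WebConfiguration -Filter 'system.webServer/handlers' -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Location 'Default Web Site/uploads').accessPolicy
```

With accessPolicy set to Read on the upload folder, IIS serves files from it as static content only; ASP, ASP.NET and CGI handlers will refuse to run anything there regardless of the file name an attacker manages to upload.  Pair this with NTFS permissions that deny the application pool identity write access everywhere except that folder.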

In the past few months, there have been many claims outside of Microsoft of zero-day exploits in the wild.  It is important to wait for the vendor to confirm claims made by security researchers before reacting.  Microsoft relies heavily on external security researchers, but Microsoft remains the authoritative source of information on vulnerabilities and exploits in its own products.

- Jason Miller


Microsoft prohibited from selling Microsoft Word

The U.S. Court of Appeals has just handed down its judgment against Microsoft, prohibiting it from selling Microsoft Word starting January 11, 2010.  Microsoft is planning to release a new version of Word that removes the offending code at the center of this patent infringement lawsuit.

The good news: Microsoft will still be able to support (patch) the product.

If Microsoft were not able to support the offending version of Word, many people would be left running a version that could not receive future Word security patches.

- Jason Miller


So where are the XP Embedded patches?

A few weeks ago, we added official support for scanning and patching of Windows XP Embedded devices.  Those of you who have these devices on your network and use the Shavlik product line may have noticed no patches were applicable from December’s patch Tuesday.  This does not mean those devices do not need to be kept up to date.

Microsoft does not release XP Embedded patches on the same day as the patches for its other operating systems.  There is an approximately two week gap between Patch Tuesday and when the patches become available to vendors.

If you have Windows XP Embedded devices on your network, plan on patching them somewhat later than the rest of your machines.

- Jason Miller


December Patch Tuesday Overview

Microsoft has released 6 new security bulletins for December, along with two new security advisories and one re-released bulletin.  In addition to the Microsoft releases, even though Adobe’s quarterly security update is scheduled for next month, Adobe is planning to release a security bulletin for Adobe Flash Player and Adobe AIR today.

A quick rundown of today’s patches:

MS09-072 is the first security bulletin administrators should address on their network.  This bulletin is a cumulative update for Internet Explorer.  Microsoft usually releases a cumulative update for Internet Explorer every other month, and it typically contains multiple fixes.  This bulletin addresses five vulnerabilities, one of which is publicly known.  There is one vulnerability patched with this bulletin that administrators should pay close attention to: Microsoft released Security Advisory 977981 for it late last month, and the advisory is resolved once the vulnerable versions of Internet Explorer are patched with this bulletin.  The bulletin also covers malicious ActiveX controls that were built with a vulnerable ATL (Active Template Library), the issue that prompted an out-of-band release from Microsoft earlier this year.  All five vulnerabilities target any user who browses to a malicious web site with an unpatched Internet Explorer, and in that scenario can lead to remote code execution on the target system.

MS09-070 affects Microsoft Active Directory Federation Services (ADFS).  Web servers that have ADFS enabled are at risk; clients are not at risk from this vulnerability.  The attacker needs to be an authenticated user to carry out an attack, which reduces the risk.  Companies that have implemented ADFS on their network should still apply this patch as soon as possible.

MS09-071 affects Microsoft Internet Authentication Service (IAS) on servers and clients, except for Windows 7 and Windows Server 2008 R2.  IAS is Microsoft’s RADIUS server, the technology behind business services such as wireless and VPN authentication.  This security bulletin addresses two vulnerabilities.  One of them is publicly known, but it is not being actively exploited at this time.  An attacker can send a malicious packet to a vulnerable server, which can result in remote code execution.  Interestingly, client systems do not have the vulnerable files as part of the base operating system, but Microsoft is providing a patch for client systems anyway, because third party products installed on a client can bring the vulnerable components with them.

MS09-069 affects the LSASS service on Windows 2000, XP and 2003.  An attacker can send a specially crafted packet to a target machine that causes the system to become unresponsive: the LSASS service consumes all available system resources, and users will need to reboot to get them back.  This security bulletin addresses one vulnerability, which is not publicly known at this time.

MS09-073 affects WordPad on Windows XP and 2003 as well as the Office Text Converters for Office XP and 2003.  This security bulletin fixes one vulnerability, which is not publicly known at this time.  A user on a vulnerable operating system or with a vulnerable Microsoft Office program would need to be enticed into opening a malicious Word 97 document.  On opening, the document is converted to the newer Word format, and a successful exploit can lead to remote code execution.

MS09-074 affects Microsoft Project.  The one vulnerability this bulletin addresses is not publicly known at this time.  In an attack scenario, a user would need to be enticed into opening a malicious Project document, which can lead to remote code execution.

Microsoft has also re-released security bulletin MS08-037.  The bulletin was updated to include the DNS client on Windows 2000 Service Pack 4.  Anyone who previously installed this patch will need to apply the latest offering.

On the Security Advisory front, Microsoft released two new security advisories.

Microsoft Security Advisory (954157)

This security advisory does not come with a patch, and Microsoft is not planning to fix the Indeo codec itself.  Instead, the advisory explains to customers how to disable the Indeo codec on their systems.  That workaround prevents malicious websites from exploiting vulnerable systems, which could otherwise lead to remote code execution on the target system.
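As an added example, not part of the original post and not Microsoft’s own Fix it, here is a PowerShell script that reports which Indeo codecs are still registered on a machine and, on request, unregisters them, which is what the disable workaround amounts to.  It assumes the four standard Indeo FourCC registrations (vidc.iv31, vidc.iv32, vidc.iv41, vidc.iv50) under the Drivers32 key; check the advisory’s own list before relying on it, and on 64-bit Windows look under Wow6432Node as well for the 32-bit codecs.

```powershell
# Added example, not from the original post or from Microsoft. Reports and,
# optionally, removes the Indeo codec registrations. Run elevated;
# Disable-IndeoCodec exports the key first so the change can be reversed
# with "reg import".
$drivers32   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
$indeoCodecs = 'vidc.iv31', 'vidc.iv32', 'vidc.iv41', 'vidc.iv50'   # ASSUMPTION: standard Indeo FourCCs

function Get-IndeoRegistration {
    # Each registered codec is a value named vidc.<fourcc> whose data is the
    # codec module (for example ir32_32.dll). A missing value means not registered.
    $props = Get-ItemProperty -Path $drivers32
    $names = $props.PSObject.Properties | ForEach-Object { $_.Name }
    foreach ($codec in $indeoCodecs) {
        $registered = [bool]($names -contains $codec)
        if ($registered) { $module = $props.$codec } else { $module = $null }
        New-Object PSObject -Property @{ Codec = $codec; Registered = $registered; Module = $module }
    }
}

function Disable-IndeoCodec {
    $backup = Join-Path $env:TEMP 'Drivers32-before-indeo-removal.reg'
    if (Test-Path $backup) { Remove-Item $backup }
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32' $backup | Out-Null
    foreach ($entry in Get-IndeoRegistration) {
        if ($entry.Registered) { Remove-ItemProperty -Path $drivers32 -Name $entry.Codec }
    }
    "Indeo registrations removed; previous values saved to $backup"
}

Get-IndeoRegistration | Format-Table Codec, Registered, Module -AutoSize
# Disable-IndeoCodec    # uncomment to apply the workaround
```

Run the audit across a sample of machines first: most systems will show all four codecs registered because they ship with Windows, and anything that legitimately plays old Indeo-encoded video (training material, some kiosk software) will stop working once they are unregistered.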

Microsoft Security Advisory (974926)

This security advisory informs customers of a potential man-in-the-middle attack.  In this scenario, an attacker positioned between two systems relays the valid user credentials that are passed between them.  Microsoft is offering two non-security updates to help administrators harden their systems against it; both were released a few months ago.

Adobe Patch

Adobe is also joining this Patch Tuesday with the release of a new Adobe Flash Player and Adobe AIR.  This security patch addresses critical software vulnerabilities.  There is no word from Adobe yet on how many vulnerabilities are addressed or whether they are publicly known or exploited at this time.  Adobe Flash Player 10.0.32.18 and earlier, and the corresponding earlier versions of Adobe AIR, are affected.

- Jason Miller


Windows 7 – Not Just A New User Experience

Last week marked the arrival of Windows 7 on the market.  We have had the operating system in our hands for the past couple of months and have done some extensive testing with it.  It is definitely a bit snappier in terms of speed compared to Windows Vista.

On the security side of Windows 7, you shouldn’t be looking for anything major.  This release was focused on the user experience, and a lot of the features introduced in Windows 7 address the “black eyes” the Windows Vista operating system received after its release.

That said, there are some worthwhile security improvements in Windows 7 to take note of:

  • Improved UAC
    Depending on how you view the changes made to UAC, you may consider them either a step forward or a step backward.  Microsoft made UAC less intrusive after feedback that the feature presented too many pop-ups and created a very frustrating user experience.  By default, Windows 7 no longer prompts when the user changes Windows settings, but still prompts when other programs try to make changes, so users will see fewer UAC pop-ups.
     
  • Bitlocker to Go
    In Windows Vista, Microsoft introduced BitLocker, which encrypts local hard drives.  This was a great feature, but it lacked the breadth an ever changing IT world needs.  USB flash drives and USB hard drives are very common in the workplace now and deserve the attention of security minded people.  Laptops can be, and have been, stolen, leading to data disclosure; mobile storage devices are even more common and are easily lost or stolen.  With BitLocker To Go, Microsoft has extended its encryption technology to cover these removable devices.
     
  • AppLocker
    Acceptable use software policies on networks can be a giant pain for many administrators today.  Commonly, IT policies restrict which applications can be used on a network, and for good reason: each additional application on a computer adds to its attack surface, and operating systems are not the only software with vulnerabilities.  With AppLocker, administrators can specify exactly which programs can run on a desktop computer.  In the past, this was somewhat achievable through Windows Software Restriction Policies, but that technology was cumbersome and time consuming, and users could easily circumvent hash or path based rules simply by updating the software to a new version.  AppLocker’s publisher rules match on the signer, product, file and version of a signed file, so a rule keeps working across updates.  With AppLocker, administrators are armed with a smarter and more robust application control technology.
     
  • Windows Biometric Framework
    It is strange to be in the year 2009 still talking about Windows and biometrics as if they were new, since both have been around for years.  Administrators implementing biometrics have had the burdensome task of deploying third party software across their networks in order to get that security.  I have been there before and have spent many hours setting up and troubleshooting fingerprint biometric environments.  In Windows 7, Microsoft has introduced a common programming interface for biometric providers, which gives new devices and applications that implement the framework a unified system to build on.  What does this mean for you?  A simpler, more reliable and easier to implement biometric solution for your company.  Although this technology will not have an immediate impact on your networks, Microsoft has laid the groundwork for the future of biometrics.
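As an added example, not from the original post and not Microsoft’s own documentation, here is the AppLocker workflow in PowerShell (Windows 7 Enterprise/Ultimate or Server 2008 R2): build an allow-list from a clean reference machine using publisher rules, test files against the policy without enforcing anything, and only then deploy it in audit mode.  The reference directory, the output file and the two test paths are assumptions for illustration.

```powershell
# Added example, not from the original post or from Microsoft. Publisher rules
# match signer, product, file and "version X and above", so an update to a
# signed application still runs while an unknown binary is blocked.
Import-Module AppLocker

function New-PublisherAllowPolicy([string]$ReferenceDir, [string]$OutFile) {
    # -RuleType Publisher,Hash: publisher rule where the file is signed, hash rule
    # as a fallback for unsigned files. -Optimize merges files from the same
    # publisher and product into one rule. -Xml emits the policy as XML text.
    Get-AppLockerFileInformation -Directory $ReferenceDir -Recurse -FileType Exe,Dll |
        New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -Optimize -Xml |
        Set-Content -Path $OutFile -Encoding Unicode
    $OutFile
}

function Test-FilesAgainstPolicy([string]$PolicyFile, [string[]]$Paths) {
    # Evaluates each file against the XML policy for the given user and reports
    # the decision and the matching rule; nothing is applied to the machine.
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Paths -User Everyone
}

# 1. Build the policy from a clean reference install (hypothetical paths).
$policy = New-PublisherAllowPolicy -ReferenceDir 'C:\Program Files' -OutFile 'C:\AppLocker\allow.xml'

# 2. Dry run: a signed binary from the reference set is allowed by its publisher
#    rule; a stray file in a user-writable location is denied because no rule matches.
Test-FilesAgainstPolicy -PolicyFile $policy -Paths 'C:\Program Files\Internet Explorer\iexplore.exe', 'C:\Users\Public\unknown.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 3. Before enforcing, add the default rules for the Windows folder (otherwise
#    Windows itself is blocked) and set EnforcementMode="AuditOnly" in the XML;
#    AppLocker then logs what it would have blocked to its event log. Applying a
#    local policy needs the Application Identity service running.
# Set-AppLockerPolicy -XmlPolicy $policy
```

The point of step 2 is the MatchingRule column: a publisher rule built from version 3.5 of a signed application still matches version 3.6 after an update, which is exactly the case that broke hash-based Software Restriction Policies.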

 

- Jason Miller


Happy Anniversary MS08-067

Tomorrow marks the one year anniversary of MS08-067, the software vulnerability in the Windows Server service that the Conficker worm exploited.

Microsoft released this patch “out-of-band”, unbeknownst to the security industry.  When I looked at this security bulletin in detail, I was instantly alarmed.  The vulnerability allowed remote code execution, and the fix was serious enough to go out-of-band.  Well, OK, that may sound like a lot of the vulnerabilities Microsoft patches each month.

This security bulletin was different for two reasons:

  1. This vulnerability affected the Windows Server service.  Ah, but what uses that service?  Pretty much every computer running Windows has this service running and could be exploited.
  2. This vulnerability did not require any authentication to be exploited.  In other words, an attacker did not need to supply a login to exploit it.

This combination made the vulnerability extremely alarming and a potential hotbed for a new worm outbreak.  We made announcements regarding this vulnerability in October, warning people to patch their systems as soon as possible.  On a ranking of how bad this vulnerability was, we gave it 10 out of 10.

Fast forward to February 2009.  A new worm hits the Internet, attacking this software vulnerability.  Shockingly, the worm rapidly spread to millions of computers across the globe, none of which had the patch that had been released four months earlier.

The worm itself did not deliver a destructive payload, so the hype around the vulnerability quickly turned to frustration.  “Why all the warning around MS08-067 and Conficker?  Nothing happened!  This was a bunch of media hype trying to scare us!”

Plain and simple: we got lucky with this vulnerability, as the worm did not deliver pain the way the Code Red worm did.  Next time, we might not be as lucky.

A valuable lesson we all should take from this: don’t ignore patches.  They are your first line of defense against virus and worm outbreaks.

- Jason Miller
