Archive for the ‘Microsoft’ Category.

« Previous Entries

Microsoft on disabling wireless cards

December 26, 2011, 9:33 pm

I think it is important to disable wireless cards in laptops when a wired connection is present.   Microsoft doesn’t.   Steve Riley wrote about this back in October 2008.   I blogged about that then.   Now in a post signed by David Pracht but posted under MichaelPlatts’ userid, the Microsoft Enterprise Networking Team argues that it is no big deal to be connected to the internal corporate network in a wired fashion while you are connected to EVILROGUE hotspot in the parking lot.   They says this because Windows 7 has “strong host” routing.   Also you could disable the ability to connect to unapproved wireless.  They don’t really spell out how “strong host” routing helps.  

Disabling the ability to connect to unapproved wireless is not something I see happening in most organizations.   “To improve mobility, here is your laptop.   To improve security, you may not connect this to any wireless network except the one here at work.   And maybe Starbucks”.   Sounds like a recent Dilbert strip.

There is no valid reason for users to have multihomed computers.   While personal firewalls when configured correctly should prevent intrusion by a parking lot pentest access point, why take the risk?   It looks like you have a bad security posture.

Actually the Microsoft article left me wondering what happens if my wired connection is 100 Mb, but the wireless is 802.11n and is identified as having 300 Mb.   If both interfaces have default gateways does the wireless connection then “win”.   As I understand that article, fastest speed wins.   Worth testing.

Tags:
Category: Microsoft  |  2 Comments

Windows 8 Patch Reboot Policy

November 19, 2011, 8:51 am

I’m kind of confused by the headlines that Microsoft is streamlining the security update process in Windows 8 resulting in less reboots.

One could easily conclude from the headline that Microsoft has gone to work to make it less necessary to reboot when updates are applied.   Instead they are saving up reboots until patch Tuesday.

It is always good to challenge assumptions, but I’ve always been told that when you don’t reboot after patching, the system is in a unsteady state and the you aren’t patched until the reboot occurs.   Perhaps they’ve corrected the first problem by making sure the system doesn’t partially patch and then wait for a reboot to replace the files in use.     But you can’t solve the problem of the system not being patched until reboot.   I haven’t seen anything indicating much of anything is new other than a reboot policy.

That’s just Microsoft patches.   I see nothing here that will slow the rate of patches for end users.    Microsoft talks about a single restart patching policy.   They already only roll security patches once a month.  

Microsoft achieved what they wanted.   They received positive press for Windows 8.   I’m still not sure what is changing.

Tags: ,
Category: Microsoft  |  Comment

Who would have thought that could end badly

November 4, 2011, 12:47 am

The Federal Desktop Core Configuration blog (actually Microsoft’s USGCB Tech Blog, my Google Reader hasn’t updated the blog title) has a post on the risks of enabling “Initialize and script ActiveX controls not marked as safe” in any Internet Explorer security zone.

Prior to Windows 7, our IE security policy was the wild west.    “Do whatever you want”.   Now with it a bit more locked down, we find out when people are wanting to do dumb things.   I’m looking forward to their follow up post.   This reminds me of JAVA.   Developers not doing things the right way cause headaches for IT and bad security.

via Enabling “Initialize and script ActiveX controls not marked as safe” in ANY zone can get you hurt, bad..

Category: Microsoft  |  Comment

SCUP Command Line Length Limit

June 20, 2011, 1:49 pm

Over the weekend I was trying to test deploying a BlueCoat ProxyClient update using System Center Updates Publisher (SCUP) from Microsoft.   The first issue I ran into is that the command line options I wanted to use wouldn’t fit into the field provided.   It was truncated.   I found a workaround so my switches fit into the space allowed.

When I performed the install, it failed.   I couldn’t get any good clues from windowsupdate.log or the Windows application log so I tried installing ProxyClient with those switches outside of SCUP.  What I found is when performing an upgrade rather than a fresh install BlueCoat requires that I add REINSTALL=ALL REINSTALLMODE=vamus to the command line.    That pushed me right over the 100 character limit.

I could use something else to call the ProxyClient MSI with the correct command line options; such as iexpress or SMS installer.  I think that gets a bit messy.  Each executable returns a code after it is run indicating success or failue.   I wouldn’t be able to easily capture that and forward it as the return code of the wrapper.

I asked on the MYITForum.com SCCM discussion list whether the newer version of SCUP would solve my problems.   Jason Lewis of Microsoft answered that SCUP 2011 does not have the 100 character length limitation.

I should be fine once SCUP 2011 is installed.

Category: Microsoft  |  Comment

Microsoft Patches for April 2011 are out

April 12, 2011, 2:29 pm
Tags: ,
Category: Microsoft  |  Comment

Patch Tuesday

February 9, 2011, 2:10 pm

Mozilla took mercy on us and wont have their previously announced updates for Firefox and Thunderbird ready until next week.

Adobe took up the slack by releasing updates for Adobe Flash and Shockwave in addition to the previously announced updates for Adobe Acrobat and Reader.    I was wondering about an Adobe AIR update.   Seems like that contains Flash and often needs to be updated whenever Flash is updated.   But nothing new on that front.

Microsoft had their own bumper crop of security updates.   The USB autorun disabling for external drives is now part of Microsoft Update.  

It is a busy week for updates.

Tags: , ,
Category: Microsoft  |  Comment

Why Microsoft cannot open Windows Update to third-party developers

February 7, 2011, 7:43 pm

This morning I saw a post from Larry Seltzer rehashing the argument that Microsoft should be allowing the deployment of third part updates via Microsoft Update.  (He uses the older term “Windows Update” which is for Windows products only.   Microsoft Update is the term for the update server for the broader group of Microsoft products).  He argues, there are so many vulnerabilities that it is time consuming to keep up with it all.   Additionally it is difficult to verify the source of programs.  

The ink hadn’t even tried on that post when antimalware firm ESET reported on malware they had found in the Microsoft Update Catalog.  

Microsoft actually does include some third-party developed things in Microsoft Update.   They do this so you don’t have to install drivers every time you add new hardware, or plug something into the USB port.   Windows can updates drivers from Microsoft Update.   In this case Microsoft was serving up a remote access trojan when it installed battery charger management software.  

That is just a small example of what is feared both by the consumer and by Microsoft when we talk about opening up Microsoft Update to third-party developers.

ESET has a followup post from someone with insight on the antimalware scanning process for files available publically at Microsoft.   Their author feels it is impractical to scan the TB of update files Microsoft already has posted, and not respectful to Mother Earth.   I think it is rather easy to say ‘let the consumer’s desktop antivirus detect it’ when it is no longer your reputation on the line and no longer your desktop getting infected and you work for a desktop antivirus company.  

As the ESET blog posts say, this is a rare event.   I fear it would be many times worse if Microsoft were also allowing multiple venders to push their updates through Microsoft Update.   This is why MIcrosoft cannot open Microsoft Update to third-party developers.

Tags: , ,
Category: Antivirus, Microsoft  |  6 Comments

Microsoft MHTML Handler Zero Day

January 31, 2011, 8:38 pm

Microsoft issued a security advisory on Friday for a vulnerability in all supported versions of Windows.

The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a Web request run in the context of the victim’s Internet Explorer. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user.

At present there is publicly available exploit code.   So while not attacks have been seen in the wild, that is just a matter of time.  

Through Microsoft’s Active Protections Program, antimalware venders are able quickly provide protects against these sorts of attacks.  

One of the things I like is getting the advisory from Zscaler, a SaaS web security vender.   Their bulletin is a tight writeup of the issue advises that protections are in place, and additionally lets you know that Zscaler has reviewed the logs of previous traffic to see if any attacks had occurred already.

My other venders could take a lesson from this.    I don’t have the slightest idea what virus definition signature revision needs to be in place for my other products.  

While waiting for a patch, and trying to learn if you have any sort of protection from the existing expenditures in security,  Microsoft has provided fixit utility to lockdown the MHTML protocol.   Generally this needs to be reversed before applying a patch.  Check the next security bulletin for MHTML to see if reversing this is needed.

For enterprises, you need to change the registry keys documented in the 2501696 advisory.   This can be done through many methods.   Notageek.it does a good writeup (in I’m guessing Italian) of how to do it via Group Policy.

Restricting the MHTML protocol will prevent the launch of script in all zones within an MHTML document. Any application that uses MHTML will be affected by this workaround. Script in standard HTML files is not affected by this workaround.

Tags:
Category: Microsoft  |  Comment

KB2264107 Available Through Microsoft Update

January 13, 2011, 2:01 pm

A mere 5 months after its initial release, Microsoft has made update KB 2264107 available through Microsoft Update.   Previously it had been available only as a direct download.  This patch was created to control the DLL search path algorithm.  As I understand it deploying the patch only gives you the ability to then deploy a registry key to restrict dll preloading.  

Qualys has been showing this patch as a level 3 (out of 5) vulnerability so I wanted to get this patch deployed to improve the vulnerability statistics.

I already deployed this patch to my XP systems using SCUP, but I hadn’t been able to deploy MSU style patches used by Windows 7 and Windows 2008 using this method.   I’m glad they’ve finally made this update available.

Tags: , ,
Category: Microsoft  |  Comment

Microsoft Security Updates for Jan 2011

January 11, 2011, 5:42 pm

Microsoft has released two security bulletins.   Microsoft’s summary of both is posted http://www.microsoft.com/technet/security/bulletin/ms11-jan.mspx

Tags: ,
Category: Microsoft  |  Comment
« Previous Entries