Disabling the ability to connect to unapproved wireless is not something I see happening in most organizations.   “To improve mobility, here is your laptop.   To improve security, you may not connect this to any wireless network except the one here at work.   And maybe Starbucks”.   Sounds like a recent Dilbert strip.

There is no valid reason for users to have multihomed computers.   While personal firewalls when configured correctly should prevent intrusion by a parking lot pentest access point, why take the risk?   It looks like you have a bad security posture.

Actually the Microsoft article left me wondering what happens if my wired connection is 100 Mb, but the wireless is 802.11n and is identified as having 300 Mb.   If both interfaces have default gateways does the wireless connection then “win”.   As I understand that article, fastest speed wins.   Worth testing.

One could easily conclude from the headline that Microsoft has gone to work to make it less necessary to reboot when updates are applied.   Instead they are saving up reboots until patch Tuesday.

It is always good to challenge assumptions, but I’ve always been told that when you don’t reboot after patching, the system is in a unsteady state and the you aren’t patched until the reboot occurs.   Perhaps they’ve corrected the first problem by making sure the system doesn’t partially patch and then wait for a reboot to replace the files in use.     But you can’t solve the problem of the system not being patched until reboot.   I haven’t seen anything indicating much of anything is new other than a reboot policy.

That’s just Microsoft patches.   I see nothing here that will slow the rate of patches for end users.    Microsoft talks about a single restart patching policy.   They already only roll security patches once a month.  

Microsoft achieved what they wanted.   They received positive press for Windows 8.   I’m still not sure what is changing.

Prior to Windows 7, our IE security policy was the wild west.    “Do whatever you want”.   Now with it a bit more locked down, we find out when people are wanting to do dumb things.   I’m looking forward to their follow up post.   This reminds me of JAVA.   Developers not doing things the right way cause headaches for IT and bad security.

via Enabling “Initialize and script ActiveX controls not marked as safe” in ANY zone can get you hurt, bad..

When I performed the install, it failed.   I couldn’t get any good clues from windowsupdate.log or the Windows application log so I tried installing ProxyClient with those switches outside of SCUP.  What I found is when performing an upgrade rather than a fresh install BlueCoat requires that I add REINSTALL=ALL REINSTALLMODE=vamus to the command line.    That pushed me right over the 100 character limit.

I could use something else to call the ProxyClient MSI with the correct command line options; such as iexpress or SMS installer.  I think that gets a bit messy.  Each executable returns a code after it is run indicating success or failue.   I wouldn’t be able to easily capture that and forward it as the return code of the wrapper.

I asked on the MYITForum.com SCCM discussion list whether the newer version of SCUP would solve my problems.   Jason Lewis of Microsoft answered that SCUP 2011 does not have the 100 character length limitation.

I should be fine once SCUP 2011 is installed.

Adobe took up the slack by releasing updates for Adobe Flash and Shockwave in addition to the previously announced updates for Adobe Acrobat and Reader.    I was wondering about an Adobe AIR update.   Seems like that contains Flash and often needs to be updated whenever Flash is updated.   But nothing new on that front.

Microsoft had their own bumper crop of security updates.   The USB autorun disabling for external drives is now part of Microsoft Update.  

It is a busy week for updates.

The ink hadn’t even tried on that post when antimalware firm ESET reported on malware they had found in the Microsoft Update Catalog.  

Microsoft actually does include some third-party developed things in Microsoft Update.   They do this so you don’t have to install drivers every time you add new hardware, or plug something into the USB port.   Windows can updates drivers from Microsoft Update.   In this case Microsoft was serving up a remote access trojan when it installed battery charger management software.  

That is just a small example of what is feared both by the consumer and by Microsoft when we talk about opening up Microsoft Update to third-party developers.

ESET has a followup post from someone with insight on the antimalware scanning process for files available publically at Microsoft.   Their author feels it is impractical to scan the TB of update files Microsoft already has posted, and not respectful to Mother Earth.   I think it is rather easy to say ‘let the consumer’s desktop antivirus detect it’ when it is no longer your reputation on the line and no longer your desktop getting infected and you work for a desktop antivirus company.  

As the ESET blog posts say, this is a rare event.   I fear it would be many times worse if Microsoft were also allowing multiple venders to push their updates through Microsoft Update.   This is why MIcrosoft cannot open Microsoft Update to third-party developers.

The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a Web request run in the context of the victim’s Internet Explorer. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user.

At present there is publicly available exploit code.   So while not attacks have been seen in the wild, that is just a matter of time.  

Through Microsoft’s Active Protections Program, antimalware venders are able quickly provide protects against these sorts of attacks.  

One of the things I like is getting the advisory from Zscaler, a SaaS web security vender.   Their bulletin is a tight writeup of the issue advises that protections are in place, and additionally lets you know that Zscaler has reviewed the logs of previous traffic to see if any attacks had occurred already.

My other venders could take a lesson from this.    I don’t have the slightest idea what virus definition signature revision needs to be in place for my other products.  

While waiting for a patch, and trying to learn if you have any sort of protection from the existing expenditures in security,  Microsoft has provided fixit utility to lockdown the MHTML protocol.   Generally this needs to be reversed before applying a patch.  Check the next security bulletin for MHTML to see if reversing this is needed.

For enterprises, you need to change the registry keys documented in the 2501696 advisory.   This can be done through many methods.   Notageek.it does a good writeup (in I’m guessing Italian) of how to do it via Group Policy.

Restricting the MHTML protocol will prevent the launch of script in all zones within an MHTML document. Any application that uses MHTML will be affected by this workaround. Script in standard HTML files is not affected by this workaround.

Qualys has been showing this patch as a level 3 (out of 5) vulnerability so I wanted to get this patch deployed to improve the vulnerability statistics.

I already deployed this patch to my XP systems using SCUP, but I hadn’t been able to deploy MSU style patches used by Windows 7 and Windows 2008 using this method.   I’m glad they’ve finally made this update available.