Posts tagged ‘Microsoft’

Windows 8 Patch Reboot Policy

I’m kind of confused by the headlines that Microsoft is streamlining the security update process in Windows 8, resulting in fewer reboots.

One could easily conclude from the headline that Microsoft has gone to work to make it less necessary to reboot when updates are applied. Instead they are saving up reboots until Patch Tuesday.

It is always good to challenge assumptions, but I’ve always been told that when you don’t reboot after patching, the system is in an unsteady state and you aren’t patched until the reboot occurs. Perhaps they’ve corrected the first problem by making sure the system doesn’t partially patch and then wait for a reboot to replace the files in use. But you can’t solve the problem of the system not being patched until reboot. I haven’t seen anything indicating much of anything is new other than a reboot policy.

That’s just Microsoft patches. I see nothing here that will slow the rate of patches for end users. Microsoft talks about a single restart patching policy. They already only roll security patches once a month.

Microsoft achieved what they wanted.   They received positive press for Windows 8.   I’m still not sure what is changing.

Microsoft Patches for April 2011 are out

Win7 SP1 SEP Support

Ouch!

Symantec has posted a knowledge base article.   Symantec Endpoint Protection will not support Service Pack 1 for Windows 7 or Windows 2008 R2 until SEP 11.0.7 (11.0 Release update 7).

There are no known issues.   They just aren’t going to certify it until 11.0.7.

Patch Tuesday

Mozilla took mercy on us and won’t have their previously announced updates for Firefox and Thunderbird ready until next week.

Adobe took up the slack by releasing updates for Adobe Flash and Shockwave in addition to the previously announced updates for Adobe Acrobat and Reader.    I was wondering about an Adobe AIR update.   Seems like that contains Flash and often needs to be updated whenever Flash is updated.   But nothing new on that front.

Microsoft had their own bumper crop of security updates.   The USB autorun disabling for external drives is now part of Microsoft Update.  

It is a busy week for updates.

Why Microsoft cannot open Windows Update to third-party developers

This morning I saw a post from Larry Seltzer rehashing the argument that Microsoft should be allowing the deployment of third-party updates via Microsoft Update. (He uses the older term “Windows Update”, which is for Windows products only. Microsoft Update is the term for the update server for the broader group of Microsoft products.) He argues that there are so many vulnerabilities that it is time consuming to keep up with it all. Additionally, it is difficult to verify the source of programs.

The ink hadn’t even dried on that post when antimalware firm ESET reported on malware they had found in the Microsoft Update Catalog.

Microsoft actually does include some third-party developed things in Microsoft Update. They do this so you don’t have to install drivers every time you add new hardware, or plug something into the USB port. Windows can update drivers from Microsoft Update. In this case Microsoft was serving up a remote access trojan when it installed battery charger management software.

That is just a small example of what is feared both by the consumer and by Microsoft when we talk about opening up Microsoft Update to third-party developers.

ESET has a followup post from someone with insight on the antimalware scanning process for files available publicly at Microsoft. Their author feels it is impractical to scan the TB of update files Microsoft already has posted, and not respectful to Mother Earth. I think it is rather easy to say ‘let the consumer’s desktop antivirus detect it’ when it is no longer your reputation on the line and no longer your desktop getting infected and you work for a desktop antivirus company.

As the ESET blog posts say, this is a rare event. I fear it would be many times worse if Microsoft were also allowing multiple vendors to push their updates through Microsoft Update. This is why Microsoft cannot open Microsoft Update to third-party developers.

Microsoft MHTML Handler Zero Day

Microsoft issued a security advisory on Friday for a vulnerability in all supported versions of Windows.

The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a Web request run in the context of the victim’s Internet Explorer. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user.

At present there is publicly available exploit code. So while no attacks have been seen in the wild, that is just a matter of time.

Through Microsoft’s Active Protections Program, antimalware vendors are able to quickly provide protections against these sorts of attacks.

One of the things I like is getting the advisory from Zscaler, a SaaS web security vendor. Their bulletin is a tight writeup of the issue, advises that protections are in place, and additionally lets you know that Zscaler has reviewed the logs of previous traffic to see if any attacks had occurred already.

My other vendors could take a lesson from this. I don’t have the slightest idea what virus definition signature revision needs to be in place for my other products.

While waiting for a patch, and trying to learn if you have any sort of protection from the existing expenditures in security, Microsoft has provided a Fix it utility to lock down the MHTML protocol. Generally this needs to be reversed before applying a patch. Check the next security bulletin for MHTML to see if reversing this is needed.

For enterprises, you need to change the registry keys documented in the 2501696 advisory. This can be done through many methods. Notageek.it does a good writeup (in what I’m guessing is Italian) of how to do it via Group Policy.

Restricting the MHTML protocol will prevent the launch of script in all zones within an MHTML document. Any application that uses MHTML will be affected by this workaround. Script in standard HTML files is not affected by this workaround.

KB2264107 Available Through Microsoft Update

A mere 5 months after its initial release, Microsoft has made update KB 2264107 available through Microsoft Update. Previously it had been available only as a direct download. This patch was created to control the DLL search path algorithm. As I understand it, deploying the patch only gives you the ability to then deploy a registry key to restrict DLL preloading.

Qualys has been showing this patch as a level 3 (out of 5) vulnerability so I wanted to get this patch deployed to improve the vulnerability statistics.

I already deployed this patch to my XP systems using SCUP, but I hadn’t been able to deploy MSU style patches used by Windows 7 and Windows 2008 using this method.   I’m glad they’ve finally made this update available.

Microsoft Security Updates for Jan 2011

Microsoft has released two security bulletins. Microsoft’s summary of both is posted at http://www.microsoft.com/technet/security/bulletin/ms11-jan.mspx

Hibernate and FDE

Earlier this week, I read this article reporting on Passware’s presentation at Password^20.   It reported that if you are using BitLocker or TrueCrypt and you’ve ever used hibernate, then Passware Kit Forensic is able to recover the encryption key from the Hibernate file.   The recommendation was “NEVER EVER EVER EVER allow hibernation for any computer.”

I found this hard to believe. So I watched the presentation. The Q and A made it clear that this does not apply if the disk is truly fully encrypted, that is, including the hibernate file, and the system is off.

I’m not as familiar with BitLocker or TrueCrypt as I am with the product I use at work. Apparently people using TrueCrypt or BitLocker often only encrypt data volumes. Certainly that leaves you more vulnerable. The product I use actually encrypts the full drive, and provides pre-boot authentication at all times. So I think the advice to never use hibernate isn’t correct if you truly have full disk encryption.

SCUPing Shockwave

At the risk of stepping on the Queen of SCUP’s toes, I’m going to write up how I deployed Shockwave with System Center Updates Publisher (SCUP). For the prologue on what SCUP and SCCM are, see last week’s post on SCUPing Flash.

Shockwave is part of our standard config. I’m not really sure why. Is it actually used for anything besides basic online games? Since pushing out a mass uninstall of Shockwave isn’t in the cards, we need to patch it since we deployed it. Shockwave doesn’t have security updates as often as Flash, but it is still necessary to keep on top of. Since I switched to using SCUP for deploying most software updates, I’ve deployed Shockwave twice.

The following instructions assume that SCUP is installed and working.

Open the SCUP console.

1. Right-click System Center Updates Publisher and select Create Update.
UPDATE INFORMATION
Update Title : Shockwave 11.5.9
Description: Generally I take this from the security bulletin. I pasted:

Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.8.612 and earlier versions on the Windows and Macintosh operating systems. These vulnerabilities, including CVE-2010-3653, referenced in Security Advisory APSA10-04, could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.5.8.612 and earlier versions update to Adobe Shockwave Player 11.5.9.615.

Classification : Security Updates
Bulletin ID : APSB10-25
Vendor: Adobe Systems, Inc.
(if you’ve deployed any Adobe updates you’ll have this in a pull down list)
Product: Shockwave
(personally I put Shockwave 11, but having a product version in the product name is not considered best practice)

EXTENDED PROPERTIES
Article ID: APSB10-25
CVE ID: CVE-2010-2581, CVE-2010-2582 (these are obtained from the Adobe security bulletin)
Severity: Critical (obtained from security bulletin, or your personal evaluation)
Support URL: http://get.adobe.com/shockwave
More Info URL:  http://www.adobe.com/support/security/bulletins/apsb10-25.html
Impact: Normal
Reboot Behavior: Never Reboots
Oddly enough, Jason Lewis recently wrote that this setting doesn’t actually tell SCCM what switches to use; it tells the admin what the expected patch behavior is. That is surprising to me. I expected “Never Reboots” to add a REBOOT=ReallySuppress type of command line switch automatically.

PREREQUISITE RULES
Windows Version
Comparison – Greater Than or Equal To
Major Version = 5
Minor Version = 1
SP Major Version = 2
SP Minor Version = 0
Build Number = Blank
Product Type = Workstation
I’m doing this based on the system requirements for Shockwave. Also, I’m only deploying to workstations, not servers.

SELECT PACKAGE
Installer Type : Windows Installer File (MSI)
Update Package Source / Download URL: These should be identical. You need to download the Shockwave MSI from Adobe and store it locally on a server.
Binary Language: english
Command Line : Blank

APPLICABILITY RULES
When you add an MSI to SCUP, the applicability rules automatically contain a single applicability rule of Product ID not installed. This rule would install Shockwave on all computers. We only care to upgrade Shockwave where needed rather than install on all computers. This sort of limitation could be performed in a collection within SCCM. I prefer to build the applicability here.

I’ve found that “file version less than” rules don’t always work by themselves. You need to check for the file existing and the file version being less than the target. If your environment has 64-bit computers, that needs to be accounted for as well. I tend to do file version checks rather than registry checks. I think I get more accurate results.

The applicability rule we’re building is something like this:
(
    File Exists; Common Paths = Windows; Path = system32\adobe\Director\swdir.dll
    AND
    File Version; Common Paths = Windows; Path = system32\adobe\Director\swdir.dll; Less Than 11.5.9.615
)
OR
(
    File Exists; Common Paths = Windows; Path = SysWOW64\adobe\Director\swdir.dll
    AND
    File Version; Common Paths = Windows; Path = SysWOW64\adobe\Director\swdir.dll; Less Than 11.5.9.615
)

It is a serious pain to get these parentheses correct. I believe the trick was selecting the entire row.
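To check that the grouping above does what the post intends, here is an added example (not from the post or from SCUP) that models the rule in plain Python against a constructed map of path to file version; the host maps, the helper names and the "missing file has no version" behaviour are assumptions of the model, not SCUP internals.

```python
# Modelled evaluation of the SCUP applicability rule for Shockwave 11.5.9.615.
# The file system is a constructed dict: relative path under %windir% -> file version
# string, with the key absent when the DLL is not present (sample data, not real hosts).

TARGET = "11.5.9.615"
PATHS = (
    r"system32\adobe\Director\swdir.dll",   # 32-bit Windows, or 64-bit player
    r"SysWOW64\adobe\Director\swdir.dll",   # 32-bit player on 64-bit Windows
)


def parse_version(text):
    """'11.5.9.615' -> (11, 5, 9, 615): compare numerically, never as strings."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def file_exists(fs, path):
    """Models the 'File Exists' rule."""
    return path in fs


def file_version_less_than(fs, path, target):
    """Models 'File Version ... Less Than'. In this model a missing file has no
    version, so the rule has no value; that is why the post pairs it with File Exists."""
    if not file_exists(fs, path):
        raise LookupError(f"{path} not present; version rule cannot be evaluated")
    return parse_version(fs[path]) < parse_version(target)


def shockwave_update_applies(fs, target=TARGET):
    """(Exists AND Version < target) for system32  OR  the same for SysWOW64."""
    return any(
        file_exists(fs, p) and file_version_less_than(fs, p, target) for p in PATHS
    )


# Constructed sample hosts (assumed, for illustration only).
SAMPLE_HOSTS = {
    "xp-old":        {PATHS[0]: "11.5.8.612"},   # vulnerable 32-bit install -> applies
    "win7x64-old":   {PATHS[1]: "11.5.8.612"},   # vulnerable WOW64 install -> applies
    "win7-current":  {PATHS[0]: "11.5.9.615"},   # already at target -> does not apply
    "no-shockwave":  {},                         # not installed -> does not apply
}

if __name__ == "__main__":
    for name, fs in SAMPLE_HOSTS.items():
        print(f"{name:14} applies={shockwave_update_applies(fs)}")
```

The default "Product ID not installed" rule would have targeted the last host too, which is exactly the install-everywhere behaviour the post is avoiding.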

INSTALLED RULES
The default Product installed rule works.

After that it’s just like any other SCUP update. Hit the publish button (publishes to WSUS). Synchronise into SCCM. Deploy.

Download CAB file
This CAB file is provided as an example without warranty. You’d need to import it into SCUP, add your own MSI and publish.