Posts tagged ‘Microsoft’

Quicktime and SCUP

When Quicktime 7.6.7 came out, I wanted to deploy it with Microsoft System Center Update Publisher (SCUP). I’d recently used SCUP to deploy Flash (for IE) and the Dell Inventory Agent. It made sense to look at using SCUP and SCCM Software Updates to deploy patches rather than continuing to use the old Software Distribution method. The funny thing was, when I Googled/Binged Quicktime and SCUP, I didn’t find a lot of answers. I found a link or two to my own blog. Well, I’d better actually write something, since the search engine expects me to have it.

SCUP can deploy an MSP, MSI or EXE. In the past I had used a BAT file to set registry keys, copy configuration files and run the install. That isn’t going to happen unless I compile it into an EXE. Quicktime also requires the update of Apple Application Support.

I decided to use my old friend SMS Installer to package the install files into one EXE and perform the installation actions. I decided to make it as simple as possible. The SMS Installer script is something like this:

Get Environment Variable %WinDir% into variable windir
Install File \\server\sourceDIR\quicktime to %temp%\quicktime\
Execute %temp%\quicktime\appleapplicationsupport.msi /qn reboot=reallysuppress (wait)
Execute %temp%\quicktime\quicktime.msi ALLUSERS=1 DESKTOP_SHORTCUTS=0 QTTASKRUNFLAGS=0 REGSRCH_INSTALL_ASU=0 /qn reboot=reallysuppress (wait)

The command-line options seem to keep the “Q” systray icon and desktop shortcuts from appearing. But I didn’t manage to disable checking for updates when Quicktime is opened. It also has the really annoying new interface. In the past I solved those problems by dropping configuration files. That could still be done with a bit more testing.

Compile your EXE in SMS Installer (or your favorite tool to create an install file).  

Once your install file is ready to go, you’re ready to add it to SCUP. Select Create Update and run through the wizard.

Update Information

Update Title: Quicktime 7.6.7   (this could be anything)
Description:  Quicktime 7.6.7 improves security and is recommended for all Quicktime 7 users on Windows.   (generally I take the description from the security advisory)
Classification: Security Advisory
Bulletin ID: HT4290
Vendor: Apple
Product: Quicktime

Extended Properties

Article ID: HT4290
CVE ID: CVE-2010-1799
Severity: Critical
Support URL:  could be an internal url or http://www.apple.com/quicktime/download
More Info URL: http://support.apple.com/kb/HT4290
Impact: Normal
Reboot Behavior: I left this on ‘can request reboot’ although SMS Installer is returning a 0 by default

Define prerequisite Rules

Processor Architecture = x86
and
Windows Version Greater than or Equal to
major Version 5, SP Major Version 2, Minor Version 1
Product Type = workstation

Apple supports Quicktime on XP SP2 or greater. Apple uses a separate install file for x64. I chose to keep things simple for now and not try to package that in here.

Select Package
Installer Type = EXE
Update Package Source = Browse to your install file (I used a UNC path). This doesn’t need to be accessible to anything but your installer.
Download URL or UNC = Paste the same path as above.
Command Line = /S   (this tells the SMS installer file to run silently.   If you used a different packager you’re on your own)

Define Applicability Rules
File Version:
Common Paths – select program_files
Path – quicktime\quicktimeplayer.exe
Comparison – Less than
Version – 7.67.75.0

AND
Registry key exists
HKLM\Software\Apple Computer, Inc.\Quicktime

Define Installed Rules
File Version
Common Paths – Program_Files
Path – quicktime\quicktimeplayer.exe
Comparison – Greater Than or Equal To
Version 7.67.75.0

Now you’ve got an update that is ready to go. Publish it to WSUS and then sync to SCCM as you would with any other SCUP update. I always see people complaining that very few vendors supply CAB files for SCUP. The fact is, before this year very few SCCM admins were using SCUP. Vendor-supplied CABs might not be configured the way you want anyway. For example, the Adobe CAB for Flash assumes you want all your computers to have Flash. If you only want to upgrade existing Flash installations, you need to either limit the update to a collection or write your own detection rules.

I hope that after reading through this you understand how to roll your own update, even for a complicated one like Quicktime. Make sure you thoroughly test your deployment.

SCUP Rule Testing

Microsoft System Center Update Publisher is a method to get third-party updates deployed through SCCM and an internal update server. As I started working with it this summer, I had issues creating applicability rules. When you create a collection in SCCM you get immediate feedback about the accuracy of your rules: you either have the number of computers you were expecting or you don’t.

With SCUP, I wasn’t getting any feedback until I published the rule to the internal update server, imported that to SCCM and waited for computers to check in.   This is not a good way to work.    Fortunately Greg Ramsey of Dell helped me out on the myitforum.com SMS/SCCM mailing list.

We’re using SCUP 4.5, but SCUP 4.0 has the ability to test the rules much more easily. I installed SCUP 4.0 on a test computer, imported the update I had created in 4.5, then exported it. The export command in 4.0 has an option to export the update to an XML file along with a script.

Run the script on each computer to determine if the patch is considered applicable or not.   This is a much quicker way to verify that your update’s applicability rules are written correctly.   If you make any changes to your rules, export and bring that change back to your production SCUP 4.5.

UPDATE – As it turns out, this wasn’t as great a tool as I hoped. It clearly reported not applicable on machines with no Adobe Reader, as I desired. SCCM unfortunately saw the patch as applicable. Fortunately I fixed the applicability rules before any damage was done.
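As an added example (my own script, not the export script SCUP 4.0 generates and not anything from the Quicktime post), here is a PowerShell check that evaluates the prerequisite, applicability and installed rules defined for the Quicktime 7.6.7 update above on the local machine and reports whether the client would come out Installed, Applicable or Not Applicable. It assumes the x86 layout that post targets, with the player under %ProgramFiles%, and that the script can read the file version and the HKLM key.

```powershell
# Added example (not the SCUP 4.0 export script): evaluates the prerequisite,
# applicability and installed rules for the Quicktime 7.6.7 update exactly as
# the post defines them, on the local machine, and reports the resulting state.
# Assumes the x86 layout the post targets (QuickTime under %ProgramFiles%).

$TargetVersion = [version]'7.67.75.0'
$PlayerPath    = Join-Path $env:ProgramFiles 'QuickTime\QuickTimePlayer.exe'
$AppleKey      = 'HKLM:\SOFTWARE\Apple Computer, Inc.\QuickTime'

function Get-FileVersionObject {
    param([string]$Path)
    # Build a System.Version from the numeric parts; the FileVersion string can
    # carry vendor text that [version] will refuse to parse.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    return [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                             $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-Prerequisites {
    # Prerequisite rules: x86, Windows >= 5.1 SP2 (XP SP2), Product Type = workstation
    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $ver   = [version]$os.Version                              # e.g. 5.1.2600
    $mm    = [version]('{0}.{1}' -f $ver.Major, $ver.Minor)    # compare major.minor only
    $sp    = [int]$os.ServicePackMajorVersion
    # PROCESSOR_ARCHITEW6432 is only set when a 32-bit process runs on 64-bit Windows
    $isX86 = ($env:PROCESSOR_ARCHITECTURE -eq 'x86') -and (-not $env:PROCESSOR_ARCHITEW6432)
    $newEnough = ($mm -gt [version]'5.1') -or (($mm -eq [version]'5.1') -and ($sp -ge 2))
    return $isX86 -and $newEnough -and ($os.ProductType -eq 1)  # 1 = workstation
}

function Test-QuickTimeUpdateState {
    # Returns 'Installed', 'Applicable' or 'NotApplicable' for this client.
    if (-not (Test-Prerequisites)) { return 'NotApplicable' }
    if (-not (Test-Path -LiteralPath $PlayerPath)) {
        # No player binary: neither file-version rule can match
        return 'NotApplicable'
    }
    $current = Get-FileVersionObject -Path $PlayerPath

    # Installed rule: File Version >= 7.67.75.0
    if ($current -ge $TargetVersion) { return 'Installed' }

    # Applicability rule: File Version < 7.67.75.0 AND registry key exists
    if (Test-Path -LiteralPath $AppleKey) { return 'Applicable' }

    # Older player but no Apple registry key: the AND fails, so not applicable
    return 'NotApplicable'
}

$state = Test-QuickTimeUpdateState
Write-Host ("Quicktime 7.6.7 state on {0}: {1}" -f $env:COMPUTERNAME, $state)
```

As the UPDATE above shows, a local pass only proves the rules behave as you wrote them; what SCCM decides after you publish is what still has to be confirmed.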

Patching week in review

This week saw a large number of Microsoft patches.

Additionally Adobe released updates for Flash and Adobe Air. Acrobat and Reader updates expected for this week will occur next week.

Apple patched the iPhone and released an update for QuickTime.  iTunes users were not given the QuickTime update as of this post.

To stay on top of all these updates, home users should install something like the Secunia Personal Software Inspector. Sysadmins should, rather than waving the dead chicken and hoping for the best, make plans to deploy these updates if the software is present in the work environment.

SCUP and Flash

I deployed Adobe Flash 10.1 through System Center Updates Publisher (SCUP). It’s kind of sad how excited this makes me.

SCUP is a framework that allows you to integrate third-party update deployment into your SCCM/WSUS server. Companies can provide a CAB file that you import into SCUP; you then approve updates and publish them to your SCCM server. From there, to the SCCM admin they are deployed like any Microsoft patch, and the user experience is just like Microsoft patches as well.

While I have only deployed SCUP in a test environment, I think it has the potential to mean less work in deploying updates. A more consistent user experience can be achieved by deploying these updates through the same methods. Currently I have a separate wrapper script that tells the user an update is available. Even if I don’t ultimately deploy all my patches using SCUP, I can use it to deploy Dell and HP BIOS, firmware and driver updates. As people try to do more with less, computers are being used longer. It is thus more important not to ignore security and bug fixes in these items.

When you obtain a license to distribute Flash, Adobe sends you a link to download the MSI, EXE or CAB file. I pointed SCUP directly at the CAB file. The first time I tried to deploy to a client the install failed. WindowsUpdate.log reported the error as 0x80070667. Google (or Bing) tells me that error indicates bad command-line switches. The log file showed the switches as “/qn reboot=reallysuppress allusers=1 msirestartmanagercontro=disable reboot=reallysuppress”. That has a duplicated switch. I recalled a Jason Lewis blog entry recommending that the command-line switches be left blank in the CAB file, because SCUP will automatically add silent install switches. After removing the command-line switches in SCUP, I published the change back to SCCM, synced everything and Flash installed without any further problems.

While I haven’t used SCUP in-depth yet, I am excited about what I do have in place.   My thanks go out to Jason Lewis, Program Manager at Microsoft,  for his great blogcasts showing how to set up SCUP.   I also found a PDF from Dell – Dell Catalog to Support Microsoft System Center Configuration Manager for Dell Hardware Updates by Dustin Orrick and Angela Qian to be very helpful.

GuardianEdge Windows 7 Looking Back

Like a lot of companies we are trying to go to Windows 7 sooner rather than later. We skipped Vista and XP is starting to seem a bit old. One of the things holding us back is GuardianEdge’s Full Disk Encryption product. Here’s our timeline.

In October 2009 I asked GuardianEdge about Windows 7 support and Windows 7 64-bit support. They said both would be available in version 9.5, due out in December 2009.

When GuardianEdge Hard Disk Encryption 9.5 was released (January or February), I found that there was no support for preboot authentication. Without preboot authentication, I think the encryption is pretty worthless. Support tells me 9.5.1 will include preboot authentication and be available in April 2010.

9.5.1 is released and I find it doesn’t work on my Toshiba Portege with Windows 7 32-bit installed. I decide this may be a one-off. I’m the only one using the Toshiba, so I try it out on a few Dell E6500 computers with Windows XP and Windows 7. This failed miserably. It turns out this was a known issue with the Dell E6500 and GuardianEdge was working on a patch.

GEHD 9.5.1 patch 1 came out. While it fixed the assorted problems with the E6500, I now see in the release notes:

There are known issues with GuardianEdge Hard Disk on various configurations of the following Dell computer models:
■ Dell E4310
■ Dell E6410
■ Dell E6510
■ Dell E5410, and
■ Dell E5510

Unfortunately the E6410 and the E6510 are two of the three systems listed on our standard configuration page. The third, the E4300, I suspect would really be the E4310.

GuardianEdge says this will be fixed in September 2010.

I wouldn’t be surprised if this led to looking at other solutions and revisiting BitLocker. I wrote about BitLocker in March. These pretzels are making me thirsty.

Email Message Size Limits – The Update

The Microsoft Exchange team wrote a blog entry back in 2006 summarizing the need for email message limits.
Email size limits help protect you against denial of service attacks. Intentional or not, internal sender or external, a large message can consume all available resources. The problem can be aggravated by antivirus for Exchange. It only has so many processes, and a traffic jam can occur while it’s trying to deal with this massive file.

Outbound messages may not even reach their destination. The public mail services like Yahoo, Gmail and Hotmail limit their message size to 10-25 MB. Many companies protect themselves by putting these limits in place as well.
I don’t think it’s too old school to say it’s bad netiquette to send large email messages.

Alternative methods like file servers and SharePoint are good internally. Externally, companies need to be providing easy-to-use file transfer services. Otherwise users will end up using potentially insecure third-party transfer websites like YouSendIt or, God forbid, P2P.

When I wrote about message limits in October of 2006, I was hoping that we would end up with a 50 MB message limit at the mail gateway but guessed that we would end up with a 100 MB limit. Instead we ended up with a ludicrous 500 MB limit. As Microsoft says, an outrageously large limit (to quiet the restless natives) is the same as having no mailbox and message size limits at all.

The high limits (and no limit internally) have caused multiple performance issues affecting availability this year. Management is now willing to put a (still really high) 50 MB limit on messages sent via Outlook, but they are not willing to put a better limit on incoming email. We’ve produced statistics showing the low number of messages that would be blocked. At a certain point you just document that management has accepted this risk.

As I finish writing this, I see the new Hotmail allows up to 200 attachments of 50 MB each on a single email message. It is still hard to attach a single attachment larger than 51 MB. But this doesn’t actually change my point. This limit isn’t because of how I think the Internet should work; it’s a technology limitation. Perhaps Exchange 2010 won’t fall to its knees with a 100 MB message. Even so, with no guarantee of the recipient’s server capabilities, I think it’s better to keep limits imposed.

50 Percent of Enterprise XP running SP2

According to Qualys, 50% of enterprise Windows XP computers are still running Service Pack 2. This was reported by Byron Acohido in a USA Today article.
This matters because Microsoft will stop providing security patches for computers with this service pack in July. If you’re running XP, you must have Service Pack 3 to continue to get operating system and IE patches.
These issues don’t just occur with operating systems. You need to keep your Office applications and other MS apps up to date on their service packs or eventually you’ll find yourself not getting updates. For home users, Windows Update will take care of that. But in a corporate environment where updates are managed, the patch admin might not “approve” all needed service packs. If you don’t have a secondary method of checking for patches (e.g. Qualys) you won’t know you’re out of date. An individual in a corporate environment could run Windows Update (select the option to go against the Microsoft server rather than the internal server) or run MBSA. Even if you don’t tell MBSA to run using Microsoft’s server, it will tell you if a patch isn’t approved by your administrator.
The end of life for Windows 2000 (all versions) and Windows XP prior to SP3 has been known for a while. I’ve been using ForeScout to find people running old service packs, so we’ve caught everyone up on XP and Vista service packs. Windows 2000 has been hanging on on a couple of servers. An upgrade this weekend should take care of one of those.

Patch Tuesday

Here’s a roundup of Patch Tuesday.
Microsoft patches: there are two this month from Microsoft, one in Outlook Express/Microsoft Mail and one in Microsoft Visual Basic for Applications.
Adobe released an update for ColdFusion and a security update for Shockwave; the Shockwave one is listed as critical.
Not a bang-your-head-on-the-desk month like last month, but I could have gone a month without updating an Adobe product.

Fake AV on Drudge

I was over at the Drudge Report last night and finally saw a fake antivirus social engineering attempt there. I’d heard before that the ads on Drudge often served that up, but it was the first time I ran across it myself.
On my work computers, I have the full Symantec Endpoint Protection suite installed and the IPS generally detects and blocks fake antivirus attempts. My home computer doesn’t have the firewall component of SEP installed, so it can’t have the IPS functionality. This means it’s relying on the antivirus scanner exclusively for detection. Of course that detected nothing.
I downloaded the inst.exe file. That’s the same file name I see in the fake antivirus attempts that are frequently made at pwinsider.com. You’d think the bad guys would avoid using the same file name all the time.
I got sidetracked and didn’t run the file through VirusTotal until this morning. The day after it was downloaded from a major site, 13 out of 41 engines detected the virus.

File inst.exe received on 2010.05.06 14:31:04 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.06 -
AhnLab-V3 2010.05.05.00 2010.05.05 -
AntiVir 8.2.1.236 2010.05.06 TR/Fakealert.mnd
Antiy-AVL 2.0.3.7 2010.05.06 -
Authentium 5.2.0.5 2010.05.06 -
Avast 4.8.1351.0 2010.05.06 -
Avast5 5.0.332.0 2010.05.06 -
AVG 9.0.0.787 2010.05.06 -
BitDefender 7.2 2010.05.06 Trojan.FakeAlert.CCA
CAT-QuickHeal 10.00 2010.05.04 -
ClamAV 0.96.0.3-git 2010.05.06 -
Comodo 4779 2010.05.06 -
DrWeb 5.0.2.03300 2010.05.06 Trojan.Fakealert.15369
eSafe 7.0.17.0 2010.05.05 -
eTrust-Vet 35.2.7471 2010.05.06 Win32/FakeAlert.E!generic
F-Prot 4.5.1.85 2010.05.06 -
F-Secure 9.0.15370.0 2010.05.06 Trojan.FakeAlert.CCA
Fortinet 4.0.14.0 2010.05.05 -
GData 21 2010.05.06 Trojan.FakeAlert.CCA
Ikarus T3.1.1.84.0 2010.05.06 -
Jiangmin 13.0.900 2010.05.06 -
Kaspersky 7.0.0.125 2010.05.06 Packed.Win32.Krap.ai
McAfee 5.400.0.1158 2010.05.06 -
McAfee-GW-Edition 2010.1 2010.05.06 -
Microsoft 1.5703 2010.05.05 -
NOD32 5091 2010.05.06 a variant of Win32/Kryptik.ECX
Norman 6.04.12 2010.05.06 -
nProtect 2010-05-06.02 2010.05.06 Trojan.FakeAlert.CCA
Panda 10.0.2.7 2010.05.05 Suspicious file
PCTools 7.0.3.5 2010.05.06 -
Prevx 3.0 2010.05.06 High Risk Cloaked Malware
Rising 22.46.03.04 2010.05.06 -
Sophos 4.53.0 2010.05.06 Mal/FakeAV-CZ
Sunbelt 6267 2010.05.06 FraudTool.Win32.SecurityTool (v)
Symantec 20091.2.0.41 2010.05.06 -
TheHacker 6.5.2.0.277 2010.05.06 -
TrendMicro 9.120.0.1004 2010.05.06 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.06 -
VBA32 3.12.12.4 2010.05.06 -
ViRobot 2010.5.6.2304 2010.05.06 -
VirusBuster 5.0.27.0 2010.05.06 -
 

In March the Senate Sergeant at Arms traced the source of an infection back to Drudge. People thought that was politically motivated. Drudge is a high-value target due to the number of visitors. Is there anything he should be doing differently? I think he needs to be holding his ad company to a higher standard and switching companies if they continue to allow these malicious ads to sneak in.

PDF Launch Vulnerability

If you’ve been sleeping on the Adobe Acrobat and Reader /Launch vulnerability, it’s time to consider taking mitigating steps.
The proof of concept presented by Didier Stevens uses the /Launch functionality that is part of the PDF specification in order to execute arbitrary code.
Because this is a problem with the PDF specification, it affects multiple vendors. I had recently read F-Secure call for Microsoft to natively support the PDF/A format. PDF/A is a cut-down version of the PDF standard. It specifically doesn’t allow file launches, so by default it would be safe from this sort of attack. The problem I see is that it does not support PDF encryption. You need that critical mass of people able to read encrypted PDF documents in order to be able to use PDF encryption.
Until last week, the attacks using the /Launch functionality were also using JavaScript in the PDF. So if you had disabled JavaScript in Adobe Reader, the user would have had to ignore a LOT of warnings in order to be attacked. Now an attack is in circulation that uses the /Launch functionality without using JavaScript.
It’s time to step up and apply the mitigation listed by Adobe in the Adobe Reader Blog:

For consumers, open up the Preferences panel and click on “Trust Manager” in the left pane. Clear the check box “Allow opening of non-PDF file attachments with external applications”.

For administrators who wish to accomplish this with a registry setting on Windows, add the following DWORD value to:
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals
Name: bAllowOpenFile
Type: REG_DWORD
Data: 0
Furthermore, an administrator can grey out the preference to keep end-users from turning this capability on, by adding the following DWORD value to: HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals
Name: bSecureOpenFile
Type: REG_DWORD
Data: 1
Note: These samples assumed you were adding registry settings to Adobe Reader 9. For Adobe Acrobat, you would replace “Acrobat Reader” with “Adobe Acrobat”, and for a different version, you would substitute its value for “9.0”.

The Adobe blog entry also lists a registry change to gray out the setting so the user can’t change it back if you’d like to do that.
Here’s a link to the ADM file I’m using to disable the /Launch and JavaScript functionality in Adobe Reader and Adobe Acrobat. Make sure you test before using it in a production environment.
adobe.adm
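As an added example (my own script, not the ADM file linked above and not Adobe’s code), this PowerShell applies the two registry values from Adobe’s note for both Adobe Reader 9 and Adobe Acrobat 9 under HKCU and then reads them back, so you can confirm the /Launch mitigation actually took effect on a test machine. The product and version strings are the ones Adobe’s note gives; substitute your installed version.

```powershell
# Added example (not the post's ADM file): sets the two Adobe mitigation values
# quoted from the Adobe Reader Blog for Reader 9 and Acrobat 9 in HKCU, then
# verifies them. Key and value names come from Adobe's note; the version is
# the one to substitute for your installation.

$Products = @('Acrobat Reader', 'Adobe Acrobat')   # product key names from Adobe's note
$Version  = '9.0'                                  # replace with your installed version

function Set-AdobeLaunchMitigation {
    param([string]$Product, [string]$Version)
    $key = "HKCU:\Software\Adobe\$Product\$Version\Originals"
    if (-not (Test-Path -LiteralPath $key)) {
        # The Originals key may not exist until the product has written preferences
        New-Item -Path $key -Force | Out-Null
    }
    # bAllowOpenFile = 0 : do not open non-PDF attachments with external applications
    Set-ItemProperty -LiteralPath $key -Name 'bAllowOpenFile'  -Value 0 -Type DWord
    # bSecureOpenFile = 1 : grey the preference out so the user cannot turn it back on
    Set-ItemProperty -LiteralPath $key -Name 'bSecureOpenFile' -Value 1 -Type DWord
}

function Test-AdobeLaunchMitigation {
    param([string]$Product, [string]$Version)
    # Returns $true only when both values are present with the mitigating data;
    # a missing value reads back as $null, which fails the -eq 0 test on purpose.
    $key = "HKCU:\Software\Adobe\$Product\$Version\Originals"
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $p = Get-ItemProperty -LiteralPath $key
    return ($p.bAllowOpenFile -eq 0) -and ($p.bSecureOpenFile -eq 1)
}

foreach ($product in $Products) {
    Set-AdobeLaunchMitigation  -Product $product -Version $Version
    $ok = Test-AdobeLaunchMitigation -Product $product -Version $Version
    $status = if ($ok) { 'applied' } else { 'NOT applied' }
    Write-Host ("{0} {1}: /Launch mitigation {2}" -f $product, $Version, $status)
}
```

Because these values live under HKCU, running the script as an administrator only hardens that administrator’s own profile; to cover every user it has to run in each user’s context (a logon script or the ADM approach above).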