WindowSecurity.com - Monthly Newsletter - August 2014

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, Enterprise Security MVP), Technical Services Director for Celestix Networks. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


Editor's Corner

The patching of Windows systems, or any software or firmware for that matter, is vital to providing the highest levels of security and protection. Microsoft has built what is arguably the best, most mature, and best understood automated update system there is today – Windows Update. By configuring a Windows system (client or server) to automatically check for and install updates when they are available, our systems are much less vulnerable to attack than they would be without it. In fact, many systems would never be patched at all if Windows Update didn’t exist. On the consumer side, I regularly encourage my friends and family to opt in to this service. For small and mid-sized businesses I recommend deploying Windows Server Update Services (WSUS), a patch management solution included at no additional cost with Windows Server 2012 R2. WSUS can be configured to selectively distribute Microsoft system updates, and it provides valuable reporting tools for evaluating the effectiveness and coverage of our update distribution. You can even manage system updates using Microsoft’s cloud-based PC and mobile device management platform, Windows Intune. But what happens when this process causes more problems than it solves? This month we’ll consider just that scenario.

--Rich

Windows Update

In an ideal world, everyone would automatically deploy all of Microsoft’s updates immediately upon release, which is the second Tuesday of every month. Remember that when Microsoft makes a public announcement of a security vulnerability in any one of their platforms or applications, the bad guys get this information at the same time. They will review the list of vulnerabilities, download the updates, and immediately begin to reverse engineer them in an effort to determine how to exploit them. Microsoft has stated that they’ve seen an exploit created using this process in as little as four hours after public availability of a hotfix. Clearly it’s a good idea to patch quickly and completely. But what happens when an update causes instability? Perhaps it breaks some important functionality, or even worse, causes the system to fail completely. It doesn’t happen often, but disturbingly, scenarios like this have become increasingly common in the last few years.

This month, Microsoft released a number of updates (details later in this newsletter) addressing several important vulnerabilities. However, it appears that a few of them are causing serious issues for many users. In fact, Microsoft has gone so far as to pull one of the updates, MS14-045, which is reportedly generating stop errors (blue screens of death) on Windows 7 PCs running the 64-bit version of the operating system. Microsoft also recommends removing the patch if it was previously installed. The removal process isn’t trivial, and involves deleting a file and editing the registry. Obviously this is a bad situation, as you don’t want consumers having to make changes like this. For mid-sized and large organizations, removing an update in this manner doesn’t scale well at all, making removal across many thousands of machines extremely tedious.

Statistically speaking, the vast majority of software updates that Microsoft releases work without issue. This is an amazing feat if you consider the ecosystem that they have to support and the number of supported deployment scenarios they have to consider. However, it seems that in recent months (and this month in particular) the stability of updates being produced by Microsoft has fallen off. I don’t have any hard data to back this up, but I’m sure you’ll agree that the frequency with which issues are being reported with updates is increasing. This is disturbing because many individuals and organizations, perhaps rightfully so, will now consider delaying installing updates until they’ve been proven to be stable. This will have a tremendously negative impact on our ability to protect our systems from attack and exploitation and will definitely give attackers an increased window with which to build attack tools to take advantage of these vulnerabilities.

In light of all this, I’d still encourage you to deploy critical updates, especially those that are remotely exploitable, as soon as possible. Given the recent trends, testing and evaluation of updates should be performed with more scrutiny than ever. In addition, it might be a good idea to roll these updates out to limited groups of systems (those that are most vulnerable) and monitor the status of these systems closely for a period of time. If there are no reports of instability or issues caused by the update, proceed with the rest of your deployment as normal.

Practical IPv6 for Windows Administrators

With the rapid depletion of the global IPv4 address pool, the adoption of IPv6 is growing significantly. The total exhaustion of public IPv4 addresses is inevitable, making IPv6 knowledge an important and essential skill that network engineers and systems administrators will need to have to be successful. While there are some excellent IPv6 references available today, until now there has been a lack of practical, real-world implementation guidance for IPv6. Until now! Practical IPv6 for Windows Administrators provides detailed information necessary for network engineers and systems administrators planning to deploy IPv6 on their corporate networks. It covers important topics such as IPv6 address assignment and name resolution, along with specific IPv6 integration information for Microsoft services such as Exchange, SQL, SharePoint, Hyper-V, and more.

IPv4 is a dead man walking. IPv6 is the way of the future; in fact, it is here now! Order your copy of Practical IPv6 for Windows Administrators today.


Click here to order your copy today!


Microsoft Security Bulletins for August 2014

For the month of August, Microsoft released 9 security bulletins addressing 41 vulnerabilities. 2 bulletins are rated as critical, and 7 are rated as important. Affected software includes Windows, Internet Explorer, Office, SQL, SharePoint, and .NET Framework. For more information about August’s security bulletins click here. Microsoft also released security advisory 2755801 that addresses an update for vulnerabilities in Adobe Flash Player in Internet Explorer. As mentioned at the beginning of this newsletter, there have been numerous reports of issues with several of the updates released this month. Most importantly, Microsoft has removed MS14-045 due to reports of it causing stop errors (blue screens) on Windows 7 64-bit platforms. If you’ve previously installed this update, Microsoft recommends removing it. Removal instructions are included in the bulletin.


Security Articles of Interest

  1. This month Microsoft announced that the Enhanced Mitigation Experience Toolkit (EMET) v5.0 is now generally available. This is a powerful and effective security mitigation tool that can be used to protect against emerging threats and prevent known and unknown vulnerabilities from being exploited. If you’re not already using it, be sure to download it now and begin your evaluation. There are few tools available that provide the ability to dramatically improve the overall security posture of your organization like EMET can.

    http://blogs.technet.com/b/security/archive/2014/07/31/now-available-enhanced-mitigation-experience-toolkit-emet-5-0.aspx

  2. Microsoft goes a long way to protect the privacy of users of their public cloud applications, platforms, and services. It is not uncommon for Microsoft to go to court to defend what it believes are unwarranted requests for personal information and data for its users. In a recent case, Microsoft is challenging U.S. federal prosecutors who are demanding access to data for a user whose data is stored in a datacenter outside of the U.S. (in this case, Ireland). Microsoft has argued that since the data does not physically reside in the U.S., the federal government doesn’t have jurisdiction. Microsoft’s appeal was recently denied, but they continue to appeal further. This case has important implications for U.S.-based public cloud service providers. If they fail, it will be extremely difficult to sell public cloud services outside of the U.S.

    http://bits.blogs.nytimes.com/2014/07/31/judge-rules-that-microsoft-must-turn-over-data-stored-in-ireland/

  3. The Sender Policy Framework (SPF) is a mechanism that can be used to detect email spoofing. It is implemented using TXT records hosted in public DNS; the record lists the hosts authorized to send email for the domain. A receiving email system can check the connecting sender against that list to confirm that the sending host is authorized. If it is not, the receiving system can use this information to enforce anti-spam policies in a number of different ways. As you can imagine, the Microsoft organization sends email from many different authorized hosts. Defining that authorized list was challenging, but it was recently accomplished with great effort.

    http://blogs.msdn.com/b/tzink/archive/2014/07/22/microsoft-com-now-publishes-an-spf-hard-fail-in-its-spf-record.aspx
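The check a receiving mail system performs is straightforward to illustrate. The following is an added example (not from the newsletter or from Microsoft) that evaluates a connecting sender's IP address against the `ip4`, `ip6` and `all` mechanisms of a constructed SPF record; mechanisms that require further DNS lookups (`include`, `a`, `mx`) are deliberately skipped so the code runs offline.

```python
import ipaddress

# Constructed SPF record for illustration; not any real domain's record.
# The trailing "-all" is the "hard fail" the linked article discusses.
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

# SPF qualifier prefix -> result when the mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT record into its mechanism terms, validating the version tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    return terms[1:]


def check_sender(record, sender_ip):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral' or
    'permerror') for a connecting host address evaluated against record.
    Only ip4, ip6 and all are evaluated; include/a/mx/exists need DNS
    and are treated as non-matching here (assumption for an offline demo)."""
    ip = ipaddress.ip_address(sender_ip)
    for term in parse_spf(record):
        qualifier = "+"                      # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")   # e.g. "ip6", "2001:db8::/32"
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]     # "all" always matches
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"           # malformed network in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"                         # no mechanism matched and no "all"


if __name__ == "__main__":
    for host in ("192.0.2.10", "198.51.100.7", "2001:db8::1"):
        print(host, "->", check_sender(EXAMPLE_SPF, host))
```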

  4. Independent antimalware testing always produces interesting results. Often, tests from different testing vendors produce drastically different results. Of course many security and antimalware vendors use whichever test made their product look the best, and their competitors the worst, as fodder for their marketing campaigns. As part of an effort to improve the accuracy and relevance of independent antimalware testing, Microsoft is offering guidance for the evaluation and testing of antimalware technologies. More details here:

    http://blogs.technet.com/b/mmpc/archive/2014/08/01/the-future-of-independent-antimalware-tests.aspx

  5. One of the updates released by Microsoft this month will now enable the blocking of outdated versions of Java running in Internet Explorer. This is great news, as browser plug-ins have become a common target of malware authors, and Java has proven to be the richest target.

    http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx

  6. Last month in this newsletter I wrote about the security of Azure, Microsoft’s public cloud platform. Also, I mentioned that Microsoft was making changes to encryption policies to improve security and privacy for users of Outlook.com and OneDrive.com. This month Microsoft made additional announcements about improving security and privacy, this time focusing on encryption improvements for guest virtual machines.

    http://blogs.technet.com/b/trustworthycomputing/archive/2014/08/07/strengthening-encryption-for-microsoft-azure-customers.aspx

  7. Cryptolocker is a particularly troublesome piece of malware, actually ransomware, that encrypts data on an infected machine and offers to sell you the decryption key for a price. For users infected by this ransomware, the alternative is to pay the price or lose your data. Thankfully, security researchers at FireEye and Fox-IT recently uncovered the encryption keys used by this malware and posted them on a freely available site for users to access. If you or someone you know has been affected and is unable to recover their data (and they haven’t already deleted it!), send them over to decryptcryptolocker.com to recover their files.

    http://blogs.technet.com/b/mmpc/archive/2014/08/12/fireeye-and-fox-it-tool-can-help-recover-crilock-encrypted-files.aspx

  8. Multipath TCP is an emerging technology that promises to add resilience and efficiency to networking. It is, however, not without some serious security concerns. Since it allows TCP connections to move over multiple networks, it has important implications for traditional network security solutions like stateful firewalls and IDS/IPS.

    http://threatpost.com/multipath-tcp-introduces-security-blind-spot/

  9. What will security look like in 2025? Not surprisingly, it will be profoundly influenced by growth, and the Internet-of-Things. With increasingly ubiquitous network connectivity and increased adoption in emerging markets, there are some real challenges ahead in the coming years. The good news is that the future doesn’t look all that bleak! With careful planning and consideration, and a deep understanding of the future deployment scenarios, security can be addressed in an effective manner.

    http://blogs.technet.com/b/security/archive/2014/08/20/what-will-cybersecurity-look-like-in-2025-part-2-microsoft-envisions-an-optimistic-future.aspx

  10. Rogue antivirus software is most insidious, as it purports to be protecting a system while in fact, it does just the opposite. Typically rogue antivirus software exists for the sole purpose of extracting money from unsuspecting users who think they actually have a virus. The irony of course is that the fake antivirus software is itself the virus! After being aggressively targeted by Microsoft and independent antimalware solutions, rogue antivirus software is on the decline. It is, however, far from being completely eradicated. In fact, existing forms of this malicious software are using clever techniques to trick their targets. More details here:

    http://blogs.technet.com/b/mmpc/archive/2014/08/19/the-fall-of-rogue-antivirus-software-brings-new-methods-to-light.aspx

  11. Microsoft has announced the availability of the final release of their security baselines for Windows 8.1, Windows Server 2012 R2, and Internet Explorer. Systems administrators and security engineers will want to download this guidance before deploying these platforms in a production environment.

    http://blogs.technet.com/b/secguide/archive/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final.aspx


WindowSecurity.com Articles of Interest

  1. Verifying Active Directory Delegation is Accurate
  2. Managing AppLocker in Windows Server 2012 and Windows 8/8.1 – Part 4
  3. Netwrix Auditor – Voted WindowSecurity.com Readers’ Choice Award Winner – Group Policy Management
  4. Video: Generating Active Directory Group Members Recursively
  5. Planning Considerations for BYOD and Consumerization of IT – Part 1
  6. Pass-the-Hash: Protect Your Windows Computers! – Part 3

Windows Security Tip of the Month

So you’ve just finished development of an in-house line-of-business application. Is it secure? Do you know if it was built according to security best practices? Well, the BinScope Binary Analyzer from Microsoft can shed some light on that for you! BinScope is a verification tool used to analyze binary files to ensure that they have been built according to Microsoft’s Security Development Lifecycle (SDL) guidance and recommendations. The tool can be installed and integrated with Visual Studio and used to perform assessments at the project level. Use of this tool can provide detailed visibility into application development output and provide a level of assurance that your code is SDL compliant. You can download the BinScope Analyzer here.