WindowSecurity.com - Monthly Newsletter - January 2016

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, MCSA, Enterprise Security MVP), independent consultant and Microsoft network security and remote access expert. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.


1. Editor's Corner

Web browsers. Love them or hate them, they are arguably one of the most important applications running on the Windows desktop client. They have evolved from simple web viewing tools to immersive, interactive application platforms. Today, with the world moving to online and cloud-based services at an incredible pace, the majority of applications now use the browser as their primary user interface. Updates to applications are nearly constant, and web browser interoperability and standards support are critical. Application developers must anticipate the feature support provided by a wide variety of browsers and individual browser versions. With Microsoft alone having numerous versions of Internet Explorer in production (not to mention the new Edge browser!), coding for IE alone is not a trivial task. However, things might be getting better in that regard. This month, Microsoft made some important announcements regarding support for older versions of Internet Explorer. Read on to learn more.

--Rich

End of Support for Old Versions of Internet Explorer

Beginning January 12, 2016, Microsoft has ended support for all but the latest supported version of Internet Explorer on all of their currently supported operating systems. That means that for the majority of desktops in the world, only Internet Explorer 11 will be supported (IE 9 will still be supported on Windows Vista SP2).

The crucial implication here is that Internet Explorer versions 7, 8, 9, and 10 will no longer receive important security updates. Of course this has a tremendous impact on security, as the web browser is a commonly exploited attack vector for cybercriminals. The end of support for all versions of IE other than IE 11 will have a unique impact on security for consumers and enterprise.

For consumers, upgrading to IE 11 immediately will be critical. However, as many information security professionals know, consumers commonly put off updates until they are forced to. As these updates will be optional (but recommended), it remains to be seen how quickly consumers migrate to IE 11. Some upgrades will be forced by attrition, with consumers purchasing new computers that come pre-installed with Windows 10 and the new Microsoft Edge browser. Those sticking with Windows 7 may be left out in the cold unless they proactively choose to update their browser. An advantage in the consumer space is that third-party browsers are popular, with many choosing to use Chrome or Firefox, which receive automatic security updates.

The enterprise faces some unique challenges. Many large organizations have standardized on IE versions prior to 11 and are notoriously slow to move up. Often legacy applications don’t work with newer web browsers, so it isn’t simply a matter of choice to upgrade. A browser upgrade may necessitate upgrades to existing applications, which itself is non-trivial. Also, to avoid potential loss of productivity, copious amounts of integration and compatibility testing must be performed, itself an important and time-consuming effort. However, the rewards that come with this effort will be substantial. Moving to the latest version of IE will greatly improve security and, as an added benefit, may allow organizations to finally rid themselves of their reliance on legacy Java-based applications in favor of modern HTML5 versions. That will definitely be a huge win.

In either case, upgrading sooner rather than later is critically important. No doubt cybercriminals around the world will be taking advantage of the fact that security updates will no longer be produced for older versions of Internet Explorer. And no doubt there will be additional vulnerabilities detected in the future, leaving these browsers in a perpetual 0-day vulnerability state. Not a good situation at all! So, don’t waste time and get moving on your upgrade to Internet Explorer 11!

2. Richard M. Hicks Consulting

Looking for assistance with the design, implementation, or support of a Microsoft DirectAccess remote access solution? Need help migrating from Microsoft Forefront Threat Management Gateway (TMG) 2010? Interested in guidance for integrating on-premises networks with Microsoft Azure or Amazon Web Services? I can help!

I am a Microsoft Certified Solutions Associate (MCSA) with nearly 20 years’ experience working with Microsoft network security platforms. I’ve deployed DirectAccess and VPN solutions for some of the largest organizations in the world. I’ve also helped organizations large and small implement hybrid cloud network solutions, migrate from Forefront TMG to other security platforms, and perform other security related services.

For more information about consulting services, click here.


3. Microsoft Security Bulletins for January 2016

For the month of January Microsoft released 9 security bulletins, 6 of which are rated critical and 3 important. Affected software includes Internet Explorer and Edge, Office, Visual Basic, Exchange, Silverlight, and all supported Windows client and server operating systems. This month marks the last update cycle for Internet Explorer versions prior to 11, so if you haven’t already updated, now is the time to do so. Pay close attention to MS16-006, a vulnerability in Silverlight, as there are reports of active attacks in the wild.

For more information about January’s security bulletins click here.

4. Microsoft Security Advisories for January 2016

For the month of January, Microsoft released three security advisories. Advisory 3109853 outlines an update to improve TLS session resumption interoperability. Advisory 3118753 includes updates for ActiveX kill bits. Advisory 3123479 provides details on the deprecation of the SHA-1 hashing algorithm for the Microsoft Root Certificate program. Finally, advisory 2755801 has been updated with newly released vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge browsers.


5. Security Articles of Interest

  1. Microsoft has announced that versions of Internet Explorer prior to version 11 will no longer be supported (with the exception of IE 9 on Windows Vista SP2). Going forward, Microsoft will not make security updates available or provide technical support for these browsers. Users and organizations using Internet Explorer versions older than 11 are encouraged to upgrade as soon as possible.

    https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support
  2. Europe, and in particular Germany, has very demanding security and privacy laws in place to protect its citizens. Recently Microsoft developed a plan to implement a locked-down instance of Azure running in datacenters in Germany. Microsoft has taken extraordinary steps to provide important new security controls to address the very specific needs dictated by laws in this region. More details here:

    http://www.zdnet.com/article/microsoft-details-more-on-its-german-datacenter-data-access-lockdown-plan/
  3. Getting compromised is one thing. However, initial compromise is often only the first step in a successful attack. Attackers, once they’ve established a foothold in a target organization, endeavor to move around in the environment to discover additional targets. While preventing compromise is critical, preventing lateral movement once the attacker is on the network is also vitally important. Here is some useful information for tracking lateral movement using special groups and specific service accounts.

    http://blogs.technet.com/b/jepayne/archive/2015/11/27/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts.aspx
  4. The Azure Security Center is an incredible resource available to customers leveraging Microsoft’s Azure public cloud platforms. Available to both platform and infrastructure-as-a-service customers, the Azure Security Center provides a holistic view of security configuration and operations for all resources hosted in Azure. If you haven’t investigated this incredibly powerful platform, I would encourage you to do so immediately.

    http://blogs.microsoft.com/cybertrust/2015/12/11/cloud-security-controls-series-azure-security-center/
  5. In his continuing series on developing an enterprise IPv6 security strategy, IPv6 security veteran Enno Rey published parts 3, 4, and 5 covering topics such as traffic filtering and first hop security.

    https://www.insinuator.net/2015/12/developing-an-enterprise-ipv6-security-strategy-part-3-traffic-filtering-in-ipv6-networks-i/

    https://www.insinuator.net/2015/12/developing-an-enterprise-ipv6-security-strategy-part-4-traffic-filtering-in-ipv6-networks-ii/

    https://www.insinuator.net/2015/12/developing-an-enterprise-ipv6-security-strategy-part-5-first-hop-security-features/
  6. A chain is only as strong as its weakest link. This applies to security too. For example, you can have well protected servers, but if your administration workstations aren’t adequately protected, the security of the whole environment suffers. Securing privileged access is an important and often overlooked aspect of security in many organizations. Microsoft recently posted guidance for developing and implementing a plan to better secure privileged access. Read on for more details:

    https://technet.microsoft.com/en-us/library/mt631194.aspx
  7. SmartScreen is a highly effective tool integrated with Internet Explorer and Microsoft Edge browsers to detect and prevent social engineering attacks and malicious software downloads. Microsoft has made improvements to SmartScreen to include support for protection from drive-by attacks. More details here:

    https://blogs.windows.com/msedgedev/2015/12/16/smartscreen-drive-by-improvements/
  8. Microsoft has introduced some changes to their Trusted Root Certificate Program. Specifically, beginning in January 2016, some Certificate Authorities will no longer be included in the default trusted root certificate store on Microsoft operating systems. This is due to Microsoft’s implementation of tighter technical and auditing requirements for root CAs. If you begin seeing certificate errors on Windows platforms, it would be a good idea to check the new list to confirm if the root CA is still trusted.

    https://blogs.technet.microsoft.com/mmpc/2015/12/17/microsoft-updates-trusted-root-certificate-program-to-reinforce-trust-in-the-internet/
  9. There seems to be lots of focus around the web browser and browser security lately, huh? Following on that trend, Microsoft has announced they are making changes to the way they handle adware in their web browsers. With a focus on reducing the impact of ad injection and man-in-the-middle techniques for displaying malicious advertisements, Microsoft is adjusting their criteria for evaluating, detecting, and blocking adware. These new policies will begin being enforced on March 31, 2016.

    https://blogs.technet.microsoft.com/mmpc/2015/12/21/keeping-browsing-experience-in-users-hands/
  10. Interested in learning more about Windows security and forensics? Here’s an excellent, and FREE, online training course available on the Microsoft Virtual Academy. The session covers a variety of important topics including memory and authentication attacks, Windows and network forensics, and malware incident response. Check it out now!

    https://mva.microsoft.com/en-US/training-courses/windows-security-forensics-14383
  11. Apple, once the darling of the Internet for being “more secure than Windows”, topped 2015’s list of software vulnerabilities. Reported CVEs (Common Vulnerabilities and Exposures) for the Mac OS X operating system accounted for 384 reports. Microsoft first appears on the list at #7 with 231 reported flaws, but the latest browsers and operating systems from Microsoft have even fewer reported vulnerabilities.

    http://microsoft-news.com/adobe-loses-top-spot-on-2015-list-of-vulnerabilities-replaced-by-apple/
  12. Adversaries need credentials more than malware. You can deny them by avoiding these common sins of Windows credential administration.

    https://twitter.com/JohnLaTwC/status/587289888560558080


6. WindowSecurity.com Articles of Interest

  1. Insider Threats: Trust and Negligence can be a Recipe for Disaster
  2. Netwrix Auditor – Voted WindowSecurity.com Readers’ Choice Award Winner for Network Auditing
  3. Shift in Security Focus – The People Problem (Part 2)
  4. IoT: The Threats Keep on Coming (Part 1)

7. Windows Security Tip of the Month

With the end of support for Microsoft Internet Explorer versions prior to 11, many organizations with a reliance on older versions of Internet Explorer may be forced to wait for upgrades due to application incompatibilities. Often a legacy application will not work well, or at all, with newer web browsers. With security updates no longer available for previous versions of IE, some will be forced to choose between security and productivity. Definitely not a good spot to be in. However, Microsoft does offer some mitigating features in IE. For example, some application and browser incompatibilities can be effectively addressed using Enterprise Mode for Internet Explorer. This allows for the deployment of the latest version of IE, while at the same time providing a way to integrate with older applications. For more information about Enterprise Mode for Internet Explorer 11, click here.