Tag Archives: Microsoft

Microsoft Annual Security Report: Phishing Attacks Jump 250%

In 2018, Microsoft’s Security team analyzed more than 6.5 trillion security signals a day to identify security trends that expose organizations to significant cyber risks. Here’s what they found!

Phishing is Way Up!

After scanning more than 470 billion email messages sent and received in its Office 365 platform, Microsoft found that the number of phishing emails grew an alarming 250 percent. Making matters worse, techniques used by scammers are becoming more proficient and harder to detect because scammers are beginning to diversify the phishing attack techniques.

Diverse Attack Methods

According to the report, techniques used by attackers include domain spoofing & impersonation, user impersonation, text lures, credential phishing links, phishing attachments, and links to fake cloud storage locations. These sophisticated techniques make phishing emails appear legitimate, while presenting malicious files and links for a user to access.

Microsoft to Introduce New Model for Patch Tuesday

Tuesday, September 13th was the last standard Patch Tuesday from Microsoft. No longer will updates be sent as individual patches.

Patch Tuesday is the infamous term for Microsoft’s monthly updates for its Windows operating systems and software applications. The updates are released on the second Tuesday of each month.

From now on, all Microsoft patches will be bundled together in monthly update packs. Users will have to update the entire batch of patches. Microsoft is no longer giving users the option to pick and choose which updates to install. The monthly updates will also be cumulative from prior months. So November’s update will have the patches from October tacked on as well.

As nice as it is to get all updates lumped together, there is a sacrifice in user control. Users will no longer be able to avoid certain unwanted patches and updates. System administrators should take notice and review how these changing procedures will affect their patch and update process.

Is Your Printer Exposing You to Malware Attacks?


Security researchers at Vectra Networks discovered a 20-year-old flaw affecting all versions of Microsoft Windows. The vulnerability is in the way Windows interacts with network printers. It allows an attacker to infect an end-user from the Internet and move throughout the network.

Microsoft Web Point-and-Print

Microsoft realized that while most organizations try to limit the privilege of the devices on their network like laptops, it doesn’t work as smoothly for printers. Printers are only useful if they can support any user wanting to connect and print. Users moving throughout a building expect to easily connect to the nearest printer.

The problem: Most organizations use different printer models within the network, and it’s a hassle for the administrator to install printer drivers for every machine they manage.

The solution: Design a way to deliver a driver for whichever printer is nearby right before it’s used. Enter Microsoft’s Web Point-and-Print protocol. This simple solution allows a Windows machine to receive and install a printer driver from the printer itself.

Vectra Networks Attack

However, Vectra Networks found a major flaw with this widely-used protocol. Their research found “Point-and-Print” lets printers – or anything pretending to be a printer – install malware… going back to Windows 95.

Basically, Microsoft designed a protocol with no user interaction, because that would confuse people and, like we mentioned, you just want it to work. However, the issue is that even in today’s operating systems, it bypasses the User Account Control with no notification or warning. Then it installs a kernel driver (aka God power) for anything your computer finds that looks like a network printer.

Then, voila! Any device that connects and tries to print can be infected with malware. Even if you remove the malware from the device, it will get reinfected every time it tries to print.

This vulnerability can effectively turn any network connected device acting as a printer into an internal drive-by-exploit kit infecting machines when they try to print.

Vectra Networks demonstrated an attack using this flaw in their blog post. They summed it up nicely, “We have a weakly secured device that talks to nearly every Windows end-user device, and is trusted to deliver a system-level driver without checks or warnings.”

Key Takeaways

Unfortunately, this isn’t something that can really be fixed. Microsoft is not able to change this without breaking 20 years of printer driver installation protocols.

Microsoft added a patch for the issue in their latest Patch Tuesday report that will add a warning popup when a new printer driver attempts to install. While it’s not a perfect solution, if combined with internal awareness, it could be a helpful mitigating factor until the real problem can be addressed.

The real fix here is to simply turn off “Point-and-Print” and push it out through Group Policy settings.
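As an added example (not code from the original post or from Vectra Networks), the PowerShell below audits and sets the registry values behind the "Point and Print Restrictions" and "Only use Package Point and print" Group Policies the article points to, limiting driver installs to an approved server list and restoring the warning and elevation prompt. The server names are placeholders, and the RestrictDriverInstallationToAdministrators value is a later (2021) Microsoft addition.

```powershell
# Registry locations written by the Point and Print policies (Computer Configuration >
# Administrative Templates > Printers). Run in an elevated session; in a domain,
# put the same values in a GPO rather than setting them host by host.
$PnP    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PkgPnP = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Get-PointAndPrintState {
    # Report the values a reviewer cares about; $null means "not configured",
    # which falls back to the unrestricted driver-push behaviour described above.
    $names = 'Restricted', 'TrustedServers', 'ServerList', 'InForest',
             'NoWarningNoElevationOnInstall', 'UpdatePromptSettings',
             'RestrictDriverInstallationToAdministrators'
    $state = [ordered]@{}
    foreach ($n in $names) {
        $state[$n] = (Get-ItemProperty -Path $PnP -Name $n -ErrorAction SilentlyContinue).$n
    }
    $state['PackagePointAndPrintOnly'] =
        (Get-ItemProperty -Path $PkgPnP -Name PackagePointAndPrintOnly -ErrorAction SilentlyContinue).PackagePointAndPrintOnly
    [pscustomobject]$state
}

function Test-PointAndPrintHardened {
    # True only when installs are limited to trusted servers AND the prompts are on.
    $s = Get-PointAndPrintState
    return ($s.Restricted -eq 1 -and $s.TrustedServers -eq 1 -and
            -not [string]::IsNullOrEmpty($s.ServerList) -and
            $s.NoWarningNoElevationOnInstall -eq 0 -and $s.UpdatePromptSettings -eq 0)
}

function Set-PointAndPrintHardening {
    param([Parameter(Mandatory)][string[]]$TrustedPrintServers)
    foreach ($p in $PnP, $PkgPnP) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    }
    Set-ItemProperty -Path $PnP -Name Restricted     -Value 1 -Type DWord   # policy enabled
    Set-ItemProperty -Path $PnP -Name TrustedServers -Value 1 -Type DWord   # only listed servers
    Set-ItemProperty -Path $PnP -Name ServerList -Value ($TrustedPrintServers -join ';') -Type String
    Set-ItemProperty -Path $PnP -Name InForest       -Value 1 -Type DWord   # and only forest members
    # 0 = show the warning AND the elevation prompt when a driver is installed or updated
    Set-ItemProperty -Path $PnP -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
    Set-ItemProperty -Path $PnP -Name UpdatePromptSettings          -Value 0 -Type DWord
    # Later Microsoft addition (2021): non-administrators cannot install print drivers at all
    Set-ItemProperty -Path $PnP -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
    # Accept only signed, packaged drivers, which closes the legacy driver-push path
    Set-ItemProperty -Path $PkgPnP -Name PackagePointAndPrintOnly -Value 1 -Type DWord
}

# Placeholder server names; replace with the FQDNs of your own print servers.
Set-PointAndPrintHardening -TrustedPrintServers 'print01.corp.example', 'print02.corp.example'
Get-PointAndPrintState
"Hardened: $(Test-PointAndPrintHardened)"
```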

Recent Court Ruling Delivers a Victory for Data Privacy

A recent case against Microsoft ended in a victory for data privacy. The U.S. Court of Appeals for the Second Circuit held that Microsoft cannot be compelled to hand over customer emails stored abroad to U.S. law enforcement.


The U.S. government obtained a warrant under the 30-year-old Stored Communications Act (SCA) to access contents of emails and information of a Microsoft user. Microsoft declined to hand over the emails stored on a server in Ireland. They argued that search warrants under the SCA only apply to data within the U.S.

The government held the belief that the location of stored electronic files is irrelevant. Simply put, the files are under Microsoft’s control and they are required to produce them. Subsequently, in April 2014, a judge ruled that Microsoft must adhere to a search warrant and turn over user data to U.S. law enforcement, even if the data sits outside the U.S.

Appeal Ruling

The ruling was overturned by the Second Circuit based on a narrow interpretation of the SCA. Specifically, the Second Circuit found that the SCA’s warrant provisions were not intended to apply outside the U.S.

Based on this decision, internet service providers subject to the SCA have a good argument for refusing to disclose client information held outside of the U.S. in response to a government warrant. Judge Gerard E. Lynch’s opinion mentioned the original intent, “there is no evidence that Congress has ever weighed the costs and benefits of authorizing court orders of the sort at issue in this case.”

Key Takeaway

In the ongoing battle between the concerns of privacy and law enforcement duties, this seems to be a leg up for the privacy side. Going forward, this decision could give law enforcement and investigators some trouble when dealing with foreign suspects.

Companies can disperse email or communication files throughout the world and provide users a level of protection against U.S. law enforcement. Even domestic cases could be affected if data on U.S. citizens is moved across borders and outside U.S. jurisdiction.

The call to action is for Congress to take the next step and revise the SCA to more accurately reflect the dynamic age of technology and information we’re in.

Time to Upgrade: Microsoft- Older IE No Longer Supported

Users of Microsoft’s Internet Explorer will need to upgrade to the latest version or switch to a different browser. As reported, Microsoft is sending out the last security updates for older Internet Explorer versions – IE7, IE8, IE9, and IE10. Microsoft will only be supporting IE9 on Windows Vista and Windows Server 2008, and IE10 on Windows Server 2012. All other Microsoft users must be running IE11 or Edge to receive security updates and technical support from Microsoft.

The following list includes the operating systems and browser version combinations that will continue to be supported:

[Image: table of the operating system and Internet Explorer version combinations that remain supported.]

What Does This Mean for You?

For the versions being left behind, this means no updates, no patches, no fixes, no support options if something goes wrong. This creates more migration work for IT managers to update IE browsers to the latest version. Plenty of malware is being delivered through web browsers, so updating from these now-legacy browsers will be an important task.

Threat Alert: Dorkbot

[US-CERT released this Threat Alert warning about Dorkbot.]

Systems Affected

Microsoft Windows


Dorkbot is a botnet used to steal online payment, participate in distributed denial-of-service (DDoS) attacks, and deliver other types of malware to victims’ computers. According to Microsoft, the family of malware used in this botnet “has infected more than one million personal computers in over 190 countries over the course of the past year.” The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and Microsoft, is releasing this Technical Alert to provide further information about Dorkbot.


Dorkbot-infected systems are used by cyber criminals to steal sensitive information (such as user account credentials), launch denial-of-service (DoS) attacks, disable security protection, and distribute several malware variants to victims’ computers. Dorkbot is commonly spread via malicious links sent through social networks or instant message programs, or through infected USB devices.

In addition, Dorkbot’s backdoor functionality allows a remote attacker to exploit an infected system. According to Microsoft’s analysis, a remote attacker may be able to:

  • Download and run a file from a specified URL;
  • Collect logon information and passwords through form grabbing, FTP, POP3, or Internet Explorer and Firefox cached login details; or
  • Block or redirect certain domains and websites (e.g., security sites).


A system infected with Dorkbot may be used to send spam, participate in DDoS attacks, or harvest users’ credentials for online services, including banking services.


Users are advised to take the following actions to remediate Dorkbot infections:

  • Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. Even though Dorkbot is designed to evade detection, security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your anti-virus software up-to-date. If you suspect you may be a victim of Dorkbot, update your anti-virus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)
  • Change your passwords – Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords for more information.)
  • Keep your operating system and application software up-to-date – Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches for more information.)
  • Use anti-malware tools – Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool (see example below) to help remove Dorkbot from their systems.
  • Disable Autorun – Dorkbot tries to use the Windows Autorun function to propagate via removable drives (e.g., USB flash drive). You can disable Autorun to stop the threat from spreading.


http://www.microsoft.com/security/scanner/en-us/default.aspx

The above example does not constitute an exhaustive list. The U.S. Government does not endorse or support any particular product or vendor.
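To put the alert’s “Disable Autorun” step into practice, here is an added PowerShell example (not part of the US-CERT alert) that audits, sets and re-checks the NoDriveTypeAutoRun policy for the machine and the current user. The drive-type bit values are the documented ones; the Windows default leaves removable drives, the vector the alert names, enabled.

```powershell
# NoDriveTypeAutoRun is a bitmask of drive types on which AutoRun is suppressed.
# The Windows default (0x91) covers unknown (0x01, 0x80) and network (0x10) drives only,
# so removable drives (0x04) stay enabled. 0xFF suppresses AutoRun on every type.
# Older Windows (XP/2003/Vista/2008) honours this value only with update KB967715 installed.
$AutorunPolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',  # all users (wins)
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # current user
)
$DriveTypeBits = [ordered]@{
    Unknown = 0x01; Removable = 0x04; Fixed = 0x08; Network = 0x10
    CDROM   = 0x20; RamDisk   = 0x40; Unrecognized = 0x80
}

function Get-AutorunPolicy {
    param([string]$Path)
    $v = (Get-ItemProperty -Path $Path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $v) { $v = 0x91 }   # value absent -> the Windows default applies
    $suppressed = $DriveTypeBits.GetEnumerator() |
        Where-Object { ($v -band $_.Value) -ne 0 } |
        Select-Object -ExpandProperty Key
    [pscustomobject]@{
        Path               = $Path
        Value              = ('0x{0:X2}' -f $v)
        SuppressedOn       = ($suppressed -join ', ')
        RemovableProtected = (($v -band $DriveTypeBits.Removable) -ne 0)
    }
}

function Disable-Autorun {
    # Set the policy for the machine and the current user; HKLM needs an elevated session.
    foreach ($p in $AutorunPolicyPaths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        Set-ItemProperty -Path $p -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
}

# Audit before, apply, audit after. The change takes effect after Explorer restarts or the user logs off.
$AutorunPolicyPaths | ForEach-Object { Get-AutorunPolicy $_ } | Format-Table -AutoSize
Disable-Autorun
$AutorunPolicyPaths | ForEach-Object { Get-AutorunPolicy $_ } | Format-Table -AutoSize
```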


Email Scam: Windows 10 Free Upgrade

Microsoft released the highly anticipated Windows 10 software on July 29, which was downloaded over 14 million times within the first 24 hours. Also within a short time frame, malware campaigns have sprung up to take advantage of the wave of new users downloading the upgraded software.

Cisco’s Talos Group reported an email message making the rounds posing as Microsoft offering the free upgrade to users in an attachment of the email (the picture is a sample of the fake messages being sent). The email is being sent under the subject: Windows 10 Free Upgrade.

Key Scam Elements:

  • From address. The scammers are making the email look legitimate by spoofing the Microsoft domain (update@microsoft.com). But upon closer examination, the header shows that the originating IP address is in Thailand.
  • Color scheme. The color scheme used in the fake emails gives off the look and feel of an email a user would expect to come from Microsoft.
  • Email text. There are several characters throughout the body of the email that don’t show properly. This could be for a variety of reasons, including an alternative character set being used to create the email.
  • Disclaimer. Scammers are starting to add disclaimers that one would expect to be included in an email message from Microsoft. Another key aspect to be aware of is the short message at the bottom claiming the message attachment has been scanned and found free of any dangerous content.


Users who download the zip file from within the email and run the executable are quickly made aware of their mistake. A message will appear alerting the user that their personal files are encrypted by CTB-Locker, a ransomware variant. Users will be required to submit payment before a deadline to keep their files from being permanently locked down.
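As an added example (not from this post, the Talos report, or the Microsoft report summarized above), the PowerShell below pulls from a raw message header the signals that both the “domain spoofing & impersonation” technique and the From-address scam element above rely on: the displayed From domain, the bounce (Return-Path) domain, and the originating IP and HELO name from the first Received hop. The header is constructed for this example with documentation-range IPs; in real triage the extracted IP is what you hand to a reputation or geolocation lookup.

```powershell
# Constructed sample header (not a real scam message). Relays prepend Received:
# lines, so the LAST one is the hop closest to the sender.
$SampleHeader = @'
Received: from mx.example-corp.test (mx.example-corp.test [198.51.100.7])
    by inbound.example-corp.test with ESMTP; Wed, 05 Aug 2015 09:12:01 -0700
Received: from unknown (HELO update.microsoft.com) ([203.0.113.45])
    by mx.example-corp.test with SMTP; Wed, 05 Aug 2015 09:11:58 -0700
Return-Path: <bounce@mailer.example.test>
From: "Microsoft" <update@microsoft.com>
Subject: Windows 10 Free Upgrade
'@

function ConvertFrom-RawHeader {
    param([string]$Header)
    # Unfold RFC 5322 continuation lines (newline followed by whitespace), then split.
    $unfolded = $Header -replace "`r?`n[ \t]+", ' '
    $unfolded -split "`r?`n" | Where-Object { $_ -match '^\S' }
}

function Get-HeaderDomain {
    param([string[]]$Lines, [string]$Field)
    $line = $Lines | Where-Object { $_ -match "^${Field}:" } | Select-Object -First 1
    if ($line -and $line -match '([\w.+-]+)@([\w.-]+)') { $Matches[2].ToLower() } else { $null }
}

function Get-OriginatingHop {
    param([string[]]$Lines)
    $first = $Lines | Where-Object { $_ -match '^Received:' } | Select-Object -Last 1
    $ip   = if ($first -match '\[(\d{1,3}(?:\.\d{1,3}){3})\]') { $Matches[1] } else { $null }
    $helo = if ($first -match '\(HELO ([\w.-]+)\)')             { $Matches[1] } else { $null }
    [pscustomobject]@{ IP = $ip; Helo = $helo; Raw = $first }
}

function Test-SpoofedSender {
    param([string]$Header)
    $lines = ConvertFrom-RawHeader $Header
    $from  = Get-HeaderDomain $lines 'From'
    $rpath = Get-HeaderDomain $lines 'Return-Path'
    $hop   = Get-OriginatingHop $lines
    $flags = @()
    if ($rpath -and $from -ne $rpath) {
        $flags += "From domain '$from' differs from Return-Path domain '$rpath'"
    }
    if ($hop.Helo -and $hop.Helo -like "*$from" -and $hop.Raw -match 'from unknown') {
        $flags += "First hop claims HELO '$($hop.Helo)' but has no reverse DNS; check IP $($hop.IP)"
    }
    [pscustomobject]@{ FromDomain = $from; ReturnPath = $rpath; OriginIP = $hop.IP; Flags = $flags }
}

Test-SpoofedSender $SampleHeader | Format-List
```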

Best Practices:

Users should back up their data and store the backup offline, so that it cannot be reached by attackers or ransomware.

Windows Server 2003: End of Life

As of July 14, 2015 Microsoft will no longer offer support or issue security updates for any version of Windows Server 2003. Microsoft recommends current users upgrade to Windows Server 2012 R2, and Microsoft Azure and Office 365 where applicable.

Using unsupported software will increase the risks of viruses and other security threats. To continue receiving support for Windows Server 2003 organizations will need to pay a fee that some are expecting to start at $600 per server, per year.

Organizations should migrate to a new operating system as soon as possible and lock down any servers still using the old operating system.

Pros and Cons of New Windows Feature Wi-Fi Sense


Wi-Fi Sense, a new feature added to Windows 10, helps simplify connecting users to nearby Wi-Fi networks. Wi-Fi Sense automatically connects users to open Wi-Fi networks and accepts the network’s terms on behalf of the user. Security experts are concerned with the feature’s ability to allow users to share access to protected Wi-Fi networks with their “contacts” or “friends” in Outlook, Skype, and Facebook.

The users’ Wi-Fi passwords (for example for a home or work Wi-Fi network) are shared with Microsoft. Microsoft claims that passwords are sent over encrypted connections and stored in encrypted files. The Wi-Fi Sense feature, which is enabled by default, then automatically connects “contacts” and “friends” of the user to their protected network through Windows 10 or their Windows smartphone.

Security Risks

This introduces potential security risks in that anyone can use their connections with an employee to “share Wi-Fi” to gain access to the corporate wireless network, for example while sitting in the organization’s parking lot.

Another concern from users is that Wi-Fi network passwords could potentially be shared with contacts of contacts, allowing people you don’t know to connect to your work or home network. Microsoft currently ensures that shared networks are not shared with contacts of contacts.

Wi-Fi Sense allows Microsoft to map users and their connections. Users must opt out if they don’t want such tracking of their location. The worry is that Microsoft is able to gather valuable location information that can be sold to third parties.

Wi-Fi Sense presents the traditional tradeoff between convenience and security. It provides added value with greater access to Wi-Fi and the associated saving on data usage, as well as saving time acquiring and entering passwords to connect to a network. However, it could allow someone who shouldn’t be authorized access to a network, or it could connect your device to an unsecured Wi-Fi network without your permission.

Organizations should be aware of this feature in Windows 10 and Windows phones and devices. The security risks should be weighed against the added value and convenience. If the tradeoff isn’t determined to be beneficial, be sure to disable and opt out of Wi-Fi Sense.
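For the “disable and opt out” step, here is an added PowerShell example (not Microsoft’s code or part of the original post) that turns Wi-Fi Sense off through the WLAN Service policy value and lists the saved wireless profiles whose SSIDs carry no _optout marker, i.e. the networks a user could still share. It assumes an English-locale netsh output; note that Microsoft later removed the contact-sharing part of Wi-Fi Sense in the Windows 10 Anniversary Update, so the check matters most on early Windows 10 builds.

```powershell
# AutoConnectAllowedOEM backs the WLAN Service policy "Allow Windows to automatically
# connect to suggested open hotspots, to networks shared by contacts, and to hotspots
# offering paid services"; 0 disables Wi-Fi Sense for every user of the device.
$WiFiSenseConfig = 'HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config'

function Get-WiFiSenseState {
    $v = (Get-ItemProperty -Path $WiFiSenseConfig -Name AutoConnectAllowedOEM -ErrorAction SilentlyContinue).AutoConnectAllowedOEM
    [pscustomobject]@{ AutoConnectAllowedOEM = $v; Disabled = ($v -eq 0) }
}

function Disable-WiFiSense {
    # Requires an elevated session; in a domain push the same value through Group Policy.
    if (-not (Test-Path $WiFiSenseConfig)) { New-Item -Path $WiFiSenseConfig -Force | Out-Null }
    Set-ItemProperty -Path $WiFiSenseConfig -Name AutoConnectAllowedOEM -Value 0 -Type DWord
}

function Get-SavedWlanProfiles {
    # Parse "netsh wlan show profiles"; profile lines look like
    # "    All User Profile     : CorpWiFi" (English locale assumed).
    netsh wlan show profiles | ForEach-Object {
        if ($_ -match 'Profile\s+:\s+(.+?)\s*$') { $Matches[1] }
    }
}

function Get-ShareableNetworks {
    # Microsoft's documented per-network opt-out is to put "_optout" in the SSID;
    # anything else a user has saved is a candidate for sharing through Wi-Fi Sense.
    Get-SavedWlanProfiles | ForEach-Object {
        [pscustomobject]@{ SSID = $_; OptedOut = ($_ -like '*_optout*') }
    }
}

Get-WiFiSenseState
Get-ShareableNetworks | Where-Object { -not $_.OptedOut } | Format-Table -AutoSize
Disable-WiFiSense
Get-WiFiSenseState
```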

Wi-Fi Sense FAQs.

Microsoft Windows 10 Security Features, and the End of Patch Tuesday

With the release of Windows 10, possible as early as this summer, Microsoft will cease to issue its infamous “Patch Tuesday” updates every month, provided since 2003. The new Windows Update for Business will give IT managers the ability to create their own patch-release schedule or have anytime updates.

Agile development techniques and new versions of applications being released every few weeks have caused vendors to release patch updates more frequently. Microsoft is trying to adopt these techniques as well.

Microsoft revealed new features included in Windows 10 at its Ignite conference in Chicago. InfoSec highlighted the key features relating to security:

  • Device protection: Hardware-based Secure Boot can restrict the types of software that load when the device is powered on. A new Device Guard can be set to only allow a “white list” of approved applications to run, backed by Hyper-V, a native hypervisor that creates virtual machines. Microsoft is touting a “new device health capability” that ensures endpoints are free from malware and bugs, and fully updated, before they’re allowed to connect to enterprise resources.
  • Identity protection: Microsoft says the Windows 10 Passport – which also uses Hyper-V – can protect credentials and handle secure authentication with networks and websites without sending passwords, thus providing a defense against phishing attacks. The new Windows Hello feature, meanwhile, allows for biometric access controls via faces or fingerprints.
  • Application protection: Microsoft will certify the security of applications purchased via its Windows Store for Business. Businesses can also set Device Guard to only allow those certified applications to run on a device. All applications will also be restricted to only using kernel-level drivers that are digitally signed by Microsoft. “Windows 10 will not allow older drivers to run unless fully compatible with Windows 10,” says Sean Sullivan, security adviser at anti-virus vendor F-Secure. “Microsoft expects developers to tighten up their old code … which is better for both security and the user experience.”
  • Information protection: Enterprise Data Protection can be set to automatically encrypt all corporate data, including files, emails and website content, as it arrives on the device from online or corporate networks.