Jerry Bryant's Security Blog

SUS 1.0 after December security updates

2005-12-14T15:59:00Z

SUS 1.0 admins may experience an issue where previously approved updates are showing an unapproved. It's important to note that this does not impact the update level of your SUS clients or your ability to deploy the latest updates. We have released the following Knowledge Base article that discusses this issue in detail:

http://support.microsoft.com/?kbid=912307

There are some workarounds in the KB and we are working to get a script out that will eliviate this problem. The KB will be updated as that information becomes available.

Security Bulletin(s) for December 2005

2005-12-14T15:56:00Z

December 13, 2005

Today Microsoft released the following Security Bulletin(s).

Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

Bulletin Summary:

http://www.microsoft.com/technet/security/Bulletin/ms05-Dec.mspx

Critical Bulletins:

Cumulative Security Update for Internet Explorer (905915)
http://www.microsoft.com/technet/security/Bulletin/ms05-054.mspx

Important Bulletins:
Vulnerability in Windows Kernel Could Allow Elevation of Privilege (908523)
http://www.microsoft.com/technet/security/Bulletin/ms05-055.mspx

Released Bulletins
Vulnerability in DirectShow Could Allow Remote Code Execution (904706)
http://www.microsoft.com/technet/security/Bulletin/ms05-050.mspx

This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins out side of this schedule if we determine the need to do so. If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.

Security Bulletin(s) for November 2005

2005-11-08T20:17:00Z

November 8, 2005

Today Microsoft released the following Security Bulletin(s).

Bulletin Summary:

http://www.microsoft.com/technet/security/Bulletin/ms05-Nov.mspx

Critical Bulletins:

Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424)
http://www.microsoft.com/technet/security/Bulletin/ms05-053.mspx

Two new Anti-Malware sites...

2005-11-02T03:31:00Z

1. A new blog created and staffed by Microsoft's Anti-Malware Team - http://blogs.technet.com/antimalware/

2. The Windows Live Safety Center (Beta), announced / released today - http://safety.live.com. From this site, you can run a virus scan of your machine using Microsoft's Antimalware technology. The difference between this site and the online / ActiveX version of the Windows Malicious Software Removal Tool (at http://www.microsoft.com/malwareremove) is that http://safety.live.com uses our full set of malware signatures. It is likely that http://safety.live.com will eventually replace the online version of the tool, but we will continue to ship the tool to the Download Center and WU / MU / AU / WSUS.

Windows XP Security Guide v2.1

2005-10-25T23:30:00Z

Version 2.1 of the Windows XP Security Guide now available.
The Microsoft Solutions for Security and Compliance (MSSC) team is proud to announce the release to Web of version 2.1 of the Windows XP Security Guide.

This guide is the first of three closely related security guides that are being updated. The other two guides are the Windows Server 2003 Security Guide and Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP.

Solution Content
This version of the Windows XP Security Guide was updated to provide additional security guidance for:

· Maintaining different levels of security and control on Windows XP client computers.

· Securing Windows XP client computers that are not members of an Active Directory domain.

· Security settings for computers that must function reliably in extremely critical roles in high security environments.

Information about the security features in SP2 was included as an appendix in the previous version of this guide. This information has now been integrated throughout the guide, and thoroughly tested templates for Windows Firewall security settings are provided. Information is also provided about closing ports, Remote Procedure Call (RPC) communications, memory protection, e-mail handling, Web download controls, spyware controls, and much more.

Where to Find the Windows XP Security Guide
The guide was developed, reviewed, and approved by teams of authoritative experts in security management. It is available on the TechNet Security Center at http://go.microsoft.com/fwlink/?linkid=14839. The guide is also available for download from the Microsoft Download Center at http://go.microsoft.com/fwlink/?linkid=14840.

For other security solutions from the Microsoft Solutions for Security and Compliance (MSSC) team, click here.

Issues with MS05-051?

2005-10-18T17:20:00Z

SYMPTOMS
On a computer that is running Microsoft Windows XP, Microsoft Windows 2000 Server, or Windows Server 2003, one or more problems may occur after you install the critical update that is discussed in Microsoft Security Bulletin MS05-051. These problems include the following: • The Windows Installer service may not start.
• The Windows Firewall Service may not start.
• The Network Connections folder is empty.
• The Windows Update Web site may incorrectly recommend that you change the Userdata persistence setting in Microsoft Internet Explorer.
• Active Server Pages (ASP) pages that are running on Microsoft Internet Information Services (IIS) return an “HTTP 500 – Internal Server Error” error message.
• The Microsoft COM+ EventSystem service will not start.
• COM+ applications will not start.
• The computers node in the Microsoft Component Services Microsoft Management Console (MMC) tree will not expand.
• Authenticated users cannot log on, and a blank screen appears after the users apply the October Security Updates.

For the Cause and Resolution, see:

http://support.microsoft.com/Default.aspx?id=909444

Security Bulletins for October 2005

2005-10-11T15:47:00Z

October 11, 2005
Today Microsoft released the following Security Bulletin(s).

Bulletin Summary:

http://www.microsoft.com/technet/security/Bulletin/ms05-Oct.mspx

Critical Bulletins:

Vulnerability in DirectShow Could Allow Remote Code Execution (904706)
http://www.microsoft.com/technet/security/Bulletin/ms05-050.mspx

Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400)
http://www.microsoft.com/technet/security/Bulletin/ms05-051.mspx

Cumulative Security Update for Internet Explorer (896688)
http://www.microsoft.com/technet/security/Bulletin/ms05-052.mspx

Important Bulletins:

Vulnerability in the Client Services for Netware Could Allow Remote Code Execution (899589)
http://www.microsoft.com/technet/security/Bulletin/ms05-046.mspx

Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege (905749)
http://www.microsoft.com/technet/security/Bulletin/ms05-047.mspx

Vulnerability in the Microsoft Collaboration Objects Could Allow Remote Code Execution (907245)
http://www.microsoft.com/technet/security/Bulletin/ms05-048.mspx

Vulnerabilities in Windows Shell Could Allow Remote Code Execution (900725)
http://www.microsoft.com/technet/security/Bulletin/ms05-049.mspx

Moderate Bulletins:

Vulnerability in the Windows FTP Client Could Allow File Transfer Location and Tampering (905495)
http://www.microsoft.com/technet/security/Bulletin/ms05-044.mspx

Vulnerability in Network Connection Manager Could Allow Denial of Service (905414)
http://www.microsoft.com/technet/security/Bulletin/ms05-045.mspx

If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.

Shared Computer Toolkit for Windows XP

2005-09-26T15:08:00Z

Here is a technology a lot of people are interested in...

Overview

Shared computers are commonly found in schools, libraries, Internet and gaming cafés, community centers, and other locations. Often, non-technical personnel are asked to manage shared computers in addition to their primary responsibilities.

Managing shared computers can be difficult, time-consuming, and expensive. Without restrictions, users can change the desktop appearance, reconfigure system settings, and introduce spyware, viruses, and other harmful programs. Repairing damaged shared computers costs significant time and effort.

User privacy is also an issue. Shared computers often use shared accounts that make Internet history, saved documents, and cached Web pages available to subsequent users.

The Microsoft Shared Computer Toolkit for Windows XP provides a simple and effective way to defend shared computers from untrusted users and malicious software, safeguard system resources, and enhance and simplify the user experience. The Toolkit runs on genuine copies of Windows XP Professional, Windows XP Home Edition, and Windows XP Tablet PC Edition.

Tools Summary
The Toolkit includes several command-line tools and the following graphical tools:

Getting Started. Provides access to computer settings and utilities and helps first-time operators learn the Toolkit basics quickly.
Windows Disk Protection. Protects the Windows partition (typically drive C) that contains the Windows operating system and other programs from being modified without administrator approval. Disk changes made are cleared with each restart unless the administrator chooses to save them.
User Restrictions. Restricts user access to programs, settings, and Start menu items. The tool also allows you to lock shared local user profiles to prevent permanent changes. (This tool is specifically for use in workgroup environments that do not use Active Directory and Group Policy. A Group Policy template is also included for use in Active Directory environments.)
Profile Manager. Creates and deletes user profiles. You can use this tool to create user profiles on alternative drives that will retain data and settings even though Windows Disk Protection is on. You can also use the tool to completely delete profiles that have been locked by the User Restrictions tool.
Accessibility. Makes Windows accessibility options and utilities such as StickyKeys, FilterKeys, and Magnifier available to users who have been restricted from accessing Control Panel and other system settings.

http://www.microsoft.com/downloads/details.aspx?familyid=7256d456-e3da-42ea-857d-92b716077a84&displaylang=en

Anti-Phishing White Paper

2005-09-26T15:03:00Z

IE 7.0 will have Anti-Phishing built in and this capability will be added to the MSN toolbar as well. This white paper describes the basic workings of this technology. From what I've seen, this will be a great addition for customers. Download the white paper here:

http://www.microsoft.com/downloads/details.aspx?familyid=b4022c66-99bc-4a30-9ecc-8bdefcf0501d&displaylang=en

Visio Connector for MBSA 2.0

2005-08-15T21:21:00Z

If you like a graphical view of your security scans, you won't want to miss this.

At a glance, you'll be able to:
· Pinpoint vulnerabilities on the color-coded diagram.
· Identify solutions in the detailed network diagram scan results.
· Prioritize actions based on the results presented in the network diagram.

See: http://www.microsoft.com/technet/security/tools/mbsavisio.mspx

MS05-038 Cumulative Patch for IE - Issues

2005-08-10T12:59:00Z

There were some issues with the digital signatures on some of the IE updates that were preventing installation. For that reason the updates were removed from the download center. Windows Update, Microsoft Update, SUS and WSUS are not affected. Will try to post an update as soon as more information is available.

Update: the bulletin was updated today and the downloads restored to the download center.

Microsoft Security Bulletin(s) for August 2005

2005-08-09T15:36:00Z

August 9, 2005
Today Microsoft released the following Security Bulletin(s).

Bulletin Summary:

http://www.microsoft.com/technet/security/Bulletin/ms05-Aug.mspx

Critical Bulletins:

Cumulative Security Update for Internet Explorer (896727)
http://www.microsoft.com/technet/security/Bulletin/ms05-038.mspx

Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)
http://www.microsoft.com/technet/security/Bulletin/ms05-039.mspx

Vulnerability in Print Spooler Service Could Allow Remote Code Execution (896423)
http://www.microsoft.com/technet/security/Bulletin/ms05-043.mspx

Important Bulletins:

Vulnerability in Telephony Service Could Allow Remote Code Execution (893756)
http://www.microsoft.com/technet/security/Bulletin/ms05-040.mspx

Moderate Bulletins:

Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (899591)
http://www.microsoft.com/technet/security/Bulletin/ms05-041.mspx

Vulnerabilities in Kerberos Could Allow Denial of Service, Information Disclosure, and Spoofing (899587)
http://www.microsoft.com/technet/security/Bulletin/ms05-042.mspx

Re-Released Bulletins:

Vulnerabilities in Microsoft Word May Lead to Remote Code Execution (890169)
http://www.microsoft.com/technet/security/Bulletin/ms05-023.mspx

Vulnerability in Microsoft Agent Could Allow Spoofing (890046) (890169)http://www.microsoft.com/technet/security/Bulletin/ms05-032.mspx

Microsoft Security Bulletin(s) for July 2005

2005-07-12T15:08:00Z

July 12, 2005
Today Microsoft released the following Security Bulletin(s).

Bulletin Summary:

http://www.microsoft.com/technet/security/Bulletin/ms05-Jul.mspx

Critical Bulletins:

Vulnerability in Microsoft Word Could Allow Remote Code Execution (903672)
http://www.microsoft.com/technet/security/Bulletin/ms05-035.mspx

Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution (901214)
http://www.microsoft.com/technet/security/Bulletin/ms05-036.mspx

Vulnerability in JView Profiler Could Allow Remote Code Execution (903235)
http://www.microsoft.com/technet/security/Bulletin/ms05-037.mspx

Re-Released Bulletins:

Vulnerability in Telnet Client Could Allow Information Disclosure (896428)
http://www.microsoft.com/technet/security/Bulletin/ms05-033.mspx

Microsoft Security Bulletin(s) for June 2005

2005-06-14T15:29:00Z

June 14, 2005
Today Microsoft released the following Security Bulletin(s).

Bulletin Summary:

http://www.microsoft.com/technet/security/Bulletin/ms05-Jun.mspx

Critical Bulletins:

Cumulative Security Update for Internet Explorer (883939)
http://www.microsoft.com/technet/security/Bulletin/ms05-025.mspx

Vulnerability in HTML Help Could Allow Remote Code Execution (896358)
http://www.microsoft.com/technet/security/Bulletin/ms05-026.mspx

Vulnerability in Server Message Block Could Allow Remote Code Execution (896422)
http://www.microsoft.com/technet/security/Bulletin/ms05-027.mspx

Important Bulletins:

Vulnerability in Web Client Service Could Allow Remote Code Execution (896426)
http://www.microsoft.com/technet/security/Bulletin/ms05-028.mspx

Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks (895179)
http://www.microsoft.com/technet/security/Bulletin/ms05-029.mspx

Cumulative Security Update in Outlook Express (897715)
http://www.microsoft.com/technet/security/Bulletin/ms05-018.mspx

Cumulative Security Update in Outlook Express (897715)
http://www.microsoft.com/technet/security/Bulletin/ms05-030.mspx

Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (898458)
http://www.microsoft.com/technet/security/Bulletin/ms05-031.mspx

Moderate Bulletins:

Vulnerability in Microsoft Agent Could Allow Spoofing (890046)
http://www.microsoft.com/technet/security/Bulletin/ms05-032.mspx

Vulnerability in Telnet Client Could Allow Information Disclosure (896428)
http://www.microsoft.com/technet/security/Bulletin/ms05-033.mspx

Cumulative Security Update for ISA Server 2000 (899753)
http://www.microsoft.com/technet/security/Bulletin/ms05-034.mspx

Re-Released Bulletins:

SQL Server Installation Process May Leave Passwords on System (Q263968)
http://www.microsoft.com/technet/security/Bulletin/ms02-032.mspx

ASP.NET Path Validation Vulnerability (887219)
http://www.microsoft.com/technet/security/Bulletin/ms05-004.mspx

Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks (895179)
http://www.microsoft.com/technet/security/Bulletin/ms05-029.mspx

How we do security at Microsoft

2005-06-11T05:14:00Z

One of the topics that is requested year after year at our global MVP Summits (event where MVPs from all around the world come to Redmond for a few days) is how do we do security at Microsoft. It should be no surprise that Microsoft has one of the most attacked networks in the world. Well, we don't keep too many secrets about how we do security. Searching our Download Center, you will find numerous white papers on lots of different security topics showing you how we did it. Here are some examples:

Detailed discussion on how Microsoft IT introduced Domain Isolation to the Microsoft global enterprise network.
http://www.microsoft.com/downloads/details.aspx?familyid=a97ddc48-a364-4756-bb3c-91da274118fe&displaylang=en

Overview of why and how Microsoft IT proactively deployed Windows XP Service Pack 2. Windows XP Service Pack 2 is a critical security release that addresses Internet-based security threats.
http://www.microsoft.com/downloads/details.aspx?familyid=36648245-6eac-458e-87bd-046a16f3d385&displaylang=en

Overview discussion on what the Microsoft Corporate Security group does to prevent malicious or unauthorized use of digital assets at Microsoft.
http://www.microsoft.com/downloads/details.aspx?familyid=e959f26c-1f5c-4331-b1fb-6c720795704d&displaylang=en

Patterns & practices Security Wiki is now live on Channel9!

2005-06-07T03:27:00Z

If you are a software developer and you are interested in making sure that your application is robust and secure, this is a MUST see & utilize resource!

The Microsoft PAG ( patterns & practices ) folks have put online a resource that provides a view into their present and future deliverables around security engineering to application scenarios. The additional benefit is that the content is provided as a wiki so that the community can annotate, elaborate and contribute.

The security wiki is brought to you by the same folks who brought you "Improving Web Applicaton Security" and "Building Secure ASP.NET Applications" which are both great resources in their own right.

In their own words "This is where we think out loud. Here you’ll find emerging practices, guidance for application scenarios, security engineering, threat modeling, technical guidance and more. We’re looking for your experience, input and feedback to make this a useful resource for application security."

I've had the pleasure of working with the PAG folks on this effort.. I hope that you will also take this opportunity to contribute to making this security wiki a living, working resource that will improve the state of software security.

Check it out @ http://Channel9.Msdn.Com/Security
The topics discussed include everything from ApplicationSecurityMethodology to WebServerSecurity. The products and technologies cover everything from NETFrameworkSecurityHub to ASPNET2SecurityHub. Some of the resources that are provided include SecurityChecklists (These are awesome, BTW!) to information about the SecurityBlocks.

Now Live!

2005-06-06T14:51:00Z

Announced by Steve Ballmer at Tech-Ed today and now live on www.microsoft.com:

Windows Server Update Services (WSUS). Final release of WSUS went live today.

Microsoft Update (MU): Microsoft Update replaces Windows Update. In addition to Windows XP, MU now updates: Windows XP, Windows 2000 SP3, Windows Server 2003, Office XP, Office 2003, SQL Server 2000 SP4 and Exchange 2000.

Lots of new WSUS documentation!

2005-06-06T10:23:00Z

The next version of Software Update Services (SUS) is WSUS (Windows Update Services) which is currently out as a “Release Candidate” (almost the final version ;-).

Lots of documentation is not available for WSUS. Here is a list:

http://www.microsoft.com/downloads/details.aspx?familyid=2478d594-a29c-483c-9dc1-9740bf3081a5&displaylang=en

Overview of WSUS.

http://www.microsoft.com/downloads/details.aspx?familyid=3ba03939-a5a9-407b-a4b0-1290ba5182f8&displaylang=en

Getting started with WSUS on Windows Server 2003

http://www.microsoft.com/downloads/details.aspx?familyid=4169c932-63b5-4629-91d3-c8901c2afa07&displaylang=en

Getting started with WSUS on Windows 2000

http://www.microsoft.com/downloads/details.aspx?familyid=e26bcdb4-ef0b-4399-8a71-9b3b00c4f4cd&displaylang=en

Comprehensive guidance on administering and troubleshooting WSUS.

http://www.microsoft.com/downloads/details.aspx?familyid=e99c9d13-63e0-41ce-a646-eb36f1d3e987&displaylang=en

Comprehensive guidance on deploying WSUS.

http://www.microsoft.com/downloads/details.aspx?familyid=150e795e-ae32-4d47-a6b8-e01f918aae93&displaylang=en

Guidance on migrating from SUS to WSUS

Microsoft Security Bulletin(s) for May 2005

2005-05-10T15:20:00Z

May 10, 2005
Today Microsoft released the following Security Bulletin(s).

Bulletin Summary:

http://www.microsoft.com/technet/security/Bulletin/ms05-may.mspx

Important Bulletins:

Vulnerability in Web View Could Allow Remote Code Execution (894320)
http://www.microsoft.com/technet/security/Bulletin/ms05-024.mspx

XP update provides support for WPA2

2005-05-04T18:43:00Z

Wi-Fi Protected Access 2 (WPA2) support now available.

KB article with full details:
http://support.microsoft.com/kb/893357

Download location:
http://www.microsoft.com/downloads/details.aspx?familyid=662bb74d-e7c1-48d6-95ee-1459234f4483&displaylang=en

Windows XP SP2 is required and your wireless access point also has to support WPA2 so you may want to check your vendors site for new firmware.

Update: thanks to Eric Cross (Networking MVP) for pointing out this excellent article on WPA2 by our own Cable Guy:

http://www.microsoft.com/technet/community/columns/cableguy/cg0505.mspx