Archive for March, 2010

Microsoft Security Advisory (981374): Vulnerability in Internet Explorer Could Allow Remote Code Execution – Version: 2.0

Revision Note: V2.0 (March 30, 2010): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-018 to address this issue. For more information about this issue, including download links for an available security update, please review MS10-018. The vulnerability addressed is the Uninitialized Memory Corruption Vulnerability – CVE-2010-0806.

Categories: Uncategorized Tags:

Farewell from Mark Curphey & Please Help Me Fight Blood Cancer

March 30th, 2010 No comments

Mark Curphey here…..

It is with some degree of sadness that I have to hang up my spurs from this blog. Next Monday I take up a new role on the Server & Tools Online team (think MSDN & codeplex.com) where I will be heading up the subscriptions engineering team. I have held various security roles in big and small companies for the last 15 years and so it is very much a new chapter in my life as I follow my passions of modern development practices, online community and user experience. I call it Curphey 2.0!

The work of the Security Tools team will not change or be affected in any way. There is great work continuing including CAT.NET, WPL and WACA (as well as a whole lot more internal implementation engineering on Identity Management and other related security management tools). There is a LONG overdue release of CISF and updates due on the Security BI and Risk Tracker work we have been cranking out. The team will continue to use this blog to communicate public releases and share their work and learnings.

It has been an honor and a pleasure to work with the team. It is a very talented bunch of folks who have made work fun! You can follow my new adventures at my new personal blog http://www.curphey.com and as usual on Twitter using @curphey (or http://www.twitter.com/curphey). I will be posting some notes over on the BlueHat blog about my talk in Buenos Aires next week and have one final security keynote “10 Crazy Ideas That Might Actually Change the State of Information Security

One of the things I have been blown away by at Microsoft is the Corporate Citizenship and the culture of giving. It’s a part of our corporate culture that I think we can be very proud of. As I transition to my new role I wanted to share something personal. Before I move on I have a personal plea. Yes it’s a plea, a plea to your kind hearts and good nature. Last week I signed up to run the Seattle Rock’N’Roll Marathon with The Leukemia & Lymphoma Society’s (LLS) Team In Training. The run is on June 26th, 2010 and I am raising money to help fight blood cancer. I am not going for pace, I just want to finish and raise money for a good cause. I just want to do something good. For a few years I have wanted to do a marathon as one of those things to tick off of the “been there and done that in Life” list but more importantly I know a few people who have been dealing with cancer of various forms. One friend has a 9 year old son who has been dealing with a brain and a spine tumor for most of his life (I am not going to tug on your heart strings too much but it’s a heart breaking story) and another good friend (my age) is now recovering from Lupus. The chemotherapy has literally disintegrated his bones to the point where he has had to have his hips replaced so he can walk. He will never be able to run with his kids like I can. My minor skin cancer scares pale into insignificance when you see what others go through and a little bit of pain on a 26 mile run will be negligible in order to help advance the research and prevent others from suffering. I am healthy and alive; getting fit and a few blisters will be a breeze in comparison to what others go through.

PLEASE SPONSOR ME!

Please, please consider sponsoring me and raising money to fight blood cancer. I am happy to accept sponsorship if you want to induce pain in me or help relieve it from others!

My Team in Training Sponsorship page can be found here.  If you work for Microsoft it has directions on how to ensure that Microsoft matches your donation so together we can double the donation for employees.

All donations help. Anything helps! It’s for a great cause!

As I live in a “Connected World” you can even track my run stats on the Garmin Connect site here using an RSS reader to see just how tough I am finding it!

Thanks for your support!

PS : I am also happy to do speaking events, write articles, consider endorsements or wear your company logo in return for donations.  You can write to me at mark at curphey dot com with suggestions.

Categories: Information Security Tools Tags:

Protecting Browsers with Defense In Depth Techniques

March 26th, 2010 No comments

Posted on behalf of Pete LePage on the Internet Explorer team.

Protecting Windows customers is an absolute priority for the Internet Explorer engineering team.  That’s why we work hard to make sure our browser has some of the best safety and privacy features available today.  We’ve spent a lot of time talking about some of the more visible safety and privacy features like our SmartScreen Filter, that protects users from socially engineered malware and phishing attacks; or the InPrivate features that put you in control of how you share your information.

But there are a number of other features that aren’t as visible and help prevent vulnerabilities from being exploited, though some are only available on newer platforms like Windows Vista or Windows 7. For example, Protected Mode helps ensure exploited code cannot access system or other resources. Address Space Layout Randomization (ASLR) helps prevent attackers from getting memory addresses to use in buffer overflow situations. Data Execution Prevention (DEP) helps to foil attacks by preventing code from running in memory that is marked non-executable. These defense in depth protections are designed to make it significantly harder for attackers to exploit vulnerabilities.

One way to think about what defense in depth techniques do is similar to the features offered by fire-proof safes that make them last longer in a fire.  Without defense in depth techniques, a fire-proof safe may only protect its contents for an hour or two.  A stronger fire-proof safe with several defense in depth features still won’t guarantee the valuables forever, but adds significant time and protection to how long the contents will last.

Recently, there has been some news from some security researchers about how they’ve managed to bypass DEP or ASLR in Internet Explorer (and Firefox as well). But like the fire-proof safe example above, defense in depth techniques aren’t designed to prevent every attack forever, but instead to make it significantly harder to exploit a vulnerability. Defense in depth features, including DEP and ASLR, continue to be highly effective protection mechanisms.

Internet Explorer 8 on Windows 7 helps protect users with all of these defense in depth features, and there is nothing that you have to do to enable them – they’re on by default.  That’s one of the reasons why we encourage users to make sure they’re running the latest and most up-to-date software.
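As an added example (not part of the original post and not Microsoft code): a Windows binary records its opt-in to ASLR and DEP as two bits in the `DllCharacteristics` field of its PE header, so a defender can audit which modules on a machine lack them. The `audit` helper and the sample images built by `build_sample` are constructed for illustration.

```python
import struct
import sys

# DllCharacteristics bits defined by the PE/COFF format.
DYNAMIC_BASE = 0x0040  # image can be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100     # image is compatible with DEP (no-execute data pages)


def mitigation_flags(image):
    """Return the ASLR/DEP opt-in bits of a PE image; raise ValueError if malformed."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    # Need: signature (4) + COFF header (20) + first 72 bytes of optional header.
    if pe_off + 96 > len(image) or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    (magic,) = struct.unpack_from("<H", image, pe_off + 24)
    if magic not in (0x10B, 0x20B) or opt_size < 72:  # PE32 / PE32+
        raise ValueError("unsupported optional header")
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    (dll_chars,) = struct.unpack_from("<H", image, pe_off + 24 + 70)
    return {
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
    }


def audit(modules):
    """Map module name -> list of missing opt-ins, for modules that miss any.

    `modules` maps a name to the raw bytes of the file. Files that cannot be
    parsed are reported as 'unparseable' rather than silently skipped.
    """
    findings = {}
    for name, image in modules.items():
        try:
            flags = mitigation_flags(image)
        except ValueError:
            findings[name] = ["unparseable"]
            continue
        missing = [label for label, ok in
                   (("ASLR", flags["aslr"]), ("DEP", flags["dep"])) if not ok]
        if missing:
            findings[name] = missing
    return findings


def build_sample(dll_characteristics, pe32_plus=False):
    """Constructed test input: a header-only PE image with the given flag word."""
    image = bytearray(0x40 + 24 + 96)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)          # e_lfanew -> 0x40
    image[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", image, 0x40 + 20, 96)       # SizeOfOptionalHeader
    struct.pack_into("<H", image, 0x40 + 24, 0x20B if pe32_plus else 0x10B)
    struct.pack_into("<H", image, 0x40 + 24 + 70, dll_characteristics)
    return bytes(image)


if __name__ == "__main__":
    # Audit files named on the command line; with no arguments, use the samples.
    if len(sys.argv) > 1:
        modules = {}
        for path in sys.argv[1:]:
            with open(path, "rb") as handle:
                modules[path] = handle.read(4096)  # headers live at the start
    else:
        modules = {
            "good.exe": build_sample(DYNAMIC_BASE | NX_COMPAT),
            "old.dll": build_sample(0),
        }
    for name, missing in sorted(audit(modules).items()):
        print(f"{name}: missing {', '.join(missing)}")
```

The flags only record what each image opts in to; whether the operating system enforces DEP and ASLR for a given process also depends on system policy.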

The Web Protection Library – plans and processes.

March 24th, 2010 No comments

First off let me introduce myself; my name is Barry Dorrans, I’m a recent transplant from the UK and I finally joined the Information Security tools team 6 weeks ago after the long and involved process of visa acquisition. Before joining Microsoft I was a consultant in the UK working with various companies on developer security issues, I was a Developer Security MVP and an active member of the UK .NET technical community, running a user group in Oxford and writing “Beginning ASP.NET Security” for Wrox Press.

One of the things that attracted me to the role was the tools the team produces and in particular the open source status of the Web Protection Library and so it’s with great pleasure I am taking on the development of WPL, along with Frank, the new PM for WPL and Randy Evans, my co-developer and Jessika the team’s tester. As part of the process we’re going to share more with you about what we’re doing, what we’re planning and hopefully give you a chance to engage with us as we plan development sprints, gather feature requirements and fix bugs.

We kicked off our first sprint on Monday 21st March, a sprint we’re describing as “fit and finish”. We’re spending a lot of time documenting the code and adding tests. We’re also addressing what has been a pain point for a lot of you – medium trust. The original AntiXSS library performed nothing but encoding and didn’t have any special requirements for hosting. When the first WPL beta was released we added HTML sanitization, which came from another team. Sanitization is rather computationally expensive and the code uses unsafe array manipulation in an effort to cut down the time it takes; however for obvious reasons a lot of shared hosters don’t allow unsafe code to run in their shared environments. With the next release of WPL we’re putting AntiXSS back into its own assembly and marking it with AllowPartiallyTrustedCallers so you won’t have to strong name your web assemblies to use it. This does mean if you want to use the HTML sanitization functions you’ll need to add a reference to the new assembly into your project.

One other change that will become obvious when we release the code is the move to VS2010. We’re doing this to provide support for ASP.NET 4.0’s ability to switch out the HTML encoding engine and we’ll be providing a pre-built class for this. In order to keep supporting those of you who are on .NET 2.0 – 3.5 this will be made available in yet another assembly, or of course you can simply take the class and add it into your own project.

It’s unlikely we’ll release the results of this sprint publicly, as these are the only functional changes we’re making and we’d like to wait to release until we have some actual bug fixes – but if you feel we should then leave us a comment!

Talking of bug fixes, once this sprint has finished we’ll start going through the bug list and feature requests. In case you’re wondering, bugs and features from the Connect programme make it into our internal systems automagically. We also had a lot of feedback at the MVP summit from the Developer Security MVPs which we’re planning to address. If you’ve added a bug onto the AntiXSS codeplex site then we manually triage those and bring them into our internal systems on a regular basis.

As we near the end of this sprint Frank will be sharing with you our priorities and tasks for the next sprint and I plan to start sharing our new Threat Models as we prepare them and any mistakes we’ve made with the threat modeling process – something I hope will enable everyone to learn how to model effectively.

Categories: Uncategorized Tags:

The Web Protection Library – plans and processes.

March 24th, 2010 No comments

First off let me introduce myself; my name is Barry Dorrans, I’m a recent transplant from the UK and I finally joined the Information Security tools team 6 weeks ago after the long and involved process of visa acquisition. Before joining Microsoft I was a consultant in the UK working with various companies on developer security issues, I was a Developer Security MVP and an active member of the UK .NET technical community, running a user group in Oxford and writing “Beginning ASP.NET Security” for Wrox Press.

One of the things that attracted me to the role was the tools the team produces and in particular the open source status of the Web Protection Library and so it’s with great pleasure I am taking on the development of WPL, along with Frank, the new PM for WPL and Randy Evans, my co-developer and Jessika the team’s tester. As part of the process we’re going to share more with you about what we’re doing, what we’re planning and hopefully give you a chance to engage with us as we plan development sprints, gather feature requirements and fix bugs.

We kicked off our first sprint on Monday 21st March, a sprint we’re describing as “fit and finish”. We’re spending a lot of time documenting the code and adding tests. We’re also addressing what has been a pain point for a lot of you – medium trust. The original AntiXSS library performed nothing but encoding and didn’t have any special requirements for hosting. When the first WPL beta was released we added HTML sanitization, which came from another team. Sanitization is rather computationally expensive and the code uses unsafe array manipulation in an effort to cut down the time it takes; however, for obvious reasons a lot of shared hosters don’t allow unsafe code to run in their shared environments. With the next release of WPL we’re putting AntiXSS back into its own assembly and marking it with AllowPartiallyTrustedCallers so you won’t have to strong name your web assemblies to use it. This does mean if you want to use the HTML sanitization functions you’ll need to add a reference to the new assembly into your project.

One other change that will become obvious when we release the code is the move to VS2010. We’re doing this to provide support for ASP 4.0’s ability to switch out the HTML encoding engine and we’ll be providing a pre-built class for this. In order to keep supporting those of you who are on .NET 2.0 – 3.5 this will be made available in yet another assembly, or of course you can simply take the class and add it into your own project.

It’s unlikely we’ll release the results of this sprint publicly, as these are the only functional changes we’re making and we’d like to wait to release until we have some actual bug fixes – but if you feel we should then leave us a comment!

Talking of bug fixes, once this sprint has finished we’ll start going through the bug list and feature requests. In case you’re wondering, bugs and features from the Connect programme make it into our internal systems automagically. We also had a lot of feedback at the MVP summit from the Developer Security MVPs which we’re planning to address. If you’ve added a bug onto the AntiXSS codeplex site then we manually triage those and bring them into our internal systems on a regular basis.

As we near the end of this sprint Frank will be sharing with you our priorities and tasks for the next sprint and I plan to start sharing our new Threat Models as we prepare them and any mistakes we’ve made with the threat modeling process – something I hope will enable everyone to learn how to model effectively.

Categories: Uncategorized Tags:
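
The encoder swap mentioned in the post above, sketched as an added example (this is not the pre-built class the WPL team describes, and not code from the original post). It assumes .NET 4.0's `System.Web.Util.HttpEncoder` and a referenced AntiXSS 3.x assembly exposing `Microsoft.Security.Application.AntiXss`; the `Example.Web` namespace, assembly name and class name are hypothetical.

```csharp
// Added illustration; not the class shipped with WPL.
// Assumes: .NET 4.0 and a reference to an AntiXSS 3.x assembly.
// "Example.Web" and "AntiXssHttpEncoder" are hypothetical names.
//
// Registration in web.config, so that HttpUtility.HtmlEncode and
// <%: %> code blocks route through this class:
//
//   <system.web>
//     <httpRuntime encoderType="Example.Web.AntiXssHttpEncoder, Example.Web" />
//   </system.web>

using System;
using System.IO;
using System.Web.Util;
using Microsoft.Security.Application;

namespace Example.Web
{
    public class AntiXssHttpEncoder : HttpEncoder
    {
        // Replaces the framework's HTML body encoding with AntiXSS encoding.
        protected override void HtmlEncode(string value, TextWriter output)
        {
            if (output == null)
            {
                throw new ArgumentNullException("output");
            }

            // Nothing to encode; write nothing rather than the string "null".
            if (string.IsNullOrEmpty(value))
            {
                return;
            }

            output.Write(AntiXss.HtmlEncode(value));
        }

        // Attribute values get their own encoder: the safe character set
        // for an attribute differs from that of element content.
        protected override void HtmlAttributeEncode(string value, TextWriter output)
        {
            if (output == null)
            {
                throw new ArgumentNullException("output");
            }

            if (string.IsNullOrEmpty(value))
            {
                return;
            }

            output.Write(AntiXss.HtmlAttributeEncode(value));
        }

        // HtmlDecode, UrlEncode, UrlPathEncode and HeaderNameValueEncode are
        // deliberately not overridden, so they keep the framework behaviour.
    }
}
```

Because the encoder is set once in configuration, existing pages pick it up without code changes; test output that was previously double-encoded or hand-encoded, since the encoded form of some characters will differ from the framework default.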

Windows Server 2008 R2 AD CS Migration Guide

March 19th, 2010 Comments off

The official version of the new 2008 R2 ADCS Migration Guide is now available at http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx.


The guide describes the necessary steps for a successful migration of both enterprise and standalone CAs to Windows Server 2008 R2 from:

  • Windows Server 2003 SP2
  • Windows Server 2003 R2
  • Windows Server 2008
  • Windows Server 2008 R2

Also included are steps for migration to Server Core.

Categories: Uncategorized Tags:

Vulnerability in Virtual PC?

March 17th, 2010 No comments

Earlier today, Core Security Technologies issued a security advisory for our Virtual PC (VPC) software. The advisory calls out a proof of concept where the virtual machine monitor allows memory pages above the 2GB level to be read from or written to by user-space programs running within a guest operating system. The advisory explicitly calls into question the effectiveness of many of the security hardening features of Windows, including DEP, SafeSEH, and ASLR.  Folks are already starting to ask questions about this advisory, so I thought it would be best to answer them here.

First and foremost, customers should rest assured that this advisory does not affect the security of Windows 7 systems directly. The security safeguards (DEP, ASLR, SafeSEH, etc.) that are in place remain effective at helping protect users from malware on that system. In addition, our Windows Server virtualization technology, Hyper-V, is also not affected by this advisory. Applications running inside a Hyper-V guest continue to benefit from these same security safeguards.

The functionality that Core calls out is not an actual vulnerability per se. Instead, they are describing a way for an attacker to more easily exploit security vulnerabilities that must already be present on the system. It’s a subtle point, but one that folks should really understand. The protection mechanisms that are present in the Windows kernel are rendered less effective inside of a virtual machine as opposed to a physical machine. There is no vulnerability introduced, just a loss of certain security protection mechanisms.

The functionality described only affects the guest operating system that is running within a Virtual PC environment.  In practice, the guest operating system in a Virtual PC environment is typically Windows XP as part of Windows XP Mode.  Of the safeguards Core calls out, it should be noted that only DEP is available in Windows XP SP3; Windows XP doesn’t contain ASLR. The net result? An attacker can only exploit a vulnerable application running “inside” the guest virtual machine on Windows XP, rather than Windows 7!

We believe that Windows XP Mode and Windows Virtual PC are great bridging strategies to help customers who have legacy applications get up and running on Windows 7. For those customers who need Windows XP Mode, they should look to install only the required subset of applications that need Windows XP in order to function properly while planning to move those applications to Windows 7 in the future.

One final point: whether the version of Windows you are running is virtualized or running physically on a computer, it’s equally important to follow sound security practices. You should make sure your firewall is enabled, that you have anti-virus software installed, and that you keep your software up to date through automatic updates. For more information on how to protect your PC, visit http://www.microsoft.com/protect/.

What CA types are supported for clustering?

March 8th, 2010 Comments off

There are two types of certification authorities: Standalone and Enterprise. Only Enterprise certification authorities have been tested for clustered installations.

A very short but possibly important statement.

Categories: Certification authority Tags:

Creating a Safer, More Trusted Internet

March 3rd, 2010 No comments

The RSA Security Conference is underway this week in San Francisco and Microsoft’s own Scott Charney, Corporate Vice President Trustworthy Computing, delivered one of yesterday’s keynote addresses: Creating a Safer, More Trusted Internet. The keynote centered on Microsoft’s Trustworthy Computing initiative, our End to End Trust vision, and how we have been working to further protect the security and privacy of all the users of the Internet.

The End to End Trust vision has not changed over the last couple of years and we don’t anticipate it changing for some time. We continue to make progress along this vision and Scott outlined many areas where we are actively engaged and providing thought leadership. The keynote showcased how our vision for End to End Trust applies to cloud computing, detailed progress toward a claims-based identity meta-system, and called for public and private organizations alike to prevent and disrupt cybercrime.

One of the most interesting aspects from my perspective was the notion of creating a “World Health Organization” model for the Internet. We are calling on the governments and industry to creatively help prevent cybercrime by implementing technology and policy models that assess PC health before connecting the machine to the Internet. This is an ambitious vision and one I am proud to support.

If you want to know more about the things Scott talked about in his keynote and our End To End vision, I encourage you to visit the newly revamped End To End Trust website for more details.
