Archive for September, 2010

AntiXSS 4.0 Released

September 30th, 2010

AntiXSS 4.0 has been released and is available from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f4cd231b-7e06-445b-bec7-343e5884e651. The new source will be published to CodePlex within the next few days.

Minimum Requirements

.NET Framework 3.5

Return Values

If you pass null as the value to an encoding function, the function will now return null. The previous behavior was to return String.Empty.

Medium Trust Support

The HTML Sanitization methods, GetSafeHtml() and GetSafeHtmlFragment() have been moved to a separate assembly. This enables the AntiXssLibrary assembly to run in medium trust environments, a common user request. If you wish to use the Html Sanitization library you must now include the HtmlSanitizationLibrary assembly. This assembly requires full trust and the ability to run unsafe code.

Adjustable safe-listing for HTML/XML Encoding

The safe list for HTML and XML encoding is now adjustable. The UnicodeCharacterEncoder.MarkAsSafe() method allows you to choose, from the Unicode Code Charts, which languages your web application normally accepts. Safe-listing a language code chart leaves the defined characters in their native form during encoding, which increases readability in the HTML/XML document and speeds up encoding. Certain dangerous characters are still encoded even when their code chart is safe-listed.

The language code charts are defined in the Microsoft.Security.Application.LowerCodeCharts, Microsoft.Security.Application.LowerMidCodeCharts, Microsoft.Security.Application.MidCodeCharts, Microsoft.Security.Application.UpperMidCodeCharts and Microsoft.Security.Application.UpperCodeCharts enumerations.

It is suggested that you safe-list your acceptable languages during application initialization.

Invalid unicode character detection

If any of the HTML or XML encoding methods encounter a character with a character code of 0xFFFE or 0xFFFF (the values used to detect byte order at the beginning of files), an InvalidUnicodeValueException will be thrown.

Surrogate Character Support in HTML and XML encoding

Support for surrogate character pairs, used for Unicode characters outside the basic multilingual plane, has been improved. Such pairs are now combined and encoded as a single &#xxxxx; value. If a high surrogate character is encountered which is not followed by a low surrogate character, or a low surrogate character is encountered which is not preceded by a high surrogate character, an InvalidSurrogatePairException is thrown.

HTML 4.01 Named Entity Support

A new overload of the HtmlEncode method, Encoder.HtmlEncode(string input, bool useNamedEntities), allows you to specify whether the named entities from the HTML 4.01 specification should be used in preference to &#xxxx; encoding when a named entity exists. For example, if the useNamedEntities parameter is set to true the copyright symbol would be encoded as &copy;.
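The rules described in the last four sections (adjustable safe-listing by code chart, dangerous characters that are always encoded, rejection of 0xFFFE/0xFFFF, surrogate-pair combination with lone-surrogate detection, and the useNamedEntities switch) fit in one small encoder. The Python below is an added illustration written for this page, not AntiXSS source: the chart names in CODE_CHARTS, the entity subset in NAMED_ENTITIES, the set of always-encoded characters and the decimal &#NNN; output form are this example's own assumptions, and the input is walked as UTF-16 code units so that the surrogate handling matches what a .NET string would see.

```python
# Added example, not AntiXSS code: an HTML encoder reimplementing the 4.0 rules above.
import struct


class InvalidUnicodeValueError(ValueError):
    """Raised for the non-characters U+FFFE and U+FFFF."""


class InvalidSurrogatePairError(ValueError):
    """Raised for a high surrogate without a low surrogate, or vice versa."""


# Constructed subset of the Unicode code charts: block name -> inclusive code point range.
CODE_CHARTS = {
    "BasicLatin": (0x0000, 0x007F),
    "Latin1Supplement": (0x0080, 0x00FF),
    "Cyrillic": (0x0400, 0x04FF),
    "CJKUnifiedIdeographs": (0x4E00, 0x9FFF),
}

# Markup-significant characters: encoded even when their chart is safe-listed (assumption).
ALWAYS_ENCODE = frozenset(ord(c) for c in "<>&\"'")

# Small subset of the HTML 4.01 named entities (a real encoder carries the full table).
NAMED_ENTITIES = {0x22: "quot", 0x26: "amp", 0x3C: "lt", 0x3E: "gt",
                  0xA0: "nbsp", 0xA9: "copy", 0xE9: "eacute"}


class UnicodeCharacterEncoder:
    def __init__(self):
        # Only Basic Latin is safe by default; every other code point is encoded.
        self._safe_ranges = [CODE_CHARTS["BasicLatin"]]

    def mark_as_safe(self, *charts):
        """Safe-list whole code charts; meant to be called once at application start."""
        for name in charts:
            self._safe_ranges.append(CODE_CHARTS[name])

    def _is_safe(self, cp):
        if cp in ALWAYS_ENCODE:
            return False
        return any(lo <= cp <= hi for lo, hi in self._safe_ranges)

    @staticmethod
    def _code_points(text):
        """Walk the UTF-16 code units, combining surrogate pairs and rejecting bad values."""
        raw = text.encode("utf-16-le", "surrogatepass")  # keeps lone surrogates for detection
        units = struct.unpack("<%dH" % (len(raw) // 2), raw)
        out, i = [], 0
        while i < len(units):
            u = units[i]
            if 0xD800 <= u <= 0xDBFF:  # high surrogate: must be followed by a low one
                if i + 1 >= len(units) or not 0xDC00 <= units[i + 1] <= 0xDFFF:
                    raise InvalidSurrogatePairError("high surrogate without low surrogate")
                cp = 0x10000 + ((u - 0xD800) << 10) + (units[i + 1] - 0xDC00)
                i += 2
            elif 0xDC00 <= u <= 0xDFFF:  # low surrogate with no high surrogate before it
                raise InvalidSurrogatePairError("low surrogate without high surrogate")
            else:
                cp = u
                i += 1
            if cp in (0xFFFE, 0xFFFF):
                raise InvalidUnicodeValueError("U+%04X is not a valid character" % cp)
            out.append(cp)
        return out

    def html_encode(self, text, use_named_entities=False):
        """Encode text for an HTML document; null in, null out as in AntiXSS 4.0."""
        if text is None:
            return None
        parts = []
        for cp in self._code_points(text):
            if self._is_safe(cp):
                parts.append(chr(cp))
            elif use_named_entities and cp in NAMED_ENTITIES:
                parts.append("&%s;" % NAMED_ENTITIES[cp])
            else:
                parts.append("&#%d;" % cp)  # decimal numeric character reference
        return "".join(parts)


def encode_or_error(encoder, text):
    """Return the encoded string, or the name of the exception the encoder raised."""
    try:
        return encoder.html_encode(text)
    except (InvalidUnicodeValueError, InvalidSurrogatePairError) as err:
        return type(err).__name__


if __name__ == "__main__":
    enc = UnicodeCharacterEncoder()
    enc.mark_as_safe("Latin1Supplement")  # application accepts Western European text
    print(enc.html_encode("<b>é</b> \U0001F600", use_named_entities=True))
    print(encode_or_error(enc, "\ud83d"))  # a lone high surrogate is rejected
```

Safe-listing only changes which characters pass through literally; `<`, `>`, `&` and quotes are encoded regardless, which is why widening the safe list for readability does not weaken the encoder's protection against markup injection.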

HtmlFormUrlEncode

A new encoding type suitable for encoding HTML POST form submissions is now available via Encoder.HtmlFormUrlEncode. This encodes according to the W3C specification for the application/x-www-form-urlencoded MIME type.

LDAP Encoding changes

The LdapEncode function has been deprecated in favor of two new functions, Encoder.LdapFilterEncode(string) and Encoder.LdapDistinguishedNameEncode(string).

Encoder.LdapFilterEncode encodes input according to RFC 4515, where unsafe values are converted to \XX, XX being the hexadecimal representation of the unsafe character.

Encoder.LdapDistinguishedNameEncode encodes input according to RFC 2253, where unsafe characters are converted to #XX, XX being the hexadecimal representation of the unsafe character, and the comma, plus, quote, slash, less than and greater than signs are escaped using backslash notation (\X). In addition, a space or octothorpe (#) at the beginning of the input string is backslash-escaped, as is a space at the end of the string.

LdapDistinguishedNameEncode(string, bool, bool) is also provided so you may turn off the initial or final character escaping rules, for example if you are concatenating the escaped distinguished name fragment into the midst of a complete distinguished name.
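The two encoders and the (string, bool, bool) overload described above map onto two short functions. The Python below is an added example for this page, not AntiXSS code: ldap_filter_encode follows the RFC 4515 \XX rule, ldap_dn_encode follows the RFC 2253 backslash rules with escape_initial/escape_final switches standing in for the two booleans, and the build_filter helper shows the intended use. Two details are this example's own choices rather than the post's: non-ASCII and control bytes are emitted as one \XX escape per UTF-8 byte in both encoders (the backslash-hex form RFC 2253 also permits, instead of the #XX form the post describes), and "slash" is read as the backslash, so a forward slash is left alone.

```python
# Added example, not AntiXSS code: LDAP filter and DN value encoding.

FILTER_SPECIALS = frozenset(b"*()\\\x00")   # RFC 4515 section 3
DN_SPECIALS = frozenset(b',+"\\<>;')         # RFC 2253 section 2.4


def ldap_filter_encode(value):
    """Escape a value for use inside an LDAP search filter assertion."""
    if value is None:
        return None
    out = []
    for b in value.encode("utf-8"):
        if b in FILTER_SPECIALS or b < 0x20 or b > 0x7E:
            out.append("\\%02X" % b)  # \XX hex escape, one per byte
        else:
            out.append(chr(b))
    return "".join(out)


def ldap_dn_encode(value, escape_initial=True, escape_final=True):
    """Escape an attribute value for use inside a distinguished name.

    escape_initial / escape_final mirror the two booleans of the overload: turn
    them off when the fragment is spliced into the middle of a larger DN value.
    """
    if value is None:
        return None
    data = value.encode("utf-8")
    last = len(data) - 1
    out = []
    for i, b in enumerate(data):
        if b in DN_SPECIALS:
            out.append("\\" + chr(b))
        elif escape_initial and i == 0 and b in b" #":
            out.append("\\" + chr(b))       # leading space or octothorpe
        elif escape_final and i == last and b == 0x20:
            out.append("\\ ")               # trailing space
        elif b < 0x20 or b > 0x7E:
            out.append("\\%02X" % b)        # hex pair for control / non-ASCII bytes
        else:
            out.append(chr(b))
    return "".join(out)


def build_filter(attribute, value):
    """Build an equality filter; filter syntax inside the value becomes inert text."""
    return "(%s=%s)" % (attribute, ldap_filter_encode(value))


def build_rdn(attribute, value):
    """Build a single RDN such as 'cn=Smith\\, John' for concatenation into a DN."""
    return "%s=%s" % (attribute, ldap_dn_encode(value))


if __name__ == "__main__":
    print(build_filter("uid", "j.smith"))
    print(build_filter("uid", "*)(uid=*"))    # constructed input with filter metacharacters
    print(build_rdn("cn", "Smith, John"))
    print(build_rdn("cn", " #leading and trailing "))
    print(ldap_dn_encode("é"))
```

The switches matter at the seams: when the encoded fragment lands in the middle of a DN value rather than at its start or end, a leading space is no longer leading, so the overload lets the caller suppress the positional escapes while keeping the character escapes.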

MarkOutput

The ability to mark output using an HtmlEncode overload and query string parameter has been removed.

Security Runtime Engine development continues in parallel to my other work, but we’ve now separated the two libraries so you don’t have to wait for AntiXSS updates. The WPL will continue to be available as source only from CodePlex until we’re happy with the code model and quality. Once that happens you can expect to see a binary release, but there are no planned release dates as yet.


SHA2 and Windows

September 30th, 2010

UPDATE (2/8):  Based on some recent questions, additional information has been posted about SHA2 and Windows.

Introduction

We’ve recently received a couple of requests from customers around the functionality of SHA-256 when running on Windows XP and 2003. This has become more important recently, as NIST has recommended migrating off of SHA-1 by the end of the year. More details about the NIST recommendation can be found in SP 800-78-2 and SP 800-57. Hopefully this blog post can help clear up the confusion surrounding the scenarios that work and the ones that don’t.

Windows XP Support

Prior to Windows XP Service Pack 3, there was no SHA2 functionality within Windows XP. With the release of Service Pack 3 some limited functionality was added to the crypto module rsaenh.dll. This includes the following SHA2 hashes: SHA-256, SHA-384, SHA-512. SHA-224 was not included.

Windows Server 2003 Support

Windows Server 2003 Service Pack 2 does not ship with support for SHA2. This limitation can become an important concern when processing smart card logons and for mutual TLS authentication to web servers. Unlike other technologies, smart card logon and mutual TLS both use strict revocation checking, so should either the certificate itself or the revocation information (CRL/OCSP) use SHA2, the logon will fail.

KB 938397

Though SHA2 support is not included in Windows Server 2003 Service Pack 2, it is available for download. KB 938397 brings Windows Server 2003 to the same level of functionality as Windows XP with Service Pack 3. KB 938397 is not available via Windows Update; it needs to be requested via the “View and request hotfix downloads” link on the support page. Note that KB 938397 is also offered for Windows Server 2003 Service Pack 1.

KB 968730

With the release of Windows Server 2008 it was found that Windows XP Service Pack 3 and Windows Server 2003 Service Pack 2 with KB 938397 were unable to request certificates from a Windows Server 2008 (and 2008 R2) certificate authority (CA) whose certificate was signed with a SHA2 hash. KB 968730 was released to address this issue. Incidentally, KB 968730 completely supersedes KB 938397, so if a Windows Server 2003 Service Pack 2 system needs to both enroll from a SHA2 certificate authority and process SHA2 certificates, only KB 968730 needs to be installed. As before, KB 968730 is not available via Windows Update; it needs to be requested via the “View and request hotfix downloads” link on the support page. Note that KB 968730 is not offered for Windows Server 2003 Service Pack 1.

Windows Vista, 7, Server 2008, and Server 2008 R2

Starting with Windows Vista and Server 2008, the Cryptography Next Generation (CNG) Suite B algorithms (including SHA2) are included in the operating system. It is worth noting that even though the algorithms are available, it is up to the individual applications to implement support.

Outlook and S/MIME

Besides logon, another very popular use for smart cards is S/MIME. But before diving into Outlook and S/MIME, the following warning should be given. Regardless of the functionality Windows and Outlook provide, mail delivered between two users passes through any number of spam filters, relays, mailboxes, etc. between sender and recipient. Each of these can be made by a wide range of vendors, running on a wide range of platforms. So before deploying SHA2, testing should be done against one’s own email infrastructure, in addition to the email infrastructure of the external organizations with whom S/MIME signed mail needs to be exchanged.

All those warnings aside, the basic functionality for Outlook is as follows. Outlook 2003, 2007, and 2010 running on Windows XP Service Pack 3 can sign and validate certificates when the certificate itself is SHA2 signed. Outlook 2003, 2007, and 2010 running on Windows XP Service Pack 3 cannot validate email messages when the message itself is SHA2 signed (regardless of the certificate used). Outlook 2003, 2007, and 2010 running on Windows XP Service Pack 3 cannot sign a message with SHA2; only SHA-1 and MD5 are available.

In order to validate SHA2 messages, Windows Vista with Outlook 2003 (or newer) is needed. In order to both sign and validate SHA2 messages, Windows Vista or 7 with Outlook 2007 or 2010 is needed.

Recommendations

For organizations looking to deploy SHA2 or organizations that interact with 3rd parties that will soon begin using SHA2, the following is recommended.

  • If Windows XP is used in the environment, Service Pack 3 should be deployed. In addition to SHA2 functionality, Service Pack 3 is currently the only Windows XP service pack that is supported.
  • If Windows XP systems would need to enroll in certificates from a SHA2 certificate authority, KB 968730 should be deployed.
  • If Windows Server 2003 is used in the environment, Service Pack (1 or 2) and KB 938397 should be deployed.
  • If Windows Server 2003 would need to enroll in certificates from a SHA2 certificate authority, Service Pack 2 and KB 968730 should be deployed. If planning on deploying KB 968730, installing KB 938397 is not necessary.
  • If S/MIME using SHA2 signing for the message body is needed, workstations should be upgraded to at least Windows Vista running Office 2003.

Summary Chart

Scenario | XP SP3 | XP SP3 with KB968730 | 2003 R2 SP2 | 2003 R2 SP2 with KB968730 | Windows Vista, 7, 2008, 2008 R2
---------|--------|----------------------|-------------|---------------------------|-------------------------------

Basic Functionality
Browsing a website using SHA2 certificate | Works | Works | Unable to validate certificate | Works | Works
Open a certificate and viewing properties | Works | Works | Unable to validate certificate | Works | Works

Interactive logon and mutual TLS (client system)
Client with SHA2 certificate; server with SHA1 certificate | Works | Works | Works | Works | Works
Client with SHA2 certificate; server with SHA2 certificate | Works | Works | Unable to login | Works | Works

Interactive logon and mutual TLS (domain controller / IIS server)
Client with SHA2 certificate; server with SHA1 certificate | N/A | N/A | Unable to login | Works | Works

Certificate Enrollment
V3 certificate template enrollment from any type of root | Unable to select template | Unable to select template | Unable to select template | Unable to select template | Works
V2 certificate template enrollment from SHA2 root | Request fails | Works | Request fails | Works | Works

S/MIME (Outlook 2003)
Validate and sign to a SHA2 certificate | Works | Works | N/A | N/A | Works
Validate message body signed with SHA2 | Unable to validate certificate | Unable to validate certificate | N/A | N/A | Works
Sign message body with SHA2 | Not an available option | Not an available option | N/A | N/A | Not an available option

S/MIME (Outlook 2007 and 2010)
Validate and sign to a SHA2 certificate using SHA-1 for the message signature | Works | Works | N/A | N/A | Works
Validate message body signed with SHA2 | Unable to validate certificate | Unable to validate certificate | N/A | N/A | Works
Sign message body with SHA2 | Not an available option | Not an available option | N/A | N/A | Works

-Adam Stasiniewicz


Categories: SHA2, NIST, SP800-78-2, SP800-57

SHA2 and Windows

September 30th, 2010 Comments off

UPDATE (2/8):  Based on some recent questions, additional information has been posted about SHA2 and Windows.

Introduction

We’ve recently received a couple of requests from customers around the functionality of SHA-256 when running on Windows XP and 2003. This has been more important recently, as NIST has recommended the migration off of SHA-1 by end of the year. More details about the NIST recommendation can be found in SP 800-78-2 and SP 800-57. Hopefully this blog post can help clear up the confusion surrounding scenarios that work and the ones that don’t.

Windows XP Support

Prior to Windows XP Service Pack 3, there was no SHA2 functionality within Windows XP. With the release of Service Pack 3 some limited functionality was added to the crypto module rsaenh.dll. This includes the following SHA2 hashes: SHA-256, SHA-384, SHA-512. SHA-224 was not included.

Windows Server 2003 Support

Windows Server 2003 Service Pack 2 does not ship with support for SHA2. This limitation can become an important concern when processing smart card logons and for mutual TLS authentications to web servers. As unlike other technologies, smart card logon and mutual TLS both use strict revocation checking; so should either the certificate itself or the revocation information (CRL/OCSP) use SHA2, the logon would fail.

KB 938397

Though support SHA2 is not included in Windows Server 2003 Service Pack 2, it is available for download. KB 938397 will bring Windows Server 2003 to the same level of functionality as Windows XP with Service Pack 3. KB 938397 is not available via Windows Update; it needs to be requested via the “View and request hotfix downloads” link on the support page. Note, KB 938397 is also offered for Windows Server 2003 Service Pack 1.

KB 968730

With the release of Windows Server 2008 it was found that Windows XP Service Pack 3 and Windows Server 2003 Service Pack 2 with KB 938397 were unable to request certificates from a Windows Server 2008 (and 2008 R2) certificate authority (CA) who’s certificate was signed with a SHA2 hash. KB 968730 was release to address this issue. Incidentally, KB 968730 completely supersedes KB 938397; so if a Windows Server 2003 Service Pack 2 system would need to both enroll from a SHA2 certificate authority and process SHA2 certificates, only KB 968730 would need to be installed. As before, KB 968730 is not available via Windows Update; it needs to be requested via the “View and request hotfix downloads” link on the support page. Note, KB 968730 is not offered for Windows Server 2003 Service Pack 1.

Windows Vista, 7, Server 2008, and Server 2008 R2

Starting with Windows Vista and Server 2008, the Cryptography Next Generation (CNG) Suite B algorithms (including SHA2) are included in the operating system. It is worth noting that even though the algorithms are available, it is up to the individual applications to implement support.

Outlook and S/MIME

Besides logon, another very popular use for smart cards is S/MIME. But before diving into Outlook and S/MIME, the following warning should be given: Regardless of the functionality Windows and Outlook provide; in order for mail to be delivered between two users, there are any number of spam filters, relays, mailboxes, etc between sender and recipient. Each of these can be made by a wide range of vendors; running on a wide range of platforms. So before deploying SHA2, testing should be done against one’s own email infrastructure, in addition to the email infrastructure of external organizations from whom S/MIME signed mail needs to be exchanged with.

All those warnings aside, the basic functionality for Outlook is a follows. Outlook 2003, 2007, and 2010 running on Windows XP Service Pack 3 can sign and validate certificates when that certificate itself is SHA2 signed. Outlook 2003, 2007, and 2010 running on Windows XP Service Pack 3 cannot validate email messages when the message itself is SHA2 signed (regardless of the certificate used). Outlook 2003, 2007, and 2010 running on Windows XP Service Pack 3 cannot sign a message with SHA2; only SHA-1 and MD5 are available.

In order to validate SHA2 messages, Windows Vista with Outlook 2003 (or newer) is needed. In order to both sign and validate SHA2 messages, Windows Vista or 7 with Outlook 2007 or 2010 is needed.

Recommendations

For organizations looking to deploy SHA2 or organizations that interact with 3rd parties that will soon begin using SHA2, the following is recommended.

  • If Windows XP is used in the environment, Service Pack 3 should be deployed. In addition to SHA2 functionality, Service Pack 3 is currently the only Windows XP service pack that is supported.
  • If Windows XP systems would need to enroll in certificates from a SHA2 certificate authority, KB 968730 should be deployed.
  • If Windows Server 2003 is used in the environment, Service Pack (1 or 2) and KB 938397 should be deployed.
  • If Windows Server 2003 would need to enroll in certificates from a SHA2 certificate authority, Service Pack 2 and KB 968730 should be deployed. If planning on deploying KB 968730, installing KB 938397 is not necessary.
  • If S/MIME using SHA2 signing for the message body is needed, workstations should be upgraded to at least Windows Vista running Office 2003.

Summary Chart

XP SP3

XP SP3 with KB968730

2003 R2 SP2

2003 R2 SP2 with KB968730

Windows Vista, 7, 2008, 2008 R2

Basic Functionality

Browsing a website using SHA2 certificate

Works

Works

Unable to validate certificate

Works

Works

Open a certificate and viewing properties

Works

Works

Unable to validate certificate

Works

Works

Interactive logon and mutual TLS (client system)

Client with SHA2 certificate; server with SHA1 certificate

Works

Works

Works

Works

Works

Client with SHA2 certificate; server with SHA2 certificate

Works

Works

Unable to login

Works

Works

Interactive logon and mutual TLS (domain controller / IIS server)

Client with SHA2 certificate; server with SHA1 certificate

N/A

N/A

Unable to login

Works

Works

Certificate Enrollment

V3 certificate template enrollment from any type of root

Unable to select template

Unable to select template

Unable to select template

Unable to select template

Works

V2 certificate template enrollment from SHA2 root

Request fails

Works

Request fails

Works

Works

S/MIME (Outlook 2003)

Validate and sign to a SHA2 certificate

Works

Works

N/A

N/A

Works

Validate message body signed with SHA2

Unable to validate certificate

Unable to validate certificate

N/A

N/A

Works

Sign message body with SHA2

Not an available option

Not an available option

N/A

N/A

Not an available option

S/MIME (Outlook 2007 and 2010)

Validate and sign to a SHA2 certificate using SHA-1 for the message signature

Works

Works

N/A

N/A

Works

Validate message body signed with SHA2

Unable to validate certificate

Unable to validate certificate

N/A

N/A

Works

Sign message body with SHA2

Not an available option

Not an available option

N/A

N/A

Works

-Adam Stasiniewicz

 

UPDATE (2/8):  Based on some recent questions, additional information has been posted about SHA2 and Windows.

Categories: SHA2 NIST SP800-78-2 SP800-57 Tags:

AntiXSS 4.0 Released

September 30th, 2010 No comments

AntiXSS 4.0 has been released and is available from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f4cd231b-7e06-445b-bec7-343e5884e651. The new source will be published to CodePlex within the next few days.

Minimum Requirements

.NET Framework 3.5

Return Values

If you pass a null as the value an encoding function the function will now return null. The previous behavior was to return String.Empty.

Medium Trust Support

The HTML Sanitization methods, GetSafeHtml() and GetSafeHtmlFragment() have been moved to a separate assembly. This enables the AntiXssLibrary assembly to run in medium trust environments, a common user request. If you wish to use the Html Sanitization library you must now include the HtmlSanitizationLibrary assembly. This assembly requires full trust and the ability to run unsafe code.

Adjustable safe-listing for HTML/XML Encoding

The safe list for HTML and XML encoding is now adjustable. The UnicodeCharacterEncoder.MarkAsSafe() method allows to you choose from the Unicode Code Charts which languages your web application normally accepts. Safe-listing a language code chart leaves the defined characters in their native form during encoding, which increases readability in the HTML/XML document and speeds up encoding. Certain dangerous characters will also be encoded.

The language code charts are defined in the Microsoft.Security.Application.LowerCodeCharts, Microsoft.Security.Application.LowerMidCodeCharts, Microsoft.Security.Application.MidCodeCharts, Microsoft.Security.Application.UpperMidCodeCharts and Microsoft.Security.Application.UpperCodeCharts enumerations.

It is suggested you safe list your acceptable languages during your application initialization.

Invalid unicode character detection

If any of the HTML or XML encoding methods encounter a character with a character code of 0xFFFE or 0xFFFF, the characters used to detect byte order at the beginning of files an InvalidUnicodeValueException will be thrown.

Surrogate Character Support in HTML and XML encoding

Support for surrogate character pairs for Unicode characters outside the basic multilingual plane has been improved. Such character pairs are now combined and encoded as their &xxxxx; value. If a high surrogate pair character is encountered which is not followed by a low surrogate pair character, or a low surrogate pair character is encountered which is not preceded by a high surrogate pair character an InvalidSurrogatePairException is thrown.

HTML 4.01 Named Entity Support

A new overload of the HtmlEncode method, Encoder.HtmlEncode(string input, bool useNamedEntities) allows you to specify if the named entities from the HTML 4.01 specification should be used in preference to &#xxxx; encoding when a named entity exists. For example if useNamedEntities parameter is set to true the copyright entity would be encoded as ©.

HtmlFormUrlEncode

A new encoding type suitable for using in encoding Html POST form submissions is now available via Encoder.HtmlFormUrlEncode. This encodes according to the W3C specifications for application/x-www-form-urlencoded MIME type.

LDAP Encoding changes

The LdapEncode function has been deprecated in favor of two new functions, Encoder.LdapFilterEncode(string) and Encoder.LdapDistinguishedNameEncode(string).

Encoder.LdapFilterEncode encodes input according to RFC 4515, where unsafe values are converted to \XX, XX being the hex representation of the unsafe character.

Encoder.LdapDistinguishedNameEncode encodes input according to RFC 2253, where unsafe characters are converted to #XX, XX being the hex representation of the unsafe character, and the comma, plus, quote, slash, less than and greater than signs are escaped using slash notation (\X). In addition, a space or octothorpe (#) at the beginning of the input string is escaped, as is a space at the end of the string.

LdapDistinguishedNameEncode(string, bool, bool) is also provided so you may turn off the initial or final character escaping rules, for example if you are concatenating the escaped distinguished name fragment into the midst of a complete distinguished name.
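An added example (not code from the AntiXSS release) of the two encoders in the places they belong: the filter encoder around a value spliced into a search filter, and the distinguished-name encoder around a value spliced into a DN, including the three-argument overload for a fragment that lands in the middle of a DN value. The meaning of the two boolean parameters (initial-character rules, final-character rules) is assumed from the post; the sample inputs are constructed:

```csharp
using System;
using Microsoft.Security.Application;

// Added example: building LDAP queries from untrusted input without letting the input
// change the query's structure.
public static class LdapQueries
{
    // Search filter. Filter metacharacters in the account name ( * ( ) \ NUL ) become
    // \XX escapes per RFC 4515, so "j*smith" or "x)(objectClass=*" stays a literal value.
    public static string AccountFilter(string untrustedAccountName)
    {
        if (untrustedAccountName == null) throw new ArgumentNullException("untrustedAccountName");
        return "(&(objectClass=user)(sAMAccountName=" +
               Encoder.LdapFilterEncode(untrustedAccountName) + "))";
    }

    // Distinguished name. The common name stands on its own as an RDN value, so the full
    // rules apply: commas, plus signs, quotes etc. get \X, and a leading space/# or a
    // trailing space is escaped as well.
    public static string UserDn(string untrustedCommonName, string baseDn)
    {
        if (untrustedCommonName == null) throw new ArgumentNullException("untrustedCommonName");
        return "CN=" + Encoder.LdapDistinguishedNameEncode(untrustedCommonName) + "," + baseDn;
    }

    // Fragment embedded in the middle of an RDN value (here between a fixed prefix and
    // suffix). The initial/final character rules are switched off because the fragment is
    // neither the start nor the end of the value. Assumed parameter order:
    // (input, useInitialCharacterRules, useFinalCharacterRules).
    public static string ServiceAccountDn(string untrustedSuffix, string baseDn)
    {
        if (untrustedSuffix == null) throw new ArgumentNullException("untrustedSuffix");
        return "CN=svc-" + Encoder.LdapDistinguishedNameEncode(untrustedSuffix, false, false) +
               "-prod," + baseDn;
    }

    public static void Main()
    {
        const string baseDn = "OU=Users,DC=example,DC=local";   // constructed
        Console.WriteLine(AccountFilter("j*smith"));           // constructed input
        Console.WriteLine(UserDn("Smith, John", baseDn));      // comma inside the CN
        Console.WriteLine(UserDn(" #lead", baseDn));           // leading space and #
        Console.WriteLine(ServiceAccountDn("web+api", baseDn)); // plus inside the value
    }
}
```

The encoder to use is decided by where the value ends up, not by where it came from: a value that goes into a filter gets LdapFilterEncode, a value that goes into a DN gets LdapDistinguishedNameEncode, and applying the wrong one leaves the respective metacharacters unescaped.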

MarkOutput

The ability to mark output using an HtmlEncode overload and query string parameter has been removed.

Development of the Security Runtime Engine continues in parallel to my other work, but we’ve now separated the two libraries so you don’t have to wait for AntiXSS updates. The WPL will continue to be available as source only from CodePlex until we’re happy with the code model and quality. Once that happens you can expect to see a binary release, but there are no planned release dates as yet.

Microsoft Security Essentials Celebrates First Birthday with 30 Million Customers!

September 29th, 2010 No comments

It has been one year since Microsoft Security Essentials was made generally available to the public and to celebrate, we are pleased to share that there are now over 30 million customers in 74 different countries around the world enjoying the trusted security and quiet protection that Microsoft Security Essentials provides.

In addition, we are also pleased to share that Microsoft Security Essentials will now come pre-installed on the HP ENVY 14 series and HP ENVY 14 Beats™ edition series PCs starting today. But we’ll talk more about that in a minute.

First, let’s talk about the impact Microsoft Security Essentials is having on the Windows ecosystem.

Making an Impact with Microsoft Security Essentials

When we announced Microsoft Security Essentials last year, we said, “Making Microsoft Security Essentials broadly available as a free consumer download for genuine Windows-based PCs is part of Microsoft’s ongoing commitment to provide a more trustworthy computing experience for all customers. By making Microsoft Security Essentials easy to get and easy to use, Microsoft hopes to encourage broader adoption of antivirus protection across the consumer audience, which in turn will help increase security across the entire Windows ecosystem.”

And today, helping increase security across the Windows ecosystem is exactly what we are doing.

According to the Microsoft Malware Protection Center (MMPC), in addition to providing a no-cost security solution to tens of millions of customers that may not have been actively protected before, Microsoft Security Essentials detected nearly 400 million threats over the past year, with customers choosing to remove more than 366 million of those threats. For more information about the specific threat breakdown, please visit the MMPC Blog.

Other highlights from this past year include:

· Originally introduced in 8 languages and 19 countries around the world, Microsoft Security Essentials is currently available and supported in 25 languages and 74 countries globally.

· Microsoft Security Essentials is certified by two of the industry’s leading independent certification authorities: International Computer Security Association Labs (ICSA) and West Coast Labs. It also received the most recent VB100 Award as well as certification from AV-Test.

· Beginning in October Microsoft Security Essentials will be made available to small businesses on up to 10 PCs for free.

· Microsoft Security Essentials was made available for online partner distribution, as a pre-install on OEM PCs and for distribution by publications as covermount software.

· Microsoft Security Essentials received the PC Advisor Awards 2010 – Best Free Software award and is rated by Consumer Reports as a “Best Buy”.

As you can see, it’s been a pretty exciting year for Microsoft Security Essentials! And the fun doesn’t stop here…

Microsoft Security Essentials Coming Pre-installed on HP Envy Notebooks

Microsoft Security Essentials is currently available to consumers, and soon to small businesses on up to 10 PCs, as a download directly from Microsoft. But today we are thrilled to let you know that HP will be pre-installing Microsoft Security Essentials on the HP ENVY 14 series and the HP ENVY 14 Beats™ edition series PCs beginning today, so be sure to go check these out.

These PCs are stylish and feature powerful Intel® Core™ processors designed to fit the needs of a variety of consumers. In fact, Ben Rudolph (aka “Ben the PC Guy”) has taken the HP ENVY 14 Beats™ edition series for a test drive.  For more details on that please visit the Windows Experience Blog.

To learn more about Microsoft Security Essentials, please visit the Microsoft Security Essentials Web site.

So, Happy Birthday Microsoft Security Essentials! And thank you to our valued customers and partners for a very exciting year.

Cheers!

Eric and the entire Microsoft Security Essentials product team

Information about the new antivirus engine for Forefront and Antigen products

September 29th, 2010 No comments

Microsoft is upgrading the multi-engine protection in all Forefront server security products to support a newer version of the antivirus engine.  The newer version will provide customers with improved scanning times and reduced signature file size. The new engine replaces the older engine. 

This new engine publishes update files in a subdirectory – the first engine in the Forefront engine mix to do so.  In order to accommodate this new publishing model, Microsoft is releasing a series of roll-ups that will:

        Include the new antivirus engine

        Ensure that any engine that publishes update files in a subdirectory will update correctly

Customers must install the rollups by Jan. 31, 2011.

 

Krishnan Venkatasubramanian

Senior Program Manager, Forefront Server Protection

 

Microsoft Security Advisory (2416728): Vulnerability in ASP.NET Could Allow Information Disclosure – Version: 2.0

Revision Note: V2.0 (September 28, 2010): Advisory updated to reflect publication of security bulletin
Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-070 to address this issue. For more information about this issue, including download links for an available security update, please review MS10-070. The vulnerability addressed is the ASP.NET Padding Oracle Vulnerability – CVE-2010-3332.

New beta setting packs for Windows 7 and Internet Explorer 8

September 27th, 2010 No comments

The Solution Accelerators team is happy to announce the most recent additions to the Security Compliance Manager Baseline Beta Review Program: new setting packs for Windows 7 and Internet Explorer 8.
Join the Security Compliance Manager Baseline Beta…(read more)

How to View a Report in WACA?

September 24th, 2010 No comments

Web Application Configuration Analyzer v1.0 is the latest tool released by our team that scans a machine for deployment best practices. Here is how you can use this tool to view a scan report which provides resolution details for failed rules.

1. From the Launchpad screen, under the “Quick Actions” section, click the “View scan results” link, or go to the “File” menu and select “View scan results”. You can also get to this screen by clicking the “View Report” button after a scan, which automatically selects that scan for the report.

2. From the first drop-down box, select a server to view a scan result. The drop-down box lists all the server names for which results have been generated by the tool. Upon selecting a server name, the list box displays the scan dates and times, starting with the latest.

3. The report is divided into multiple sections; you can navigate to a section by clicking the links in the summary table. There are four sections in every report. The first is the Summary, which tells you about the machine and its specific attributes; it also serves as the index, letting you select a link to jump to a specific section. The next section is the General Application Rules, which lists all rules that apply to a machine regardless of the machine’s purpose. The next section contains the IIS Application Rules: if the machine is an IIS box, this section holds all the IIS security rules in one place. The last section is for SQL Server: if the machine is a SQL Server machine, all rules pertaining to SQL Server will be in this section.

4. The results of scanning a machine fall into one of four states: Passed, Failed, Indeterminate and Not Applicable. Passed indicates the rule was tested and, based on WACA’s scan discovery, the rule passed. Failed indicates the rule was tested and failed. Not Applicable is used when a specific application such as IIS or SQL Server is not present on the target machine. Indeterminate is applied when a rule cannot find the underlying data it needs because the information required to process the rule is missing. For example, Indeterminate could be returned for the “Unnecessary service (Alerter) is not running” rule if the service itself is not present on the target machine. Investigate indeterminate rules using the descriptions and resolutions in the Excel export.

5. Severity and resolution provide additional context to the rule and only failed rules include resolutions to fix the violation. Context may determine whether a failure in WACA is a bug to be fixed. Some checks, for example, are applicable for servers facing the extranet, but would be considered false positives for any other environment. The description for the checks provides guidance for these scenarios.

6. Exporting to Excel and using the Filter feature can help with quickly identifying and managing failures.

Thanks
Anil RV
