Archive for August, 2012

Fraud alert: Election scams

August 31st, 2012

Cybercriminals are nothing if not timely. Whatever’s in the news, you can expect to see a phishing scam to follow.

Since it’s election season in the United States, we’ve started to spot scams that attempt to lure unsuspecting voters into fraudulent transactions. The Better Business Bureau warns consumers of text messages and social media postings that claim (among other things) that President Obama will pay your utility bill. They say you only need to provide your social security number.  

Don’t do it.

We agree with the Better Business Bureau that you should never provide your social security number, banking information, or credit card number over the phone. The same goes for offering this information over email, in a text message, or on a social networking site. If you want to donate to a political campaign, learn how to avoid donation scams.

Get more tips on how to recognize and avoid scam emails and websites. Also, learn how to help protect yourself from phishing scams.

Categories: fraud, phishing

A technical analysis on CVE-2012-1535 Adobe Flash Player vulnerability: Part 2

August 31st, 2012

Part 1 of this blog described and analyzed the CVE-2012-1535 vulnerability in Adobe Flash Player. Here, we describe the fixes and mitigations that can be employed for this and similar exploits.

Fixes and mitigations

To avoid being vulnerable, you need to update Adobe Flash Player to the latest release from here. Recent versions of Adobe Flash Player offer a Background Updater feature, which you should enable. To protect users from immediate, zero-day vulnerabilities, Adobe provides security updates automatically, in the background, to users who have enabled the background update feature. For more information on Background Updater and to determine whether it is enabled on your machine, you can read this article.

Updating is the best option for protecting yourself from this threat, but there are also some good mitigation methods available. The malicious SWF file is delivered through Microsoft Word and the SWF content is rendered through the Adobe Flash Player ActiveX control, so you can use the security settings of Microsoft Office to mitigate this threat. What follows is a list of techniques for mitigating threats delivered through Microsoft Office files.

The mitigation techniques we are talking about here are recommended even with Adobe Flash Player updates, for two main reasons.

First, there are other threats that can be delivered through Microsoft Office. Because Microsoft Office supports ActiveX control embedding, this is sometimes used to deliver malicious content. These mitigation techniques are effective against some of those threats.

The second reason for using these mitigation techniques is that they can be very effective in preventing possible 0-days that rely on exploiting memory corruption issues. But you should not rely solely on these mitigation methods to prevent malware infections; they can't replace keeping your software up to date.

There are 3 options we are showing here. Protected View is only available with Office 2010, but ActiveX Settings can be used on both Office 2007 and Office 2010. EMET is more of a general solution on the Windows platform; you can set the mitigation configuration for Office binaries using this tool.

Mitigation Methods    Office 2007    Office 2010
Protected View        No             Yes
ActiveX Settings      Yes            Yes
EMET                  Yes            Yes

Table 1: Mitigation methods for Office 2007, 2010

Using Protected View

By default, if a document comes from the Internet, it is opened in Protected View in Microsoft Office 2010. In this mode, ActiveX is disabled and some settings like DEP are enabled, which is effective in mitigating some memory corruption vulnerabilities. As Adobe Flash Player content inside Microsoft Word is rendered through the Adobe Flash Player ActiveX control, disabling ActiveX mitigates SWF malware delivered through Microsoft Office files. For detailed information on Protected View, you can read this article.

Opening documents in Protected View manually 

Protected View doesn’t kick in when the document is opened from a local folder. In that case you can manually open those documents in Protected View by using the “Open” dialog in Microsoft Word. This is good practice when you’re opening documents passed from an untrusted source.

Figure 4: Opening a potentially malicious document using Protected View

Setting Protected View as the default mode

You can also set Protected View as the default setting for opening some Office document types. Use File -> Options -> Trust Center -> Trust Center Settings to open the Trust Center dialog box shown in Figure 5, then choose “File Block Settings” to change the settings.

Figure 5: Setting Protected View as the default mode according to file types

Strict ActiveX settings

For Office 2007 and Office 2010, you can also disable ActiveX controls under ActiveX Settings in the “Trust Center” settings. This prevents Microsoft Office from loading the Adobe Flash Player ActiveX control, and it is very effective in mitigating any exploits that depend on ActiveX controls. You can still use the prompt options, but in that case there is some chance that users will allow the rendering of ActiveX content by mistake.

Figure 6: Disable ActiveX Controls

Use EMET

Another good option is EMET, a tool that configures mitigation methods for specific binaries on the system. To enable all mitigation methods for the Microsoft Word binary, you can add a rule like the one shown in Figure 7.

Figure 7: Enabling mitigations for “WINWORD.EXE” binary

For this specific malware, we found EMET was very effective in mitigating exploit attempts. The malware could have been blocked by using 3 different mitigation methods (DEP, EAF, HeapSpray). You can extend these settings to other application binaries depending on your needs.

Conclusion

Recently, Adobe Flash Player vulnerabilities have been used in targeted attacks. In many cases, the malicious SWF files are delivered through Microsoft Office files. In this case, the vulnerability was a memory corruption issue in font format parsing code, and a variety of mitigation options could have prevented the exploit code from succeeding. The best option is keeping your software up to date. But by using mitigation techniques, you also gain protection against possible 0-days in the future.

 

Acknowledgement

Thanks to Elia Florio, MSRC Engineering, for providing detailed information on mitigation technology.

 

Jeong Wook (Matt) Oh
MMPC

Categories: Uncategorized

Protecting yourself from CVE-2012-4681 Java exploits

August 30th, 2012

As we’ve discussed in previous posts, we are seeing more malware abusing Java issues, including CVE-2012-4681. Currently this vulnerability is a 0-day, and to date there is no patch available from the vendor. JRE (Java Runtime Environment) 7 is known to be vulnerable to this sandbox-breach vulnerability, while JRE 6 is not. We’ve already talked about increasing your protection from Java malware in general, whether by checking that your Java installation is up to date or, if you so choose, by disabling the Java plug-in for your browser. In the case of malware exploiting CVE-2012-4681, updating to the latest version doesn’t increase one’s protection from the issue.

If, after evaluating the available information on current threats, you decide that disabling the Java web plug-in is the right choice for you, we have step-by-step instructions for doing so in Knowledge Base article 2751647. Note that because Java can be invoked in two different ways by Internet Explorer, the KB article includes two sets of instructions – one for the applet object and one for the Java Virtual Machine object. Customers looking to fully disable the plug-in should configure both security controls. If you prefer to undertake these changes by running a script, we’ve written one that encompasses both sets of steps, and that is available here.

 

Update 08/30/2012 PST: Java released an update that addresses the vulnerability discussed here; you can download the update from here.

It may be necessary to remove older versions of Java that are still present. Keeping old and insecure versions of Java on your system presents a serious security risk. To read more about why you should remove older versions of Java, see the advice here.

 

Jeong Wook (Matt) Oh
MMPC

Categories: Uncategorized

Privacy in Outlook.com

August 29th, 2012

If you use Hotmail, you might have seen a message that says your mailbox can be upgraded to Outlook.com. In addition to a new look and feel and tools to help you be more productive, Outlook.com offers more privacy. You’re in control of your data, and your personal conversations aren’t used for ads.

We don’t scan your email content or attachments and sell this information to advertisers or any other company. You decide whether to connect your account to any social networks, and you’re in control of who you friend or follow. 

For more information, see Outlook.com privacy: frequently asked questions.

Categories: Microsoft, Outlook.com, privacy

A technical analysis on CVE-2012-1535 Adobe Flash Player vulnerability: Part 1

August 29th, 2012

This post is part one of two.

On August 14th, Adobe released a fix and an advisory for a vulnerability (CVE-2012-1535) in Adobe Flash Player. On Windows systems, Adobe Flash Player 11.3.300.270 and earlier versions are vulnerable. The advisory notes that this vulnerability has been used for targeted attacks.

We analyzed a sample with a SHA1 of 04804912C34E91B68222E27C3EF54A2FB9628DEA that we detect as Exploit:SWF/CVE-2012-1535.A. We’ve observed a small number of attacks using this vulnerability in the wild.

Vulnerability detail

The vulnerability is a typical integer overflow issue in the parsing routine for embedded fonts with CFF (Compact Font Format) format inside a SWF file. The integer overflow leads to corruption of the internal data structure of the process. This font data was modified from legitimate fonts and made malicious. We found many modifications were made to the font table data.  
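As an added illustration (not code from the original post and not Adobe’s parser), the following C snippet shows the kind of length arithmetic a CFF parser performs on an INDEX structure and the checks that keep it from wrapping or underflowing. The post does not say which CFF field the real bug is in, so the INDEX layout, the sample bytes and the function names here are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parsed view of one CFF INDEX (count, offSize, offset[count+1], data). */
typedef struct {
    uint16_t count;          /* number of objects in the INDEX */
    uint8_t  off_size;       /* bytes per offset entry, 1..4 */
    const uint8_t *offsets;  /* count+1 big-endian offsets, 1-based */
    const uint8_t *data;     /* start of the object data area */
    size_t data_len;         /* bytes of object data actually covered */
    size_t total_len;        /* bytes consumed by the whole INDEX */
} cff_index_t;

/* Read an n-byte big-endian unsigned integer (n <= 4). */
static uint32_t read_be(const uint8_t *p, unsigned n) {
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++) v = (v << 8) | p[i];
    return v;
}

/* Parse an INDEX at buf[0..len). Returns 0 on success, -1 on any
 * structural error. Every size computed here is checked against the
 * bytes that are actually present before it is used. */
int cff_index_parse(const uint8_t *buf, size_t len, cff_index_t *out) {
    if (len < 2) return -1;
    memset(out, 0, sizeof *out);
    uint16_t count = (uint16_t)read_be(buf, 2);
    if (count == 0) {                 /* an empty INDEX is just the count */
        out->total_len = 2;
        return 0;
    }
    if (len < 3) return -1;
    uint8_t off_size = buf[2];
    if (off_size < 1 || off_size > 4) return -1;

    /* Offset table size. Computed in size_t so (count+1)*off_size cannot
     * wrap the way it would in a 16-bit intermediate, then bounds-checked. */
    size_t table_len = ((size_t)count + 1) * off_size;
    if (len - 3 < table_len) return -1;
    const uint8_t *offsets = buf + 3;
    size_t data_avail = len - 3 - table_len;

    /* Offsets are 1-based and must never decrease: a naive
     * "length = offset[i+1] - offset[i]" on a decreasing pair underflows
     * to a huge unsigned value and drives whatever copy follows it. */
    if (read_be(offsets, off_size) != 1) return -1;
    uint32_t prev = 1;
    for (size_t i = 1; i <= count; i++) {
        uint32_t cur = read_be(offsets + i * off_size, off_size);
        if (cur < prev) return -1;
        prev = cur;
    }
    size_t data_len = (size_t)prev - 1;      /* last offset bounds the data */
    if (data_len > data_avail) return -1;    /* the data must really be there */

    out->count = count;
    out->off_size = off_size;
    out->offsets = offsets;
    out->data = offsets + table_len;
    out->data_len = data_len;
    out->total_len = 3 + table_len + data_len;
    return 0;
}

/* Return object i (0-based) and its length, or NULL if i is out of range.
 * The subtraction is safe only because parse already verified end >= start. */
const uint8_t *cff_index_get(const cff_index_t *idx, size_t i, size_t *obj_len) {
    if (i >= idx->count) return NULL;
    uint32_t start = read_be(idx->offsets + i * idx->off_size, idx->off_size);
    uint32_t end   = read_be(idx->offsets + (i + 1) * idx->off_size, idx->off_size);
    *obj_len = end - start;
    return idx->data + (start - 1);
}

/* Constructed samples (not taken from the real exploit):
 * GOOD_INDEX holds two objects, "abc" and "de".
 * BAD_BACKWARD has offsets 1,4,2: the second object's length would
 *   underflow in an unchecked parser.
 * BAD_SHORT claims 65535 four-byte offsets inside a 7-byte buffer. */
static const uint8_t GOOD_INDEX[]   = {0x00,0x02, 0x01, 0x01,0x04,0x06, 'a','b','c','d','e'};
static const uint8_t BAD_BACKWARD[] = {0x00,0x02, 0x01, 0x01,0x04,0x02, 'a','b','c'};
static const uint8_t BAD_SHORT[]    = {0xFF,0xFF, 0x04, 0x00,0x00,0x00,0x01};

int main(void) {
    cff_index_t idx;
    size_t n;
    if (cff_index_parse(GOOD_INDEX, sizeof GOOD_INDEX, &idx) == 0) {
        for (size_t i = 0; i < idx.count; i++) {
            const uint8_t *p = cff_index_get(&idx, i, &n);
            printf("object %zu: %zu bytes: %.*s\n", i, n, (int)n, (const char *)p);
        }
    }
    printf("backward offsets rejected: %d\n",
           cff_index_parse(BAD_BACKWARD, sizeof BAD_BACKWARD, &idx) == -1);
    printf("short buffer rejected: %d\n",
           cff_index_parse(BAD_SHORT, sizeof BAD_SHORT, &idx) == -1);
    return 0;
}
```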

Figure 1: Part of the malicious DefineFont4 record

The font is used in ActionScript code like that shown in Figure 2. The code tries to render text on the Adobe Flash Player control using the malicious font data. The ActionScript code itself is not malicious at all, but this routine is used to trigger the vulnerable condition caused by the malicious font data. So unlike many other Adobe Flash Player vulnerabilities, there is no problem with the AVM2 bytecode itself.

Figure 2: The code that triggers the vulnerability

From our observations, the attackers use a heap spray technique to turn this memory corruption issue into code execution. The heap spray routine is shown below.

Figure 3: Heap spray routine

This malicious SWF content was delivered through Microsoft Word documents, but no Microsoft Word vulnerability is involved in the exploitation process. As Microsoft Word supports embedding SWF content, users are advised to be careful when opening Microsoft Word documents from unknown sources. However, Microsoft Word documents are not the only way in which this attack can be delivered; it is possible for this threat to be delivered via other methods.

The shellcode runs from the heap spray area and searches through open file handles to find the handle of the currently open Word document. It then searches for payload data inside that file and drops the data into a temporary folder. The shellcode then runs the dropped file using the WinExec API. After that it displays a harmless Microsoft Word document to avoid making the user suspicious. This is very typical behavior where exploitation occurs through Word documents.

Part 2 of this blog will describe the fixes and mitigations for this exploit.

 

Acknowledgement

Thanks to Elia Florio, MSRC Engineering, for providing detailed information on mitigation technology.

 

Jeong Wook (Matt) Oh
MMPC

 

 

Categories: Uncategorized

Sent Items delayed when publishing Outlook Anywhere through TMG

August 27th, 2012

 

Problem

When publishing Exchange 2010 “Outlook Anywhere” via TMG 2010, you may find that some of your external Outlook users may intermittently experience issues sending email. They may report, when sending a new email, that the email may get “stuck” in the Outbox folder. The users may find that the email will be sent after a random number of minutes…or not at all.  Forcing a Send and Receive does not help. However, they may find that if they close and restart the Outlook client, the items are then sent.

The difficulty in troubleshooting this problem is that none of the endpoints in question log any relevant error messages. Neither the Outlook client, TMG nor the Exchange CAS server logs any events or errors that appear relevant to the issue.

Explanation

This turns out to be a timing issue which can result in ‘orphaned’ TCP connections. The Outlook client has a default RPC timeout of 12 minutes. The server to client default RPC timeout is 15 minutes.

In a publishing scenario that allows access from external clients, it’s not unusual to have a number of different network devices between the Outlook client and the internal Exchange CAS servers. If the TCP connection timeout of one or more of these devices is sufficiently low, the TCP connection may be dropped by the device, causing the RPC connections between the Outlook client and the Exchange CAS server to drop. In our scenario, the device we’re interested in is TMG.

A TMG SP2 server has a default TCP keepalive value of 5 minutes. Therefore, it’s possible that TMG may drop the RPC connection from an ‘idle’ Outlook Anywhere client.

More information

The registry value that controls the Exchange RPC Proxy connection timeout is:

HKLM\Software\Policies\Microsoft\Windows NT\Rpc\MinimumConnectionTimeout

The TMG server’s registry value that controls the TCP/IP keepalive time is:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime

NOTE: The value of MinimumConnectionTimeout is specified in seconds and the value of KeepAliveTime is specified in milliseconds.

Resolution

Decrease the Exchange CAS servers’ RPC Proxy timeout to be less than the TMG servers’ TCP keepalive time. As the default TCP keepalive value on TMG is 5 minutes, you can configure the CAS servers’ RPC Proxy timeout to 3 minutes (180 seconds) as follows:

HKLM\Software\Policies\Microsoft\Windows NT\Rpc\MinimumConnectionTimeout DWORD 0x000000b4 (180)

NOTE: The MinimumConnectionTimeout registry value does not exist by default. You’ll need to create it if it doesn’t exist in this location. Also note that adding and/or editing this registry value will require a reboot of the Exchange CAS server.

Don’t forget to check other devices on the network and make sure they do not have TCP timeout settings that might be lower than your newly configured RPC Proxy MinimumConnectionTimeout values.

Author

Richard Barker

Sr. Security Support Escalation Engineer

Microsoft CSS Forefront Edge Team

Categories: Uncategorized

KB: Browser returns error code 37 when accessing an Apache site via Unified Access Gateway using HTTP 1.0

August 27th, 2012

Here’s a new Knowledge Base article we published. This one talks about an issue where an Internet browser returns error code 37 when accessing a site via Microsoft Forefront Unified Access Gateway using HTTP 1.0.

=====

Symptom

Consider the following scenario:

1. An Apache-based application is published by Microsoft Forefront Unified Access Gateway 2010 (UAG) using the "Other Web Application" template.
2. A user attempts to access the application from a browser that uses HTTP/1.0.

In this scenario, the backend application will reply back with “connection: close” and will terminate the SSL connection with close_notify. UAG, instead of sending that reply back to the client, will either send back a 500.htm error or Error 37: "An unknown error occurred while processing the certificate".

Cause

UAG does not support a client browser sending HTTP 1.0 to an Apache backend when the Apache server is set up to use HTTP 1.0.

Resolution

To work around this issue, enable HTTP 1.1 on the client browsers.

=====

For the most current version of this article please see the following:

2678886 – Browser returns error code 37 when accessing an Apache site via Unified Access Gateway using HTTP 1.0

J.C. Hornbeck | Knowledge Engineer | Management and Security Division

App-V Team blog: http://blogs.technet.com/appv/
ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/
DPM Team blog: http://blogs.technet.com/dpm/
MED-V Team blog: http://blogs.technet.com/medv/
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
SCVMM Team blog: http://blogs.technet.com/scvmm
Server App-V Team blog: http://blogs.technet.com/b/serverappv
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center Essentials Team blog: http://blogs.technet.com/b/systemcenteressentials
WSUS Support Team blog: http://blogs.technet.com/sus/

The Forefront Server Protection blog: http://blogs.technet.com/b/fss/
The Forefront Endpoint Security blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

Categories: Uncategorized

Fraud alert: Microsoft Digital Crimes Unit scam

August 24th, 2012 No comments

We’ve received reports about a new phishing scam email that tells “email users across the world” to validate their email account or it will be deleted from “the world email server.”

This email is fake, but it does use the official logo of the Microsoft Digital Crimes Unit (DCU). The Microsoft DCU is a real worldwide team of lawyers, investigators, technical analysts, and other specialists partnering internationally to disrupt cybercrime and transform the fight against digital crime to make the world safer.

If you receive an email like this you can ignore it and delete it. You can also report it.

This email contains three of the common signs of a scam:

  • Impersonation of a well-known company or organization
  • Time-sensitive threats to delete your account
  • Requests to click a link in an email

Get more information on how to recognize phishing email messages, links, or phone calls.

The role of ‘agent’ as part of distribution channel decision

August 24th, 2012 No comments

In a recent blog post, we pointed out a trend we described as economies of scale in cross-platform vulnerabilities. We noted that this method of distribution allows the attacker to maximize their potential impact on multiple platforms. In this context, we would like to take this discussion further and explain the ways platform specific payloads are carried to targets or victims.

The threat landscape, and the relationship between attacker and victim within the digital distribution space, is widely governed by a supply chain mechanism called ‘push and pull’. As illustrated in the diagram above, the attacker uses a pull strategy by utilizing online technologies to their advantage and replaces or takes over a legitimate seller offering in order to reach a target. The innocent user participates unknowingly, unaware that the supply chain is compromised, and easily falls prey to the attack. The targeted user pulls pages and/or products from the attacker’s distribution channel, consequently leading to the successful installation of malware; this relationship is observed in many facets of malware infection.

In the case of a cross-platform offering, the attacker uses a decision agent to pick the package or software appropriate for its target. When the victim pulls pages or content from the attacker’s distribution channel, the agent reads the information the browser supplies (typically its User-Agent string) and the decision is made on the victim’s behalf: the appropriate package or software is identified automatically, without asking the user.

However, in the recent event described, we observed that the delivery of malicious code through vulnerabilities in Java employs a decision agent as part of a cross-platform attack. As shown in the timeline below, we first noticed this feature used in a Java vulnerability referred to as CVE-2011-3544. It was followed last month by the use of a Java Signed Applet attack – a form of social engineering where the user is lured to accept a signed Java applet and thereafter allows the attacker to run any payload.

We further observed that the decision agent may also act as a loader and carry out specific tasks, such as pulling content from the attacker’s distribution channel or simply locating a file within its own container to load or install onto the victim’s machine (note that the payload may be encrypted, which helps it evade detection).
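The behaviour described above, a payload chosen per platform from the client’s User-Agent, leaves a trace in outbound proxy logs: one host handing a different executable format to clients on different platforms. The following detection script is an added example, not code from the original post or from MMPC. It assumes a constructed log format of the form `<timestamp> <client-ip> "<user-agent>" <url> <status> <content-type>` and a small table of content types that denote executables; the log lines, host names and content types are all made up for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Platform guessed from the User-Agent string, the same signal a decision
# agent uses to pick a per-platform package on the victim's behalf.
def platform_from_ua(ua):
    ua = ua.lower()
    if "windows" in ua:
        return "windows"
    if "mac os x" in ua or "macintosh" in ua:
        return "macos"
    if "android" in ua:
        return "android"
    if "linux" in ua or "x11" in ua:
        return "linux"
    return "other"

# Response content types that mean an executable (native or bytecode) was served.
EXECUTABLE_TYPES = {
    "application/x-msdownload": "win-pe",
    "application/x-dosexec": "win-pe",
    "application/x-mach-binary": "mach-o",
    "application/x-apple-diskimage": "dmg",
    "application/x-executable": "elf",
    "application/java-archive": "jar",
}

# Constructed proxy-log format (assumption, not a real product's format):
# <timestamp> <client-ip> "<user-agent>" <url> <status> <content-type>
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) "(?P<ua>[^"]*)" '
                    r'(?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$')

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_decision_agents(lines):
    """Map host -> {platform: sorted executable kinds} for every host that
    handed a different mix of executable formats to clients on different
    platforms, i.e. something on that host chose the payload by platform."""
    per_host = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue
        kind = EXECUTABLE_TYPES.get(rec["ctype"].split(";")[0].lower())
        if kind is None:
            continue
        host = urlsplit(rec["url"]).netloc
        per_host[host][platform_from_ua(rec["ua"])].add(kind)
    flagged = {}
    for host, by_platform in per_host.items():
        mixes = {frozenset(kinds) for kinds in by_platform.values()}
        if len(by_platform) >= 2 and len(mixes) >= 2:   # platforms received different things
            flagged[host] = {p: sorted(k) for p, k in by_platform.items()}
    return flagged

# Constructed sample: update-cdn.example serves the same JAR loader to every
# client, then a PE to the Windows client and a Mach-O to the Mac client;
# dl.vendor.example serves one installer to everybody and is not flagged.
SAMPLE_LOG = """\
2012-08-20T10:01:02Z 10.0.0.5 "Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1" http://update-cdn.example/java/loader.jar 200 application/java-archive
2012-08-20T10:01:03Z 10.0.0.5 "Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1" http://update-cdn.example/pkg/update.exe 200 application/x-msdownload
2012-08-20T10:04:10Z 10.0.0.9 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 Safari/534.57.2" http://update-cdn.example/java/loader.jar 200 application/java-archive
2012-08-20T10:04:11Z 10.0.0.9 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 Safari/534.57.2" http://update-cdn.example/pkg/update 200 application/x-mach-binary
2012-08-20T10:07:30Z 10.0.0.12 "Mozilla/5.0 (Windows NT 6.1) Chrome/21.0.1180.79 Safari/537.1" http://dl.vendor.example/tools/setup.exe 200 application/x-msdownload
2012-08-20T10:08:15Z 10.0.0.7 "Mozilla/5.0 (X11; Linux x86_64) Chrome/21.0.1180.79 Safari/537.1" http://dl.vendor.example/tools/setup.exe 200 application/x-msdownload
"""

if __name__ == "__main__":
    for host, by_platform in find_decision_agents(SAMPLE_LOG.splitlines()).items():
        print(host, by_platform)
```

Grouping is by host rather than by URL because the per-platform payloads usually live at different paths, as in the sample; a legitimate download site that serves the same installer to every platform produces a single mix and stays unflagged, while a host whose mix changes with the client platform is worth a closer look.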

While what we have described here is based on and limited to samples we have handled and processed, this observation gives us an opportunity to understand the role of agent as part of the distribution channel decision, and moving forward, the likelihood of the appearance of intelligent agents carrying out attacks within compromised networks.

We would like to reiterate that this type of attack highlights the importance of keeping security software signatures up to date, and of ensuring that the operating system and third-party applications are always updated, to reduce the risk of malware infection. This best practice must extend to all devices and platforms, especially those in large enterprise networks.

 

Methusela Cebrian Ferrer
MMPC Melbourne

Categories: Uncategorized Tags:

Avoid scam phone calls

August 22nd, 2012 No comments

Gabby writes:

I just wanted to let you know that I received a phone call this evening from a guy called “Daniel” from “Technical Maintenance of Microsoft Windows.” He said that Microsoft had received error messages from my computer and he asked me to turn my computer on and follow his directions to fix this. I told him that I would sort it out myself and hung up on him.

That sounds like a typical tech support phone scam that cybercriminals use to:

  • Trick you into downloading malicious software.
  • Take control of your computer remotely and adjust settings to leave your computer vulnerable.
  • Request credit card information so they can bill you for phony services.

Gabby did the right thing by hanging up on “Daniel.” For more information, see Avoid tech support phone scams.

 

An enterprise node is incorrectly added in the Forefront TMG 2010 MMC after you run repair on Forefront TMG 2010 SP1 Update 1

August 22nd, 2012 No comments

Microsoft’s own Junaid Jan (Security Support Escalation Engineer – Forefront Edge Team) recently wrote a great article in our TechNet Wiki about an issue where an enterprise node is incorrectly added in the Forefront TMG 2010 management console after you run a repair on Forefront TMG 2010 SP1 Update 1. When this happens, you won’t be able to add that server to an array because the console thinks it’s already part of one. To fix it, install TMG 2010 SP1 Update 1 Rollup 3 and then run a script.

For all the details, including a link to the update and his script see the following:

An enterprise node is incorrectly added in the Forefront TMG 2010 MMC after you run repair on Forefront TMG 2010 SP1 Update 1 (http://social.technet.microsoft.com/wiki/contents/articles/13053.an-enterprise-node-is-incorrectly-added-in-the-forefront-tmg-2010-mmc-after-you-run-repair-on-forefront-tmg-2010-sp1-update-1.aspx)

J.C. Hornbeck | Knowledge Engineer | Management and Security Division


Categories: Uncategorized Tags:

There’s nothing old school about viruses

August 22nd, 2012 No comments

Recently, we discovered a new parasitic infection virus in the wild – Win32/Floxif – which specifically targets DLL files. Most of the attacks of this threat have been observed to come from a specific geographic region.

Win32/Floxif replaces 5 bytes at the entry point of the infected file with a jmp instruction, which jumps directly to the virus body (as shown in Figure 1):

[Figure 1 (floxif1.jpg, floxif2.jpg): the virus replaces 5 bytes at the entry point with a jmp to the virus body]

The virus body drops a malicious file under the deceptive name "%Program Files%\Common Files\System\symsrv.dll" and then calls the export function FloodFix of the dropped DLL. The rest of the work is done in that export, as follows:

  1. Restore the stolen code (the 5 bytes at the entry point and another code chunk overwritten by the virus) in the host file
  2. Process the relocation table for the host file (the virus removes the relocation directory entry from the PE header during infection, so the Windows loader no longer applies relocations and FloodFix has to do it)
  3. Pass control back to the host file

Win32/Floxif adopts 2 different infection strategies to choose the DLL to infect:

  1. Enumerate the loaded DLL files in the running processes
  2. Blanket search for all the DLL files on all drives

In both cases, DLL files under %windows% directory are avoided.
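Two of the infection marks described above are cheap to check statically: the first instruction at the entry point is a 5-byte `jmp` that leaves the entry section for a section appended at the end of the image, and a DLL that no longer has a base relocation directory. The checker below is an added example, not MMPC code or a Win32/Floxif detection signature; it parses the PE32 headers with the standard library only and runs on two constructed in-memory fixtures (a clean DLL and an "infected" twin built to show exactly those two marks), so section names, bytes and layout are invented for the demonstration. The same `entrypoint_indicators` function works on a real file read from disk.

```python
import struct

IMAGE_FILE_DLL = 0x2000
SCN_CODE_EXEC = 0x60000020   # IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ
SCN_DATA_READ = 0x42000040   # IMAGE_SCN_CNT_INITIALIZED_DATA | MEM_DISCARDABLE | MEM_READ


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe32(sections, entry_rva, is_dll=True, has_relocs=True):
    """Constructed PE32 fixture; sections is a list of (name, rva, body, flags)."""
    e_lfanew, opt_size = 0x40, 224
    raw_ptr = _align(e_lfanew + 4 + 20 + opt_size + 40 * len(sections), 0x200)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                           # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x10000000, 0x1000, 0x200)         # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, sections[-1][1] + 0x1000, raw_ptr)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                                  # NumberOfRvaAndSizes
    hdrs, raw, ptr = b"", b"", raw_ptr
    for name, rva, body, flags in sections:
        if has_relocs and name == b".reloc":
            struct.pack_into("<II", opt, 96 + 5 * 8, rva, len(body))     # base-reloc data directory
        rawsize = _align(len(body), 0x200)
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(body), rva, rawsize, ptr, 0, 0, 0, 0, flags)
        raw += body.ljust(rawsize, b"\0")
        ptr += rawsize
    return (dos + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(raw_ptr, b"\0") + raw


def parse_pe(data):
    """Minimal PE header parse: DLL flag, entry RVA, reloc directory, sections."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec, = struct.unpack_from("<H", data, coff + 2)
    opt_size, chars = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    entry, = struct.unpack_from("<I", data, opt + 16)
    dirs = opt + (96 if magic == 0x10B else 112)            # PE32 vs PE32+ directory offset
    reloc = struct.unpack_from("<II", data, dirs + 5 * 8)   # IMAGE_DIRECTORY_ENTRY_BASERELOC
    secs = []
    for i in range(nsec):
        off = opt + opt_size + i * 40
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        secs.append({"name": name.rstrip(b"\0").decode(), "va": va,
                     "size": max(vsize, rawsize), "rawptr": rawptr})
    return {"is_dll": bool(chars & IMAGE_FILE_DLL), "entry": entry, "reloc": reloc, "sections": secs}


def section_index(pe, rva):
    for i, s in enumerate(pe["sections"]):
        if s["va"] <= rva < s["va"] + s["size"]:
            return i
    return None


def entrypoint_indicators(data):
    """Return the Floxif-style infection marks found in a PE image (empty if none)."""
    pe, hits = parse_pe(data), []
    ep = pe["entry"]
    src = section_index(pe, ep)
    if src is None:
        return ["entry point lies outside every section"]
    s = pe["sections"][src]
    first5 = data[s["rawptr"] + (ep - s["va"]):][:5]
    if len(first5) == 5 and first5[0] == 0xE9:              # JMP rel32 as the very first instruction
        target = (ep + 5 + struct.unpack_from("<i", first5, 1)[0]) & 0xFFFFFFFF
        dst = section_index(pe, target)
        if dst is None:
            hits.append("entry JMP targets RVA 0x%x outside the image" % target)
        elif dst != src:
            hits.append("entry JMP leaves %s for %s" % (s["name"], pe["sections"][dst]["name"]))
            if dst == len(pe["sections"]) - 1:
                hits.append("JMP target is the last section (typical of an appended virus body)")
    if pe["is_dll"] and pe["reloc"] == (0, 0):
        hits.append("DLL without a base relocation directory")
    return hits


# Constructed fixtures, not real Floxif samples.  The clean DLL starts with an
# ordinary prologue; its infected twin has the first 5 entry bytes overwritten by
# a JMP into an appended section (name arbitrary) and the reloc directory zeroed.
TEXT_RVA, RELOC_RVA, BODY_RVA = 0x1000, 0x2000, 0x3000
PROLOGUE = bytes.fromhex("558bec83ec10") + b"\x33\xc0\xc9\xc3"          # push ebp; mov ebp,esp; sub esp,10h; xor eax,eax; leave; ret
RELOC_BLOCK = struct.pack("<II", TEXT_RVA, 12) + b"\x04\x30\x00\x00"    # one IMAGE_BASE_RELOCATION block
JMP_TO_BODY = b"\xE9" + struct.pack("<i", BODY_RVA - (TEXT_RVA + 5))
VIRUS_BODY = b"\x60" + b"\x90" * 31                                      # placeholder body: pushad + nops

CLEAN_DLL = build_pe32([(b".text", TEXT_RVA, PROLOGUE, SCN_CODE_EXEC),
                        (b".reloc", RELOC_RVA, RELOC_BLOCK, SCN_DATA_READ)], TEXT_RVA)
INFECTED_DLL = build_pe32([(b".text", TEXT_RVA, JMP_TO_BODY + PROLOGUE[5:], SCN_CODE_EXEC),
                           (b".reloc", RELOC_RVA, RELOC_BLOCK, SCN_DATA_READ),
                           (b".vbody", BODY_RVA, VIRUS_BODY, SCN_CODE_EXEC)], TEXT_RVA, has_relocs=False)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_DLL), ("infected", INFECTED_DLL)):
        print(label, entrypoint_indicators(image) or ["no indicators"])
```

Neither mark is proof on its own: packers and some linkers also start with a `jmp`, and an executable built without relocations is legitimate, which is why the check keys on the DLL flag (DLLs are normally rebased and need relocations). Treat a hit as a reason to pull the file for closer analysis, for instance confirming the dropped symsrv.dll and the FloodFix export, rather than as a verdict.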

Below is a list of the top 10 reported infected DLL files in our telemetry:

  1. jvm.dll
  2. MSVCR71.DLL
  3. awt.dll
  4. jqs_plugin.dll
  5. ZipLib.dll
  6. WSignature.dll
  7. xappex.1.1.1.38.(919).dll
  8. MSVCR100.dll
  9. msoxmlmf.dll
  10. XLUE.dll

Win32/Floxif downloads an encrypted PE file and executes it. The downloaded file is detected as Trojan:Win32/Plexardu.A.

Chun Feng
MMPC Melbourne

Categories: Uncategorized Tags:

Windows Azure Host Updates: Why, When, and How

August 22nd, 2012 No comments

Windows Azure’s compute platform, which includes Web Roles, Worker Roles, and Virtual Machines, is based on machine virtualization. It’s the deep access to the underlying operating system that makes Windows Azure’s Platform-as-a-Service (PaaS) uniquely…(read more)

Categories: Windows Azure Tags: