
Archive for December, 2011

December 2011 Out-Of-Band Bulletin Release: Q&A and Webcast

December 30th, 2011

Hello,

Today we published the December 2011 Out-of-Band Security Bulletin Webcast Questions & Answers page. We fielded 41 questions on the subject of MS11-100. Four questions raised during the webcast could not be answered on air; those questions and their answers are included on the Q&A page.

We invite our customers to join us for the next public webcast scheduled for Wednesday, January 11, 2012 at 11 a.m. PST (UTC -8), when we will go into detail about the January 2012 bulletin release and answer questions live on the air.

Customers can register to attend at the link below:
Date: Wednesday, January 11, 2012
Time: 11:00 a.m. PST (UTC -8)
Register: Attendee Registration

Thanks,
Pete Voss
Sr. Response Communications Manager
Microsoft Trustworthy Computing


December 2011 Out-Of-Band Security Bulletin Webcast Q&A

December 30th, 2011

Hosts: Jonathan Ness, Security Development Manager, MSRC
       Pete Voss, Sr. Response Communications Manager, Trustworthy Computing

Website: TechNet/Security

Chat Topic: December 2011 Out-Of-Band Security Bulletin Release

Date: Thursday, December 29, 2011

Q: How are Denial of Service, Tampering, Information Disclosure or Spoofing issues rated?
A: The Exploitability Index only attempts to rate vulnerabilities that can be leveraged for code execution. Vulnerabilities that could allow denial of service, tampering, information disclosure or spoofing will receive an Exploitability Index rating of “3.” The notes for that particular CVE will also reflect the nature of the vulnerability.

Q: One angle I’m interested in is those Microsoft products that might use forms authentication, such as Exchange 2010 or TMG 2010. If we’re using forms authentication there, does that mean we’re vulnerable?
A: Any products that are using ASP.NET forms authentication will be secured with this update. This includes SharePoint and Exchange, when they are using ASP.NET forms authentication. If these products are using a Forms Authentication module other than the one provided by ASP.NET, then the issue addressed in this bulletin does not apply to you.

Q: Why does Windows Update on Windows 2008 servers show this update, but the check-box next to it is un-checked? What is the difference between patches that are checked by default and those that are not checked?
A: In the case of “Important Updates”, an update that is in the “PENDING” state will be unchecked when you view it in Windows Update. This means it is already queued for downloading. You can manually override this and start the download by checking the box next to the update.

Q: Please confirm that if an IIS instance is installed that we are at risk for one of the CVEs and therefore we should patch ASAP. The assumption is that the server has IIS without .NET components.
A: By default, IIS is not installed with .NET and by default, .NET is not installed by ASP.NET. Customers would first need to have installed the .NET Framework with ASP.NET in order to be vulnerable to the vulnerabilities documented in MS11-100.

Q: What level of testing or specific tests is recommended for applications using ASP.NET? Is it highly likely that the hashing change will impact applications using the framework?
A: Microsoft recommends that customers test this update before deploying. There is a change in how forms authentication occurs, and it will require updates to be deployed at the same time across server environments. Click here for more about forms authentication.

Q: Can sample DoS requests be provided to allow us to understand what the DoS signature may look like so we can test the patch as well as monitor our production environments until the patching is completed?
A: For more technical information regarding MS11-100, please see the SRD blog, where we have shared a short signature detecting this issue.

Q: Is this critical to environments where there are no Internet-facing systems? And what if there is no IIS installed on the workstation — is it at risk?
A: Exploitation requires ASP.NET to be installed and exposed to input from unauthenticated users. Typically this is through IIS. If workstations do not have ASP.NET or IIS installed, then those systems are not exposed.

Q: In the Critical Elevation of Privilege, can the attacker elevate his privilege only if they have the username, without having the password? Can we have machines with the fix and without the fix working with each other?
A: Yes, the attacker only needs the username to carry out the attack. The fix involves changing the format of the forms authentication ticket, so that unpatched and patched machines cannot work with each other. So after patching you cannot have machines with the fix and without it working together, unless you set a configuration setting on the patched machines. For details, please read the FAQ for this CVE for more information on applying updates to web farms.

Q: For CVE-2011-3414, is there a requirement of authentication to exploit the DoS vulnerability successfully?
A: No, CVE-2011-3414 is an unauthenticated Denial of Service.

Q: What could be a potential impact on a server running IIS with custom code? In short, can this update cause a server or service to go down after installation? Do you have any suggestions on installation on web servers running custom code?
A: This update is specifically for ASP.NET, but the issue that was disclosed is an industry-wide issue concerning hash collisions. So, it is possible for your custom code to be affected, but you will need to investigate what kind of hash-tables your custom code uses and if it operates on untrusted user data.

Q: Is there a client-side patch that will protect users that fall for phishing attacks and visit websites that have not patched?
A: As clients are not affected by this server-side vulnerability, the security update needs to be installed on the server.

Q: If the main target is Internet facing systems with IIS & ASP.NET installed, should I concentrate on patching my webservers first before patching client systems?
A: Prioritization for this update would be specific to users’ environments, but servers that are internet-facing and accept input from unauthenticated or untrusted user-provided content are most affected and should be prioritized. Likewise, clients are typically not in a web server role, and so systems that are running a web server role should be prioritized.

Q: What steps can I take to reproduce and see if/how my site is affected, and so I can confirm the issue is gone after applying the patch?
A: For the protection of customers, Microsoft does not disclose proof of concept code (PoC). The technical details of this issue are however public.

Q: If Microsoft .NET Framework is installed on an IIS Server, does this mean that ASP.NET is also installed but possibly not enabled?
A: Whether you have the .NET Framework (and ASP.NET) installed on a machine will depend upon the specific OS platform. Windows Server 2008, Windows Server 2008 SP2, Windows Server 2008 R2 and Windows Server 2008 R2 SP1 all ship with the .NET Framework 2.0 or higher, which includes ASP.NET, and you should install the corresponding patches listed in the security bulletin. If you are using an older Server OS such as Windows Server 2003 SP2 x86, then that platform includes .NET Framework 1.1 SP1, and you should install the corresponding patch listed in the security bulletin.

Q: From a desktop browsing experience, this update will patch Windows XP, Vista and 7. If machines do not have IIS installed and enabled, as well as ASP.NET enabled, is the criticality of this update reduced? For example if the user goes to an internet site, would their desktop PC be vulnerable? It seems to be mostly if you have IIS and ASP.NET installed and acting as a web server.
A: If you have a client machine with no ASP.NET installed, then your desktop PC would not be vulnerable to the particular security issues that are being addressed in this update.

Q: ASP.NET has been identified for the DoS. How about classic ASP/ISAPI applications? Is it just a .NET hash-table issue? And has the Microsoft Foundation Class / ATL / Visual Basic 6.0 been checked?
A: This is an industry-wide issue that could affect a broad spectrum of technologies. Since ASP.NET was at the greatest risk because of the public disclosure, we have focused our efforts so far on making sure we secure ASP.NET. We are actively investigating other technologies where this could be vulnerable and so far we do not think that classic ASP is vulnerable. Information on other affected technologies will be revealed as the issue develops.

Q: So just to be clear, Exchange 2010 Outlook Web Access isn’t vulnerable to the privilege escalation? Just to the DoS?
A: OWA 2010 can be configured for forms-based authentication. Based on this, it should be considered vulnerable. If there is any doubt, Microsoft KB Article 2638420 discusses parameters you can check for to verify if an application is using forms auth. Specifically, to determine whether your application uses forms authentication, examine the System.web file. Applications that use forms authentication use the following entry in the System.web file: <authentication mode="Forms">
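To run the <authentication mode="Forms"> check across many sites instead of by eye, the following Python scans a web.config's system.web sections (including <location> overrides) and also reports whether the appSettings cap on form keys is present. This is an added example, not Microsoft's KB script: the appSettings key name aspnet:MaxHttpCollectionKeys is assumed here (the Q&A only calls it AppSettings.MaxHttpCollectionKeys), and the two sample configs are constructed.

```python
"""Audit an ASP.NET web.config for the two settings this Q&A points at.
Added example (not Microsoft's KB script). Assumed: the appSettings key for the
form-field cap is named 'aspnet:MaxHttpCollectionKeys'; the sample configs
below are constructed."""
from __future__ import annotations
import xml.etree.ElementTree as ET

MAX_KEYS_SETTING = "aspnet:MaxHttpCollectionKeys"  # assumed key name


def _children(elem: ET.Element, tag: str) -> list[ET.Element]:
    """Direct children with the given tag (sidesteps ElementPath quirks with 'system.web')."""
    return [child for child in elem if child.tag == tag]


def _forms_auth_in(scope: ET.Element) -> bool:
    """True if <system.web><authentication mode="Forms"> sits directly under scope."""
    for system_web in _children(scope, "system.web"):
        for auth in _children(system_web, "authentication"):
            if auth.get("mode", "").lower() == "forms":
                return True
    return False


def audit_web_config(xml_text: str) -> dict:
    """Report which config scopes use forms authentication and the form-key cap, if set."""
    root = ET.fromstring(xml_text)
    if root.tag != "configuration":
        raise ValueError(f"not a web.config: root element is <{root.tag}>")

    forms_paths: list[str] = []
    if _forms_auth_in(root):
        forms_paths.append("/")
    # A parent web.config can scope settings to an application with <location path="...">.
    for location in _children(root, "location"):
        if _forms_auth_in(location):
            forms_paths.append(location.get("path", "?"))

    max_keys = None
    for app_settings in _children(root, "appSettings"):
        for add in _children(app_settings, "add"):
            if add.get("key") == MAX_KEYS_SETTING and add.get("value", "").isdigit():
                max_keys = int(add.get("value"))

    return {
        "uses_forms_auth": bool(forms_paths),
        "forms_auth_paths": forms_paths,
        "max_keys": max_keys,
    }


# Constructed sample configs.
FORMS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="aspnet:MaxHttpCollectionKeys" value="1000" />
  </appSettings>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="30" />
    </authentication>
  </system.web>
</configuration>
"""

WINDOWS_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Windows" />
  </system.web>
  <location path="owa">
    <system.web>
      <authentication mode="Forms" />
    </system.web>
  </location>
</configuration>
"""

if __name__ == "__main__":
    for name, text in (("forms", FORMS_CONFIG), ("windows+owa", WINDOWS_CONFIG)):
        print(name, audit_web_config(text))
```

A site whose root config says mode="Windows" can still expose a forms-authenticated application under a <location> path, which is why the scan reports every scope rather than a single yes/no.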

Q: What tools are available to remotely scan systems to see if they’re vulnerable — that is, that IIS and ASP are installed and active?
A: The Detection and Deployment Tools and Guidance section in the security bulletin provides information on how to identify systems to which this update applies. If you want to identify whether a system has IIS installed with ASP.NET enabled, the answer depends on the operating system that each system is running.

Q: Are only webservers vulnerable? We have limited personnel this weekend for QA and deployment. Are we pretty much covered if we just deploy to systems in our DMZ this weekend and then the rest of the enterprise next week?
A: Prioritization for this update would be specific to users’ environments, but servers that are internet-facing and accept input from unauthenticated or untrusted user-provided content may be at greater risk than internal servers.

Q: Sites that disallow “application/x-www-form-urlencoded” or “multipart/form-data” HTTP content types are not vulnerable. Is this set to disallow by default? How do we verify if it is set to disallow?
A: No, application/x-www-form-urlencoded or multipart/form-data are not disallowed by default. Customers will need to explicitly disallow these. Customers can do this by using IIS request filtering.

Q: Forms authorization login from TMG/ISA doesn’t use ASP.NET. Is it still vulnerable?
A: TMG is not exposed and is not related to the ASP.NET issue described in the bulletin.

Q: Do you suggest immediate patching of all servers (internal/external) or just of externally available servers, and allow internal servers to be patched during the next patching cycle?
A: Once again, prioritization for this update would be specific to each user’s environment, but servers that are internet-facing and accept input from unauthenticated or untrusted user-provided content may be at greater risk than internal servers.

Q: Is the critical CVE related to forms authentication only an issue if the site is configured to support forms authentication without cookies? Or, are all forms authentication implementations impacted?
A: No, this issue applies to all types of ASP.NET forms authentication, cookie and cookie-less.

Q: For CVE-2011-3414, does the patch change the size of request header accepted, place controls on the amount of CPU that can be used, or change the hashing functions used?
A: The security update addresses this issue by limiting the number of inputs ASP.NET accepts from clients.

Q: Does this patch limit the number of parameters passed in the post request? If so, what is the new limit? I am trying to determine what application problems may arise after applying the update.
A: The security update addresses this issue by limiting the number of inputs ASP.NET accepts from clients. If you are interested in changing the number of parameters passed in the post request, please see the section of the bulletin titled Workarounds for Collisions in HashTable May Cause DoS Vulnerability – CVE-2011-3414.

Q: Can the normally scheduled January bulletins be installed independently of the critical one?
A: Yes. Future security updates can be installed independently of this issue. Microsoft does recommend that all customers always read security updates to ensure they fully understand any known issues that may be documented in the security bulletin.

Q: Is the attack vector based on the server or the client? Do we concentrate on server or desktop side first?
A: The vulnerabilities in the bulletins are primarily focused on systems operating in a Web server role that use ASP.NET. Clients are typically not in a web server role.

Q: Could you provide more detail around the 3rd mitigating factor — specifically the account registration procedure?
A: I am assuming this question is about the first mitigating factor for CVE-2011-3416: forms authentication bypass. Essentially, to pull off an Elevation of Privilege attack, the attacker would need a valid account on the system they are trying to compromise and the user name of the target of the attack.

Q: Can an ASP.NET site (e.g. SharePoint 2010 site) using authentication (NTLM/Kerberos) come under the DoS attack as described in CVE-2011-3414 by an unauthenticated user?
A: NTLM/Kerberos authentication changes the attack vector of the vulnerability. An ASP.NET site can come under a DoS attack; however, the attacker would then need to be authenticated.

Q: Will this affect — or will I need to be aware of — this update impacting ASP.NET session and machine key settings in IIS for a load balanced environment, where all machine keys are matched to make sure sessions are the same across a server farm?
A: This update changes the way in which forms authentication tickets are created, so all servers would need to use the old or the new ticket format in order to maintain compatibility. Please refer to Knowledge Base Article 2659968 for deployment guidance for this update.

Q: What about servers that have IP address access limitations? Since we are resource-limited, we’d like to skip these servers that are only allowing certain IPs to access IIS.
A: As we’ve mentioned, prioritization for this update would be specific to users’ environments, but servers that are Internet-facing and can accept input from unauthenticated or untrusted user-provided content may be at greater risk than internal servers. Servers that have additional protections may reduce the potential attack risk of these vulnerabilities. Customers are encouraged to analyze their own environments.

Q: We have ASP.NET prohibited in our Web Service Extensions — IIS 6. Are we still vulnerable?
A: No. If ASP.NET is not enabled, you are not vulnerable.

Q: The section Workarounds for Collisions in HashTable May Cause DoS Vulnerability – CVE-2011-3414 in the bulletin is confusing. Is it required to put this script in place and then install the update?
A: Workaround refers to a setting or configuration change that does not correct the underlying vulnerability, but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality. Customers are always encouraged to apply the security update. The workarounds are not a prerequisite for installing the security update.

Q: If TMG is not affected then, if TMG is protecting an Exchange 2010 server and the TMG is handling the forms authentication, would the patch for an Exchange server be necessary?
A: Although firewall solutions could protect systems behind the firewall, it is important to understand the types of traffic that the FW may proxy to servers behind it. Systems behind the firewall are still vulnerable to internal attacks and have vulnerable code, and should be updated to be properly protected.

Q: Is AppSettings.MaxHttpCollectionKeys the new parameter that contains the maximum number of form entries?
A: Yes it is.
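The collision problem behind CVE-2011-3414, and why a cap on the number of form fields (the MaxHttpCollectionKeys setting above, and the answers earlier in this Q&A about custom hash tables and about limiting the inputs ASP.NET accepts) is an effective stop-gap, is easiest to see on a toy hash table. The following Python is an added example, not Microsoft's code and not how ASP.NET implements the fix: the hash function, the table, the colliding field names and the limit of 1000 used for the cap are all constructed here for illustration (the Q&A does not state the shipped default). It also shows the other general remedy for custom code, a keyed hash, which the Q&A mentions only as "the hashing change".

```python
"""Toy model of the hash-collision DoS behind CVE-2011-3414 and of two
mitigations discussed in this Q&A: capping the number of form fields (what the
MaxHttpCollectionKeys setting does) and hashing with a secret key.
Added example, not Microsoft's code and not ASP.NET's implementation; the hash
table, hash functions, form bodies and the 1000 limit are constructed here."""
from __future__ import annotations
import hashlib
import itertools
import os
import urllib.parse

SECRET_KEY = os.urandom(16)  # fresh per process, so collisions cannot be precomputed


def weak_hash(s: str) -> int:
    """Multiply-by-31 string hash (the classic Java-style scheme): public and
    deterministic, so an attacker can precompute colliding inputs offline."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h


def keyed_hash(s: str) -> int:
    """BLAKE2b keyed with SECRET_KEY: same interface, but no offline collisions."""
    digest = hashlib.blake2b(s.encode(), key=SECRET_KEY, digest_size=8).digest()
    return int.from_bytes(digest, "big")


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons, which is
    the work an attacker inflates when every key lands in the same bucket."""

    def __init__(self, hash_fn, buckets: int = 1024):
        self.hash_fn = hash_fn
        self.buckets: list[list[tuple[str, str]]] = [[] for _ in range(buckets)]
        self.comparisons = 0

    def insert(self, key: str, value: str) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (existing, _) in enumerate(chain):
            self.comparisons += 1
            if existing == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def colliding_keys(n_blocks: int) -> list[str]:
    """'Aa' and 'BB' both have weak_hash 2112, so every concatenation of n_blocks
    such blocks collides: 2**n_blocks distinct keys that all share one bucket."""
    return ["".join(combo) for combo in itertools.product(("Aa", "BB"), repeat=n_blocks)]


def attack_body(n_blocks: int = 10) -> str:
    """Constructed malicious application/x-www-form-urlencoded body."""
    return "&".join(f"{key}=1" for key in colliding_keys(n_blocks))


def parse_form(body: str, hash_fn, max_keys: int | None = None) -> ChainedTable:
    """Parse a form body into the table. max_keys models the post-update cap on
    form fields: an oversized request is rejected before any hashing work is done."""
    pairs = body.split("&") if body else []
    if max_keys is not None and len(pairs) > max_keys:
        raise ValueError(f"form has {len(pairs)} fields, limit is {max_keys}")
    table = ChainedTable(hash_fn)
    for pair in pairs:
        key, _, value = pair.partition("=")
        table.insert(urllib.parse.unquote_plus(key), urllib.parse.unquote_plus(value))
    return table


def compare_cost(n_blocks: int = 10) -> dict:
    """Key comparisons needed to parse one crafted body under each hash."""
    body = attack_body(n_blocks)
    return {
        "fields": 2 ** n_blocks,
        "weak_comparisons": parse_form(body, weak_hash).comparisons,
        "keyed_comparisons": parse_form(body, keyed_hash).comparisons,
    }


if __name__ == "__main__":
    print(compare_cost(10))
    try:
        parse_form(attack_body(10), weak_hash, max_keys=1000)  # assumed illustrative cap
    except ValueError as err:
        print("rejected:", err)
```

With 1024 crafted field names the predictable hash does 523,776 key comparisons (every insert walks the whole chain), the keyed hash a few hundred, and the capped parser refuses the body before hashing anything. The same two questions apply to any custom code that indexes untrusted keys: is the hash predictable by the sender, and is the number of keys bounded?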

Q: For ASP.NET on Internet-facing systems requiring authentication, does an attacker have to have a valid user name AND the valid password to carry out an attack?
A: No. The only requirement is to have the target’s username, and *any* valid account on the system.

Q: Will any forms authentication tickets generated before the patch is applied be rendered invalid once the patch is applied?
A: Yes. The change in the forms authentication ticket format will render all pre-patch tickets invalid once the update is applied.

Q: Our ASP.NET application requires large file uploads and requires our <httpRuntime maxRequestLength="200"/> to be set to 102400. How will we be able to handle that and not remain vulnerable?
A: The maxRequestLength setting is just a workaround. You will not need to worry about this after applying the security update and can remove any previously set workaround configurations.

Q: These updates run on Windows clients whether or not IIS or ASP is installed. Are the updates not effective in this case?
A: By default, IIS is not installed with .NET and by default, .NET is not installed by ASP.NET. Customers would first need to have installed the .NET Framework with ASP.NET in order to be vulnerable to the vulnerabilities documented in MS11-100.

Q: Will there be changes to WSUS to only show the patch needed when ASP.NET is installed?
A: Updates that shipped in the security bulletin today are updates for the .NET Framework component. As such, the detection logic for these updates scans for different versions of the .NET Framework and offers the appropriate patch. The patches will be offered as long as the .NET Framework (which contains ASP.NET) is installed and irrespective of whether ASP.NET is registered and in use or not.

Q: For CVE-2011-3414, would one machine perform a denial of service based on the hash algorithms the server hosting the page has to consume?
A: Yes, one machine could effectively perform a denial of service, should it launch the correct type of attack.

Q: How much of live client-side authentication is vulnerable? Or is it server-side only (patch your servers, and client side is only vulnerable to the redirected site)?
A: The LiveID authentication system is not forms-based. Therefore, the forms-based authentication vulnerabilities do not affect LiveID. Further, it is all server-side and at this point we have applied the security update to our LiveID servers.


X-flash-version header can prevent ISA/TMG from compressing contents

December 30th, 2011

 

In this blog post I want to discuss a solution which we provided to one of our customers.

The problem was linked to a published web site where specific Flash content had not been compressed by TMG/ISA as expected.

The first thing that is important to mention is that it is usually not necessary to compress Flash content. My customer needed to compress the content because the client accessing the data was connected via a slow satellite link. When analyzing the ISAInfo (http://www.isatools.org/tools/isainfo.zip) output generated by the TMG BPA (http://www.microsoft.com/download/en/details.aspx?id=17730), we could see that ISA/TMG skips compression for the following content:

Compression Settings
  HTTP headers exempt from compression
    x-flash-version:
  User-Agents exempt from compression
    *BITS*

Hence if we want to compress this kind of content we need to “force” ISA/TMG to do it.

Please be aware that the following changes are meant to demonstrate what you can do by modifying COM properties through scripting in ISA/TMG. All changes you perform through scripts bypass the logic verifiers implemented in the UI. Always make a backup of your configuration before performing any changes with a script. Microsoft cannot guarantee that problems resulting from incorrect use of these scripts can be solved. Even though this solution was applied successfully by my customer and tested for a while in his specific environment, it is something Microsoft did not test extensively, so implementing it is at your own risk.

Let’s have a look at the traces to better understand what we are talking about:

The following is a network trace taken before applying our script to modify the compression settings of our ISA-TMG machine:

Allowed www.contoso.com access (test) x.x.x.x Remote Client x.x.x.x 3000 www.contoso.com POST 200

POST /xmlservice/RemoteFramework/http/update HTTP/1.1
Referer: app:/core.html
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, text/css, image/png, image/jpeg, image/gif;q=0.8, application/x-shockwave-flash, video/mp4;q=0.9, flv-application/octet-stream;q=0.8, video/x-flv;q=0.7, audio/mp4, application/futuresplash, */*;q=0.5
x-flash-version: 10,3,181,34
Content-Type: text/xml
Content-Length: 110
Accept-Encoding: gzip,deflate
User-Agent: Test Remote Client
Host: www.contoso.com
Connection: Keep-Alive
Cache-Control: no-cache

<update xmlns="test:remoteframework" id="{c095c364-ec83-4cf8-b79b-83601bd1e78e}" version="2011.1.0.22" />

As we can see, the response is NOT compressed:

HTTP/1.1 200 OK
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-type:text/xml;charset=UTF-8

<?xml version="1.0" encoding="UTF-8"?>
<model xmlns="test:remoteframework"><meta><class up="6EDB::2"><attribute up="6EDB::6" type="text" /><attribute up="6EDB::7" type="pointer" /><attribute up="6EDB::75" type="pointer" /><attribute up="6EDB::65" type="pointer" /><attribute up="6EDB::76" type="boolean" /></class><class up="6EDB::1"><attribute up="6EDB::3
….
<object up="91E4C2::6"><value attribute="46A5D6::262">(PAS) rapport</value></object><object up="91E4C2::8"><value attribute="46A5D6::262">(PAS) # en &#8364;</value></object></class><class up="46A5D6::117" /><class up="46A5D6::116" /><class up="46A5D6::118" /><class up="46A5D6::121" /><class up="46A5D6::122" /></data></model>
0

To change the compression behavior, we had to remove the x-flash-version entry from the list of incompressible content in the configuration. As there’s no UI option for this we had to perform these steps by directly modifying the COM properties. Afterwards TMG/ISA did compress the content as requested by the customer.

In the following I want to describe in detail how we can interact with the COM properties.

We can start from the following URL: http://msdn.microsoft.com/en-us/library/ff824938(v=VS.85).aspx

With the following VBScript we can verify which headers are included in the TMG list of non-compressible content:

' Create the root object.
Dim root ' The FPCLib.FPC root object
Set root = CreateObject("FPC.Root")

' Declare the other objects needed.
Dim isaArray ' An FPCArray object
Dim httpHeaders ' An FPCHTTPHeaders collection
Dim httpHeader ' A String

' Get references to the array object
' and the HTTP headers collection.
Set isaArray = root.GetContainingArray()
With isaArray.ArrayPolicy.WebProxy.HTTPCompressionConfiguration
    Set httpHeaders = .UnsupportedHeaders
End With

' Display the unsupported HTTP headers.
For Each httpHeader In httpHeaders
    WScript.Echo httpHeader
Next

WScript.Echo "done!"

For more information, the following link describes the TMG Administration object model:

http://msdn.microsoft.com/en-us/library/ff824018(v=VS.85).aspx

This article shows which methods and properties the FPCHTTPHeaders collection object supports:

http://msdn.microsoft.com/en-us/library/ff824942(v=VS.85).aspx

At this point we can write the following script to remove the x-flash-version entry. Rather than removing whatever happens to be the first entry, it walks the collection and removes the entry that actually matches:

' Create the root object.
Dim root ' The FPCLib.FPC root object
Set root = CreateObject("FPC.Root")

' Declare the other objects needed.
Dim isaArray ' An FPCArray object
Dim httpHeaders ' An FPCHTTPHeaders collection
Dim httpHeader ' A String
Dim i, idx ' 1-based position of the entry to remove

' Get references to the array object
' and the HTTP headers collection.
Set isaArray = root.GetContainingArray()
With isaArray.ArrayPolicy.WebProxy.HTTPCompressionConfiguration
    Set httpHeaders = .UnsupportedHeaders
End With

' Locate the x-flash-version: entry instead of assuming it is the only one.
' Assumes the collection enumerates in index order, starting at 1 (as Remove(1) does).
i = 0: idx = 0
For Each httpHeader In httpHeaders
    i = i + 1
    If LCase(httpHeader) = "x-flash-version:" Then idx = i
Next

If idx > 0 Then
    httpHeaders.Remove(idx)
    httpHeaders.Save()
Else
    WScript.Echo "x-flash-version: not found; nothing changed"
End If

WScript.Echo "done!"

And just in case you want to re-add the header type, you can use this script:

' Create the root object.
Dim root ' The FPCLib.FPC root object
Set root = CreateObject("FPC.Root")

' Declare the other objects needed.
Dim isaArray ' An FPCArray object
Dim httpHeaders ' An FPCHTTPHeaders collection

' Get references to the array object
' and the HTTP headers collection.
Set isaArray = root.GetContainingArray()
With isaArray.ArrayPolicy.WebProxy.HTTPCompressionConfiguration
    Set httpHeaders = .UnsupportedHeaders
End With

' Re-add the header name, trailing colon included, exactly as ISAInfo lists it.
httpHeaders.Add("x-flash-version:")
httpHeaders.Save()

WScript.Echo "done!"

As the following test shows, the content is now correctly compressed by ISA/TMG even though the client application still inserts the x-flash-version header into the request:

POST /xmlservice/RemoteFramework/http/update HTTP/1.1
Referer: app:/core.html
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, text/css, image/png, image/jpeg, image/gif;q=0.8, application/x-shockwave-flash, video/mp4;q=0.9, flv-application/octet-stream;q=0.8, video/x-flv;q=0.7, audio/mp4, application/futuresplash, */*;q=0.5
x-flash-version: 10,3,181,34
Content-Type: text/xml
Content-Length: 110
Accept-Encoding: gzip,deflate
User-Agent: Remote Client
Host: www.contoso.com
Connection: Keep-Alive
Cache-Control: no-cache

As we can see, the response this time is compressed:

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-length:56138
Content-type:text/xml;charset=UTF-8
Content-Encoding:gzip
Vary: Accept-Encoding

…..g.N…}k..D….+.>q.@,`…….X..M`..q.iz..pO..Zc0..H=O{.U……..=ju.*_../….e..j7u….."..U.Es\.N.z……?……..q…gW…..gm..iO..V.MW.l…..}…/O……..l…W..w….?d………n|n.d..u……{.=.?…Z7…………….i.U..>.p..mD..D..Q…..R@…….9[.~.Ldi.P*….I}[dv…….^*…C…..k…f..P2..Lf…R._.vqJ…..J………..=-.O..
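The before and after captures above can be checked mechanically rather than by reading headers by eye. The following Python is an added troubleshooting helper, not Microsoft's code and not TMG's actual decision logic: it only replays the two exemption lists ISAInfo reported (exempt header names, exempt User-Agent wildcards) plus the requirement that the client offer gzip or deflate, and separately reports whether a response actually came back compressed. The sample request and responses are constructed from the traces in this post, with bodies trimmed.

```python
"""Replay the ISA/TMG compression exemptions over a captured HTTP exchange.
Added troubleshooting helper, not Microsoft's code and not TMG's real decision
logic: it models only the two exemption lists shown by ISAInfo and the
Accept-Encoding requirement. Sample messages below are constructed from the
post's traces."""
from __future__ import annotations
import fnmatch

# Exemption lists as reported by ISAInfo. Header names carry the trailing colon
# exactly as TMG stores them in the UnsupportedHeaders collection.
EXEMPT_HEADERS = ["x-flash-version:"]
EXEMPT_USER_AGENTS = ["*BITS*"]


def parse_http_message(raw: str) -> tuple[str, dict[str, str], str]:
    """Split a raw HTTP message into start line, lower-cased header map and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def compression_verdict(raw_request: str,
                        exempt_headers: list[str] = EXEMPT_HEADERS,
                        exempt_agents: list[str] = EXEMPT_USER_AGENTS) -> tuple[bool, str]:
    """Return (would_compress, reason) for a request under the modelled rules."""
    _, headers, _ = parse_http_message(raw_request)
    accept = headers.get("accept-encoding", "").lower()
    if not any(enc in accept for enc in ("gzip", "deflate")):
        return False, "client sent no gzip/deflate Accept-Encoding"
    for name in exempt_headers:
        if name.rstrip(":").lower() in headers:
            return False, f"request carries exempt header {name}"
    agent = headers.get("user-agent", "")
    for pattern in exempt_agents:
        if fnmatch.fnmatchcase(agent, pattern):
            return False, f"User-Agent matches exempt pattern {pattern}"
    return True, "no exemption matched"


def response_is_compressed(raw_response: str) -> bool:
    """What actually happened on the wire: Content-Encoding on the reply."""
    _, headers, _ = parse_http_message(raw_response)
    return headers.get("content-encoding", "").lower() in ("gzip", "deflate")


# Constructed from the traces in the post (bodies trimmed).
FLASH_REQUEST = (
    "POST /xmlservice/RemoteFramework/http/update HTTP/1.1\r\n"
    "Referer: app:/core.html\r\n"
    "x-flash-version: 10,3,181,34\r\n"
    "Content-Type: text/xml\r\n"
    "Accept-Encoding: gzip,deflate\r\n"
    "User-Agent: Test Remote Client\r\n"
    "Host: www.contoso.com\r\n"
    "\r\n"
    '<update xmlns="test:remoteframework" version="2011.1.0.22" />'
)
UNCOMPRESSED_RESPONSE = (
    "HTTP/1.1 200 OK\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\n"
    "Content-type:text/xml;charset=UTF-8\r\n\r\n<?xml version=\"1.0\"?>..."
)
COMPRESSED_RESPONSE = (
    "HTTP/1.1 200 OK\r\nConnection: Keep-Alive\r\nContent-length:56138\r\n"
    "Content-type:text/xml;charset=UTF-8\r\nContent-Encoding:gzip\r\n"
    "Vary: Accept-Encoding\r\n\r\n..."
)

if __name__ == "__main__":
    print("default lists:", compression_verdict(FLASH_REQUEST))
    print("after removal:", compression_verdict(FLASH_REQUEST, exempt_headers=[]))
    print("before:", response_is_compressed(UNCOMPRESSED_RESPONSE),
          "after:", response_is_compressed(COMPRESSED_RESPONSE))
```

Run against the first capture it names x-flash-version: as the reason; with an empty header list (the state after the removal script) the same request is eligible, and the second capture's Content-Encoding: gzip confirms the proxy did compress. Keeping the match on the header name with its colon stripped mirrors how the entry appears in ISAInfo versus on the wire.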

Author
Andrea Vescovo
Support Engineer
Microsoft CSS Forefront Edge Team

Technical Reviewer
Philipp Sand
Support Escalation Engineer
Microsoft CSS Forefront Edge Team


X-flash-version header can prevent ISA/TMG from compressing contents

December 30th, 2011 No comments

 

In this blog post I want to discuss a solution, which we provided to one of our customers.

The problem was linked to a published web site where specific flash content had not been compressed as expected by TMG/ISA.

The first thing which is important to mention is, that it usually it not necessary to compress flash content. My customer had the need to compress the content because of the client which was accessing the data was connected via a slow satellite link. When analyzing the ISAInfo (http://www.isatools.org/tools/isainfo.zip) output generated by the TMG BPA (http://www.microsoft.com/download/en/details.aspx?id=17730), we could see that ISA-TMG skips the compression for the following contents:

Compression Settings

HTTP headers exempt from compression

x-flash-version:

User-Agents exempt from compression

*BITS*

Hence if we want to compress this kind of content we need to “force” ISA/TMG to do it.

Please be aware that with the following changes I want to demonstrate the things you can do by modifying COM properties through scripting in ISA/TMG. Please be aware that all changes you perform through scripts, bypass all the logic verifiers, which are implemented in the UI. Always make a backup of your configuration before performing any changes with a script. Microsoft cannot guarantee that problems resulting from incorrect use of these scripts can be solved! Even if this solution was applied successfully by my customer and tested for a while in his specific environment, this is something Microsoft didn’t test extensively and hence the implementation of the solution itself is at its own risk!

Let’s have a look at the traces to better understand what we are talking about:

The following is a network trace taken before applying our script to modify the compression settings of our ISA-TMG machine:

Allowed www.contoso.com access (test) x.x.x.x Remote Client x.x.x.x 3000 www.contoso.com POST 200

POST /xmlservice/RemoteFramework/http/update HTTP/1.1

Referer: app:/core.html

Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, text/css, image/png, image/jpeg, image/gif;q=0.8, application/x-shockwave-flash, video/mp4;q=0.9, flv-application/octet-stream;q=0.8, video/x-flv;q=0.7, audio/mp4, application/futuresplash, */*;q=0.5

x-flash-version: 10,3,181,34

Content-Type: text/xml

Content-Length: 110

Accept-Encoding: gzip,deflate

User-Agent: Test Remote Client

Host: www.contoso.com

Connection: Keep-Alive

Cache-Control: no-cache

<update xmlns="test:remoteframework" id="{c095c364-ec83-4cf8-b79b-83601bd1e78e}" version="2011.1.0.22" />

As we can see the response is NOT compressed:

HTTP/1.1 200 OK

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-type:text/xml;charset=UTF-8

<?xml version="1.0" encoding="UTF-8"?>

<model xmlns="test:remoteframework"><meta><class up="6EDB::2"><attribute up="6EDB::6" type="text" /><attribute up="6EDB::7" type="pointer" /><attribute up="6EDB::75" type="pointer" /><attribute up="6EDB::65" type="pointer" /><attribute up="6EDB::76" type="boolean" /></class><class up="6EDB::1"><attribute up="6EDB::3

….

<object up="91E4C2::6"><value attribute="46A5D6::262">(PAS) rapport</value></object><object up="91E4C2::8"><value attribute="46A5D6::262">(PAS) # en &#8364;</value></object></class><class up="46A5D6::117" /><class up="46A5D6::116" /><class up="46A5D6::118" /><class up="46A5D6::121" /><class up="46A5D6::122" /></data></model>

0

To change the compression behavior, we had to remove the x-flash-version entry from the list of incompressible content in the configuration. As there’s no UI option for this we had to perform these steps by directly modifying the COM properties. Afterwards TMG/ISA did compress the content as requested by the customer.

In the following I want to describe in detail how we can interact with the COM properties.

We can start from the following URL: http://msdn.microsoft.com/en-us/library/ff824938(v=VS.85).aspx

With the following VBScript we can verify which headers are included in the TMG list of non-compressible content:

‘ Create the root object.

Dim root ‘ The FPCLib.FPC root object

Set root = CreateObject("FPC.Root")

‘ Declare the other objects needed.

Dim isaArray ‘ An FPCArray object

Dim httpHeaders ‘ An FPCHTTPHeaders collection

Dim httpHeader ‘ A String

‘ Get references to the array object

‘ and the HTTP headers collection.

Set isaArray = root.GetContainingArray()

With isaArray.ArrayPolicy.WebProxy.HTTPCompressionConfiguration

Set httpHeaders = .UnsupportedHeaders

End With

‘ Display the unsupported HTTP headers.

For Each httpHeader In httpHeaders

WScript.Echo httpHeader

Next

WScript.Echo "done!"

For more information the following link describes the TMG Administration object model:

http://msdn.microsoft.com/en-us/library/ff824018(v=VS.85).aspx

This article gives us an idea which methods and proprieties are supported by the FPCHTTPHeaders collection object:

http://msdn.microsoft.com/en-us/library/ff824942(v=VS.85).aspx

At this point we can start writing the following scripts to remove the x-flash-version entry:

' Create the root object.
Dim root            ' The FPCLib.FPC root object
Set root = CreateObject("FPC.Root")

' Declare the other objects needed.
Dim isaArray        ' An FPCArray object
Dim httpHeaders     ' An FPCHTTPHeaders collection
Dim httpHeader, i, position

' Get references to the array object and the HTTP headers collection.
Set isaArray = root.GetContainingArray()
With isaArray.ArrayPolicy.WebProxy.HTTPCompressionConfiguration
    Set httpHeaders = .UnsupportedHeaders
End With

' Look up the 1-based index of the entry instead of assuming it is entry 1.
i = 0 : position = 0
For Each httpHeader In httpHeaders
    i = i + 1
    If LCase(httpHeader) = "x-flash-version:" Then position = i
Next

If position = 0 Then
    WScript.Echo "x-flash-version: not found, nothing removed."
Else
    httpHeaders.Remove position   ' FPCHTTPHeaders.Remove takes the 1-based index
    httpHeaders.Save              ' Persist the change to the array configuration
End If

WScript.Echo "done!"

And in case you want to re-add the header later, you can use this script:

' Create the root object.
Dim root            ' The FPCLib.FPC root object
Set root = CreateObject("FPC.Root")

' Declare the other objects needed.
Dim isaArray        ' An FPCArray object
Dim httpHeaders     ' An FPCHTTPHeaders collection

' Get references to the array object and the HTTP headers collection.
Set isaArray = root.GetContainingArray()
With isaArray.ArrayPolicy.WebProxy.HTTPCompressionConfiguration
    Set httpHeaders = .UnsupportedHeaders
End With

' Append the entry again (the trailing colon matches the form used in the list) and persist it.
httpHeaders.Add "x-flash-version:"
httpHeaders.Save

WScript.Echo "done!"
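The same three operations (list, remove, re-add) can be done from PowerShell against the FPC.Root COM object. This is an added example, not code from the original post or from the TMG product: it assumes, as the VBScripts above do, that FPCHTTPHeaders exposes Add(name), Remove(1-based index) and Save(), and that FPCArray exposes a Name property. It removes by header name rather than by a guessed index and refuses to add a duplicate. Run it elevated on an array member; Save() writes the change into the array configuration, so every member of the array is affected.

```powershell
# Added example: manage the TMG/ISA HTTP compression "unsupported headers" list via FPC.Root.
# Assumes FPCHTTPHeaders.Remove() takes the 1-based position (as Remove(1) in the VBScript does)
# and FPCArray has a Name property. Run as Administrator on an array member or the EMS.
param(
    [string]$Header = 'x-flash-version:',
    [ValidateSet('List', 'Remove', 'Add')]
    [string]$Action = 'List'
)

$root     = New-Object -ComObject 'FPC.Root'
$array    = $root.GetContainingArray()
$compress = $array.ArrayPolicy.WebProxy.HTTPCompressionConfiguration
$headers  = $compress.UnsupportedHeaders

# Build a name -> 1-based position map so entries can be removed by name, not by a guessed index.
$index = @{}
$i = 0
foreach ($h in $headers) { $i++; $index[$h.ToLowerInvariant()] = $i }
$key = $Header.ToLowerInvariant()

switch ($Action) {
    'List' {
        "Unsupported (non-compressible) headers on array '$($array.Name)':"
        $index.GetEnumerator() | Sort-Object Value |
            ForEach-Object { '  {0,3}  {1}' -f $_.Value, $_.Key }
    }
    'Remove' {
        if (-not $index.ContainsKey($key)) { Write-Warning "'$Header' is not in the list; nothing to do."; break }
        $pos = $index[$key]
        $headers.Remove($pos)
        $headers.Save()
        "Removed '$Header' (was entry $pos); requests carrying it are now eligible for compression."
    }
    'Add' {
        if ($index.ContainsKey($key)) { "'$Header' is already present; nothing to do."; break }
        $headers.Add($Header)
        $headers.Save()
        "Re-added '$Header'; requests carrying it will no longer receive compressed responses."
    }
}
```

Usage: `.\Set-TmgUnsupportedHeader.ps1 -Action List` first, to confirm the exact spelling of the entry (including the trailing colon) before removing it; after `-Action Remove`, re-run `List` and then the request test shown below to confirm the change took effect on every array member.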

The following test shows that ISA/TMG now compresses the content even though the client application still sends the x-flash-version header in its request:

POST /xmlservice/RemoteFramework/http/update HTTP/1.1
Referer: app:/core.html
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, text/css, image/png, image/jpeg, image/gif;q=0.8, application/x-shockwave-flash, video/mp4;q=0.9, flv-application/octet-stream;q=0.8, video/x-flv;q=0.7, audio/mp4, application/futuresplash, */*;q=0.5
x-flash-version: 10,3,181,34
Content-Type: text/xml
Content-Length: 110
Accept-Encoding: gzip,deflate
User-Agent: Remote Client
Host: www.contoso.com
Connection: Keep-Alive
Cache-Control: no-cache

As we can see, the response this time is compressed (Content-Encoding: gzip, and the body is gzip data rather than readable XML):

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-length:56138
Content-type:text/xml;charset=UTF-8
Content-Encoding:gzip
Vary: Accept-Encoding

…..g.N…}k..D….+.>q.@,`…….X..M`..q.iz..pO..Zc0..H=O{.U……..=ju.*_../….e..j7u….."..U.Es\.N.z……?……..q…gW…..gm..iO..V.MW.l…..}…/O……..l…W..w….?d………n|n.d..u……{.=.?…Z7…………….i.U..>.p..mD..D..Q…..R@…….9[.~.Ldi.P*….I}[dv…….^*…C…..k…f..P2..Lf…R._.vqJ…..J………..=-.O..

Author
Andrea Vescovo
Support Engineer
Microsoft CSS Forefront Edge Team

Technical Reviewer
Philipp Sand
Support Escalation Engineer
Microsoft CSS Forefront Edge Team

Categories: ISA 2006, TMG Tags:

MS11-100 – Critical : Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (December 30, 2011): Added entry to the Update FAQ to address security-related changes to functionality contained in this update and added mitigation for CVE-2011-3414
Summary: This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site. An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. In order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name.

Categories: Uncategorized Tags:

Microsoft releases MS11-100 for Security Advisory 2659883

December 29th, 2011 No comments

Hello,

Today we released Security Update MS11-100 to address the issue described in Security Advisory 2659883.

The security update has a severity rating of Critical and resolves a publicly disclosed remote unauthenticated Denial of Service issue in ASP.NET versions 1.1 and above on all supported versions of .NET Framework. Of note, the new method of hash collision attacks used to exploit this vulnerability is an industry-wide issue affecting various Web platforms, including ASP.NET.

While we have seen no attacks attempting to exploit this vulnerability, we encourage affected customers to test and deploy the update as soon as possible. Consumers are not vulnerable unless they are running a Web server from their computer. More technical details can be found at the Security Research & Defense Blog.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,
Dave Forstrom
Director
Microsoft Trustworthy Computing

Categories: Uncategorized Tags:

Microsoft Security Advisory (2659883): Vulnerability in ASP.NET Could Allow Denial of Service – Version: 2.0

Revision Note: V2.0 (December 29, 2011): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS11-100 to address this issue. For more information about this issue, including download links for an available security update, please review MS11-100. The vulnerability addressed is the Collisions in HashTable May Cause DoS Vulnerability – CVE-2011-3414.

Categories: Uncategorized Tags:

Advanced Notification for out-of-band release to address Security Advisory 2659883

December 29th, 2011 No comments

Hello,

Today we’re providing advance notification for an out-of-band security update to address the publicly disclosed issue described in Security Advisory 2659883. The release is scheduled for tomorrow, December 29, at approximately 10 a.m. PST.

The bulletin has a severity rating of Critical and addresses a publicly disclosed vulnerability in ASP.NET that affects all versions of the .NET Framework. While we’re currently unaware of any attacks targeting ASP.NET, we encourage all customers to test and deploy the update when it is available.

We will also hold a special edition webcast on Thursday, December 29 at 1 p.m. PST. Click here to register.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,

Dave Forstrom

Director

Microsoft Trustworthy Computing

Categories: ANS, OOB, Security Advisory Tags:

Microsoft releases Security Advisory 2659883, offers workaround for industry-wide issue

December 28th, 2011 No comments

Hello,

Today we published Security Advisory 2659883 to provide a workaround to help protect ASP.NET customers from a publicly disclosed vulnerability that affects various Web platforms industry-wide. We are not aware of any attacks using this vulnerability, which affects all supported versions of .NET Framework, however we recommend customers use the mitigation and workaround described in the Advisory to help protect sites against this new method to exploit hash tables.

Our teams are working around the clock worldwide to develop a security update of appropriate quality to address this issue. Meanwhile, our Security Research & Defense team has written a blog post to explain how to know if you are vulnerable and detect exploitation, as well as background on the workaround. We are also working closely with our Microsoft Active Protections Program (MAPP) to help our partners build protections when and where possible. We will continue to update customers with new information as it becomes available.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,
Dave Forstrom
Director
Microsoft Trustworthy Computing

Categories: Uncategorized Tags:

Switching to text file logging fails with Event ID 11003

December 28th, 2011 No comments

Some days ago a customer opened a case because an ISA array was randomly refusing all incoming connections, and a restart of the Firewall service was required before connections were accepted again.

After a quick investigation we found that the Firewall service had entered lockdown mode after a logging failure. Both the Firewall and Web Proxy logs were configured to use a remote SQL server, but the connection to the database was not reliable enough for this busy, critical array.

Hence, to provide quick relief and stabilize the system, we chose another logging method: logging to text files.
There was not enough space left on drive C:, so we decided to log to a folder on drive E:


Switching to text file logging failed unexpectedly, however, and the following error was logged in the Application log:


Event ID 11003, “The failure occurred during reading of logging configuration because the configuration property msFPCLogFileDirectory of the key SOFTWARE\Microsoft\Fpc\Storage\EffecTree1\Arrays\{GUID}\Logs\Proxy-WSP is not valid. Use the source location <location> to report the failure. The error description is: Access Denied.”

Seeing the “Access Denied” error, we checked the rights on the default log folder and found that SYSTEM and NETWORK SERVICE are assigned Full Control on that folder.

We also checked the target folder and found that the required rights were already in place, so nothing explained an “Access Denied” error.

At this point we really needed to figure out what was going wrong. Was the error really complaining about insufficient rights on the folder, or on the mentioned registry key?

To troubleshoot this, we decided to capture a Process Monitor (http://technet.microsoft.com/en-us/sysinternals/bb896645) log while switching the logging method.

Process Monitor traces file system, registry and process/thread activity along with the result codes, so we hoped to see exactly which operation ran into “Access Denied”.

We repeated the operation and analyzed the generated PML file, using Process Monitor’s filtering capabilities to display only operations with an “Access Denied” result.

The filtered trace showed the failing operation: ISA actually requires permissions on the parent folder as well, not only on the log folder itself.

After assigning Full Control rights on E:\logfiles folder to SYSTEM and NETWORK SERVICE the switch to Text file logging worked correctly.

This issue is actually covered here:

http://technet.microsoft.com/en-us/library/cc302540.aspx

Event 11002 is Issued in the Event Viewer After Modifying the Default Location of the Logging Folder

Problem: After changing the location of the log folder when logging to a file or to an MSDE 2000 database, the following event is issued: Event 11002 Microsoft Firewall failed to start. The failure occurred during creation of logging module because the configuration property PropertyName is not valid. The error description is: The filename, directory name, or volume label syntax is incorrect.

Cause: Permissions were not configured appropriately on the customized logging folder.

Solution: Ensure that permissions are correctly configured. The Network Service must have read permissions from the root partition and any parent folder for the folder. On the logging folder itself, the following permissions are required:

  • Network Service: Full Control
  • System: Full Control
  • Administrators: Full Control
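The permissions above can be applied and verified from PowerShell. This is an added example, not part of the original post or of the TechNet article: it uses icacls and Get-Acl, and the path E:\logfiles\ISA is an assumption for the illustration. It follows the TechNet requirement literally, Full Control on the log folder itself and only Read and Execute on the parent folders up to the drive root, which is narrower than the Full Control on E:\logfiles the post granted as a quick fix.

```powershell
# Added example: set the ISA/TMG log folder permissions and check traversal rights on the parents.
# Path is an assumption; run as Administrator on the ISA/TMG server.
$LogDir = 'E:\logfiles\ISA'

# Accounts that need Full Control on the log folder (inherited by the log files it will contain).
$fullControl = 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\NETWORK SERVICE', 'BUILTIN\Administrators'

if (-not (Test-Path -LiteralPath $LogDir)) {
    New-Item -ItemType Directory -Path $LogDir | Out-Null
}

foreach ($acct in $fullControl) {
    # (OI)(CI)F = inherit to files and subfolders, Full Control
    & icacls $LogDir /grant "${acct}:(OI)(CI)F" | Out-Null
}

# Network Service must be able to read/traverse every parent folder up to the root of the drive.
# Grant Read & Execute on the folder object only (no inheritance flags) so nothing below it changes.
$parent = Split-Path -Parent $LogDir
while ($parent) {
    & icacls $parent /grant 'NT AUTHORITY\NETWORK SERVICE:(RX)' | Out-Null
    $parent = Split-Path -Parent $parent     # becomes '' once the drive root has been handled
}

# Verify: walk from the log folder back to the root and show the ACEs that apply to Network Service.
$path = $LogDir
while ($path) {
    $acl = Get-Acl -LiteralPath $path
    $rights = $acl.Access |
        Where-Object { $_.IdentityReference -like '*NETWORK SERVICE' } |
        ForEach-Object { $_.FileSystemRights }
    '{0,-25} {1}' -f $path, ($rights -join ', ')
    $path = Split-Path -Parent $path
}
```

After running it, switch the logging method again and confirm that no Event ID 11003 appears; if the verification output shows a parent folder with no entry for NETWORK SERVICE (for example one where inheritance was disabled), that folder is the one the Process Monitor trace will show as Access Denied.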

 

Author
Gianni Bragante
Support Engineer
Microsoft CSS Forefront Edge Team

Technical Reviewer
Balint Toth
Support Escalation Engineer
Microsoft CSS Forefront Edge Team

Categories: Uncategorized Tags:

Holiday scam alert: “I’ve been mugged; send money!”

December 22nd, 2011 No comments

The holidays are here, and that means that more people are travelling for their vacations. We thought this would be a good time to remind you about a popular online scam designed to trick you into thinking that your friend is in trouble on vacation.

When cybercriminals break into someone’s email or social networking account, they might send emails or post messages pretending to be that person. One fairly common email tries to make your friends and contacts believe that you are in trouble, often in a foreign country, and you need them to send you money.

Here’s a message that I received from a colleague a few weeks ago:

I hope you get this on time, I made a trip to Edinburgh Scotland, and had my bag stolen from me with my passport and personal effects therein. The embassy has just issued me a temporary passport but I have to pay for a ticket and settle hotel bills. I’ve made contact with my bank but it would take me days to access funds in my account from Edinburgh, I need you to lend me some funds to cover these expenses. I can give back to you as soon as I get in.

I can be reached by email, as I lost my phone in the robbery and don’t have access to a phone at the moment.

If you are getting emails like this, it probably means that your friend was hacked. Delete the email or report it. If you use Hotmail, you can use the My friend’s been hacked tool to report it. To do this, select the email, point to Mark as and select My friend’s been hacked.

If people on your contact list are getting emails like this, it probably means that someone has stolen or guessed the password to your email account and your email address has been hijacked.

What to do if your friends are getting email messages that appear to come from you:

  • If you can still get into your email account, sign in and change your password.
  • If you can’t sign in, check the help file of your email provider. You can probably use additional information that you provided when you signed up in order to reset your password.

Categories: fraud, hotmail, phishing Tags:

You cannot install a Forefront Threat Management Gateway 2010 service pack on branch office servers

December 21st, 2011 No comments

Here’s a new KB article we published on TMG 2010. It actually first came out a couple of weeks ago, but since it wasn’t announced at the time I thought I’d send out a quick heads-up to let you know it is there. This KB article covers an issue where an installation of SP1 or SP2 at a branch office fails and then rolls back just after Setup stops the Firewall service:

=====

Notice

Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.

Symptoms

Consider the following scenario:

  • The Microsoft Forefront Threat Management Gateway (TMG) 2010 Enterprise Edition server is running Microsoft Enterprise Management Server (EMS) in the headquarters network.
  • The TMG 2010 server that is installed on the branch office network is connected to the headquarters EMS using a Site to Site VPN that is hosted on the TMG 2010 server.

In this scenario, an installation of Service Pack 1 or Service Pack 2 on the branch office server fails just after Setup stops the Firewall service. An EMS connectivity problem is then reported, and Setup rolls back the service pack installation. For more information about the ISA and TMG branch office scenario, visit the following Microsoft TechNet webpage:

http://technet.microsoft.com/fr-fr/library/bb794783(en-us).aspx

Cause

This problem occurs because the installation process must shut down the Microsoft Forefront TMG Firewall service to update binary files. When the service is stopped, the Site to Site VPN connection to the branch office network from the headquarters EMS server is closed. When this occurs, the installation process loses connection to the headquarters EMS server.

Resolution

To resolve this issue, follow these steps.

Upgrade process

On the headquarters EMS server:

  • Upgrade the computer to TMG 2010 SP1.

On the headquarters TMG server:

  1. On the Remote Access Policy node, click the VPN Clients tab.
  2. Enable VPN client access.
  3. Configure VPN Client Access. To do this, on the Protocols tab, click to select the Enable L2TP/IPsec check box, and then click Apply.
  4. Click Authentication Methods. In the Allow custom IPsec policy for L2TP connection field, click Use preshared key value, and then click Apply.
  5. Apply the configuration changes.
  6. Under Local Users and Groups, click Users, right-click New User, and then click Properties.
  7. Type the user credential details (including the user password), and then click to clear the User must change passwords at next logon check box.
  8. Click Create, and then click Close.
  9. Right-click the new user, click Properties, point to Dial-in, and then click Network Access Permission.
  10. Click Allow Access, click Apply, and then click OK.
  11. Connect remotely to branch office TMG server’s external IP address from the headquarters TMG network.

On the branch office TMG server when it is connected:

  1. Run the following from a command line with administrative permissions:

netsh tmg add allowedrange a.b.c.d a.b.c.d persistent

In this command, the placeholder a.b.c.d is the external address of the headquarters TMG server. This adds a Firewall Engine exception to enable the headquarters TMG server to connect to the branch office TMG network even when it is in lockdown mode (that is, when the TMG service is down).

  2. Create a new dial-up connection:
    a. Open Network and Sharing Center.
    b. Click A new connection or network.
    c. Connect to a workplace.
    d. Click Use my Internet connection (VPN).
    e. Click I’ll set up an Internet connection later.
    f. Type the external address of the headquarters TMG network.
    g. Type the user credentials. Use the headquarters TMG computer name as the domain.
    h. Click Close.
  3. Right-click the new connection, click Properties, and then click the Security tab:
    a. For Type of VPN Connection, select L2TP/IPSec.
    b. Under Advanced settings, click Use preshared key for authentication.
  4. Make sure that the configuration on the headquarters TMG server is synced by using the Monitoring tab. Connect to the headquarters TMG network by using the newly created connection.

On the headquarters TMG after a VPN client connection is established:

  1. In the headquarters TMG 2010 user interface, under Monitoring, click Sessions, and then confirm that a new VPN Client session was established.
  2. Add a rule that enables all traffic from VPN Clients to Internal and Local Host networks for all users. Create the opposite rule enabling Internal plus Local Host to VPN Clients for all users.
  3. Make sure that there is a respective network routing rule. The default VPN Clients to Internal Network would be sufficient for the routing rule.

On the branch office TMG server by using your existing remote connection:

  1. Stop the Firewall service. To do this, at a command prompt with Administrative permissions, type the following:

net stop /y fwsrv

This also stops the Routing and Remote Access service and disconnects the existing Site to Site connection.

  2. Install TMG 2010 SP1 by typing the following command:

Msiexec /p <full msp path> /L*v <full log path>

  3. On the Locate Configuration Storage Server wizard page, provide explicit credentials. Do not use the Current user option.
  4. After you successfully install TMG 2010 SP1, restart the computer if you have to. Then, if you have to, manually start the Firewall service and verify that the Site to Site tunnel is restored.
  5. Disconnect the VPN client connection.

On the headquarters TMG server after you successfully upgrade the branch office TMG server:

Upgrade the headquarters TMG 2010 server to Service Pack 1. Please be aware that in order to be able to see the branch office TMG server’s configuration on the headquarters TMG server, you must first upgrade the headquarters TMG server to Service Pack 1.

Clean up after upgrade

On the headquarters TMG server:

  1. Restore the VPN Client access configuration that you set in the "Upgrade process: On the headquarters TMG server" procedure. If the Routing and Remote Access service restarts, you may have to wait for several minutes until all the services are started.
  2. Delete the user that was created in step 6 of the "Upgrade process: On the headquarters TMG server" procedure.

On the branch office TMG server:

  1. Delete the Firewall Engine exceptions created in step 1 of the "On the branch office TMG server when it is connected" procedure. To do this, follow these steps:
    a. Open a command prompt with Administrative permissions.
    b. Run the following command:

netsh tmg show all

    c. In the command output, locate any dynamic and persistent IDs that correspond to the IP range that you added in step 1 of the "On the branch office TMG server when it is connected" procedure.
    d. Run the following commands. Use values for x that correspond to the dynamic IDs and values for y that correspond to the persistent IDs that you found in step 1.c:

netsh tmg delete allowedrange id=x

netsh tmg delete allowedrange id=y persistent

  2. Delete the dial-up connection that you created in step 2 of the "Upgrade process: On the branch office TMG server when it is connected" procedure.

Query Words

TMG Service Pack Branch Office

=====

For the most current version of this article please see the following:

2648207: You cannot install a Forefront Threat Management Gateway 2010 service pack on branch office servers

J.C. Hornbeck | System Center & Security Knowledge Engineer

Categories: Uncategorized Tags:

MS11-094 – Important : Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (December 21, 2011): Added an entry to the Update FAQ to explain why this update is offered to customers running PowerPoint 2010 Service Pack 1.
Summary: This security update resolves two privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited either of the vulnerabilities could take complete control of an affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Categories: Uncategorized Tags:

MS11-096 – Important : Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2640241) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (December 21, 2011): Added Microsoft Office Compatibility Pack Service Pack 3 to the Non-Affected Software table. This is an informational change only. There were no changes to the detection logic or the update files.
Summary: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Installing and configuring Office File Validation (OFV) to prevent the opening of suspicious files blocks the attack vectors for exploiting the vulnerabilities described in CVE-2011-3403.

Categories: Uncategorized Tags:

New Xbox? Protect your account

December 20th, 2011 No comments

Whether your family is getting a new Xbox this holiday season or you want to upgrade the security on your current Xbox, here are our top tips.

Password protect your Xbox LIVE profile. Use a strong password to protect your profile. This is especially important if you or your family plan to download your Xbox LIVE profile or gamertag at someone else’s house so you can play on their console.

Learn how to control access to your account.

Add additional security proofs to your Windows Live ID. Add a mobile phone number, email address, secret question or other information to your account. If your password is stolen, this extra information can help you reset it. Think of this as making an extra copy of the keys to your house. To do this, go to the Manage security info webpage, and then sign in with your Windows Live ID.

Be alert for phishing scams. Phishing scams are designed to trick you into revealing personal information. One trick that cybercriminals use is to offer you deals that are too good to be true. Microsoft will never ask for your Windows Live ID password in an email or over the phone. Enter your Windows Live ID password only at known Microsoft trusted sites or through the Xbox 360 console. Learn more about phishing and other kinds of fraud.

DirectAccess Connectivity Assistant polling interval

December 20th, 2011 No comments

We have recently had a number of customers inquire about the default polling interval for the DCA client. The polling interval of the DCA client is 30 seconds.

More Info

One of the primary functions of the DirectAccess Connectivity Assistant is to indicate the operational status of DirectAccess by using an icon in the notification area. The DCA client is deployed with connectivity verifiers that are configured to poll specified internal resources. These resources can consist of a combination of HTTP/HTTPS and File/SMB resources.

The DCA client polls these resources once every 30 seconds to verify connectivity. The polling interval is not configurable and is not “auto-adjusted” by the DCA client. For more information on the DirectAccess Connectivity Assistant, please see the following article:

DirectAccess Connectivity Assistant 1.5 Deployment Guide

Author

Richard Barker – Sr Security Support Escalation Engineer, Microsoft CSS Forefront Security Edge Team

Categories: Uncategorized Tags:
