Archive

Archive for March, 2012

NEWS: Microsoft offers most popular US antivirus program

March 29th, 2012 No comments

Have you recently installed Microsoft Security Essentials? Earlier this month the development tools and data services company OPSWAT announced that Microsoft’s free antivirus software was the most popular antivirus program in North America during the last 12 months.

Microsoft Security Essentials is free to download and helps protect personal and small business computers from viruses, spyware, and other malicious software.

Diagnostics and Recovery Toolset (DaRT) 8 Beta Released!

March 28th, 2012 No comments

Today, we are happy to announce that the DaRT 8 beta has been released for public download.
For more detailed information on this announcement, please read the recent Windows for Your Business Blog and Springboard Series Blog.
This is a public…(read more)

Categories: Uncategorized Tags:

ASP.NET, Web API and ASP.NET Web Pages Open Sourced

March 28th, 2012 No comments

More Open Source goodness from Microsoft today, with the announcement that we are open sourcing ASP.NET MVC 4, ASP.NET Web API, ASP.NET Web Pages v2 (Razor) – all with contributions – under the Apache 2.0 license.

You can find the source on CodePlex, and all the details on Scott Guthrie’s blog.

“We will also for the first time allow developers outside of Microsoft to submit patches and code contributions that the Microsoft development team will review for potential inclusion in the products,” Guthrie says. “We announced a similar open development approach with the Windows Azure SDK last December, and have found it to be a great way to build an even tighter feedback loop with developers – and ultimately deliver even better products as a result.”

You can now browse, sync and build the source tree of ASP.NET MVC, Web API, and Razor here.

In short, as Principal Program Manager Scott Hanselman notes in his blog about all this goodness: Open Source = Increased Investment. ASP.NET is a part of .NET, it will still ship with Visual Studio. It’s the same ASP.NET, managed by the same developers with the same support.

It is also very important to note, as Guthrie points out, that ASP.NET MVC, Web API and Razor will continue to be fully supported Microsoft products that ship both standalone as well as part of Visual Studio (the same as they do today).

“They will also continue to be staffed by the same Microsoft developers that build them today (in fact, we have more Microsoft developers working on the ASP.NET team now than ever before),” he says. “Our goal with today’s announcement is to increase the feedback loop on the products even more, and allow us to deliver even better products. We are really excited about the improvements this will bring.”

Enhanced security in Internet Explorer 10

March 27th, 2012 No comments

If you’re the type that likes to look under the hood of your web browser, you can download the consumer preview for Windows 8, which includes the preview version of Internet Explorer 10.

Internet Explorer 10 includes an enhanced version of Protected Mode. Protected Mode is a feature of Internet Explorer that essentially blocks off parts of your computer to limit access in case you’re attacked by a virus or cybercriminal. Protected Mode has been around since 2006, but we’re always improving it.

Read about Enhanced Protected Mode in Internet Explorer 10.

Be warned that the preview version of Internet Explorer 10 is not for average computer users. If you think you might not be ready to test drive Internet Explorer 10, download Internet Explorer 9.

Review the security features in Internet Explorer 9.

6…5…4…3…2…

March 26th, 2012 No comments

Nearly nine months after we announced the first annual BlueHat Prize competition for innovations in defensive security technologies, we’re just days away from the submission deadline. On the EcoStrat blog today, Senior Security Strategist Katie Moussouris gives a glimpse into the frantic final days of the competition period. If you’re working on your own entry (deadline April 1!) or simply wondering how the race for “mad loot” is shaping up, be sure to check out her post.

Angela Gunn
Trustworthy Computing.

Categories: BlueHat Prize Tags:

Understanding FEPDW database sizing

March 26th, 2012 No comments

The FEPDW database may be larger than estimated before FEP has been deployed to all the clients in the environment, and/or may be larger than estimated after full deployment, if you used the FEP Capacity Planning worksheet to estimate its size.

For the scenario where the FEPDW is larger than expected before FEP has been deployed to all clients, for example where you have only deployed FEP to a test group, this is expected and by design. The FEPDW database contains tables named dtFEP_AM_ComputerDeploymentAndProtectionStateFact_XX, where XX is some integer value. These tables are the largest contributors to the size of the FEPDW because they maintain the historical data of all the SCCM clients in the environment regarding their FEP state. State includes items such as Engine Version, Signature Version, Write Time and so on. These items have values for every system, not just the ones that have the FEP client installed; this is how we maintain statistics for deployment of the FEP client.

For the scenario where the FEPDW is larger than expected after deploying to all clients, there are several possible reasons, which I will step through below. The Capacity Planning worksheet bases its estimate on the size of each record, the number of collections, and the number of clients. We need to confirm each of these before we assume there is some other issue with the FEPDW database.

1. Number of collections. To determine the closest approximation of the average number of collections per client, run the following SQL query against the SCCM database:

WITH MembershipsPerComputer AS
(
    -- one row per machine: the number of collections it is a member of
    SELECT COUNT(*) AS InHowManyCollections
    FROM [CollectionMembers]
    WHERE isClient = '1'
    GROUP BY machineid
)
SELECT AVG(M.InHowManyCollections) AS NumberOfCollectionsPerClientAvg
FROM MembershipsPerComputer AS M

2. Size of each record. To determine the size of each record stored in the dtFEP_AM_ComputerDeploymentAndProtectionStateFact tables, run the following SQL query against the FEPDW database:

SET NOCOUNT ON

-- Temp table to hold one sp_spaceused result row per user table
CREATE TABLE #TblSize
(
    Tblname       varchar(80),
    TblRows       int,
    TblReserved   varchar(80),
    TblData       varchar(80),
    TblIndex_Size varchar(80),
    TblUnused     varchar(80)
)

DECLARE @DBname    varchar(80)
DECLARE @tablename varchar(80)

SELECT @DBname = DB_NAME(DB_ID())

PRINT 'User Table size Report for (Server / Database): ' + @@ServerName + ' / ' + @DBname
PRINT ''
PRINT 'By Size Descending'

-- Walk every user table in the current database and capture its sp_spaceused output
DECLARE TblName_cursor CURSOR FOR
    SELECT name
    FROM sysobjects
    WHERE xtype = 'U'

OPEN TblName_cursor

FETCH NEXT FROM TblName_cursor INTO @tablename

WHILE @@FETCH_STATUS = 0
BEGIN
    INSERT INTO #TblSize (Tblname, TblRows, TblReserved, TblData, TblIndex_Size, TblUnused)
    EXEC sp_spaceused @tablename

    -- Get the next table name
    FETCH NEXT FROM TblName_cursor INTO @tablename
END

CLOSE TblName_cursor
DEALLOCATE TblName_cursor

-- Report, largest tables first. sp_spaceused returns reserved space as 'nnn KB',
-- so the unit is stripped to allow a numeric sort
SELECT CAST(Tblname AS varchar(60))                                    AS [Table],
       CAST(TblRows AS varchar(14))                                    AS [Row Count],
       CAST(LEFT(TblReserved, CHARINDEX(' KB', TblReserved)) AS int)   AS [Total Space (KB)],
       CAST(TblData AS varchar(14))                                    AS [Data Space],
       CAST(TblIndex_Size AS varchar(14))                              AS [Index Space],
       CAST(TblUnused AS varchar(14))                                  AS [Unused Space]
FROM #TblSize
ORDER BY [Total Space (KB)] DESC

DROP TABLE #TblSize

3. The output above has a Row Count column and a Total Space (KB) column, which together give the approximate size of each record. Add up the Total Space (KB) column for the dtFEP_AM_ComputerDeploymentAndProtectionStateFact tables, then add up the Row Count column for the same tables. Divide the Total Space (KB) total by the Row Count total to get the current average record size in KB. The number should be reasonably close to the value of 0.1499 used in the FEP Capacity Planning worksheet.

4. We now have the average number of collections and the average record size for the dtFEP_AM_ComputerDeploymentAndProtectionStateFact tables, which can be entered in the FEP Capacity Planning worksheet to see whether its estimate is now closer to the actual size of the FEPDW database. Put the value from step 1 in the “Average number of collections to which each client computer belongs:” cell. Then change the “Computer deployment and protection state fact table” record size in kilobytes to the value determined in step 3.

5. Once these are entered, the Total FEP Datawarehouse size in the worksheet should more closely match the actual size of the FEPDW database as shown in SQL.

6. There are other factors, including the Retention Period, which defaults to 12 months (365 days) but can be set to any value from 3 to 12 months. See the following for details: http://technet.microsoft.com/en-us/library/gg710931.aspx. Note that a change to the retention period does not take effect immediately. The FEP DW maintenance task described here, http://technet.microsoft.com/en-us/library/gg710933.aspx, runs once a day, but it does not immediately remove data older than the new value. There is a 10 day layover period before the new grooming date takes effect. After the 11th day, you should see that the FEP DW Maintenance job has dropped the dtFEP_AM_ComputerDeploymentAndProtectionStateFact tables holding data older than the retention period you set. To confirm this, run the following SQL query against the FEPDW database and note the End Time column. It should be within your specified retention time:

SELECT OBJECT_NAME(TableID), *
FROM dtAN_Infra_MaintenancePartition
WHERE OBJECT_NAME(TableID) = 'dtFEP_AM_ComputerDeploymentAndProtectionStateFact_SCHEMA'

7. If the End Time on the dtFEP_AM_ComputerDeploymentAndProtectionStateFact tables is outside the retention time that has been set, and it has been longer than 10 days since the new retention time was set, then verify that the FEPDW maintenance tasks are running. Check for errors regarding these tasks in both the event logs and the SQL job View History option.

NOTE: If you change the retention period, FEP does not shrink the FEPDW database for you to recover space. You must do this manually in SQL: http://technet.microsoft.com/en-us/library/ms189035.aspx
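As an added example that is not part of the original post, the following query computes in one pass the figures that steps 2 and 3 above derive by hand from the sp_spaceused report: the summed reserved space and row count of the fact tables and the resulting average record size. It reads sys.dm_db_partition_stats rather than looping sp_spaceused, so it needs VIEW DATABASE STATE permission on the FEPDW database. It assumes the fact tables follow the dtFEP_AM_ComputerDeploymentAndProtectionStateFact_XX naming given in the post, treats the _SCHEMA object referenced in step 6 as a template rather than a data partition and excludes it (an assumption), and compares against the worksheet default of 0.1499 KB quoted in step 3.

```sql
-- Added example, not from the original post: one-query equivalent of steps 2 and 3.
-- Assumptions: fact tables are named dtFEP_AM_ComputerDeploymentAndProtectionStateFact_<integer>,
-- the _SCHEMA object is a template with no retained data, and 0.1499 KB is the worksheet default.
-- Run against the FEPDW database; requires VIEW DATABASE STATE.
WITH FactTableSpace AS
(
    SELECT t.name                                                        AS TableName,
           -- reserved pages over the heap/clustered index and every nonclustered index,
           -- which is what sp_spaceused reports as reserved (Total Space (KB) in step 2)
           SUM(ps.reserved_page_count) * 8                               AS ReservedKB,
           -- row_count is the table's row count only for index_id 0 (heap) or 1 (clustered);
           -- nonclustered indexes repeat the rows, so they are excluded from the count
           SUM(CASE WHEN ps.index_id IN (0, 1) THEN ps.row_count ELSE 0 END) AS TableRows
    FROM sys.tables AS t
    JOIN sys.dm_db_partition_stats AS ps
      ON ps.object_id = t.object_id
    WHERE t.name LIKE 'dtFEP[_]AM[_]ComputerDeploymentAndProtectionStateFact[_]%'
      AND t.name NOT LIKE '%[_]SCHEMA'   -- assumption: template object, not a data partition
    GROUP BY t.name
)
SELECT COUNT(*)                                                AS FactTableCount,
       SUM(ReservedKB)                                         AS TotalSpaceKB,
       SUM(TableRows)                                          AS TotalRowCount,
       -- average record size in KB: the value to enter in the worksheet (step 4)
       CAST(SUM(ReservedKB) AS decimal(18, 4))
           / NULLIF(SUM(TableRows), 0)                         AS AvgRecordSizeKB,
       -- distance from the worksheet default of 0.1499 KB; a large positive delta
       -- explains an under-estimated FEPDW size
       CAST(SUM(ReservedKB) AS decimal(18, 4))
           / NULLIF(SUM(TableRows), 0) - 0.1499                AS DeltaFromWorksheetKB
FROM FactTableSpace;
```

AvgRecordSizeKB is the number to put in the “Computer deployment and protection state fact table” record size cell in step 4. NULLIF guards against a division by zero on a fresh FEPDW with no fact rows yet. The cursor-based report in step 2 is still the one to use when you want the per-table breakdown (data versus index space) rather than the totals.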

Categories: Uncategorized Tags:

Microsoft and partners disrupt Zeus botnets

March 26th, 2012 No comments

We have discussed in the past our collaboration with external parties to combat botnet threats to further the betterment of the Internet, such as Operations b49, b107 and b79. This week, Microsoft has partnered with security experts and the financial services industry on a new action codenamed Operation b71 to disrupt some of the worst known botnets using variants of the notorious Zeus malware (which we detect as Win32/Zbot). 

Due to the complexities of these targets, unlike Microsoft’s prior botnet operations, the goal of this action was not the permanent shutdown of all impacted Zeus botnets. However, this action is expected to significantly impact the cybercriminals’ operations and infrastructure, advance global efforts to help victims regain control of their infected computers and also help further investigations against those responsible for the threat.

The Zbot/Zeus threat has targeted the financial sector for quite some time. We documented the threat in detail in a special Security Intelligence Report whitepaper published in 2010.

Millions of dollars of fraud are the result of this threat family, and it has taken cross-industry collaboration to take effective action against it. Microsoft has partnered with FS-ISAC, NACHA, Kyrus Tech, F-Secure and others to disrupt a large portion of the command and control infrastructure of various botnets using Zbot, SpyEye and Ice IX variants of the Zeus family of malware. More information about this operation can be found here: http://blogs.technet.com/b/microsoft_blog/archive/2012/03/25/microsoft-and-financial-services-industry-leaders-target-cybercriminal-operations-from-zeus-botnets.aspx

The Microsoft Malware Protection Center (MMPC) is proud to have supported this action, which represents the fourth operation of Project MARS – a component of Microsoft’s End-to-End Trust initiative. Project MARS is a joint effort between the Microsoft Digital Crimes Unit, MMPC, Microsoft Support and the Trustworthy Computing team to annihilate botnets and help make the Internet safer for everyone. 

MMPC is committed to partnering across the industry to help disrupt threats to the Internet and our customers. We will have more to share on Project MARS and related operations as we move forward. 

Jeff Williams, Principal Group Program Manager

Categories: Uncategorized Tags:

Vulnerability analysis, practical data flow analysis and visualization

March 23rd, 2012 No comments

Recently at CanSecWest 2012, we presented on the technology we use for analyzing malicious samples and PoC files. As malware often actively attempts to exploit software vulnerabilities these days, understanding the internals of these vulnerabilities is essential when writing defense logic.

Out of the many methods that can be used for vulnerability analysis, we presented a method that uses dynamic binary instrumentation and data flow analysis. Dynamic binary instrumentation and data flow analysis are fancy concepts, and they can be a little bit difficult to apply to real world cases.

We showed a case where we used data flow analysis for a simple integer overflow vulnerability. By showing the result in a more visualized way, it helped us to understand the vulnerability. But the real issue we raised was how to use these technologies in more complicated cases, for example, for analyzing an uninitialized memory access vulnerability. We used CVE-2011-2462 (a vulnerability in Adobe Reader and Acrobat – this issue was addressed by Adobe and you can find more information here) as an example to show how to trace back to the root cause of the vulnerability using these techniques. (Note: the Adobe Reader X Protected Mode and Acrobat X Protected View mitigations (the Reader X and Acrobat X sandboxes) would prevent exploits of this vulnerability from executing – this is an exercise in analyzing a vulnerability not an exploit.)

The vulnerability is a little bit complicated, as the data flow does not show the whole picture of the connection between the user data and the crash point.

Data flow analysis for crash case

Figure 1 Data flow analysis for crash case

We performed data flow analysis on the data related to the crash point. The picture above shows clearly that the data source used at the crash point is an area of freed memory. As the execution order is from bottom to top, the free operation is performed first; the data is then passed to Adobe Reader and used for later operations, which leads to the uninitialized memory issue.

Data flow analysis for normal case

Figure 2 Data flow analysis for normal case

The above data flow graph is from a good sample file which hits the same area of the code as the crash case. But in this case, we can see that the data comes from an allocated area using malloc API.

Crash case and normal case

Figure 3 Crash case and normal case

By performing data differential analysis between the crash case and the normal case, we can pinpoint the exact instruction that is responsible for the diversion of data flow. The following table shows the difference in the instruction that makes the data flow diversion and you can see that “mov dword ptr [ecx+ebx*4h], eax” is the key instruction that makes the difference.

Crash case and normal case

Figure 4 Crash case and normal case

So we start control flow differential analysis from that specific key instruction.

Key instruction from data flow differential analysis

Figure 5 Key instruction from data flow differential analysis

The following graph shows the control flow differential analysis result.

Control flow differential analysis result

Figure 6 Control flow differential analysis result 

From the graph above, we can see that the instruction in the basic block at 10009E72 (in red) is the one that determines the fate of the control flow. The control flow depends on the value of the eax register, which is key to creating the crash condition.

We traced back this eax value from that instruction point in the crash case, and got the following graph. Finally we could locate the exact file location where the eax comes from. And this eax value controls the condition for the crash later.

EAX Control

Figure 7 EAX Control

So the whole point of this post is that data flow analysis is a good tool for vulnerability analysis, but it doesn’t solve all the real world vulnerability cases. Real world vulnerabilities are more complicated. So to apply this technology, you need to introduce more strategies and methods. We showed data flow differential analysis and control flow differential analysis as examples that could solve an uninitialized memory access case.

For the full content of the presentation, please visit this page. It should be available soon.

Jeong Wook Oh

CodePlex now Supports Git

March 22nd, 2012 No comments

Great news for our CodePlex community: CodePlex now supports Git!

Git has been one of the top rated requests from the CodePlex community for some time, and giving CodePlex users what they ask for and supporting their open source efforts has always been important to us.

And the goodness continues, as the CodePlex team has a long list of improvements planned.

So, why Git? CodePlex already has Mercurial for distributed version control and TFS (which also supports Subversion clients) for centralized version control. The short answer is that the CodePlex community voted, loud and clear, that Git support was critical.

With the addition of Git, CodePlex now has three options when it comes to Open Source project hosting. Projects can now select between TFS, Mercurial, and Git.

Each developer has their own preferences, and for some, centralized version control makes more sense to them. For others, DVCS is the only way to go. We’re equally committed to supporting both these technologies for users.

You can get started today by creating a new project or contribute to an existing project by creating a fork.

For help on getting started with Git on CodePlex, see the help documentation here. If you would like to switch your project to use Git, please contact CodePlex Support with your project information.

For more information on this news, read the CodePlex blog.

Free PC safety scan

March 22nd, 2012 No comments

Think your computer might have a virus? The Microsoft Safety Scanner is a free download that will scan your computer and help you remove viruses, spyware, and other malicious software.

Download Microsoft Safety Scanner

The scanner is not a replacement for antivirus software. It contains the latest anti-malware definitions, but it works alongside your antivirus software. The Microsoft Safety Scanner expires after 10 days, but you can download the newest version again for free. Antivirus software like Microsoft Security Essentials is also free, but provides real-time scanning and does not expire after 10 days.

Get more information about the Microsoft Safety Scanner.

New Interoperability Solutions for SQL Server 2012

March 22nd, 2012 No comments

I am excited to share some great news about how we are opening up the SQL Server data platform even further with expanded interoperability support through new tools that allow customers to modernize their infrastructure while maximizing existing investments and extending virtually any data anywhere.

The SQL Server team today introduced several tools that enable interoperability with SQL Server 2012.

These tools help developers to build secure, highly available and high performance applications for SQL Server in .NET, C/C++, Java and PHP, on-premises and in the cloud.

These new tools include a Microsoft SQL Server 2012 Native Client, a SQL Server ODBC Driver for Linux, backward compatibility with ADO.Net and the Microsoft JDBC Driver 4.0 and PHP Driver 3.0.

You can find more information on all this goodness on the SQL Server blog here.

Piecing the malware puzzle – Exploring a spike in exploit activity

March 20th, 2012 No comments

In this post, we explore a telemetry spike in Java/OpenConnection and CVE-2011-3544 exploit activity.

While reviewing user feedback from the Microsoft Malware Protection Center recently, we noticed an unprecedented amount of feedback on one particular Java/OpenConnection variant — TrojanDownloader:Java/OpenConnection.PK. Such interest in this type of Java applet-based exploit is quite unusual, and prompted us to investigate further.

A signature for this threat was introduced on February 22, 2012, and reports spiked to 7.5k on the first day. In the following days the daily report volume fluctuated between 5k and 7.8k a day (a spike of this size is unusual for this kind of threat), until on 28th February the volume started to subside, dropped below 5k, and plateaued around 2.5k reports a day, as shown in the figure below:

Figure 1 – daily report volume of Java/OpenConnection.PK

Looking at prevalent reported samples of TrojanDownloader:Java/OpenConnection.PK, we see that there’s no clear leader in the volume per sample distribution. A long tail spike in the distribution may point out a file of interest; however in this case, the top range numbers were quite flat and didn’t appear in any way skewed, as shown in the graph below:

Top 10 samples

Figure 2 – top 10 Java/OpenConnection.PK samples

Closer examination confirmed that all of the top reported files were malware, that is, legitimate detections rather than false positives.

The detected TrojanDownloader:Java/OpenConnection.PK class file contains mangled strings and variables which suggests that its code was generated by a machine or an obfuscation tool. In other words, it could be a product of one of the Java exploit toolkits, an obfuscation tool, or both.

Some of the most prevalent toolkits around today are Blackhole and Phoenix. This particular threat, however, does not seem to be associated with either Blackhole or Phoenix, indicating that another (less-utilized) exploit kit was possibly used. It is a reminder that there are exploit kits out there that, while not as popular, are still causing users a considerable amount of pain.

What we know is that currently, most of the popular web malware exploit kits attack the Java Runtime Environment vulnerabilities described in CVE-2010-0094, CVE-2010-0840 and CVE-2011-3544 (among other techniques), which fall under our Java/OpenConnection family detections.

When new updates to exploit kits are released, it’s not uncommon to see a spike in the exploits used for malicious purposes. This is just one of the many things we watch for while monitoring our detections.

These particular Java exploits are patched, but in the event a Java-user doesn’t update a vulnerable version, or remove older versions of Java, they can be exploited by these attacks. As such, we recommend you update your version of Java, and remove older versions to thwart such attacks.

 

–Oleg Petrovsky & Jasmine Sesso

Facebook C# SDK submitted to the Outercurve Foundation

March 20th, 2012 No comments

I am pleased to announce another open source milestone as we continue to deliver on our commitment to Interoperability: today, the Facebook C# SDK was submitted to the Outercurve Foundation’s Data, Languages, and Systems Interoperability gallery.

This project is a set of libraries that enables developers of all Microsoft platforms, as well as Mono, to build applications that integrate with Facebook. The project contains core libraries for authentication and calling Facebook APIs. Additionally, the project contains platform specific helpers such as extension methods for ASP.NET MVC.

The Facebook C# libraries give app developers a stable, small-footprint SDK that enables quick app integration into Facebook. This has allowed mobile and web app developers to quickly create Facebook apps that meet the needs of their customers.

The Facebook C# SDK has had 10 major releases, and has been downloaded more than 115,000 times, proving to be one of the most popular community-driven open source projects in the .Net ecosystem.

The project, which already has a significant user base, was hosted on CodePlex.com but has moved to GitHub, with developer discussions supported on Stack Overflow.

Nathan Totten, Jim Zimmerman and Prabir Shrestha developed the Facebook C# SDK and contributed the project to the Outercurve Foundation, which currently has three galleries and 21 projects, each of which was contributed with funding and resources to support the project and/or gallery for a period of three years.

Of the 225 developers who currently contribute to Outercurve projects, fewer than 45% are employed by Microsoft.

Categories: .NET, Interoperability, Open Source Tags:

Win the battle against email fraud

March 20th, 2012 No comments

Cybercriminals use email fraud (sometimes called “phishing”) to steal your personal data, such as credit card numbers, passwords, account data, or other information.

Cybercriminals might send millions of fraudulent email messages with links to fraudulent websites that appear to come from websites you trust, like your bank or credit card company, and request that you provide personal information. Criminals can use this information for many different types of fraud, such as to steal money from your account, to open new accounts in your name, or to obtain official documents using your identity.

Here are 5 ways to help avoid email fraud:

  1. Never click links or open attachments in emails that claim to come from your bank or other financial institution. Use your browser bookmarks to access your financial websites or type the URL directly into your browser. Learn more about how to recognize scams.
  2. Use strong passwords. If you use a strong password for your email account, the account is less likely to be hacked. Learn how to create strong passwords.
  3. Use email software with built-in spam filtering. The SmartScreen filter helps reduce both unwanted and possibly dangerous email. It is built into Microsoft email programs and is turned on by default. Read more about how SmartScreen works in Hotmail, Outlook 2010, and Outlook 2007.
  4. Add people you know to your safe sender list and unwanted senders to your blocked list. This helps you get the mail that you want and not the mail that you don’t.
  5. Look for signs that your information is safe. Phishing emails often try to lead you to malicious websites. Before you enter sensitive information on any site, ensure that the site uses encryption, a security measure that helps protect your data as it travels over the Internet. One sign is an address that starts with https. Keep in mind that https only means the connection is encrypted; a fraudulent site can use it too, so also check that the domain in the address is the one you expect. Learn more about how to make safer web transactions.

For more information, see Phishing: frequently asked questions.

KB: Upgrading to Microsoft Forefront Unified Access Gateway 2010 Service Pack 1 fails with error 1603

March 20th, 2012 No comments

Here’s a new Knowledge Base article we published today. This one talks about an issue where upgrading to Microsoft Forefront Unified Access Gateway 2010 SP1 fails with error 1603 and rolls back:

=====

Symptoms

When upgrading to Microsoft Forefront Unified Access Gateway 2010 (UAG) Service Pack 1 (SP1), the upgrade fails with error 1603 and rolls back. You may also see the following in the UAG SP1 Setup log files for UAG which are located at %ProgramData%\Microsoft\UAG\Logs:

Hybrid_Default_Web_App_Access.
MSI (s) (48!98) [08:51:45:640]: Closing MSIHANDLE (577708) of type 790531 for thread 5016
MSI (s) (48!98) [08:51:45:662]: Creating MSIHANDLE (577709) of type 790531 for thread 5016
UAG CA (Info): Error: Caught error (will rethrow after rollback): System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
at System.ThrowHelper.ThrowKeyNotFoundException()
at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
at Microsoft.UAG.Transformer.Core.PolicyConverter.ProcessTrunk(String trunkName, XmlNode trunkNode, String policySettingsNodeXPath)
at Microsoft.UAG.Transformer.Core.PolicyConverter.ConvertData()
at Microsoft.UAG.Transformer.Core.SchemaConversionRuntime.Run()
MSI (s) (48!98) [08:51:45:662]: Closing MSIHANDLE (577709) of type 790531 for thread 5016
MSI (s) (48!98) [08:51:45:663]: Creating MSIHANDLE (577710) of type 790531 for thread 5016
UAG CA (Info): Info: Firing ProgressChanged event: Step: 0%, Description: ‘Conversion aborted due to error, Rolling back.’.

Cause

This can occur if UAG is configured with the SharePoint-specific download and upload endpoint policies prior to running the SP1 upgrade. The installation process raises an exception and rolls back when the name of one (or more) of the existing standard policies is in use by an application.

Resolution

To resolve this issue, create new custom policies with the same data and use those instead of the SharePoint-specific download and upload endpoint policies.

More Information

For more information see the following:

Configuring Forefront UAG access policies : http://technet.microsoft.com/en-us/library/dd857309.aspx

=====

For the most current version of this article please see the following:

2685784 : Upgrading to Microsoft Forefront Unified Access Gateway 2010 Service Pack 1 fails with error 1603

J.C. Hornbeck | System Center & Security Knowledge Engineer

App-V Team blog: http://blogs.technet.com/appv/
ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/
DPM Team blog: http://blogs.technet.com/dpm/
MED-V Team blog: http://blogs.technet.com/medv/
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
SCVMM Team blog: http://blogs.technet.com/scvmm
Server App-V Team blog: http://blogs.technet.com/b/serverappv
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center Essentials Team blog: http://blogs.technet.com/b/systemcenteressentials
WSUS Support Team blog: http://blogs.technet.com/sus/

The Forefront Server Protection blog: http://blogs.technet.com/b/fss/
The Forefront Endpoint Security blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

Categories: Uncategorized Tags:

KB: Upgrading to Microsoft Forefront Unified Access Gateway 2010 Service Pack 1 fails with error 1603

March 20th, 2012 No comments

hotfixHere’s a new Knowledge Base article we published today. This one talks about an issue where upgrading to Microsoft Forefront Unified Access Gateway 2010 SP1 fails with error 1603 and rolls back:

=====

Symptoms

When upgrading to Microsoft Forefront Unified Access Gateway 2010 (UAG) Service Pack 1 (SP1), the upgrade fails with error 1603 and rolls back. You may also see the following in the UAG SP1 Setup log files for UAG which are located at %ProgramData%\Microsoft\UAG\Logs:

Hybrid_Default_Web_App_Access.
MSI (s) (48!98) [08:51:45:640]: Closing MSIHANDLE (577708) of type 790531 for thread 5016
MSI (s) (48!98) [08:51:45:662]: Creating MSIHANDLE (577709) of type 790531 for thread 5016
UAG CA (Info): Error: Caught error (will rethrow after rollback): System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
at System.ThrowHelper.ThrowKeyNotFoundException()
at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
at Microsoft.UAG.Transformer.Core.PolicyConverter.ProcessTrunk(String trunkName, XmlNode trunkNode, String policySettingsNodeXPath)
at Microsoft.UAG.Transformer.Core.PolicyConverter.ConvertData()
at Microsoft.UAG.Transformer.Core.SchemaConversionRuntime.Run()
MSI (s) (48!98) [08:51:45:662]: Closing MSIHANDLE (577709) of type 790531 for thread 5016
MSI (s) (48!98) [08:51:45:663]: Creating MSIHANDLE (577710) of type 790531 for thread 5016
UAG CA (Info): Info: Firing ProgressChanged event: Step: 0%, Description: ‘Conversion aborted due to error, Rolling back.’.

Cause

This can occur if UAG is configured with the SharePoint-specific download and upload endpoint policies before the SP1 upgrade is run. The installation process raises an exception and rolls back when the name of one or more of the existing standard policies is in use by an application.

Resolution

To resolve this issue, create new custom policies with the same data and use those instead of the SharePoint-specific download and upload endpoint policies.

More Information

For more information see the following:

Configuring Forefront UAG access policies: http://technet.microsoft.com/en-us/library/dd857309.aspx

=====

For the most current version of this article please see the following:

2685784: Upgrading to Microsoft Forefront Unified Access Gateway 2010 Service Pack 1 fails with error 1603
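When a UAG SP1 upgrade rolls back with 1603, the first thing to do is confirm that the setup log really shows this KB’s signature (a KeyNotFoundException thrown from PolicyConverter.ProcessTrunk during rollback) rather than some other custom-action failure. The following Python helper is an added example, not part of the KB article or of UAG; it parses the “Caught error” line and the stack frames that follow it, and maps them to the KB number quoted above. The sample log text is constructed to mirror the excerpt in the Symptoms section (timestamps and MSI handle numbers are illustrative), the signature table and its summary wording are my own, and the assumption that the log files carry a .log extension is also mine.

```python
import re
from pathlib import Path

# Constructed sample modelled on the UAG SP1 setup log quoted in the KB article.
SAMPLE_LOG = """\
MSI (s) (48!98) [08:51:45:640]: Closing MSIHANDLE (577708) of type 790531 for thread 5016
MSI (s) (48!98) [08:51:45:662]: Creating MSIHANDLE (577709) of type 790531 for thread 5016
UAG CA (Info): Error: Caught error (will rethrow after rollback): System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
at System.ThrowHelper.ThrowKeyNotFoundException()
at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
at Microsoft.UAG.Transformer.Core.PolicyConverter.ProcessTrunk(String trunkName, XmlNode trunkNode, String policySettingsNodeXPath)
at Microsoft.UAG.Transformer.Core.PolicyConverter.ConvertData()
at Microsoft.UAG.Transformer.Core.SchemaConversionRuntime.Run()
UAG CA (Info): Info: Firing ProgressChanged event: Step: 0%, Description: 'Conversion aborted due to error, Rolling back.'.
"""

# Known failure signatures: exception type, a stack frame that must be present, and the KB
# that documents the cause. Only the entry from this KB is included; extend as needed.
KNOWN_SIGNATURES = [
    {
        "exception": "System.Collections.Generic.KeyNotFoundException",
        "frame": "Microsoft.UAG.Transformer.Core.PolicyConverter.ProcessTrunk",
        "kb": "2685784",
        "summary": "SharePoint-specific download/upload endpoint policies present before the SP1 upgrade",
    },
]

# The custom-action error line: "... Caught error (will rethrow after rollback): <Exception>: <message>"
ERROR_RE = re.compile(
    r"^UAG CA \(Info\): Error: Caught error \(will rethrow after rollback\): "
    r"(?P<exception>[\w.`]+): (?P<message>.*)$"
)
# A .NET stack frame line: "at Namespace.Type.Method(args)"
FRAME_RE = re.compile(r"^\s*at (?P<frame>[^(]+)\(")


def parse_uag_error(log_text):
    """Return the first caught-error block as a dict (exception, message, frames), or None."""
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = ERROR_RE.match(line)
        if not m:
            continue
        frames = []
        # Stack frames follow the error line until the next non-frame log line.
        for follow in lines[i + 1:]:
            f = FRAME_RE.match(follow)
            if not f:
                break
            frames.append(f.group("frame").strip())
        return {"exception": m.group("exception"), "message": m.group("message"), "frames": frames}
    return None


def triage(log_text):
    """Match the caught error against KNOWN_SIGNATURES.

    Returns None when the log has no caught error, otherwise a dict with the matching
    KB id (or None for an unrecognised error), a summary and the parsed error.
    """
    err = parse_uag_error(log_text)
    if err is None:
        return None
    for sig in KNOWN_SIGNATURES:
        if err["exception"] == sig["exception"] and any(sig["frame"] in fr for fr in err["frames"]):
            return {"kb": sig["kb"], "summary": sig["summary"], "error": err}
    return {"kb": None, "summary": "unrecognised setup error", "error": err}


def triage_directory(log_dir):
    """Triage every *.log file under log_dir (the KB names %ProgramData%\\Microsoft\\UAG\\Logs).

    The .log extension is an assumption; adjust the glob if your setup logs are named differently.
    """
    return {p.name: triage(p.read_text(errors="replace")) for p in Path(log_dir).glob("*.log")}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["kb"], result["summary"])
```

Run it against the real log directory with `triage_directory(r"C:\ProgramData\Microsoft\UAG\Logs")`; a hit on KB 2685784 tells you to apply the Resolution above (replace the SharePoint-specific policies with custom copies) before retrying the upgrade, and an “unrecognised setup error” result tells you this KB is not your problem.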

J.C. Hornbeck | System Center & Security Knowledge Engineer

Get the latest System Center news on Facebook and Twitter:



An interesting case of JRE sandbox breach (CVE-2012-0507)

March 20th, 2012

Recently we received a few samples that exploit the latest patched JRE (Java Runtime Environment) vulnerability. Samples like these are somewhat unusual to see, but they can be used to develop highly reliable exploits. The malicious Java applet is loaded from an obfuscated HTML file and contains two Java class files: one triggers the vulnerability and the other is a loader class used to load additional classes.

The vulnerability-triggering class deserializes an object array and uses a vulnerability in AtomicReferenceArray to disarm the JRE sandbox mechanism; the serialized object data was deliberately crafted by the attacker. This reference array issue is very serious because it is not a memory corruption bug but a logic flaw in the handling of the array, so the exploit is highly reliable, which may be one reason the bad guys picked this vulnerability for their attacks. We determined this vulnerability to be CVE-2012-0507.

Figure 1: The vulnerability-triggering class

The loader class is called from the vulnerability-triggering class. It can load additional classes in an escalated-privilege context and perform operations that escape the sandbox mechanism. It creates a new class on the fly and uses that class to carry out the malicious work with escalated privileges.

The third class, loaded by the loader class, downloads a malicious file and decodes it using a simple XOR algorithm. It saves the result to a local temporary folder and executes it using Runtime’s exec method. The decoded malicious file is detected as PWS:Win32/Zbot.gen!Y.

The following diagram shows the overall process of exploitation. A.class is the vulnerability-triggering class, B.class is the loader class, and C.class is the third class that downloads, decodes and executes a malicious binary.

Figure 2: The overall view of exploitation

The following code shows the decoding routine inside the C.class file; it uses a very simple form of XOR decoding.

Figure 3: Decoding routine inside the C.class file
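An analyst who captures the file that C.class downloads (from a proxy log or a packet capture) will want to recover the plaintext executable so it can be hashed and submitted for detection. The Python helper below is an added example written for that purpose; it is not the decoding routine from the malware and not code from the post. It assumes the simplest possible scheme, a single-byte XOR key applied to every byte (an assumption: the post says only that the XOR is “very simple” and does not give the key), brute-forces the key by checking for the MZ header a Windows executable starts with, and also checks an applet’s SHA-1 against the two hashes listed below. The encoded sample payload is constructed for the demonstration and is not a real dropped file.

```python
import hashlib

# SHA-1s of the two applets listed in the post (Exploit:Java/CVE-2012-0507.A and .B).
KNOWN_APPLET_SHA1S = {
    "fc1ab8bf716a5b3450701ca4b2545888a25398c9": "Exploit:Java/CVE-2012-0507.A",
    "03e26e735b2f33b3b212bea5b27cbefb2af4ed34": "Exploit:Java/CVE-2012-0507.B",
}


def sha1_hex(data):
    """Hex SHA-1 of a byte string, for matching against the published IoCs."""
    return hashlib.sha1(data).hexdigest()


def classify_applet(data):
    """Return the detection name if the bytes match a listed applet hash, else None."""
    return KNOWN_APPLET_SHA1S.get(sha1_hex(data))


def xor_decode(data, key):
    """XOR every byte with a single-byte key: the simplest XOR scheme (assumed, see lead-in)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data):
    """A Windows executable begins with the 'MZ' DOS header; cheap plausibility check."""
    return len(data) >= 2 and data[:2] == b"MZ"


def recover_single_byte_xor(blob):
    """Try all 256 single-byte keys and return (key, decoded) for the first that yields
    an MZ header, or None if no key does (meaning the scheme is not single-byte XOR)."""
    for key in range(256):
        candidate = xor_decode(blob, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None


# Constructed stand-in for a dropped executable: an MZ header, padding and the familiar
# DOS stub string. It is not a real binary and does not correspond to the hashes above.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
SAMPLE_KEY = 0x5A
ENCODED_SAMPLE = xor_decode(FAKE_PE, SAMPLE_KEY)   # what a capture of the download would look like


if __name__ == "__main__":
    recovered = recover_single_byte_xor(ENCODED_SAMPLE)
    if recovered is None:
        print("not single-byte XOR; look at the decoding routine in C.class for the real scheme")
    else:
        key, plaintext = recovered
        print(f"key=0x{key:02x} sha1={sha1_hex(plaintext)}")
```

Because the XOR key only appears inside the decompiled C.class, brute-forcing it from the captured bytes saves a round trip through the decompiler; if no key produces an MZ header the routine is more than a single-byte XOR and the class itself has to be read.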

Example SHA1s:

fc1ab8bf716a5b3450701ca4b2545888a25398c9 (detected as Exploit:Java/CVE-2012-0507.A)
03e26e735b2f33b3b212bea5b27cbefb2af4ed34 (detected as Exploit:Java/CVE-2012-0507.B)

The good news is that the vendor has had a patch for this vulnerability available since late February. Make sure you have the latest JRE version installed on your system, or visit this patch update advisory page to see whether you require any updates.

So please, update your JRE installations and protect yourself.

Jeong Wook (Matt) Oh & Chun Feng


CRM published through ISA/TMG : Save and new button on the form does not work properly, need to click twice on the links in the CRM page

March 19th, 2012

Microsoft’s own Suraj Singh has some great info over on his blog about a couple of issues you may see when CRM is published through ISA or TMG. The issues are that Internet-based users logging on to the CRM site had to click links twice for them to open, and that the Save and New buttons were grayed out when using a user edit form. You can check out Suraj’s complete article at the link below:

CRM published through ISA/TMG: Save and new button on the form does not work properly, need to click twice on the links in the CRM page: http://blogs.technet.com/b/sooraj-sec/archive/2012/01/25/crm-published-through-isa-tmg-save-and-new-button-on-the-form-does-not-work-properly-need-to-click-twice-on-the-links-in-the-crm-page.aspx

J.C. Hornbeck | System Center & Security Knowledge Engineer


Offline CA articles posted to the TechNet Wiki

March 18th, 2012

Amer Kamal recently posted two articles regarding the security and maintenance of offline CAs, based on frequently asked questions from customers. The articles are posted as:

Security Best Practices for Offline CAs

and

Offline CA Maintenance Tasks

Since they are TechNet Wiki articles, you can not only review them, but also help to improve them.